[Dovecot] Clash between multiple authentication databases (security problem?)

dovecot-ri dovecot-ri at scientician.org
Thu Feb 2 19:24:27 EET 2006


Hi all,

I just installed dovecot-1.0_beta2 and love it!  However, I've run into issues using multiple authentication databases.

I use both pam (for users on my system) and sql (for virtual users).  I've noticed that if I have system user "userabc" and virtual user "userabc@otherdomain.com" (two distinct users) and my "auth default" section contains these passdb/userdb entries in this order (the order in the example config):

  passdb pam
  passdb sql
  userdb pam
  userdb sql

then when userabc@otherdomain.com logs in, he'll get the system user userabc's mail instead of his own.  It appears that the sql password check succeeds, then Dovecot grabs the home directory from pam, NOT sql.

I can work around this by setting up "userdb prefetch" and adding that section *before* "userdb pam".  If I put "userdb prefetch" after "userdb pam" or after "userdb sql", then Dovecot doesn't actually do the prefetch (which causes an error since Dovecot issues the default SQL query for "user_query", which my MySQL database doesn't like).

Is there a safer way to do this?  If not, should there be?

Thanks!
Richard

======================================================
complete working dovecot.conf:
======================================================
first_valid_uid = 900
mail_debug = yes
default_mail_env = maildir:%h/.maildir 
maildir_copy_with_hardlinks = yes
protocol imap {
  login_greeting_capability = yes
}
protocol pop3 {
}
auth_debug = yes
auth default {
  mechanisms = plain
  passdb pam {
    args = "*"
  }
  passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  userdb prefetch {
  }
  userdb passwd {
  }
  userdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  user = root
}

======================================================
dovecot-sql.conf:
======================================================
driver = mysql
connect = host=/var/run/mysqld/mysqld.sock user=mail password=** dbname=mail
default_pass_scheme = SSHA
password_query = <query that returns user, password, userdb_home, userdb_uid, userdb_gid>
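
An added example, not part of the original message and not Dovecot code: a small Python check that reads the passdb/userdb blocks out of a dovecot.conf and flags the ordering described above, i.e. a userdb listed before "userdb prefetch" while more than one passdb is configured and one of them (sql here) supplies userdb_home/uid/gid. The sample config text is constructed from the auth section posted above; the set of "prefetch-capable" drivers and the ordering rule itself are assumptions of this check drawn from the post, not from Dovecot's documentation.

```python
"""Ordering check for Dovecot passdb/userdb blocks (added example, not Dovecot code).

Rule modelled (an assumption taken from the post, not from Dovecot docs): when
more than one passdb is configured and at least one of them can return
userdb_home/userdb_uid/userdb_gid, "userdb prefetch" should be the first
userdb.  Any userdb listed before it may answer the lookup for a user that
was actually authenticated by a different passdb, handing that user another
account's mailbox.
"""
import re
from typing import List, Tuple

# Constructed from the auth section in the post: the ordering the poster
# reports as failing (prefetch listed after userdb passwd).
BROKEN_CONF = """\
auth default {
  mechanisms = plain
  passdb pam {
    args = "*"
  }
  passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  userdb passwd {
  }
  userdb prefetch {
  }
  userdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  user = root
}
"""

# Same section with the ordering the poster found to work (prefetch first).
FIXED_CONF = BROKEN_CONF.replace(
    "  userdb passwd {\n  }\n  userdb prefetch {\n  }\n",
    "  userdb prefetch {\n  }\n  userdb passwd {\n  }\n",
)

# Matches the opening line of a passdb/userdb block, e.g. "  passdb sql {".
BLOCK_RE = re.compile(r"^\s*(passdb|userdb)\s+(\w+)\s*\{", re.MULTILINE)

# passdb drivers assumed able to hand userdb_* fields to prefetch.
PREFETCH_CAPABLE = {"sql", "ldap"}


def db_chain(conf: str) -> Tuple[List[str], List[str]]:
    """Return (passdb drivers, userdb drivers) in the order they appear."""
    passdbs: List[str] = []
    userdbs: List[str] = []
    for kind, driver in BLOCK_RE.findall(conf):
        (passdbs if kind == "passdb" else userdbs).append(driver)
    return passdbs, userdbs


def check_userdb_order(conf: str) -> List[str]:
    """Return a list of findings; empty when the ordering rule is satisfied."""
    passdbs, userdbs = db_chain(conf)
    capable = sorted(set(passdbs) & PREFETCH_CAPABLE)
    if len(passdbs) < 2 or not capable:
        return []  # one passdb, or none that supplies userdb_* fields
    if "prefetch" not in userdbs:
        return [f"no 'userdb prefetch' configured: users accepted by passdb "
                f"{capable} are resolved through userdb {userdbs}, which may "
                "belong to a different account store"]
    earlier = userdbs[: userdbs.index("prefetch")]
    if earlier:
        return [f"'userdb prefetch' is listed after {earlier}: a user accepted "
                f"by passdb {capable} can be resolved through userdb "
                f"{earlier[0]} and receive that account's mailbox"]
    return []


if __name__ == "__main__":
    for name, conf in (("posted ordering", BROKEN_CONF),
                       ("prefetch first", FIXED_CONF)):
        print(f"{name}: {check_userdb_order(conf) or 'ok'}")
```

Run stand-alone it reports one finding for the posted ordering and "ok" for the prefetch-first variant; pointing db_chain at a real dovecot.conf only requires reading the file into a string.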


