Gentoo Forums :: Networking & Security
Dovecot wants to run the show
miket (Guru; Joined: 28 Apr 2007; Posts: 489; Location: Gainesville, FL, USA)
Posted: Mon Nov 27, 2023 5:39 pm    Post subject: Dovecot wants to run the show

I've been following the Complete Virtual Mail Server guide on the Gentoo Wiki. I've had to figure my way around several papercuts, but now I've reached one where I'm looking for suggestions as to which way to proceed.

Early in the process comes the instruction to set up Postfixadmin to manage a database that Postfix can query. That database contains a password column. Great, I thought! When yet-to-be configured components need to authenticate users, this is where they'd come.

Ah, but no. It's Dovecot that rules the show. That password column does store a password hash, but it follows Dovecot rules. It sure seemed bizarre to me that Dovecot would query the database for the password hash, extract the name of the hash function and salt from that, and do its own checking for the hash. Fair enough that IMAP clients, including Roundcube, would authenticate with Dovecot and not the database, but this made for an odd situation: when I used the configuration the guide indicated for setting up Dovecot's authentication mechanism, Postfixadmin could not generate password hashes that Dovecot would accept. This also meant that I could not set up Roundcube's plugin to let users change their own passwords.

The thing that let me go on with testing Dovecot's login (and further steps like the Let's Encrypt certificates, Roundcube, SMTP authentication) was to generate a hash by hand using doveadm so I could update the password column.

Now to make it work without manual intervention. I tried setting the 'encrypt' key in Postfixadmin's config.local.php file to 'dovecot:MD5-CRYPT' so it would use doveadm to generate the hash, but Postfixadmin barfed when I tried that. Here's why: doveadm wants to open the socket /run/dovecot/stats-writer (yet it doesn't seem to write anything as far as I can see), but if your user (apache in this case) has no permissions on the socket, you get an error message. The return code is still 0, but Postfixadmin treats it as an error because stderr from the call to doveadm has non-zero length.

So one way out of the problem would be to patch Postfixadmin to ignore what was written to stderr when the return code is zero. This is suboptimal for several reasons.

At this point some people on line suggest adjusting the permissions so that the intended user could write to that socket--say by putting Apache in the dovecot group--but I thought that the point of Dovecot was to enhance security, not weaken it. A writer in the Gentoo Forums a few years ago had a better take: set up a sudo rule to let the apache user execute sudo doveadm pw.

Others have talked about munging Dovecot hashes in PHP (including unsalted hashes), but this runs up against a different problem: Dovecot has changed its mind before and could do so again. I've read about authentication problems people have had with Dovecot updates.

If I had my druthers, the authority for the generating password hashes and checking their validity would reside in the database. This means using stored procedures both to hash passwords and to check user credentials. Only the owner of those procedures should have grants on the password table: I'd want to make it hard to pilfer my password hashes.

(I see that there is indeed a reason Dovecot might want to fetch from the password column of the database: it has to be able to deal with client-hashed passwords sent when the IMAP connection is not encrypted. Since I require that IMAP connections use TLS, I can happily accept SASL cleartext passwords--and don't need Dovecot to make a hash.)

Configuring Dovecot to make such a change seems to be a matter of setting the stored procedure to return a row with password == NULL and nopassword == 'Y' when the credentials match and an empty row if not (Password verification by SQL server). Letting Roundcube set passwords now can avoid the hassle of setting up the execution of doveadm using proc_open. The problem is now Postfixadmin: I can't see how to make the change without patching the code.

A compromise to allow everything to remain unpatched (and also relieve me of the need to write the stored procedures) would be to have PHP (whether Postfixadmin or the Roundcube plugin) generate passwords and store them in the password column. At this rate the hashes aren't as hidden, but at least they would not show up in any of the normal result sets from the database.

So does anyone have a suggestion about the best way to go?
szatox (Advocate; Joined: 27 Aug 2013; Posts: 3203)
Posted: Mon Nov 27, 2023 8:01 pm

Do you have a link to the specific guide you're using?
What is the part you actually have a problem with?

I'm using postfix + dovecot + mysql and a locally installed mail client. Database stores password hashes and mailbox-alias mapping, dovecot authenticates users, in case of mail submission postfix defers to dovecot's verdict (via a unix socket).
I haven't used roundcube, but I think it's a webmail using regular imap + smtp client just like squirrelmail does, and probably should be treated just like any other mail client. Like in: The server-side config (postfix, dovecot and sql) shouldn't need any special tricks to enable it.
miket (Guru; Joined: 28 Apr 2007; Posts: 489; Location: Gainesville, FL, USA)
Posted: Tue Nov 28, 2023 4:17 am

szatox wrote:
Do you have a link to the specific guide you're using?
What is the part you actually have a problem with?

The guide is Complete Virtual Mail Server. It uses Postfixadmin to manage the database tables for mailboxes and aliases, plus Postfix with queries into the database, Dovecot with other queries to the database, Cyrus-SASL (not yet configured) listening on a Unix socket, Roundcube for webmail (yes, SMTP and IMAP), plus other components not yet configured.

The hangup is that the nifty mailbox-administration tool Postfixadmin is not generating password hashes in a way that Dovecot accepts. The guide does not indicate using an encryption method other than the default, which it calls md5crypt. As a sample, this is a hash Postfixadmin generates for the throwaway password 'testit12': $1$c9809462$PkPss61.ruH84EvyuqF9k.

The guide's section on Dovecot has these settings for /etc/dovecot/dovecot-sql.conf.ext:
Code:
driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=secret
default_pass_scheme = CRYPT
password_query = \
  SELECT local_part AS username, domain, password FROM mailbox WHERE local_part = '%n' AND domain = '%d'
user_query = \
  SELECT local_part AS user, CONCAT('/var/vmail/',maildir) AS home FROM mailbox WHERE local_part = '%n' AND domain = '%d'
Since I, like you, am using mysql, I simply substitute "mysql" for "pgsql" in the above. Except for the connect= string, all the rest is the same since none of this touches an area where mysql and postgres differ.

So now the only surefire way I know to generate a hash Dovecot will like is to use doveadm pw to make it. Using my same example password, the CRYPT method results in the hash {CRYPT}$2y$05$80fo.E39QK7CxboY5xrO7eOwdd68Xutu.tWEWKwAxIwM2JbaTEqji

Switching to a hash that is more adjacent to Postfixadmin's md5crypt gives {MD5-CRYPT}$1$cYhUzJRJ$JhHrjuRS29IaLk9JknR/e0

So if I were content with doing the hash generation and the MySQL operation by hand every time, I'd be set. The trouble is that I want users to be able to set their own passwords and for the mailbox administrator also to be able to set passwords.

This sums up the options I've identified:

  • use sudo doveadm pw to generate hashes in Postfixadmin and Roundcube. This would require setting a good bit of scaffolding code in Roundcube's password plugin
  • play more with PHP solutions to generate Dovecot-friendly hashes. The only one that looks just a bit promising is sha512.b64, but I'm not perfectly sure it uses the set of base64 symbols that Dovecot expects.
  • move hash generation and credential generation to the database via stored procedures--entailing a patch to Postfixadmin code
  • let Postfixadmin generate and store hashes using one of its native methods (works only if MySQL can also validate such hashes via a single SELECT statement)


---

After getting this far I've come to a cut-to-the-chase moment. I didn't come to this point before having made a number of search-engine queries involving Postfixadmin and Dovecot. Those came up to a lot of links that I thought offered iffy solutions. While looking through the Postfixadmin repo I found a documentation page for just this case. Their solution: use doveadm pw after adding the dovecot group to the web user. Damn if I'm going to do that last part--I'll use sudo to narrow the access the web user will get.

It's still not a method I'm super-thrilled about, but I could make it happen. Do you have a better idea?
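Two of the sticking points in the posts above can be shown in working code: whether a web application can produce a hash Dovecot will accept using nothing more exotic than a standard base64 encoder (the doubt raised about Postfixadmin's sha512.b64 method), and how a caller of doveadm pw should judge success when the exit status is 0 but stderr carries the stats-writer complaint from the first post. The block below is an added example and not part of the thread, nor code from Postfixadmin, Roundcube or Dovecot. It is written in Python rather than PHP so it runs anywhere; the layout of the two schemes is assumed from Dovecot's password-scheme documentation ({SHA512} is base64 of the raw digest, {SSHA512} is base64 of the digest with the salt appended), and the salt length, the function names and the sample doveadm run are this example's own choices.

```python
"""Added example (not from the forum thread, Postfixadmin, Roundcube or Dovecot):
generate and verify Dovecot-style {SHA512} / {SSHA512} hashes with the standard
library, and read the result of a `doveadm pw` run by its exit status.
Scheme layout assumed from Dovecot's docs:
  {SHA512}  = base64(sha512(password))
  {SSHA512} = base64(sha512(password + salt) + salt)"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

SALT_LEN = 8      # bytes of random salt for SSHA512 (this example's choice)
DIGEST_LEN = 64   # sha512 digest length; the salt follows it in SSHA512


def make_sha512(password: str) -> str:
    """Unsalted {SHA512}: standard base64 (A-Z a-z 0-9 + /, '=' padding) of the digest."""
    digest = hashlib.sha512(password.encode("utf-8")).digest()
    return "{SHA512}" + base64.b64encode(digest).decode("ascii")


def make_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA512}; passing a fixed salt is only useful for tests."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a password against a {SCHEME}base64 string. validate=True rejects
    any character outside the standard base64 alphabet, so a hash produced with
    the wrong symbol set fails here instead of being silently misread."""
    m = re.fullmatch(r"\{([A-Z0-9-]+)\}(.+)", stored)
    if not m:
        return False
    scheme, encoded = m.group(1), m.group(2)
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:      # bad alphabet or padding (binascii.Error is a ValueError)
        return False
    if scheme == "SHA512":
        expected = hashlib.sha512(password.encode("utf-8")).digest()
        return hmac.compare_digest(expected, raw)
    if scheme == "SSHA512":
        if len(raw) <= DIGEST_LEN:
            return False
        digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
        expected = hashlib.sha512(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(expected, digest)
    return False            # unknown scheme: refuse rather than guess


# A {SCHEME}hash line as doveadm pw prints it, e.g. {SHA512-CRYPT}$6$...
HASH_LINE = re.compile(r"^\{[A-Z0-9.-]+\}\S+$")


def hash_from_doveadm(returncode: int, stdout: str, stderr: str) -> str:
    """Pick the hash out of a finished `doveadm pw` run. The exit status is the
    verdict: a warning on stderr (the unwritable stats-writer socket described
    in the thread) does not turn exit status 0 into a failure."""
    if returncode != 0:
        raise RuntimeError(f"doveadm pw failed ({returncode}): {stderr.strip()}")
    for line in stdout.splitlines():
        line = line.strip()
        if HASH_LINE.match(line):
            return line
    raise RuntimeError("doveadm pw exited 0 but printed no {SCHEME}hash line")


# Constructed sample of the run szatox reports: the hash on stdout, the
# permission complaint on stderr, exit status 0. Hash copied from the thread.
SAMPLE_RUN = {
    "returncode": 0,
    "stdout": "{SHA512-CRYPT}$6$rounds=999999$namQRnMTwPNPGnoz$"
              ".iYBUTsiEICw40g6R1H4N5pDbQvH6ojyDKgT7PKimGDlKafHPwVokB.613i4Ti0UATTI/HKB6jXEpu2mR56Vd1\n",
    "stderr": "Error: net_connect_unix(/run/dovecot/stats-writer) failed: Permission denied\n",
}

if __name__ == "__main__":
    pw = "testit12"     # the throwaway password used in the thread
    for h in (make_sha512(pw), make_ssha512(pw)):
        print(h, verify(pw, h), verify("wrong", h))
    print(hash_from_doveadm(**SAMPLE_RUN))
```

Porting the two make_ functions to PHP is a matter of base64_encode(hash('sha512', $pw . $salt, true) . $salt), since PHP's base64_encode uses the same standard alphabet; the verify function is what a reviewer would compare against Dovecot's acceptance of the stored value. hash_from_doveadm is the rule a wrapper around proc_open should apply: trust the return code and the shape of stdout, not the emptiness of stderr.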
C5ace (Guru; Joined: 23 Dec 2013; Posts: 475; Location: Brisbane, Australia)
Posted: Tue Nov 28, 2023 11:06 am

miket:

Have a look at the manual, installation instructions and source of "ISPConfig"
www.ispconfig.org

They use Dovecot, Postfix and mariadb /mysql.

The installer (ISPConfig-3.2.11p1.tar.gz) contains an unmaintained setup script "/ispconfig3_install/helper_scripts/gentoo_setup.sh" and various Gentoo related php scripts.

I have been running a mail and web server using ISPconfig on a Debian VM for many years. Never had to use Postfixadmin.
_________________
Observation after 30 years working with computers:
All software has known and unknown bugs and vulnerabilities. Especially software written in complex, unstable and object oriented languages such as perl, python, C++, C#, Rust and the likes.
szatox (Advocate; Joined: 27 Aug 2013; Posts: 3203)
Posted: Tue Nov 28, 2023 12:09 pm

Quote:
Postfix with queries in to the database, Dovecot with other queries to the database, Cyrus-SASL (not yet configured) listening on a Unix socket,
First, dovecot and cyrus do the same thing, you're not supposed to use them together, so just have dovecot act as the sasl provider. It is capable of providing a socket for that. In fact, you may have already configured that.

Second, possible workaround to permissions:
Quote:
doveadm -c /dev/null pw -p pass -s SHA512-CRYPT -u myuser -r 999999
Error: net_connect_unix(/run/dovecot/stats-writer) failed: Permission denied
{SHA512-CRYPT}$6$rounds=999999$namQRnMTwPNPGnoz$.iYBUTsiEICw40g6R1H4N5pDbQvH6ojyDKgT7PKimGDlKafHPwVokB.613i4Ti0UATTI/HKB6jXEpu2mR56Vd1

Doveadm wants to read dovecot's config file, even though it doesn't need it to generate a hash.
It does print an error message, but I still got a result, so maybe simply discarding stderr would be good enough.
miket (Guru; Joined: 28 Apr 2007; Posts: 489; Location: Gainesville, FL, USA)
Posted: Tue Nov 28, 2023 6:21 pm

C5ace wrote:
Have a look at the manual, installation instructions and source of "ISPConfig"
www.ispconfig.org

My, that beast sure does a lot. I took a look at the demo for the administrator module and checked out its many functions--but stopped to shudder at how many knobs the program has and hence all the hooks I'd have to configure. I've already made some custom scripts I'm happy with, including for TLS-certificate renewal and configuration of Apache virtual hosts.

The basic reason I went to Linode and not the provider I've been using for years was to be able to use Gentoo and know where everything is. If I had to stick with Debian or Alma (the more commonly available CentOS successor), I'd sure look into ISPConfig. I'm afraid, though, that its 13-year-old Gentoo setup script would need too much updating to be worth the trouble.
miket (Guru; Joined: 28 Apr 2007; Posts: 489; Location: Gainesville, FL, USA)
Posted: Tue Nov 28, 2023 6:23 pm

szatox wrote:
Quote:
Postfix with queries in to the database, Dovecot with other queries to the database, Cyrus-SASL (not yet configured) listening on a Unix socket,
First, dovecot and cyrus do the same thing, you're not supposed to use them together, so just have dovecot act as the sasl provider. It is capable of providing a socket for that. In fact, you may have already configured that.
Oh my. Score another papercut for the guide! It strongly recommends enabling the sasl USE flag, which makes mail-mta/postfix bring in cyrus-sasl as a dependency. I see that the correct route is to use the dovecot-sasl USE flag instead. Good catch!

szatox wrote:
Second, possible workaround to permissions:
Quote:
doveadm -c /dev/null pw -p pass -s SHA512-CRYPT -u myuser -r 999999
Error: net_connect_unix(/run/dovecot/stats-writer) failed: Permission denied
{SHA512-CRYPT}$6$rounds=999999$namQRnMTwPNPGnoz$.iYBUTsiEICw40g6R1H4N5pDbQvH6ojyDKgT7PKimGDlKafHPwVokB.613i4Ti0UATTI/HKB6jXEpu2mR56Vd1

Doveadm wants to read dovecot's config file, even though it doesn't need it to generate a hash.
It does print an error message, but I still got a result, so maybe simply discarding stderr would be good enough.
As I noted in my first post, making Postfixadmin ignore the error message would mean patching the program. It's not a huge patch, but making it would likely make for maintenance woes in the future. I could make a patch and send it upstream, but since they already document a different way to avoid the problem, I suspect they would reject the patch. My sudo workaround avoids both patching the code and granting overwide access to the dovecot group.

There's no getting around making a patch for Roundcube's password plugin, though. I've already checked out the Git repo. Funny thing: among the many hooks available in that plugin, there's one for Dovecot password files. All I need is a mashup between that and the plugin's SQL hook.
C5ace (Guru; Joined: 23 Dec 2013; Posts: 475; Location: Brisbane, Australia)
Posted: Wed Nov 29, 2023 2:56 am

miket wrote:
C5ace wrote:
Have a look at the manual, installation instructions and source of "ISPConfig"
www.ispconfig.org

My, that beast sure does a lot. I took a look at the demo for the administrator module and checked out its many functions--but stopped to shudder at how many knobs the program has and hence all the hooks I'd have to configure. I've already made some custom scripts I'm happy with, including for TLS-certificate renewal and configuration of Apache virtual hosts.

The basic reason I went to Linode and not the provider I've been using for years was to be able to use Gentoo and know where everything is. If I had to stick with Debian or Alma (the more commonly available CentOS successor), I'd sure look into ISPConfig. I'm afraid, though, that its 13-year-old Gentoo setup script would need too much updating to be worth the trouble.


This may be of interest if you want to run a mail server on Gentoo:
https://www.howtoforge.com/build-a-free-full-featured-mail-server-on-gentoo-linux-with-iredmail

I used gentoo/iredmail as mail server in VirtualBox for some time before I switched to debian/ispconfig.