06 July 2009

Dovecot gotchas

A few days ago, the EECS IT staff sent a series of cryptic emails alluding to a recent "security incident." As far as I could tell, someone had a bad password, some baddie's SSH-bot discovered it, said baddie then logged in to discover that they were on a machine with a r00table system, which they then proceeded to r00t. Unfortunately, this was one of the EECS login servers.

I usually use SSH pubkey auth, but I wasn't 100% certain that I had never typed my passwords on an EECS machine that might have had a keylogger installed, so I decided to change them all. At the same time, I thought I might as well fix a long-standing issue with my system: to log into IMAP via SquirrelMail (if I happened to be behind a fascist firewall or a connection too slow for SSH), I had to enter my actual password. Sure, I was using SSL, but it was with a self-signed certificate for which I didn't always have the fingerprint to hand.

So, after reading the wiki (http://wiki.dovecot.org/AuthDatabase/PasswdFile), I thought I'd just comment out the stanza that used PAM for passwords in /etc/dovecot/dovecot.conf and replace it with:

passdb passwd-file {
args = scheme=plain username_format=%n /etc/imap-passwd
}

I populated the /etc/imap-passwd file as described, with

foo:{plain}mypasswd

(You might be sniffing about the use of plaintext passwords. The password has to go in plaintext in my ~/.muttrc anyway, so I didn't care. And anyone who can read the /etc/imap-passwd file or the ~/.muttrc file could also just read the darn emails in ~/Maildir.)

But that didn't work, of course. After setting "auth_debug = yes" and "auth_debug_passwords = yes" in /etc/dovecot/dovecot.conf, I noticed lines like these in the logs:
dovecot: 2009-07-06 07:43:55 Info: auth(default): passwd-file(foo,127.0.0.1): no passwd file: scheme=plain username_format=foo /etc/imap-passwd

Googling that wasn't enormously enlightening, so I tried running strace:

# strace -f -o /tmp/st /usr/sbin/dovecot -F

Be sure to include the -f, or you won't catch the login process (it follows forks, and the login and auth workers are children of the master process). The strace logs indicated that dovecot was failing to find a file called "scheme=plain username_format=foo /etc/imap-passwd": the whole args string was being treated as the filename. Apparently, those passwd-file options weren't supported in whatever version of Dovecot Debian supplied at the time. I've since upgraded to the latest version that Debian provides, but I haven't felt the urge to check if those options are now supported -- I cut back the stanza to this, and it just worked:

passdb passwd-file {
args = /etc/imap-passwd
}
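
The strace step above comes down to finding the syscalls that failed and looking at the path they were given. The script below is an added example, not part of the original post: it parses strace -f output for failed path-based syscalls and flags any "path" that looks like a config string rather than a file (whitespace or "=" in it), which is exactly what the args-as-filename problem looks like in a trace. The trace lines it runs on are constructed to resemble the post's case, not a real capture.

```python
import re

# Constructed sample of "strace -f -o /tmp/st ..." output (pid, then the call).
# These lines are invented for this example; they are not a real capture.
SAMPLE_TRACE = """\
4711  execve("/usr/sbin/dovecot", ["/usr/sbin/dovecot", "-F"], [/* 14 vars */]) = 0
4711  open("/etc/dovecot/dovecot.conf", O_RDONLY) = 3
4712  open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
4715  stat("scheme=plain username_format=foo /etc/imap-passwd", 0x7fff8c0) = -1 ENOENT (No such file or directory)
4715  open("scheme=plain username_format=foo /etc/imap-passwd", O_RDONLY) = -1 ENOENT (No such file or directory)
4715  open("/etc/imap-passwd", O_RDONLY) = 5
4715  open("/var/run/dovecot/login/ssl-parameters.dat", O_RDONLY) = -1 EACCES (Permission denied)
"""

# A path-taking syscall whose quoted first argument we want, followed somewhere
# on the line by "= -1 <ERRNO>" (the failed result strace prints).
_FAILED_ACCESS = re.compile(
    r'^(?P<pid>\d+)\s+(?P<call>open|openat|stat|lstat|access|execve)\('
    r'(?:AT_FDCWD,\s*)?"(?P<path>(?:[^"\\]|\\.)*)".*?'
    r'=\s*-1\s+(?P<errno>E[A-Z]+)'
)


def failed_file_accesses(trace_text):
    """Return (pid, syscall, path, errno) for each failed path-based syscall."""
    hits = []
    for line in trace_text.splitlines():
        m = _FAILED_ACCESS.match(line)
        if m:
            hits.append((m["pid"], m["call"], m["path"], m["errno"]))
    return hits


def suspicious_paths(trace_text):
    """Failed paths that look like an option string, not a filename.

    A real path rarely contains whitespace or '='; a config 'args' value
    that was taken literally as a filename (the post's case) contains both.
    """
    seen = []
    for _pid, _call, path, errno in failed_file_accesses(trace_text):
        if errno == "ENOENT" and (" " in path or "=" in path) and path not in seen:
            seen.append(path)
    return seen


if __name__ == "__main__":
    for pid, call, path, errno in failed_file_accesses(SAMPLE_TRACE):
        print(f"pid {pid}: {call}({path!r}) failed with {errno}")
    for path in suspicious_paths(SAMPLE_TRACE):
        print(f"looks like an option string used as a filename: {path!r}")
```

On a real trace, run it as `python3 trace_check.py < /tmp/st` after changing the entry point to read stdin; the EACCES hit in the sample shows why it is worth listing all failures rather than only ENOENT, since permission problems on Dovecot's own files show up in the same place.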

One bonus tip. While I was messing around with dovecot.conf, I changed the userdb as well. It used to point to the standard password file; I changed it to /etc/imap-passwd, as well, for simplicity's sake. The wiki page suggested that this was possible:

userdb passwd-file {
args = /etc/imap-passwd
}

Then I started getting log messages like this:

dovecot: 2009-07-06 07:51:20 Error: user foo: Logins with UID 0 not permitted

I didn't bother to investigate this -- I just switched back to using /etc/passwd -- but my guess is that since I didn't specify the UID in the /etc/imap-passwd file, Dovecot assumed that it was 0. Oops.
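The two passwd-file problems in this post (a {plain} password field, and an entry with no uid/gid that was then used as a userdb) are both visible by inspecting the file. The following is an added example, not code from the post or from Dovecot: it builds entries in the passwd-file layout documented on the wiki page (user:password:uid:gid:gecos:home:shell:extra_fields), stores the password as {SSHA512} (salted SHA-512, base64(digest + salt), computed here with hashlib under the assumption that your Dovecot version supports that scheme) instead of {plain}, and checks an entry for the pitfalls described above. The usernames, uids and passwords are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

# Field order of a Dovecot passwd-file line (see the wiki page linked above).
FIELDS = ("user", "password", "uid", "gid", "gecos", "home", "shell", "extra")
SCHEME = "{SSHA512}"


def ssha512_hash(password, salt=None):
    """Password field in Dovecot's SSHA512 form: base64(sha512(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(16)  # salt length is free; 16 bytes is plenty
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(field, password):
    """Check a candidate password against a {SSHA512} field (constant-time compare)."""
    if not field.startswith(SCHEME):
        return False
    raw = base64.b64decode(field[len(SCHEME):])
    if len(raw) <= 64:  # must hold a 64-byte digest plus a non-empty salt
        return False
    digest, salt = raw[:64], raw[64:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def make_entry(user, password, uid, gid, home):
    """Build a line usable as both passdb and userdb: hashed password, real uid/gid, home."""
    return f"{user}:{ssha512_hash(password)}:{uid}:{gid}::{home}::"


def parse_entry(line):
    parts = line.rstrip("\n").split(":", len(FIELDS) - 1)
    parts += [""] * (len(FIELDS) - len(parts))  # short lines: missing fields are empty
    return dict(zip(FIELDS, parts))


def check_entry(line, used_as_userdb=True):
    """Return a list of problems with one passwd-file line (empty list = fine)."""
    e = parse_entry(line)
    problems = []
    pw = e["password"]
    if pw.upper().startswith("{PLAIN}"):
        problems.append("password stored in plain text ({plain} scheme)")
    elif not pw.startswith("{"):
        problems.append("no {scheme} prefix: relies on default_pass_scheme")
    if used_as_userdb:
        # As a userdb the entry must also supply who the mail process runs as.
        if not e["uid"] or not e["gid"]:
            problems.append("uid/gid empty: userdb entry needs a numeric uid and gid")
        elif e["uid"] == "0":
            problems.append("uid is 0: Dovecot refuses logins with UID 0")
        if not e["home"]:
            problems.append("home empty: userdb entry has no home directory")
    return problems


if __name__ == "__main__":
    # Constructed sample entries: the post's original line, and a corrected one.
    for line in ("foo:{plain}mypasswd", make_entry("foo", "s3cret", 1001, 1001, "/home/foo")):
        print(line)
        print("  problems:", check_entry(line) or "none")
```

Dovecot ships its own generator for these fields (doveadm pw -s SSHA512, or dovecotpw on the 1.x series), so in practice you would use that to produce the password field and this kind of script only to audit the file; the point of the checker is that an entry meant for both passdb and userdb needs the uid, gid and home fields filled in, not just user and password.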

About Me

blog at barillari dot org Older posts at http://barillari.org/blog