Postfix : root and system user authentication

Tue, 14 Mar 2023 15:46:06 -0700 


Hello everyone,
From what I understand of the documentation, it is impossible to
log in to the dovecot server as root, or as any user not in the interval between first_valid_uid and last_valid_uid. 

I have been able to verify this.
However, when we have a postfix server on the same machine, that delegates authentication to dovecot SASL according to the configuration described at https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/, we can indeed log in as root on the postfix server. 

Proof (/var/log/mail.log with auth=debug) :
Mar 13 20:16:37 ricorambo dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=<redacted>#011rip=<redacted>#011secured#011resp=<hidden> Mar 13 20:16:37 ricorambo dovecot: auth: Debug: pam(root,<redacted>): Performing passdb lookup Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: Module loaded: /usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: conn unix:auth-worker (pid=136444,uid=111): Server accepted connection (fd=13) Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: conn unix:auth-worker (pid=136444,uid=111): Sending version handshake Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: Handling PASSV request Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: pam(root,<redacted>): Performing passdb lookup Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: pam(root,<redacted>): lookup service=dovecot Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: pam(root,<redacted>): #1/1 style=1 msg=Password: Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: pam(root,<redacted>): Finished passdb lookup Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: Finished Mar 13 20:16:37 ricorambo dovecot: auth: Debug: pam(root,<redacted>): Finished passdb lookup Mar 13 20:16:37 ricorambo dovecot: auth: Debug: auth(root,<redacted>): Auth request finished Mar 13 20:16:37 ricorambo dovecot: auth: Debug: client passdb out: OK#0111#011user=root#011
At this moment, the smtps client connecting to postfix produces "Authentication successful" and we can continue.
In contrast, when we try to login to dovecot directly as root, we have the following :
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=<redacted>#011lip=<redacted>#011rip=<redacted>#011lport=993#011rport=52004#011local_name=mail.ricorambo.su#011resp=<hidden> Mar 13 20:28:38 ricorambo dovecot: auth: Debug: pam(root,<redacted>,<redacted>): Performing passdb lookup Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: Module loaded: /usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): Server accepted connection (fd=13) Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): Sending version handshake Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: Handling PASSV request Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: pam(root,<redacted>,<redacted>): Performing passdb lookup Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: pam(root,<redacted>,<redacted>): lookup service=dovecot Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: pam(root,<redacted>,<redacted>): #1/1 style=1 msg=Password: Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: pam(root,<redacted>,<redacted>): Finished passdb lookup Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: Finished Mar 13 20:28:38 ricorambo dovecot: auth: Debug: pam(root,<redacted>,<eU8pHs32JMuE40wF>): Finished passdb lookup Mar 13 20:28:38 ricorambo dovecot: auth: Debug: auth(root,<redacted>,<eU8pHs32JMuE40wF>): Auth request finished Mar 13 20:28:38 ricorambo dovecot: auth: Debug: client passdb out: OK#0111#011user=root#011#011original_user=r...@ricorambo.su Mar 13 20:28:38 ricorambo dovecot: auth: Debug: master in: REQUEST#<redacted> Mar 13 20:28:38 ricorambo dovecot: auth: Debug: passwd(root,<redacted>,<redacted>): Performing userdb lookup Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<2>: Handling USER request Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<2>: passwd(root,<redacted>,<redacted>): Performing userdb lookup Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<2>: passwd(root,<redacted>,<redacted>): lookup Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<2>: passwd(root,<redacted>,<redacted>): Finished userdb lookup Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<2>: Finished Mar 13 20:28:38 ricorambo dovecot: auth: Debug: passwd(root,<redacted>,<redacted>): Finished userdb lookup Mar 13 20:28:38 ricorambo dovecot: auth: Debug: master userdb out: USER#<redacted> Mar 13 20:28:38 ricorambo dovecot: imap-login: Login: user=<root>, method=PLAIN, rip=<redacted>, lip=192.168.1.22, mpid=137090, TLS, session=<redacted> Mar 13 20:28:38 ricorambo dovecot: imap(root): Error: Invalid settings in userdb: userdb returned 0 as uid Mar 13 20:28:38 ricorambo dovecot: imap(root): Warning: Event 0xaaab0e9db2a0 leaked (parent=0xaaab0e9cdc80): mail-storage-service.c:1336 Mar 13 20:28:38 ricorambo dovecot: imap(root): Warning: Event 0xaaab0e9cdc80 leaked (parent=(nil)): main.c:246
At this moment, the imap client produces "Internal server error" and finishes. 

Steps to reproduce :
- Delegate SASL authentication from postfix to dovecot as such :

/etc/postfix/master.cf

smtps     inet  n       -       y       -       -       smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth

and of course :

/etc/dovecot/conf.d/10-master.conf

 unix_listener /var/spool/postfix/private/auth {
  mode = 0660
  user = postfix
  group = postfix
 }

- login to your server, port 465, with a client like openssl :

openssl s_client -connect mail.example.org:465

EHLO whateveryouwant

AUTH PLAIN \0root\0password (in base 64, ofc)
You should be able to login, and produce the first log trace I have included.
My question is, is this a feature or a bug ? The hardcoded impossibility to login as root to dovecot, and the honouring of the variables {first,last}_valid_{u,g}id, are those specific to login to dovecot directly, or should they be applicable to any other process that has delegated its authentication to dovecot ?
If this is a feature, that is if postfix cannot profit from the variables {first,last}_valid_{u,g}id (or the hardcoded forbidding of root) through dovecot sasl : - This should maybe made more obvious somewhere in the documentation. - What would be the good way to prevent root login to postfix, when authentication is delegated to dovecot ? 

The dovecot version is 2.3.13 (89f716dc2)
The system is the following : Linux 5.10.0-21-arm64 #1 SMP Debian 5.10.162-1 (2023-01-21) aarch64 GNU/Linux
Thank you in advance for your time. I have included the output of dovecot -n for reference. 

Best regards,

Aymeric

Attachment: dovecot-report.conf
Description: Binary data

Reply via email to