Re: dovecot passdb driver=checkpassword as external script for block ip

2018-10-18 Thread Sami Ketola


> On 17 Oct 2018, at 20.09, bes  wrote:
> 
> Refer to
> https://dovecot.org/pipermail/dovecot/2015-March/099971.html
> https://wiki.dovecot.org/PasswordDatabase
> I tried to repeat the same thing.
> Set these passdb:
> 
> passdb {
>  args = /myscript.sh ip=%r
>  driver = checkpassword
>  result_failure = return-fail
>  result_success = continue
> }
> passdb {
>  args = /etc/dovecot/dovecot-sql.conf.ext ( my working auth method )
>  driver = sql
> }
> 
> Created executable /myscript.sh:
> #!/bin/sh
> exit 1


While I'm not sure why this does not work, I was wondering if a deny passdb 
would be more efficient to implement this blacklisting, as executing a script on each login 
attempt is awfully slow. 

Instead I would do something like this:

  # check deny passwd for ip address first
  passdb {
    driver = passwd-file
    args = username_format=%r /etc/dovecot/ip-deny-list
    deny = yes
    auth_verbose = no
    result_success = return-fail
  }

and then just create /etc/dovecot/ip-deny-list with one ip address per line.


Sami



Re: dovecot passdb driver=checkpassword as external script for block ip

2018-10-17 Thread bes
After some debugging, I explain that this happens only when the client
authentication method is CRAM-MD5:

dovecot[5553]: auth: Debug:
checkpassword(login,192.168.99.128,<5/TM6XN4QOrAqGOA>): execute:
/myscript.sh ip=192.168.99.128
/usr/libexec/dovecot/checkpassword-reply
dovecot[5553]: auth: Error:
checkpassword(login,192.168.99.128,<5/TM6XN4QOrAqGOA>): Child 7810
exited with status 1
dovecot[5553]: auth-worker(7811): Debug: Loading modules from
directory: /usr/lib/dovecot/auth
dovecot[5553]: auth-worker(7811): Debug: Module loaded:
/usr/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
dovecot[5553]: auth: Debug:
sql(login,192.168.99.128,<5/TM6XN4QOrAqGOA>): Generating CRAM-MD5 from
user 'login', password 'pass'
dovecot[5553]: auth: Debug:
sql(login,192.168.99.128,<5/TM6XN4QOrAqGOA>): Credentials:
39d6bc889c65808c09b87d2081fe2aff4fd1e174ed3a97ac966e67323cba8d7e
dovecot[5553]: auth: Debug: client passdb out: OK  1   user=login

Any other method works correctly and return:

auth: Debug: .  execute: /myscript.sh 
..
auth: checkpassword(login,ip,): Login failed (status=1)
..
auth: Debug: client passdb out: FAIL 1 user=login
On Wed, Oct 17, 2018 at 8:09 PM bes  wrote:
>
> Refer to
> https://dovecot.org/pipermail/dovecot/2015-March/099971.html
> https://wiki.dovecot.org/PasswordDatabase
> I tried to repeat the same thing.
> Set these passdb:
>
> passdb {
>   args = /myscript.sh ip=%r
>   driver = checkpassword
>   result_failure = return-fail
>   result_success = continue
> }
> passdb {
>   args = /etc/dovecot/dovecot-sql.conf.ext ( my working auth method )
>   driver = sql
> }
>
> Created executable /myscript.sh:
> #!/bin/sh
> exit 1
>
> But I saw in the logs:
>
> dovecot[15111]: auth: Error:
> checkpassword(techd...@nestormedia.com,192.168.99.128,):
> Child 15115 exited with status 1
> dovecot[18016]: imap-login: Login: user=[successful login]
>
> Why result_failure=return-fail from first passdb does not work?


dovecot passdb driver=checkpassword as external script for block ip

2018-10-17 Thread bes
Refer to
https://dovecot.org/pipermail/dovecot/2015-March/099971.html
https://wiki.dovecot.org/PasswordDatabase
I tried to repeat the same thing.
Set these passdb:

passdb {
  args = /myscript.sh ip=%r
  driver = checkpassword
  result_failure = return-fail
  result_success = continue
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext ( my working auth method )
  driver = sql
}

Created executable /myscript.sh:
#!/bin/sh
exit 1

But I saw in the logs:

dovecot[15111]: auth: Error:
checkpassword(techd...@nestormedia.com,192.168.99.128,):
Child 15115 exited with status 1
dovecot[18016]: imap-login: Login: user=[successful login]

Why result_failure=return-fail from first passdb does not work?
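
The thread never shows what a complete IP-blocking checkpassword script looks like, so here is one as an added example. It is not code from bes, Sami or the Dovecot project, and it does not change the CRAM-MD5 behaviour reported above; it only fills in the script the original passdb (`args = /myscript.sh ip=%r`, `result_success = continue`) was calling. Assumptions, all labelled in the comments: Dovecot appends the path of the checkpassword-reply binary as the last argument and passes the credentials on fd 3; the deny list is the same one-IP-per-line file Sami proposes (`/etc/dovecot/ip-deny-list`, overridable through the hypothetical `DENY_LIST` environment variable); `ip_denied` and `parse_ip` are names chosen here.

```sh
#!/bin/sh
# Added example checkpassword script for Dovecot (not from the thread).
#
# Checkpassword protocol as assumed here:
#   - Dovecot runs:  <script> [extra passdb args] <checkpassword-reply>
#     i.e. with "args = /myscript.sh ip=%r" argv is: ip=<remote ip> <reply-binary>
#   - username\0password\0timestamp\0 arrive on fd 3
#   - on success the script must exec the reply binary (which exits 0);
#     exit 1 means "authentication failed", exit 111 means "temporary failure"

# ip_denied IP FILE: succeed (exit 0) when IP is an exact line in FILE.
# -x forces whole-line match so 192.168.99.1 does not match 192.168.99.128,
# -F treats the address literally (no regex dots), -- guards odd arguments.
# A missing or unreadable list denies nobody; swap the "return 1" for
# "return 111" if you prefer to fail closed with a temporary error.
ip_denied() {
    ip=$1
    list=$2
    [ -r "$list" ] || return 1
    grep -qxF -- "$ip" "$list"
}

# parse_ip ARGS...: print the value of the first "ip=<addr>" argument,
# fail when none is present (misconfigured passdb args).
parse_ip() {
    for arg in "$@"; do
        case $arg in
            ip=*) printf '%s\n' "${arg#ip=}"; return 0 ;;
        esac
    done
    return 1
}

# Only act as a checkpassword script when Dovecot actually passed arguments;
# with no arguments the file just defines the functions above.
if [ $# -gt 0 ]; then
    # The reply binary is always the last argument (assumption stated above).
    for reply in "$@"; do :; done

    ip=$(parse_ip "$@") || {
        echo "checkpassword: no ip= argument, check passdb args" >&2
        exit 111
    }

    # Consume the credentials on fd 3 without ever putting the password into
    # a variable, argument or log line; this script decides on the IP alone.
    cat <&3 >/dev/null 2>&1 || true

    if ip_denied "$ip" "${DENY_LIST:-/etc/dovecot/ip-deny-list}"; then
        exit 1
    fi

    # Not denied: hand back to Dovecot, which then applies result_success
    # (continue, in the original configuration) and moves on to the sql passdb.
    exec "$reply"
fi
```

Keep in mind Sami's point: Dovecot forks this script for every login attempt, so the passwd-file deny passdb he shows is the cheaper way to get the same effect, and the deny list file format above (one address per line) is deliberately the one he describes so the two approaches can share it.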