Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
M
mailinabox
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Administrator
mailinabox
Commits
1f0345fe
Commit
1f0345fe
authored
Nov 30, 2014
by
Joshua Tauberer
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
replace Dovecot authentication (formerly an sql query) with a call to our management daemon
parent
7e05d747
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
93 additions
and
16 deletions
+93
-16
dovecot-checkpassword.py
conf/dovecot-checkpassword.py
+53
-0
mail-users.sh
setup/mail-users.sh
+40
-16
No files found.
conf/dovecot-checkpassword.py
0 → 100644
View file @
1f0345fe
#!/usr/bin/python3
#
# This script implement's Dovecot's checkpassword authentication mechanism:
# http://wiki2.dovecot.org/AuthDatabase/CheckPassword?action=show&redirect=PasswordDatabase%2FCheckPassword
#
# This allows us to perform our own password validation, such as for two-factor authentication,
# which Dovecot does not have any native support for.
#
# We will issue an HTTP request to our management server to perform authentication.
import
sys
,
os
,
urllib
.
request
,
base64
,
json
,
traceback
try
:
# Read fd 3 which provides the username and password separated
# by NULLs and two other undocumented/empty fields.
creds
=
b
''
while
True
:
b
=
os
.
read
(
3
,
1024
)
if
len
(
b
)
==
0
:
break
creds
+=
b
email
,
pw
,
dummy
,
dummy
=
creds
.
split
(
b
'
\x00
'
)
# Call the management server's "/me" method with the
# provided credentials
req
=
urllib
.
request
.
Request
(
'http://127.0.0.1:10222/me'
)
req
.
add_header
(
b
'Authorization'
,
b
'Basic '
+
base64
.
b64encode
(
email
+
b
':'
+
pw
))
response
=
urllib
.
request
.
urlopen
(
req
)
# The response is always success and always a JSON object
# indicating the authentication result.
resp
=
response
.
read
()
.
decode
(
'utf8'
)
resp
=
json
.
loads
(
resp
)
if
not
isinstance
(
resp
,
dict
):
raise
ValueError
(
"Response is not a JSON object."
)
except
:
# Handle all exceptions. Print what happens (ends up in syslog, thanks
# to dovecot) and return an exit status that indicates temporary failure,
# which is passed on to the authenticating client.
traceback
.
print_exc
()
print
(
json
.
dumps
(
dict
(
os
.
environ
),
indent
=
2
),
file
=
sys
.
stderr
)
sys
.
exit
(
111
)
if
resp
.
get
(
'status'
)
!=
'authorized'
:
# Indicates login failure.
# (sys.exit should not be inside the try block.)
sys
.
exit
(
1
)
# Signal ok by executing the indicated process, per the Dovecot
# protocol. (Note that the second parameter is the 0th argument
# to the called process, which is required and is typically the
# file itself.)
os
.
execl
(
sys
.
argv
[
1
],
sys
.
argv
[
1
])
setup/mail-users.sh
View file @
1f0345fe
...
...
@@ -26,31 +26,55 @@ fi
# ### User Authentication
#
Have Dovecot query our database, and not system users, for authentication.
sed
-i
"s/#*
\(\!
include auth-system.conf.ext
\)
/#
\1
/"
/etc/dovecot/conf.d/10-auth.conf
sed
-i
"s/#
\(\!
include auth-sql.conf.ext
\)
/
\1
/"
/etc/dovecot/conf.d/10-auth.conf
#
Disable all of the built-in authentication mechanisms. (We formerly uncommented
# a line to include auth-sql.conf.ext but we no longer use that.)
sed
-i
"s/#
*
\(\!
include auth-.*.conf.ext
\)
/#
\1
/"
/etc/dovecot/conf.d/10-auth.conf
# Specify how the database is to be queried for user authentication (passdb)
# and where user mailboxes are stored (userdb).
cat
>
/etc/dovecot/conf.d/auth-sql.conf.ext
<<
EOF
;
# Legacy: Delete our old sql conf files.
rm
-f
/etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
# Specify how Dovecot should perform user authentication (passdb) and how it knows
# where user mailboxes are stored (userdb).
#
# For passwords, we would normally have Dovecot query our mail user database
# directly. The way to do that is commented out below. Instead, in order to
# provide our own authentication framework so we can handle two-factor auth,
# we will use a custom system that hooks into the Mail-in-a-Box management daemon.
#
# The user part of this is standard. The mailbox path and Unix system user are the
# same for all mail users, modulo string substitution for the mailbox path that
# Dovecot handles.
cat
>
/etc/dovecot/conf.d/10-auth-mailinabox.conf
<<
EOF
;
passdb {
driver =
sql
args = /
etc/dovecot/dovecot-sql.conf.ext
driver =
checkpassword
args = /
usr/local/bin/dovecot-checkpassword
}
userdb {
driver = static
args = uid=mail gid=mail home=
$STORAGE_ROOT
/mail/mailboxes/%d/%n
}
EOF
chmod
0600 /etc/dovecot/conf.d/10-auth-mailinabox.conf
# Configure the SQL to query for a user's password.
cat
>
/etc/dovecot/dovecot-sql.conf.ext
<<
EOF
;
driver = sqlite
connect =
$db_path
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM users WHERE email='%u';
EOF
chmod
0600 /etc/dovecot/dovecot-sql.conf.ext
# per Dovecot instructions
# Copy dovecot-checkpassword into place.
cp
conf/dovecot-checkpassword.py /usr/local/bin/dovecot-checkpassword
chown
dovecot.dovecot /usr/local/bin/dovecot-checkpassword
chmod
700 /usr/local/bin/dovecot-checkpassword
# If we were having Dovecot query our database directly, which we did
# originally, `/etc/dovecot/conf.d/10-auth-mailinabox.conf` would say:
#
# passdb {
# driver = sql
# args = /etc/dovecot/dovecot-sql.conf.ext
# }
#
# and then `/etc/dovecot/dovecot-sql.conf.ext` (chmod 0600) would contain:
#
# driver = sqlite
# connect = $db_path
# default_pass_scheme = SHA512-CRYPT
# password_query = SELECT email as user, password FROM users WHERE email='%u';
# Have Dovecot provide an authorization service that Postfix can access & use.
cat
>
/etc/dovecot/conf.d/99-local-auth.conf
<<
EOF
;
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment