Archive-Team
/
docker-mailserver
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: Dovecot PassDB should restrict allowed auth mechanisms 

This prevents PassDBs incompatible with certain auth mechanisms from logging failures which accidentally triggers Fail2Ban.

Instead only allow the PassDB to be authenticated against when it's compatible with the auth mechanism used.
This commit is contained in:
polarathene 2024-01-23 17:47:26 +13:00
parent 315f33c9fe
commit 80809c67ad
4 changed files with 33 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
target/dovecot/auth-ldap.conf.ext Normal file
View File

@ -0,0 +1,21 @@
# NOTE: This is effectively the same default LDAP config shipped by Dovecot
# The only difference is the addition of the passdb mechanisms field,
# which restricts what auth mechanisms are supported / expected.
# This prevents unnecessary auth failure logs triggering Fail2Ban when
# additional passdb are enabled (OAuth2).
passdb {
driver = ldap
mechanism = plain login
# Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
# Default fields can be used to specify defaults that LDAP may override
#default_fields = home=/home/virtual/%u
}

7
target/dovecot/auth-oauth2.conf.ext
View File

@ -1,5 +1,12 @@
# Allow clients to use these additional mechanisms:
auth_mechanisms = $auth_mechanisms oauthbearer xoauth2 auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
# Dovecot docs consider the oauth2 driver as a "success/failure" type PassDB:
# https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/#success-failure-database
# Which implies it cannot be configured for the non-plaintext SASL mechanisms listed here:
# https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/#dovecot-supports-the-following-non-plaintext-mechanisms
# However that is not the case, these mechanisms are still valid to prevent trying other incompatible mechanisms (like `plain`).
passdb { passdb {
driver = oauth2 driver = oauth2
mechanisms = xoauth2 oauthbearer mechanisms = xoauth2 oauthbearer

1
target/dovecot/auth-passwdfile.inc
View File

@ -9,6 +9,7 @@
passdb { passdb {
driver = passwd-file driver = passwd-file
mechanisms = plain login
args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/userdb args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/userdb
} }

4
test/tests/serial/mail_with_oauth2.bats
View File

@ -75,4 +75,8 @@ function __verify_successful_login() {
_run_in_container grep 'dovecot:' /var/log/mail.log _run_in_container grep 'dovecot:' /var/log/mail.log
refute_output --partial 'oauth2 failed: Introspection failed' refute_output --partial 'oauth2 failed: Introspection failed'
assert_output --partial "dovecot: imap-login: Login: user=<user1@localhost.localdomain>, method=${AUTH_METHOD}" assert_output --partial "dovecot: imap-login: Login: user=<user1@localhost.localdomain>, method=${AUTH_METHOD}"
# If another PassDB is enabled, it should not have been attempted with the XOAUTH2 / OAUTHBEARER mechanisms:
# dovecot: auth: passwd-file(john.doe@example.test,127.0.0.1): Password mismatch (SHA1 of given password: d390c1) - trying the next passdb
refute_output --partial 'trying the next passdb'
} }