Master User

Last updated: 2019-07-31


Dovecot-2

Login format:

user@domain*masteruser

Remark

* The users in the master passdb cannot log in as themselves, only as other people. (So the master user does not need to exist in the userdb.)
* ACLs are a problem when logged in as a master user (can be worked around with post-login scripting).

Configuration:

(Note: the auth default { passdb sql { ... } } block form below is Dovecot 1.x syntax; Dovecot 2.x writes the same settings as top-level passdb { driver = ... } and userdb { driver = ... } blocks.)

# Must come before the auth block, otherwise you get:
# Dec 27 10:52:44 myserver dovecot: auth(default): plain(?,127.0.0.1): Username contains disallowed character: 0x2a
# (0x2a is '*': without this setting the separator is just an illegal character in a user name)
auth_master_user_separator = *

auth default {
  ...............
  passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  userdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }

# master user:
  passdb passwd-file {
    args = /etc/dovecot/passwd.masterusers

    # marks this passdb as the master user DB
    master = yes

    # Dovecot verifies that the login user really exists before allowing the master user to log in
    # pass=yes doesn't work with PAM or LDAP (newer Dovecot 2.x configs spell this result_success = continue)
    pass = yes
  }
  ...............
}

Create the master user password file:

cd /etc/dovecot/

touch passwd.masterusers

chown vmail:vmail passwd.masterusers         # owned by the Dovecot user and group (whatever user your auth process runs as must be able to read it)

chmod 400 passwd.masterusers                 # it holds password hashes; nobody else should be able to read it

Old method (htpasswd -s stores an unsalted SHA-1 of the password; Dovecot accepts it, but prefer the salted scheme below):

htpasswd  -s  passwd.masterusers  masteruser  password

cat passwd.masterusers

masteruser:{SHA1}nU4eI71?????qeO0t9tXvY1u5oQ=

New method (Dovecot 2.x; it prompts for the password and prints the hash, which you then append to the file as masteruser:<hash>):

doveadm pw -s SSHA512
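
The following is an added example, not code from the page or from Dovecot: it reproduces the {SSHA512} scheme that doveadm pw -s SSHA512 emits, base64(sha512(password + salt) + salt), writes a passwd-file entry with the file created read-only for its owner from the first write, and verifies a login against it the way the passwd-file passdb would. The function names, the sample user and the sample password are this example's own assumptions.

```python
"""Dovecot-compatible {SSHA512} hashes for a passwd-file of master users.

Added example (not from the page or from Dovecot itself). The stored form is
'{SSHA512}' + base64(sha512(password + salt) + salt); the salt is whatever
follows the 64-byte digest, so its length is not fixed by the format.
"""
import base64
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Optional, Tuple

SCHEME = "{SSHA512}"
DIGEST_LEN = hashlib.sha512().digest_size   # 64 bytes
SALT_LEN = 16                               # this example's choice


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA512}' + base64(sha512(password + salt) + salt)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def split_ssha512(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Decode a stored value into (digest, salt); None if it is not a valid {SSHA512} entry."""
    if not stored.startswith(SCHEME):
        return None
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:              # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= DIGEST_LEN:      # there must be at least one salt byte
        return None
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha512_verify(password: str, stored: str) -> bool:
    parts = split_ssha512(stored)
    if parts is None:
        return False
    digest, salt = parts
    expected = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)   # constant-time comparison


def passwd_file_line(user: str, password: str) -> str:
    """passwd-file entry; a master user needs only the user and password fields."""
    if ":" in user or "*" in user or any(c.isspace() for c in user):
        raise ValueError("user must not contain ':', '*' (the master separator) or whitespace")
    return f"{user}:{ssha512_hash(password)}"


def write_master_passwd(path: str, entries) -> None:
    """Create the file with mode 0600 on the first write: no window where others can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        for user, password in entries:
            f.write(passwd_file_line(user, password) + "\n")


def check_login(path: str, user: str, password: str) -> bool:
    """Look the user up in the file and verify the password, as the passwd-file passdb would."""
    with open(path, encoding="utf-8") as f:
        for line in f:
            name, _, rest = line.rstrip("\n").partition(":")
            if name == user:
                stored = rest.split(":", 1)[0]   # ignore trailing uid/gid/home/... fields if present
                return ssha512_verify(password, stored)
    return False


def roundtrip_in_tempdir(user: str = "masteruser", password: str = "correct horse") -> dict:
    """Write a one-entry file in a temp dir and report the checks a reviewer would run."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "passwd.masterusers")
        write_master_passwd(path, [(user, password)])
        return {
            "mode": oct(os.stat(path).st_mode & 0o777),
            "good_password": check_login(path, user, password),
            "bad_password": check_login(path, user, password + "x"),
            "unknown_user": check_login(path, "nobody", password),
        }


if __name__ == "__main__":
    print(passwd_file_line("masteruser", "correct horse"))   # paste into passwd.masterusers
    print(roundtrip_in_tempdir())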

Debug:

mail_debug = yes
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes     # logs the passwords themselves in clear text: enable only while debugging and turn it off again afterwards

Remark

auth_verbose = yes is needed before master logins show up in the log (whether the login succeeds or not):

Dec 27 10:58:26 myserver dovecot: auth(default): passwd-file(postmaster,127.0.0.1,master): lookup: user=masteruser file=/etc/dovecot/passwd.masterusers
Dec 27 10:58:26 myserver dovecot: auth(default): passdb(postmaster,127.0.0.1,master): Master user logging in as test@myserver.com.hk

A normal failed login only shows:

Dec 27 11:04:32 myserver dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<masteruser>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
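
Because a master login is a full takeover of someone else's mailbox, the lines above are worth alerting on rather than just debugging with. The following is an added example (not from the page or from Dovecot) that scans such log lines: successful "Master user logging in as" events are always reported, and are raised to high severity when they come from anywhere other than a trusted host list; failed logins whose user name carries the '*' separator, or equals a known master user name, are reported as attempts against the master account. The sample log is constructed in the format the page shows (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges), and the separator, the trusted-IP set and the master-user set are this example's assumptions.

```python
"""Spot master-user logins and master-login failures in Dovecot auth logs.

Added example, not from the page or from Dovecot: the log sample is constructed
in the format the page shows (auth_verbose = yes), the separator must match
auth_master_user_separator, and the trusted hosts / known masters are assumptions.
"""
import re
from typing import Dict, Iterable, List, Set

SEPARATOR = "*"   # must match auth_master_user_separator

# Constructed sample in the page's log format (not real server output).
SAMPLE_LOG = """\
Dec 27 10:58:26 myserver dovecot: auth(default): passwd-file(masteruser,127.0.0.1,master): lookup: user=masteruser file=/etc/dovecot/passwd.masterusers
Dec 27 10:58:26 myserver dovecot: auth(default): passdb(masteruser,127.0.0.1,master): Master user logging in as test@myserver.com.hk
Dec 27 11:04:32 myserver dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<masteruser>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Dec 27 11:09:10 myserver dovecot: auth(default): passdb(masteruser,203.0.113.7,master): Master user logging in as boss@myserver.com.hk
Dec 27 11:10:02 myserver dovecot: imap-login: Aborted login (auth failed, 3 attempts): user=<boss@myserver.com.hk*masteruser>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5
Dec 27 11:11:00 myserver dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<alice@myserver.com.hk>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.5
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"

# "passdb(<master>,<rip>,master): Master user logging in as <target>" (auth_verbose = yes)
MASTER_OK = re.compile(
    TS + r" \S+ dovecot: auth(?:\([^)]*\))?: passdb\((?P<master>[^,]*),(?P<rip>[^,]*),master\): "
    r"Master user logging in as (?P<target>\S+)$"
)
# imap-login / pop3-login failure line; the user field is whatever the client sent
LOGIN_FAIL = re.compile(
    TS + r" \S+ dovecot: \S+-login: Aborted login \(auth failed, (?P<attempts>\d+) attempts?\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[^,\s]+)"
)


def scan(lines: Iterable[str], known_masters: Set[str], trusted_ips: Set[str]) -> List[Dict]:
    """Return one alert dict per master-related event, in log order."""
    alerts: List[Dict] = []
    for line in lines:
        line = line.rstrip("\n")
        m = MASTER_OK.match(line)
        if m:
            alerts.append({
                "ts": m["ts"], "kind": "master_login", "master": m["master"],
                "target": m["target"], "rip": m["rip"], "attempts": 1,
                # master logins are expected only from the trusted hosts (e.g. the webmail box)
                "severity": "info" if m["rip"] in trusted_ips else "high",
            })
            continue
        m = LOGIN_FAIL.match(line)
        if not m:
            continue
        # "user@domain*master" -> someone used the master login form; a bare known master
        # name is also a master attempt; anything else is an ordinary failed login
        login_user, sep, master = m["user"].rpartition(SEPARATOR)
        if not sep and master not in known_masters:
            continue
        attempts = int(m["attempts"])
        alerts.append({
            "ts": m["ts"], "kind": "master_auth_failed", "master": master,
            "target": login_user or None, "rip": m["rip"], "attempts": attempts,
            "severity": "high" if m["rip"] not in trusted_ips or attempts > 1 else "medium",
        })
    return alerts


def scan_text(text: str, known_masters: Set[str], trusted_ips: Set[str]) -> List[Dict]:
    return scan(text.splitlines(), known_masters, trusted_ips)


def high_severity(alerts: List[Dict]) -> List[Dict]:
    return [a for a in alerts if a["severity"] == "high"]


if __name__ == "__main__":
    for a in scan_text(SAMPLE_LOG, {"masteruser"}, {"127.0.0.1"}):
        print(a["severity"].upper(), a["ts"], a["kind"], a["master"], "->", a["target"], "from", a["rip"])
```

The lookup line (passwd-file(...): lookup: user=...) is deliberately ignored: it only says the master passdb was consulted, while the passdb(...) line says the master authentication actually succeeded. To use this on a real server, feed it the mail log (or journalctl -u dovecot output) and replace the sample sets with your own master names and the addresses you expect master logins from.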


Multiple Authentication Databases

* Passdbs are tried in the order listed: if the password doesn't match in the first database (or the user isn't found there), Dovecot checks the next one.

e.g.

auth default {

  # try to authenticate using SQL database first
  passdb sql {
    args = /etc/dovecot-sql.conf
  }

  # fallback to PAM
  passdb pam {
  }

  # look up users from SQL first (even if authentication was done using PAM!)
  userdb sql {
    args = /etc/dovecot-sql.conf
  }

  # if not found, fallback to /etc/passwd
  userdb passwd {
  }
}

* Currently the fallback works only with the PLAIN authentication mechanism.

Dovecot-1


DOC

    Dovecot-2: http://wiki2.dovecot.org/Authentication/MasterUsers
    Dovecot-1: http://wiki1.dovecot.org/Authentication/MasterUsers