# Number of seconds to delay before replying to failed authentications.
#auth_failure_delay = 2
-auth default {
- # Space separated list of wanted authentication mechanisms:
- # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
- # gss-spnego
- # NOTE: See also disable_plaintext_auth setting.
- auth_mechanisms = plain
+# Require a valid SSL client certificate or the authentication fails.
+#auth_ssl_require_client_cert = no
+# Take the username from client's SSL certificate, using
+# X509_NAME_get_text_by_NID() which returns the subject's DN's
+# CommonName.
+#auth_ssl_username_from_cert = no
+
+# Space separated list of wanted authentication mechanisms:
+# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
+# gss-spnego
+# NOTE: See also disable_plaintext_auth setting.
+auth_mechanisms = plain
+
+##
+## Password databases
+##
+
+#
+# Password database is used to verify user's password (and nothing more).
+# You can have multiple passdbs and userdbs. This is useful if you want to
+# allow both system users (/etc/passwd) and virtual users to login without
+# duplicating the system users into virtual database.
+#
+# <doc/wiki/PasswordDatabase.txt>
+#
+# By adding master=yes setting inside a passdb you make the passdb a list
+# of "master users", who can log in as anyone else. Unless you're using PAM,
+# you probably still want the destination user to be looked up from passdb
+# that it really exists. This can be done by adding pass=yes setting to the
+# master passdb. <doc/wiki/Authentication.MasterUsers.txt>
+
+# Users can be temporarily disabled by adding a passdb with deny=yes.
+# If the user is found from that database, authentication will fail.
+# The deny passdb should always be specified before others, so it gets
+# checked first. Here's an example:
+
+#passdb passwd-file {
+ # File contains a list of usernames, one per line
+ #args = /etc/dovecot.deny
+ #deny = yes
+#}
+
+# PAM authentication. Preferred nowadays by most systems.
+# Note that PAM can only be used to verify if user's password is correct,
+# so it can't be used as userdb. If you don't want to use a separate user
+# database (passwd usually), you can use static userdb.
+# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
+# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
+passdb pam {
+ # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
+ # [cache_key=<key>] [<service name>]
+ #
+ # session=yes makes Dovecot open and immediately close PAM session. Some
+ # PAM plugins need this to work, such as pam_mkhomedir.
+ #
+ # setcred=yes makes Dovecot establish PAM credentials if some PAM plugins
+ # need that. They aren't ever deleted though, so this isn't enabled by
+ # default.
#
- # Password database is used to verify user's password (and nothing more).
- # You can have multiple passdbs and userdbs. This is useful if you want to
- # allow both system users (/etc/passwd) and virtual users to login without
- # duplicating the system users into virtual database.
+ # max_requests specifies how many PAM lookups to do in one process before
+ # recreating the process. The default is 100, because many PAM plugins
+ # leak memory.
#
- # <doc/wiki/PasswordDatabase.txt>
+ # cache_key can be used to enable authentication caching for PAM
+ # (auth_cache_size also needs to be set). It isn't enabled by default
+ # because PAM modules can do all kinds of checks besides checking password,
+ # such as checking IP address. Dovecot can't know about these checks
+ # without some help. cache_key is simply a list of variables (see
+ # doc/wiki/Variables.txt) which must match for the cached data to be used.
+ # Here are some examples:
+ # %u - Username must match. Probably sufficient for most uses.
+ # %u%r - Username and remote IP address must match.
+ # %u%s - Username and service (ie. IMAP, POP3) must match.
+ #
+ # The service name can contain variables, for example %Ls expands to
+ # pop3 or imap.
#
- # By adding master=yes setting inside a passdb you make the passdb a list
- # of "master users", who can log in as anyone else. Unless you're using PAM,
- # you probably still want the destination user to be looked up from passdb
- # that it really exists. This can be done by adding pass=yes setting to the
- # master passdb. <doc/wiki/Authentication.MasterUsers.txt>
-
- # Users can be temporarily disabled by adding a passdb with deny=yes.
- # If the user is found from that database, authentication will fail.
- # The deny passdb should always be specified before others, so it gets
- # checked first. Here's an example:
-
- #passdb passwd-file {
- # File contains a list of usernames, one per line
- #args = /etc/dovecot.deny
- #deny = yes
- #}
-
- # PAM authentication. Preferred nowadays by most systems.
- # Note that PAM can only be used to verify if user's password is correct,
- # so it can't be used as userdb. If you don't want to use a separate user
- # database (passwd usually), you can use static userdb.
- # REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
- # authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
- passdb pam {
- # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
- # [cache_key=<key>] [<service name>]
- #
- # session=yes makes Dovecot open and immediately close PAM session. Some
- # PAM plugins need this to work, such as pam_mkhomedir.
- #
- # setcred=yes makes Dovecot establish PAM credentials if some PAM plugins
- # need that. They aren't ever deleted though, so this isn't enabled by
- # default.
- #
- # max_requests specifies how many PAM lookups to do in one process before
- # recreating the process. The default is 100, because many PAM plugins
- # leak memory.
- #
- # cache_key can be used to enable authentication caching for PAM
- # (auth_cache_size also needs to be set). It isn't enabled by default
- # because PAM modules can do all kinds of checks besides checking password,
- # such as checking IP address. Dovecot can't know about these checks
- # without some help. cache_key is simply a list of variables (see
- # doc/wiki/Variables.txt) which must match for the cached data to be used.
- # Here are some examples:
- # %u - Username must match. Probably sufficient for most uses.
- # %u%r - Username and remote IP address must match.
- # %u%s - Username and service (ie. IMAP, POP3) must match.
- #
- # The service name can contain variables, for example %Ls expands to
- # pop3 or imap.
- #
- # Some examples:
- # args = session=yes %Ls
- # args = cache_key=%u dovecot
- #args = dovecot
- }
-
- # System users (NSS, /etc/passwd, or similiar)
- # In many systems nowadays this uses Name Service Switch, which is
- # configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
- #passdb passwd {
- # [blocking=yes] - See userdb passwd for explanation
- #args =
- #}
-
- # Shadow passwords for system users (NSS, /etc/shadow or similiar).
- # Deprecated by PAM nowadays.
- # <doc/wiki/PasswordDatabase.Shadow.txt>
- #passdb shadow {
- # [blocking=yes] - See userdb passwd for explanation
- #args =
- #}
-
- # PAM-like authentication for OpenBSD.
- # <doc/wiki/PasswordDatabase.BSDAuth.txt>
- #passdb bsdauth {
- # [cache_key=<key>] - See cache_key in PAM for explanation.
- #args =
- #}
-
- # passwd-like file with specified location
- # <doc/wiki/AuthDatabase.PasswdFile.txt>
- #passdb passwd-file {
- # [scheme=<default password scheme>] [username_format=<format>]
- # <Path for passwd-file>
- #args =
- #}
-
- # checkpassword executable authentication
- # NOTE: You will probably want to use "userdb prefetch" with this.
- # <doc/wiki/AuthDatabase.CheckPassword.txt>
- #passdb checkpassword {
- # Path for checkpassword binary
- #args =
- #}
-
- # SQL database <doc/wiki/AuthDatabase.SQL.txt>
- #passdb sql {
- # Path for SQL configuration file, see doc/dovecot-sql-example.conf
- #args =
- #}
-
- # LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
- #passdb ldap {
- # Path for LDAP configuration file, see doc/dovecot-ldap-example.conf
- #args =
- #}
-
- # vpopmail authentication <doc/wiki/AuthDatabase.VPopMail.txt>
- #passdb vpopmail {
- # [cache_key=<key>] - See cache_key in PAM for explanation.
- # [quota_template=<template>] - %q expands to Maildir++ quota
- # (eg. quota_template=quota_rule=*:backend=%q)
- #args =
- #}
+ # Some examples:
+ # args = session=yes %Ls
+ # args = cache_key=%u dovecot
+ #args = dovecot
+}
+
+# System users (NSS, /etc/passwd, or similiar)
+# In many systems nowadays this uses Name Service Switch, which is
+# configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
+#passdb passwd {
+ # [blocking=yes] - See userdb passwd for explanation
+ #args =
+#}
+
+# Shadow passwords for system users (NSS, /etc/shadow or similiar).
+# Deprecated by PAM nowadays.
+# <doc/wiki/PasswordDatabase.Shadow.txt>
+#passdb shadow {
+ # [blocking=yes] - See userdb passwd for explanation
+ #args =
+#}
+
+# PAM-like authentication for OpenBSD.
+# <doc/wiki/PasswordDatabase.BSDAuth.txt>
+#passdb bsdauth {
+ # [cache_key=<key>] - See cache_key in PAM for explanation.
+ #args =
+#}
+
+# passwd-like file with specified location
+# <doc/wiki/AuthDatabase.PasswdFile.txt>
+#passdb passwd-file {
+ # [scheme=<default password scheme>] [username_format=<format>]
+ # <Path for passwd-file>
+ #args =
+#}
+
+# checkpassword executable authentication
+# NOTE: You will probably want to use "userdb prefetch" with this.
+# <doc/wiki/AuthDatabase.CheckPassword.txt>
+#passdb checkpassword {
+ # Path for checkpassword binary
+ #args =
+#}
+
+# SQL database <doc/wiki/AuthDatabase.SQL.txt>
+#passdb sql {
+ # Path for SQL configuration file, see doc/dovecot-sql-example.conf
+ #args =
+#}
+
+# LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
+#passdb ldap {
+ # Path for LDAP configuration file, see doc/dovecot-ldap-example.conf
+ #args =
+#}
+# vpopmail authentication <doc/wiki/AuthDatabase.VPopMail.txt>
+#passdb vpopmail {
+ # [cache_key=<key>] - See cache_key in PAM for explanation.
+ # [quota_template=<template>] - %q expands to Maildir++ quota
+ # (eg. quota_template=quota_rule=*:backend=%q)
+ #args =
+#}
+
+##
+## User databases
+##
+
+#
+# User database specifies where mails are located and what user/group IDs
+# own them. For single-UID configuration use "static".
+#
+# <doc/wiki/UserDatabase.txt>
+#
+
+# "prefetch" user database means that the passdb already provided the
+# needed information and there's no need to do a separate userdb lookup.
+# This can be made to work with SQL and LDAP databases, see their example
+# configuration files for more information how to do it.
+# <doc/wiki/UserDatabase.Prefetch.txt>
+#userdb prefetch {
+#}
+
+# System users (NSS, /etc/passwd, or similiar). In many systems nowadays this
+# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
+# <doc/wiki/AuthDatabase.Passwd.txt>
+userdb passwd {
+ # [blocking=yes] - By default the lookups are done in the main dovecot-auth
+ # process. This setting causes the lookups to be done in auth worker
+ # proceses. Useful with remote NSS lookups that may block.
+ # NOTE: Be sure to use this setting with nss_ldap or users might get
+ # logged in as each others!
+ #args =
+}
+
+# passwd-like file with specified location
+# <doc/wiki/AuthDatabase.PasswdFile.txt>
+#userdb passwd-file {
+ # [username_format=<format>] <Path for passwd-file>
+ #args =
+#}
+
+# checkpassword executable user database lookup
+# <doc/wiki/AuthDatabase.CheckPassword.txt>
+#userdb checkpassword {
+ # Path for checkpassword binary
+ #args =
+#}
+
+# static settings generated from template <doc/wiki/UserDatabase.Static.txt>
+#userdb static {
+ # Template for the fields. Can return anything a userdb could normally
+ # return. For example:
#
- # User database specifies where mails are located and what user/group IDs
- # own them. For single-UID configuration use "static".
+ # args = uid=500 gid=500 home=/var/mail/%u
#
- # <doc/wiki/UserDatabase.txt>
+ # If you use deliver, it needs to look up users only from the userdb. This
+ # of course doesn't work with static because there is no list of users.
+ # Normally static userdb handles this by doing a passdb lookup. This works
+ # with most passdbs, with PAM being the most notable exception. If you do
+ # the user verification another way, you can add allow_all_users=yes to
+ # the args in which case the passdb lookup is skipped.
#
+ #args =
+#}
- # "prefetch" user database means that the passdb already provided the
- # needed information and there's no need to do a separate userdb lookup.
- # This can be made to work with SQL and LDAP databases, see their example
- # configuration files for more information how to do it.
- # <doc/wiki/UserDatabase.Prefetch.txt>
- #userdb prefetch {
- #}
-
- # System users (NSS, /etc/passwd, or similiar). In many systems nowadays this
- # uses Name Service Switch, which is configured in /etc/nsswitch.conf.
- # <doc/wiki/AuthDatabase.Passwd.txt>
- userdb passwd {
- # [blocking=yes] - By default the lookups are done in the main dovecot-auth
- # process. This setting causes the lookups to be done in auth worker
- # proceses. Useful with remote NSS lookups that may block.
- # NOTE: Be sure to use this setting with nss_ldap or users might get
- # logged in as each others!
- #args =
- }
-
- # passwd-like file with specified location
- # <doc/wiki/AuthDatabase.PasswdFile.txt>
- #userdb passwd-file {
- # [username_format=<format>] <Path for passwd-file>
- #args =
- #}
-
- # checkpassword executable user database lookup
- # <doc/wiki/AuthDatabase.CheckPassword.txt>
- #userdb checkpassword {
- # Path for checkpassword binary
- #args =
- #}
-
- # static settings generated from template <doc/wiki/UserDatabase.Static.txt>
- #userdb static {
- # Template for the fields. Can return anything a userdb could normally
- # return. For example:
- #
- # args = uid=500 gid=500 home=/var/mail/%u
- #
- # If you use deliver, it needs to look up users only from the userdb. This
- # of course doesn't work with static because there is no list of users.
- # Normally static userdb handles this by doing a passdb lookup. This works
- # with most passdbs, with PAM being the most notable exception. If you do
- # the user verification another way, you can add allow_all_users=yes to
- # the args in which case the passdb lookup is skipped.
- #
- #args =
- #}
-
- # SQL database <doc/wiki/AuthDatabase.SQL.txt>
- #userdb sql {
- # Path for SQL configuration file, see doc/dovecot-sql-example.conf
- #args =
- #}
-
- # LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
- #userdb ldap {
- # Path for LDAP configuration file, see doc/dovecot-ldap-example.conf
- #args =
- #}
-
- # vpopmail <doc/wiki/AuthDatabase.VPopMail.txt>
- #userdb vpopmail {
- #}
-
- # Require a valid SSL client certificate or the authentication fails.
- #auth_ssl_require_client_cert = no
-
- # Take the username from client's SSL certificate, using
- # X509_NAME_get_text_by_NID() which returns the subject's DN's
- # CommonName.
- #auth_ssl_username_from_cert = no
-}
+# SQL database <doc/wiki/AuthDatabase.SQL.txt>
+#userdb sql {
+ # Path for SQL configuration file, see doc/dovecot-sql-example.conf
+ #args =
+#}
+
+# LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
+#userdb ldap {
+ # Path for LDAP configuration file, see doc/dovecot-ldap-example.conf
+ #args =
+#}
-# If you wish to use another authentication server than dovecot-auth, you can
-# use connect sockets. They are assumed to be already running, Dovecot's master
-# process only tries to connect to them. They don't need any other settings
-# than the path for the master socket, as the configuration is done elsewhere.
-# Note that the client sockets must exist in the login_dir.
-#auth external {
-# socket connect {
-# master {
-# path = /var/run/dovecot/auth-master
-# }
-# }
+# vpopmail <doc/wiki/AuthDatabase.VPopMail.txt>
+#userdb vpopmail {
#}
{ SET_DEFLIST, name, offsetof(struct auth_settings, field), defines }
static struct setting_define auth_setting_defines[] = {
- { SET_STR, "name", offsetof(struct auth_settings, name), NULL },
DEF(SET_STR, mechanisms),
DEF(SET_STR, realms),
DEF(SET_STR, default_realm),
};
static struct auth_settings auth_default_settings = {
- MEMBER(name) NULL,
- MEMBER(root) NULL,
-
MEMBER(mechanisms) "plain",
MEMBER(realms) "",
MEMBER(default_realm) "",
MEMBER(defines) auth_setting_defines,
MEMBER(defaults) &auth_default_settings,
- MEMBER(parent) &auth_root_setting_parser_info,
- MEMBER(dynamic_parsers) NULL,
-
- MEMBER(parent_offset) offsetof(struct auth_settings, root),
- MEMBER(type_offset) offsetof(struct auth_settings, name),
- MEMBER(struct_size) sizeof(struct auth_settings),
- MEMBER(check_func) auth_settings_check
-};
-
-#undef DEF
-#undef DEFLIST
-#define DEF(type, name) \
- { type, #name, offsetof(struct auth_root_settings, name), NULL }
-#define DEFLIST(field, name, defines) \
- { SET_DEFLIST, name, offsetof(struct auth_root_settings, field), defines }
-
-static struct setting_define auth_root_setting_defines[] = {
- DEFLIST(auths, "auth", &auth_setting_parser_info),
-
- SETTING_DEFINE_LIST_END
-};
-
-static struct auth_root_settings auth_root_default_settings = {
- MEMBER(auths) ARRAY_INIT
-};
-
-struct setting_parser_info auth_root_setting_parser_info = {
- MEMBER(defines) auth_root_setting_defines,
- MEMBER(defaults) &auth_root_default_settings,
-
MEMBER(parent) NULL,
MEMBER(dynamic_parsers) NULL,
MEMBER(parent_offset) (size_t)-1,
MEMBER(type_offset) (size_t)-1,
- MEMBER(struct_size) sizeof(struct auth_root_settings)
+ MEMBER(struct_size) sizeof(struct auth_settings),
+ MEMBER(check_func) auth_settings_check
};
/* <settings checks> */
static bool auth_settings_check(void *_set, pool_t pool ATTR_UNUSED,
- const char **error_r)
+ const char **error_r ATTR_UNUSED)
{
struct auth_settings *set = _set;
set->debug = TRUE;
if (set->debug)
set->verbose = TRUE;
-
- if (set->name == NULL) {
- *error_r = "auth section is missing name";
- return FALSE;
- }
return TRUE;
}
/* </settings checks> */
struct auth_settings *
-auth_settings_read(struct master_service *service, const char *name)
+auth_settings_read(struct master_service *service)
{
static const struct setting_parser_info *set_roots[] = {
- &auth_root_setting_parser_info,
+ &auth_setting_parser_info,
NULL
};
const char *error;
void **sets;
- struct auth_settings *const *auths;
- struct auth_root_settings *set;
- unsigned int i, count;
if (master_service_settings_read_simple(service, set_roots, &error) < 0)
i_fatal("Error reading configuration: %s", error);
sets = master_service_settings_get_others(service);
- set = sets[0];
-
- if (array_is_created(&set->auths)) {
- auths = array_get(&set->auths, &count);
- for (i = 0; i < count; i++) {
- if (strcmp(auths[i]->name, name) == 0)
- return auths[i];
- }
- }
- i_fatal("Error reading configuration: No auth section: %s", name);
+ return sets[0];
}
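Review bot: auth_settings_check() still executes `set->debug = TRUE;` unconditionally right before the `if (set->debug)` test, so whatever auth debug value the administrator configured is overwritten and both debug and verbose auth logging are forced on in every auth process; with the name check removed and error_r marked ATTR_UNUSED, that override is now the function's only remaining effect, which makes it look like a development leftover rather than intended behavior. Auth debug output is presumably far noisier than normal logging, and it is not something an operator should be unable to switch off from the configuration. The fix is to drop the assignment so the body reads only `if (set->debug) set->verbose = TRUE;`. If forcing debug on is deliberate for this branch, a comment such as `/* FIXME: debug forced on during the settings rewrite, remove before release */` would at least make that visible to the next reader.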
enum settings_parser_flags parser_flags =
SETTINGS_PARSER_FLAG_IGNORE_UNKNOWN_KEYS;
struct input_stack root;
- ARRAY_TYPE(const_string) auth_defaults;
struct config_setting_parser_list *const *parsers;
struct parser_context ctx;
unsigned int pathlen = 0;
- unsigned int i, count, counter = 0, auth_counter = 0, cur_counter;
- const char *errormsg, *key, *value, *section, *p;
+ unsigned int i, count, counter = 0, cur_counter;
+ const char *errormsg, *key, *value, *section;
string_t *str, *full_line;
enum config_line_type type;
char *line;
parser_flags);
}
- t_array_init(&auth_defaults, 32);
t_array_init(&ctx.cur_parsers, 128);
p_array_init(&ctx.all_parsers, ctx.pool, 128);
ctx.cur_filter = p_new(ctx.pool, struct config_filter_stack, 1);
config_add_new_parser(&ctx);
parsers = config_update_cur_parsers(&ctx);
- (void)config_apply_line(parsers, "0", "auth=0", NULL, &errormsg);
- i_assert(errormsg == NULL);
- (void)config_apply_line(parsers, "name", "auth/0/name=default", NULL, &errormsg);
- i_assert(errormsg == NULL);
-
memset(&root, 0, sizeof(root));
root.path = path;
ctx.cur_input = &root;
/* file reading failed */
break;
}
-
- if (config_apply_line(parsers, key, str_c(str), NULL, &errormsg) < 0 &&
- pathlen == 0 && strncmp(str_c(str), "auth_", 5) == 0) {
- /* get auth_* settings working outside auth
- sections. we'll verify that the setting is
- valid, but delay actually adding it */
- const char *s = t_strdup(str_c(str));
-
- str_truncate(str, 0);
- str_printfa(str, "auth/0/%s=", key);
- if (*value != '<' || !expand_files)
- str_append(str, value);
- else
- str_append_file(str, key, value+1, &errormsg);
-
- if (config_apply_line(parsers, key, str_c(str), NULL, &errormsg) < 0)
- break;
- array_append(&auth_defaults, &s, 1);
- }
+ (void)config_apply_line(parsers, key, str_c(str), NULL, &errormsg);
break;
case CONFIG_LINE_TYPE_SECTION_BEGIN:
config_add_new_filter(&ctx);
str_truncate(str, pathlen);
str_append(str, key);
pathlen = str_len(str);
-
- if (strcmp(key, "auth") == 0) {
- cur_counter = auth_counter++;
- if (cur_counter == 0 && strcmp(section, "default") != 0)
- cur_counter = auth_counter++;
- } else {
- cur_counter = counter++;
- }
+ cur_counter = counter++;
str_append_c(str, '=');
str_printfa(str, "%u", cur_counter);
- if (cur_counter == 0 && strcmp(key, "auth") == 0) {
- /* already added this */
- } else {
- if (config_apply_line(parsers, key, str_c(str), section, &errormsg) < 0)
- break;
- }
+ if (config_apply_line(parsers, key, str_c(str), section, &errormsg) < 0)
+ break;
str_truncate(str, pathlen);
str_append_c(str, SETTINGS_SEPARATOR);
str_printfa(str, "%u", cur_counter);
str_append_c(str, SETTINGS_SEPARATOR);
pathlen = str_len(str);
-
- if (strcmp(key, "auth") == 0) {
- /* add auth default settings */
- const char *const *lines;
- unsigned int i, count;
-
- lines = array_get(&auth_defaults, &count);
- for (i = 0; i < count; i++) {
- str_truncate(str, pathlen);
-
- p = strchr(lines[i], '=');
- str_append(str, lines[i]);
-
- if (config_apply_line(parsers, t_strdup_until(lines[i], p), str_c(str), NULL, &errormsg) < 0)
- i_unreached();
- }
- }
}
break;
case CONFIG_LINE_TYPE_SECTION_END:
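Review bot: The KEYVALUE branch now discards config_apply_line()'s return value with a `(void)` cast, while the SECTION_BEGIN branch a few lines below still does `if (config_apply_line(...) < 0) break;` on the same failure, so the two branches treat a rejected line differently. If the loop inspects errormsg after the switch, which is outside this hunk, the cast is only a style inconsistency; if it does not, a malformed or unknown top-level key is silently dropped instead of reported. Either using `if (config_apply_line(parsers, key, str_c(str), NULL, &errormsg) < 0) break;` in both branches, or adding a comment such as `/* failures are reported through errormsg after the switch */` next to the cast, would make the intent explicit. The enclosing parse loop starts before and ends after this hunk.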