[Postfixadmin-devel] Dovecot + Postfixadmin + doveadm pw

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,

I have hacked the pacrypt function in functions.inc.php to support 
"dovecot pw" password verification (quick'n dirty).

I decided to use "dovecot pw -t" to simply the process of verifying a 
given password. My changes also don't break generating of new passwords.

For this, I adapted a forum's post (don't know where I found it, but its 
somehwere in the postfix forum). In this post it was also mentioned that 
it may not work with dovecot versions between 2.0.6 and 2.0.8, I think.

The ugly code is listed below (I have stripped unchanged stuff though).

Do you think there are any security relevant issues which may arise 
because of this hack?

Thanks,
Patrick

(Dovecot version 2.1, Postfixadmin version 2.3.5)

----------
function pacrypt ($pw, $pw_db="")
{
[...]
// dovecot uses salts and has its own method to valid password, so use
// it
if(empty($pw_db)) {
   $pipe = proc_open("$dovecotpw '-s' $method", $spec, $pipes);

   if (!$pipe) {
     die("can't proc_open $dovecotpw");
   } else {
     [...]
     // get rid of "\n"
     $password = substr($password, 0, strlen($password));
     [...]

// if $pw_db is given assume that a password has to be verified, do
// that here
} else {
   // use "doveadm pw" to verify a given password (don't have to deal
   // with salt and stuff
   $pipe = proc_open("$dovecotpw '-s' $method '-t' $pw_db", $spec,
             $pipes);

    if(!$pipe) {
       die("can't proc_open $dovecotpw");
    } else {
       // only one write is needed here
       fwrite($pipes[0], $pw . "\n", 1+strlen($pw)); usleep(1000);
       fclose($pipes[0]);
    }

    $password = fread($pipes[1], "200");

    // strip the verified suffix (if any, else its garbage)
    $password = substr($password, 0,
       strlen($password) - strlen(" (verified)") - 1);
}

fclose($pipes[1]);
fclose($pipes[2]);
proc_close($pipe);

// Do not strip the method prefix
$password = trim(str_replace('{' . $method . '}', '', $password));
               $passord = trim($password);
}
[...]