[Postfixadmin-devel] Dovecot + Postfixadmin + doveadm pw
From: Patrick H. <Pat...@gm...> - 2012-04-06 15:24:57
Hi,

I have hacked the pacrypt function in functions.inc.php to support "dovecot pw" password verification (quick'n dirty). I decided to use "dovecot pw -t" to simplify the process of verifying a given password. My changes also don't break generating of new passwords.

For this, I adapted a forum post (don't know where I found it, but it's somewhere in the postfix forum). In this post it was also mentioned that it may not work with dovecot versions between 2.0.6 and 2.0.8, I think.

The ugly code is listed below (I have stripped unchanged stuff though). Do you think there are any security-relevant issues which may arise because of this hack?

Thanks,
Patrick

(Dovecot version 2.1, Postfixadmin version 2.3.5)

----------
function pacrypt ($pw, $pw_db="")
{
    [...]
        // dovecot uses salts and has its own method to validate passwords, so use
        // it
        if(empty($pw_db)) {
            $pipe = proc_open("$dovecotpw '-s' $method", $spec, $pipes);
            if (!$pipe) {
                die("can't proc_open $dovecotpw");
            } else {
                [...]
                // get rid of "\n"
                $password = substr($password, 0, strlen($password));
                [...]
        // if $pw_db is given assume that a password has to be verified, do
        // that here
        } else {
            // use "doveadm pw" to verify a given password (don't have to deal
            // with salt and stuff)
            $pipe = proc_open("$dovecotpw '-s' $method '-t' $pw_db", $spec, $pipes);
            if(!$pipe) {
                die("can't proc_open $dovecotpw");
            } else {
                // only one write is needed here
                fwrite($pipes[0], $pw . "\n", 1+strlen($pw));
                usleep(1000);
                fclose($pipes[0]);
            }
            $password = fread($pipes[1], "200");
            // strip the verified suffix (if any, else it's garbage)
            $password = substr($password, 0, strlen($password) - strlen(" (verified)") - 1);
        }
        fclose($pipes[1]);
        fclose($pipes[2]);
        proc_close($pipe);
        // Do not strip the method prefix
        $password = trim(str_replace('{' . $method . '}', '', $password));
        $password = trim($password);
    }
    [...]
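
A shell-free version of the verification branch from the post above, as an added example that is not part of the original message or of Postfixadmin. It passes the stored hash as its own argv element, keeps the password on stdin, and accepts only a clean exit with the " (verified)" suffix. The function name dovecot_verify(), the doveadm path and the PHP 7.4+ requirement are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Postfixadmin code. Assumed: PHP >= 7.4, the doveadm
// path below, and the hypothetical function name dovecot_verify().
const DOVEADM = '/usr/bin/doveadm';

function dovecot_verify(string $plain, string $stored, string $method): bool
{
    // Scheme names look like SSHA256 or SHA512-CRYPT.HEX; refuse anything else.
    if (!preg_match('/^[A-Za-z0-9.-]+$/', $method)) {
        throw new InvalidArgumentException('unexpected scheme name');
    }
    // The password is sent as one line on stdin, so an embedded line break
    // would make doveadm test a truncated password.
    if ($plain === '' || preg_match('/[\r\n]/', $plain)) {
        return false;
    }
    // Array form of proc_open: PHP starts the program directly, without a
    // shell, so "$", ";" or spaces in $stored (for example {CRYPT}$1$...)
    // reach doveadm as one literal argument instead of being interpreted.
    $argv = [DOVEADM, 'pw', '-s', $method, '-t', $stored];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('cannot start ' . DOVEADM);
    }
    // As in the post, a single write is enough in -t mode.
    fwrite($pipes[0], $plain . "\n");
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    stream_get_contents($pipes[2]); // read and discard doveadm's error text
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exit = proc_close($proc);

    // Success requires both a zero exit status and the " (verified)" suffix;
    // error text, empty output or a crash all count as a failed check.
    $line = rtrim((string) $stdout, "\r\n");
    $suffix = ' (verified)';
    return $exit === 0 && substr($line, -strlen($suffix)) === $suffix;
}
```

Returning a boolean avoids stripping the suffix and comparing strings afterwards, so malformed output can never be mistaken for a matching hash.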