[tpop3d-discuss] Strange problem with mysql authentication.

Leon Botes leon at trusc.net
Thu, 27 Feb 2003 08:54:45 +0200


Sorry for the extended mail but all info is here.

>>Do you have a suggestion as to how i can get it to accept a user / pass
>>combination
>>if there is no unix user with that username on the unix system.
>>
>>I have found that as soon as the unix user is removed the authentication
>>fails.

>This is a very strange behavior; normally when you use the MySQL authentication
>system you do not have to bother whether the user exists in the system or not.
>This is the good thing about this system: it is more secure since the users
>are completely virtual and they can't be used to access the system.
>What are the entries in the log?

Roberto Braga


Here are the local users on the system:

sentinel# pw show user leon
leon:*:1000:0::0:0:Leon Botes:/home/leon:/bin/sh
sentinel# pw show user test1
test1::1009:1009::0:0:test1:/home/test1:/nonexistent
sentinel# pw show user test2
test2:*:1013:1013::0:0:User &:/home/test2:/bin/sh
sentinel# pw show user test3
pw: no such user `test3'

and for the record the tpop3d.conf:

listen-address: 192.168.254.10
max-children: 20
append-domain: yes
auth-mysql-enable: yes
auth-mysql-mail-group: mail
auth-mysql-hostname: localhost
auth-mysql-database: exim
auth-mysql-username: root
auth-mysql-password:
auth-mysql-pass-query: SELECT CONCAT('/var/mail/', '$(local_part)'),
CONCAT('{plaintext}', passwd), user, mbox_type FROM locals WHERE user
='$(local_part)'  AND app_dom = '$(domain)'

The daemon starts successfully as can be seen:

TCP Wrappers support enabled, using daemon name `tpop3d'
listening on address 192.168.254.10, port 110, domain trusc.office
1 authentication drivers successfully loaded
net_loop: tpop3d version 1.4.2 successfully started

The database has fields with the following:

user    passwd      mbox_type   app_dom
test1   test1pass   bsd         trusc.office
test2   test2pass   bsd         trusc.office
test3   test3pass   bsd         trusc.office
leon    leonpass    bsd         trusc.office

Here are the telnet sessions with the tpop3d debug info:

sentinel# telnet sentinel 110
Trying 192.168.254.10...
Connected to sentinel.trusc.office.
Escape character is '^]'.
+OK <3f5c6574f36a8a569a669ea69138f74c@trusc.office>
user test1
+OK Tell me your password.
pass test1pass
+OK Welcome aboard! You have exactly one message.

connection_sendresponse: client [6]192.168.254.10/trusc.office: sent `+OK
<3f5c6574f36a8a569a669ea69138f74c@trusc.office>'
listeners_post_select: client [6]192.168.254.10/trusc.office: connected
connection_parsecommand: client [6]192.168.254.10/trusc.office: received
`user test1'
connection_sendresponse: client [6]192.168.254.10/trusc.office: sent `+OK
Tell me your password.'
connection_parsecommand: client [6]192.168.254.10/trusc.office: received
`pass [...]'
auth_mysql_new_user_pass: SQL query: SELECT CONCAT('/var/mail/', 'test1'),
CONCAT('{plaintext}', passwd), user, mbox_type FROM locals WHERE us
er ='test1'  AND app_dom = 'trusc.office'
authcontext_new_user_pass: began session for `test1' with mysql; uid 1009,
gid 6
fork_child: [6]test1(192.168.254.10): successfully authenticated with mysql
fork_child: new child is PID 29477
mailspool_new_from_file: indexed mailspool /var/mail/test1 (395 bytes) in
0.000s
connection_sendresponse: client [6]test1(192.168.254.10): sent `+OK Welcome
aboard! You have exactly one message.'

That one works fine as do test2 and leon.
However they are also all local users on the system.

Now the same for test3:

sentinel# telnet sentinel 110
Trying 192.168.254.10...
Connected to sentinel.trusc.office.
Escape character is '^]'.
+OK <d8cc70e98ecad7fb6b7bbf3989f90a5b@trusc.office>
user test3
+OK Tell me your password.
pass test3pass
-ERR Lies! Try again!

connection_sendresponse: client [6]192.168.254.10/trusc.office: sent `+OK
<d8cc70e98ecad7fb6b7bbf3989f90a5b@trusc.office>'
listeners_post_select: client [6]192.168.254.10/trusc.office: connected
connection_parsecommand: client [6]192.168.254.10/trusc.office: received
`user test3'
connection_sendresponse: client [6]192.168.254.10/trusc.office: sent `+OK
Tell me your password.'
connection_parsecommand: client [6]192.168.254.10/trusc.office: received
`pass [...]'
auth_mysql_new_user_pass: SQL query: SELECT CONCAT('/var/mail/', 'test3'),
CONCAT('{plaintext}', passwd), user, mbox_type FROM locals WHERE us
er ='test3'  AND app_dom = 'trusc.office'
auth_mysql_new_user_pass: unix user `bsd' for [test3; test3@trusc.office]
does not make sense
connection_sendresponse: client [6]192.168.254.10/trusc.office: sent `-ERR
Lies! Try again!'
connection_do: client `[6]192.168.254.10/trusc.office': username `test3': 1
authentication failures
connection_sendresponse: client [6]192.168.254.10/trusc.office: sent `-ERR
You can hang around all day if you like. I have better things to do.'

My understanding of tpop3d with mysql is that it essentially looks up the
username in the database and matches against the database password
irrespective of whether the user is local or not.

What does not make sense is this:
on successful login;
authcontext_new_user_pass: began session for `test1' with mysql; uid 1009,
gid 6
I can imagine that uid and gid are needed for access to the mailbox.
on unsuccessful login;
auth_mysql_new_user_pass: unix user `bsd' for [test3; test3@trusc.office]
does not make sense
then where would tpop3d get the uid and gid for the user if not from the
unix password file?

Thanks in advance for all your opinions.
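The question above boils down to one check: does the name tpop3d reports as the "unix user" for a login resolve to a uid/gid in the password file? The script below is an added example written for this thread, not code from the post or from the tpop3d project. It parses the two debug lines that matter (the `began session ... uid N, gid M` line and the `unix user \`X' ... does not make sense` line, in the format quoted above), then checks each reported unix user against the account database. It assumes, as the poster does, that the uid/gid of a session come from a passwd lookup of that reported name; it makes no claim about which column of the pass-query tpop3d reads. The log text and the passwd table are constructed from the values in the post (with gid 6 on the test1 session, matching the `auth-mysql-mail-group: mail` override); a `lookup` callable is injected so the check can run against the real `pwd` database or against the constructed table.

```python
import pwd
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of tpop3d debug output, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
auth_mysql_new_user_pass: SQL query: SELECT CONCAT('/var/mail/', 'test1'), CONCAT('{plaintext}', passwd), user, mbox_type FROM locals WHERE user ='test1'  AND app_dom = 'trusc.office'
authcontext_new_user_pass: began session for `test1' with mysql; uid 1009, gid 6
fork_child: [6]test1(192.168.254.10): successfully authenticated with mysql
auth_mysql_new_user_pass: SQL query: SELECT CONCAT('/var/mail/', 'test3'), CONCAT('{plaintext}', passwd), user, mbox_type FROM locals WHERE user ='test3'  AND app_dom = 'trusc.office'
auth_mysql_new_user_pass: unix user `bsd' for [test3; test3@trusc.office] does not make sense
connection_do: client `[6]192.168.254.10/trusc.office': username `test3': 1 authentication failures
"""

# Constructed stand-in for the `pw show user` output in the post: name -> (uid, gid).
# test3 is deliberately absent, as it is on the poster's system.
FAKE_PASSWD: Dict[str, Tuple[int, int]] = {
    "leon": (1000, 0),
    "test1": (1009, 1009),
    "test2": (1013, 1013),
}

SESSION_RE = re.compile(
    r"began session for `(?P<user>[^']+)' with (?P<driver>\w+); uid (?P<uid>\d+), gid (?P<gid>\d+)"
)
NONSENSE_RE = re.compile(
    r"unix user `(?P<unix_user>[^']+)' for \[(?P<user>[^;]+); (?P<address>[^\]]+)\] does not make sense"
)


def parse_auth_events(log_text: str) -> List[Dict[str, object]]:
    """Extract successful sessions (with uid/gid) and 'does not make sense' failures."""
    events: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            events.append({"user": m["user"], "result": "ok",
                           "uid": int(m["uid"]), "gid": int(m["gid"])})
            continue
        m = NONSENSE_RE.search(line)
        if m:
            events.append({"user": m["user"], "result": "fail",
                           "unix_user": m["unix_user"], "address": m["address"]})
    return events


def fake_lookup(name: str) -> Tuple[int, int]:
    """Lookup against the constructed table; raises KeyError like pwd.getpwnam does."""
    return FAKE_PASSWD[name]


def system_lookup(name: str) -> Tuple[int, int]:
    """Lookup against the live account database of the host running this script."""
    entry = pwd.getpwnam(name)
    return entry.pw_uid, entry.pw_gid


def resolve_unix_user(name: str,
                      lookup: Optional[Callable[[str], Tuple[int, int]]] = None
                      ) -> Optional[Tuple[int, int]]:
    """Return (uid, gid) for a unix account name, or None if no such account exists."""
    lookup = lookup or system_lookup
    try:
        return lookup(name)
    except KeyError:
        return None


def explain_failures(log_text: str,
                     lookup: Optional[Callable[[str], Tuple[int, int]]] = None
                     ) -> List[Tuple[str, str, Optional[Tuple[int, int]]]]:
    """For each failed login, pair the POP username with the unix user tpop3d tried
    to use and the uid/gid that name resolves to (None means no such account)."""
    report = []
    for ev in parse_auth_events(log_text):
        if ev["result"] == "fail":
            ids = resolve_unix_user(str(ev["unix_user"]), lookup)
            report.append((str(ev["user"]), str(ev["unix_user"]), ids))
    return report


if __name__ == "__main__":
    for pop_user, unix_user, ids in explain_failures(SAMPLE_LOG, fake_lookup):
        status = f"resolves to uid/gid {ids}" if ids else "is not in the password file"
        print(f"login for {pop_user!r} failed: unix user {unix_user!r} {status}")
```

Run as-is it reports that the failed `test3` login asked for unix user `bsd`, which the constructed table (like the poster's box) does not contain; replace `fake_lookup` with `system_lookup` to run the same check against a real server. Whatever name appears in that `unix user` log line is the one that has to exist for tpop3d to obtain a uid/gid, which is the quickest way to confirm the hypothesis in the post before touching the pass-query.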