external/mailinabox
1
0
Fork 0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2026-03-26 19:27:23 +01:00
Code Issues Releases Wiki Activity

replace Dovecot authentication (formerly an sql query) with a call to our management daemon

Browse Source
This commit is contained in:
Joshua Tauberer
2014-11-30 11:59:10 -05:00
parent 7e05d7478f
commit 1f0345fe0e
2 changed files with 93 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
conf/dovecot-checkpassword.py Normal file
View File

@@ -0,0 +1,53 @@
#!/usr/bin/python3
#
# This script implement's Dovecot's checkpassword authentication mechanism:
# http://wiki2.dovecot.org/AuthDatabase/CheckPassword?action=show&redirect=PasswordDatabase%2FCheckPassword
#
# This allows us to perform our own password validation, such as for two-factor authentication,
# which Dovecot does not have any native support for.
#
# We will issue an HTTP request to our management server to perform authentication.
import sys, os, urllib.request, base64, json, traceback
try:
# Read fd 3 which provides the username and password separated
# by NULLs and two other undocumented/empty fields.
creds = b''
while True:
b = os.read(3, 1024)
if len(b) == 0: break
creds += b
email, pw, dummy, dummy = creds.split(b'\x00')
# Call the management server's "/me" method with the
# provided credentials
req = urllib.request.Request('http://127.0.0.1:10222/me')
req.add_header(b'Authorization', b'Basic ' + base64.b64encode(email + b':' + pw))
response = urllib.request.urlopen(req)
# The response is always success and always a JSON object
# indicating the authentication result.
resp = response.read().decode('utf8')
resp = json.loads(resp)
if not isinstance(resp, dict): raise ValueError("Response is not a JSON object.")
except:
# Handle all exceptions. Print what happens (ends up in syslog, thanks
# to dovecot) and return an exit status that indicates temporary failure,
# which is passed on to the authenticating client.
traceback.print_exc()
print(json.dumps(dict(os.environ), indent=2), file=sys.stderr)
sys.exit(111)
if resp.get('status') != 'authorized':
# Indicates login failure.
# (sys.exit should not be inside the try block.)
sys.exit(1)
# Signal ok by executing the indicated process, per the Dovecot
# protocol. (Note that the second parameter is the 0th argument
# to the called process, which is required and is typically the
# file itself.)
os.execl(sys.argv[1], sys.argv[1])