(07-17-2009 05:02 PM)sulio Wrote: Hi,
new to ispcp, not very good in perl, experienced with dovecot setups though.
My notes:
1. The ispcp-dovecot-mngr script does not check if the user exists in the SQL db at all, and exits with temp error in such a case, while I feel it should exit as if the password is wrong.
To fix it, I added this block:
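    # Count the active mailboxes (password not '_no_') with this address.
    # $username is interpolated into the SQL string as-is, so it must already
    # be validated or escaped at this point.
    my $sql = "SELECT count(mail_pass) FROM mail_users WHERE mail_pass != '_no_' AND mail_addr='$username'";
    my ($rs, $rows) = doSQL($sql);
    if ($rs != 0) {
        # The query itself failed: report a temporary error.
        syslog('err', 'Can`t execute sql "%s"! during attempt for %s from %s, protocol %s', $sql, $username, $ip, $server);
        exit($tempErr);
    }
    my $line = $rows->[0];
    if ($line->[0] == 0) {
        # No such mailbox: exit the same way as for a wrong password.
        syslog('err', 'User not found! during attempt for %s from %s, protocol %s', $username, $ip, $server);
        exit($Err);
    }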
just before the block where the password is being checked.
It seems fine to me; the only thing is the extra MySQL query being done, but since it's only called on logins, it shouldn't be a problem. I'm updating the one in the post.
Opinions?
(07-17-2009 05:02 PM)sulio Wrote: 2. There is no need for a password_query line in the dovecot-sql-xxxx.conf files, as this is used as userdb, so not for any password checks (the query will return wrong password anyways).
Ok, I applied this to my servers and also to the documentation, it makes sense not to have this.
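Added example, not part of the original thread or of ispCP's code: the user-existence check from point 1 written against plain DBI with a bound parameter, so that a login name containing a quote is reported as "user not found" instead of breaking the query and ending in a temporary error. The in-memory SQLite database (needs DBD::SQLite), the sample addresses, the user_status() helper and the exit code values 1 and 111 (checkpassword convention) are assumptions; the thread only names $Err and $tempErr.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumed exit codes (checkpassword convention); the thread does not give the values.
my $Err     = 1;
my $tempErr = 111;

# Constructed stand-in for the ispCP database: in-memory SQLite with the
# table and columns used by the query in the post.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE mail_users (mail_addr TEXT, mail_pass TEXT)');
$dbh->do('INSERT INTO mail_users VALUES (?, ?)', undef, @$_)
    for ['alice@example.test', 'secret'], ['bob@example.test', '_no_'];

# Hypothetical helper: returns 0 if the mailbox exists and is active,
# $Err if it does not, $tempErr if the database query fails.
sub user_status {
    my ($dbh, $username) = @_;
    my $count = eval {
        # The login name is bound as a parameter, never spliced into the SQL text.
        my ($n) = $dbh->selectrow_array(
            q{SELECT count(mail_pass) FROM mail_users
              WHERE mail_pass != '_no_' AND mail_addr = ?},
            undef, $username);
        $n;
    };
    return $tempErr unless defined $count;   # query failed: temporary error
    return $count == 0 ? $Err : 0;           # no row: same exit as a wrong password
}

# Constructed login names: an active mailbox, a disabled one, an unknown one,
# and one containing a single quote.
for my $name ('alice@example.test', 'bob@example.test',
              'nobody@example.test', q{o'brien@example.test}) {
    printf "%-22s => exit %d\n", $name, user_status($dbh, $name);
}
```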