Thread: Dovecot-SQL Driver for Password

I was looking around the forums and couldn't find any solution for using other algorithms with the SQL driver, so I decided to write my own modified version of the driver so it can use any algorithm dovecot can.

I haven't tested it extensively, so it may need adjusting but so far it's 100% compatible with CRAM-MD5. The SQL query syntax is the same as the SQL driver, with the exception that in this driver %c and %n have the same value.

All in all this should be a drop in replacement for the SQL driver... Well, that killed 45 minutes, time for coffee.

Important note: DIGEST-MD5 will not work. Also, the query given here is meant for a database setup for use with postfixadmin. Lastly, if SELinux is enabled on your system, this script may not work without additional policies in place.


set driver in (roundcube root)/plugins/password/config.inc.php:

PHP Code:

$rcmail_config['password_driver'] = 'dovecotpw-sql'; 


Add these lines to (roundcube root)/plugins/password/config.inc.php:

PHP Code:

// dovecotpw executable, default '/usr/sbin/dovecotpw'(CentOS)
$rcmail_config['password_dovecotpw'] = '/usr/sbin/dovecotpw';

// dovecotpw algorithm, default 'CRAM-MD5', run 'dovecotpw -l' to list possibilities, DIGEST-MD5 will not work
$rcmail_config['password_dovecotpw_algorithm'] = 'CRAM-MD5';

// PEAR database DSN
$rcmail_config['password_dovecotpw_db_dsn'] = 'mysql://db_user:db_pass@unix(/var/lib/mysql/mysql.sock)/database_name';

// SQL Query see SQL Driver for details about syntax
$rcmail_config['password_dovecotpw_query'] = 'UPDATE mailbox SET password = %c, modified=now() WHERE username = %u LIMIT 1;'; 


Create this file (roundcube root)/plugins/password/drivers/dovecotpw-sql.php

PHP Code:

<?php

/**
 * dovecot-SQL Password Driver
 *
 * Driver for passwords stored in SQL database encrypted using the dovecotpw utility
 *
 * @version 0.1
 * @author Kaz Walker
 * @contributing author Aleksander 'A.L.E.C' Machniak <alec@alec.pl>
 *
 */

function password_save($curpass, $passwd)
{
    $rcmail = rcmail::get_instance();

    if (!($sql = $rcmail->config->get('password_dovecotpw_query')))
       $sql = 'SELECT update_passwd(%c, %u)';

    if ($dsn = $rcmail->config->get('password_dovecotpw_db_dsn')) {
    // #1486067: enable new_link option
    if (is_array($dsn) && empty($dsn['new_link']))
        $dsn['new_link'] = true;
    else if (!is_array($dsn) && !preg_match('/\?new_link=true/', $dsn))
        $dsn .= '?new_link=true';

        $db = new rcube_mdb2($dsn, '', FALSE);
        $db->set_debug((bool)$rcmail->config->get('sql_debug'));
        $db->db_connect('w');
    } else {
        $db = $rcmail->get_dbh();
    }

    if ($err = $db->is_error())
        return PASSWORD_ERROR;

    if (!($pw_algo = $rcmail->config->get('password_dovecotpw_algorithm')))
        $pw_algo = 'CRAM-MD5';

    if (!($dovecotpw = $rcmail->config->get('password_dovecotpw')))
        $dovecotpw = '/usr/sbin/dovecotpw';

    // encrypt password
    if (strpos($sql, '%c') !== FALSE) {
        $enc_passwd = '';
        $safe_passwd = escapeshellarg($passwd);
        $dovotpw_com = "$dovecotpw -p $safe_passwd -s $pw_algo";
        
        if ($pw_algo != null && $safe_passwd != null) { 
            $tmp_passwd = shell_exec($dovotpw_com);
            $tmp_passwd = explode("}", $tmp_passwd);
            $enc_passwd = trim($tmp_passwd[1]);
        } else {
            return PASSWORD_CRYPT_ERROR;
        }

        $sql = str_replace('%c',  $db->quote($enc_passwd, 'text'), $sql);
    }

    if (strpos($sql, '%n') !== FALSE) {
        $safe_passwd = escapeshellarg($passwd);
        $dovotpw_com = "$dovecotpw -p $safe_passwd -s $pw_algo";
        
        if(strpos($sql, '%c') !== FALSE) {
            // Do nothing, $enc_pass is already set correctly
        } else if ($pw_algo != null && $safe_passwd != null) { 
            $enc_passwd = '';
            $tmp_passwd = shell_exec($dovotpw_com);
            $tmp_passwd = explode("}", $tmp_passwd);
            $enc_passwd = trim($tmp_passwd[1]);
        } else {
            return PASSWORD_CRYPT_ERROR;
        }

        $sql = str_replace('%n',  $db->quote($enc_passwd, 'text'), $sql);
    }

    if (strpos($sql, '%q') !== FALSE) {
        $enc_curpass = '';
        $safe_curpass = escapeshellarg($curpass);
        $dovotpw_com = "$dovecotpw -p $safe_curpass -s $pw_algo";
        
        if ($pw_algo != null && $safe_curpass != null) { 
            $tmp_curpass = shell_exec($dovotpw_com);
            $tmp_curpass = explode("}", $tmp_curpass);
            $enc_curpass = trim($tmp_curpass[1]);
        } else {
            return PASSWORD_CRYPT_ERROR;
        }

        $sql = str_replace('%q',  $db->quote($enc_curpass, 'text'), $sql);
    }

    $user_info = explode('@', $_SESSION['username']);
    if (count($user_info) >= 2) {
        $sql = str_replace('%l', $db->quote($user_info[0], 'text'), $sql);
        $sql = str_replace('%d', $db->quote($user_info[1], 'text'), $sql);
    }

    $sql = str_replace('%u', $db->quote($_SESSION['username'],'text'), $sql);
    $sql = str_replace('%h', $db->quote($_SESSION['imap_host'],'text'), $sql);
    $sql = str_replace('%p', $db->quote($passwd,'text'), $sql);
    $sql = str_replace('%o', $db->quote($curpass,'text'), $sql);

    $res = $db->query($sql);

    if (!$db->is_error()) {
    if (strtolower(substr(trim($query),0,6))=='select') {
        if ($result = $db->fetch_array($res))
        return PASSWORD_SUCCESS;
    } else { 
        if ($db->affected_rows($res) == 1)
        return PASSWORD_SUCCESS; // This is the good case: 1 row updated
    }
    }

    return PASSWORD_ERROR;
}

?>