7x31/mailcow-dockerized
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Show spam aliases #

Browse Source
This commit is contained in:
andryyy
2017-02-21 22:27:11 +01:00
parent 76426b65b2
commit 0eb932b3ab
2737 changed files with 357639 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
data/web/rc/plugins/password/helpers/change_ldap_pass.pl Normal file
View File

@@ -0,0 +1,87 @@
#!/usr/bin/perl
=pod
Script to change the LDAP password using the set_password method
to proper setting the password policy attributes
author: Zbigniew Szmyd (zbigniew.szmyd@linseco.pl)
version 1.0 2016-02-22
=cut
use Net::LDAP;
use Net::LDAP::Extension::SetPassword;
use URI;
use utf8;
binmode(STDOUT, ':utf8');
my %PAR = ();
if (my $param = shift @ARGV){
print "Password change in LDAP\n\n";
print "Run script without any parameter and pass the following data:\n";
print "URI\nbaseDN\nFilter\nbindDN\nbindPW\nLogin\nuserPass\nnewPass\nCAfile\n";
exit;
}
foreach my $param ('uri','base','filter','binddn','bindpw','user','pass','new_pass','ca'){
$PAR{$param} = <>;
$PAR{$param} =~ s/\r|\n//g;
}
my @servers = split (/\s+/, $PAR{'uri'});
my $active_server = 0;
my $ldap;
while ((my $serwer = shift @servers) && !($active_server)) {
my $ldap_uri = URI->new($serwer);
if ($ldap_uri->secure) {
$ldap = Net::LDAP->new($ldap_uri->as_string,
version => 3,
verify => 'require',
sslversion => 'tlsv1',
cafile => $PAR{'ca'});
} else {
$ldap = Net::LDAP->new($ldap_uri->as_string, version => 3);
}
$active_server = 1 if ($ldap);
}
if ($active_server) {
my $mesg = $ldap->bind($PAR{'binddn'}, password => $PAR{'bindpw'});
if ($mesg->code != 0) {
print "Cannot login: ". $mesg->error;
} else {
# Wyszukanie usera wg filtra
$PAR{'filter'} =~ s/\%login/$PAR{'user'}/;
my @search_args = (
base => $PAR{'base'},
scope => 'sub',
filter => $PAR{'filter'},
attrs => ['1.1'],
);
my $result = $ldap->search(@search_args);
if ($result->code) {
print $result->error;
} else {
my $count = $result->count;
if ($count == 1) {
my @users = $result->entries;
my $dn = $users[0]->dn();
$result = $ldap->bind($dn, password => $PAR{'pass'});
if ($result->code){
print $result->error;
} else {
$result = $ldap->set_password(newpasswd => $PAR{'new_pass'});
if ($result->code) {
print $result->error;
} else {
print "OK";
}
}
} else {
print "User not found in LDAP\n" if $count == 0;
print "Found $count users\n";
}
}
}
$ldap->unbind();
} else {
print "Cannot connect to any server";
}

29
data/web/rc/plugins/password/helpers/chgdbmailusers.c Normal file
View File

@@ -0,0 +1,29 @@
#include <stdio.h>
#include <unistd.h>
// set the UID this script will run as (root user)
#define UID 0
#define CMD "/usr/sbin/dbmail-users"
/* INSTALLING:
gcc -o chgdbmailusers chgdbmailusers.c
chown root.apache chgdbmailusers
strip chgdbmailusers
chmod 4550 chgdbmailusers
*/
main(int argc, char *argv[])
{
int rc, cc;
cc = setuid(UID);
rc = execvp(CMD, argv);
if ((rc != 0) || (cc != 0))
{
fprintf(stderr, "__ %s: failed %d %d\n", argv[0], rc, cc);
return 1;
}
return 0;
}

29
data/web/rc/plugins/password/helpers/chgsaslpasswd.c Normal file
View File

@@ -0,0 +1,29 @@
#include <stdio.h>
#include <unistd.h>
// set the UID this script will run as (cyrus user)
#define UID 96
// set the path to saslpasswd or saslpasswd2
#define CMD "/usr/sbin/saslpasswd2"
/* INSTALLING:
gcc -o chgsaslpasswd chgsaslpasswd.c
chown cyrus.apache chgsaslpasswd
strip chgsaslpasswd
chmod 4550 chgsaslpasswd
*/
main(int argc, char *argv[])
{
int rc,cc;
cc = setuid(UID);
rc = execvp(CMD, argv);
if ((rc != 0) || (cc != 0))
{
fprintf(stderr, "__ %s: failed %d %d\n", argv[0], rc, cc);
return 1;
}
return 0;
}

28
data/web/rc/plugins/password/helpers/chgvirtualminpasswd.c Normal file
View File

@@ -0,0 +1,28 @@
#include <stdio.h>
#include <unistd.h>
// set the UID this script will run as (root user)
#define UID 0
#define CMD "/usr/sbin/virtualmin"
/* INSTALLING:
gcc -o chgvirtualminpasswd chgvirtualminpasswd.c
chown root.apache chgvirtualminpasswd
strip chgvirtualminpasswd
chmod 4550 chgvirtualminpasswd
*/
main(int argc, char *argv[])
{
int rc,cc;
cc = setuid(UID);
rc = execvp(CMD, argv);
if ((rc != 0) || (cc != 0))
{
fprintf(stderr, "__ %s: failed %d %d\n", argv[0], rc, cc);
return 1;
}
return 0;
}

32
data/web/rc/plugins/password/helpers/chpass-wrapper.py Normal file
View File

@@ -0,0 +1,32 @@
#!/usr/bin/env python
import sys
import pwd
import subprocess
BLACKLIST = (
# add blacklisted users here
#'user1',
)
try:
username, password = sys.stdin.readline().split(':', 1)
except ValueError, e:
sys.exit('Malformed input')
try:
user = pwd.getpwnam(username)
except KeyError, e:
sys.exit('No such user: %s' % username)
if user.pw_uid < 1000:
sys.exit('Changing the password for user id < 1000 is forbidden')
if username in BLACKLIST:
sys.exit('Changing password for user %s is forbidden (user blacklisted)' %
username)
handle = subprocess.Popen('/usr/sbin/chpasswd', stdin = subprocess.PIPE)
handle.communicate('%s:%s' % (username, password))
sys.exit(handle.returncode)

191
data/web/rc/plugins/password/helpers/dovecot_hmacmd5.php Normal file
View File

@@ -0,0 +1,191 @@
<?php
/**
*
* dovecot_hmacmd5.php V1.01
*
* Generates HMAC-MD5 'contexts' for Dovecot's password files.
*
* (C) 2008 Hajo Noerenberg
*
* http://www.noerenberg.de/hajo/pub/dovecot_hmacmd5.php.txt
*
* Most of the code has been shamelessly stolen from various sources:
*
* (C) Paul Johnston 1999 - 2000 / http://pajhome.org.uk/crypt/md5/
* (C) William K. Cole 2008 / http://www.scconsult.com/bill/crampass.pl
* (C) Borfast 2002 / http://www.zend.com/code/codex.php?ozid=962&single=1
* (C) Thomas Weber / http://pajhome.org.uk/crypt/md5/contrib/md5.java.txt
*
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3.0 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program. If not, see <http://www.gnu.org/licenses/gpl-3.0.txt>.
*
*/
/* Convert a 32-bit number to a hex string with ls-byte first
*/
function rhex($n) {
$hex_chr = "0123456789abcdef"; $r = '';
for($j = 0; $j <= 3; $j++)
$r .= $hex_chr[($n >> ($j * 8 + 4)) & 0x0F] . $hex_chr[($n >> ($j * 8)) & 0x0F];
return $r;
}
/* zeroFill() is needed because PHP doesn't have a zero-fill
* right shift operator like JavaScript's >>>
*/
function zeroFill($a, $b) {
$z = hexdec(80000000);
if ($z & $a) {
$a >>= 1;
$a &= (~$z);
$a |= 0x40000000;
$a >>= ($b-1);
} else {
$a >>= $b;
}
return $a;
}
/* Bitwise rotate a 32-bit number to the left
*/
function bit_rol($num, $cnt) {
return ($num << $cnt) | (zeroFill($num, (32 - $cnt)));
}
/* Add integers, wrapping at 2^32
*/
function safe_add($x, $y) {
return (($x&0x7FFFFFFF) + ($y&0x7FFFFFFF)) ^ ($x&0x80000000) ^ ($y&0x80000000);
}
/* These functions implement the four basic operations the algorithm uses.
*/
function md5_cmn($q, $a, $b, $x, $s, $t) {
return safe_add(bit_rol(safe_add(safe_add($a, $q), safe_add($x, $t)), $s), $b);
}
function md5_ff($a, $b, $c, $d, $x, $s, $t) {
return md5_cmn(($b & $c) | ((~$b) & $d), $a, $b, $x, $s, $t);
}
function md5_gg($a, $b, $c, $d, $x, $s, $t) {
return md5_cmn(($b & $d) | ($c & (~$d)), $a, $b, $x, $s, $t);
}
function md5_hh($a, $b, $c, $d, $x, $s, $t) {
return md5_cmn($b ^ $c ^ $d, $a, $b, $x, $s, $t);
}
function md5_ii($a, $b, $c, $d, $x, $s, $t) {
return md5_cmn($c ^ ($b | (~$d)), $a, $b, $x, $s, $t);
}
/* Calculate the first round of the MD5 algorithm
*/
function md5_oneround($s, $io) {
$s = str_pad($s, 64, chr(0x00));
$x = array_fill(0, 16, 0);
for($i = 0; $i < 64; $i++)
$x[$i >> 2] |= (($io ? 0x36 : 0x5c) ^ ord($s[$i])) << (($i % 4) * 8);
$a = $olda = 1732584193;
$b = $oldb = -271733879;
$c = $oldc = -1732584194;
$d = $oldd = 271733878;
$a = md5_ff($a, $b, $c, $d, $x[ 0], 7 , -680876936);
$d = md5_ff($d, $a, $b, $c, $x[ 1], 12, -389564586);
$c = md5_ff($c, $d, $a, $b, $x[ 2], 17, 606105819);
$b = md5_ff($b, $c, $d, $a, $x[ 3], 22, -1044525330);
$a = md5_ff($a, $b, $c, $d, $x[ 4], 7 , -176418897);
$d = md5_ff($d, $a, $b, $c, $x[ 5], 12, 1200080426);
$c = md5_ff($c, $d, $a, $b, $x[ 6], 17, -1473231341);
$b = md5_ff($b, $c, $d, $a, $x[ 7], 22, -45705983);
$a = md5_ff($a, $b, $c, $d, $x[ 8], 7 , 1770035416);
$d = md5_ff($d, $a, $b, $c, $x[ 9], 12, -1958414417);
$c = md5_ff($c, $d, $a, $b, $x[10], 17, -42063);
$b = md5_ff($b, $c, $d, $a, $x[11], 22, -1990404162);
$a = md5_ff($a, $b, $c, $d, $x[12], 7 , 1804603682);
$d = md5_ff($d, $a, $b, $c, $x[13], 12, -40341101);
$c = md5_ff($c, $d, $a, $b, $x[14], 17, -1502002290);
$b = md5_ff($b, $c, $d, $a, $x[15], 22, 1236535329);
$a = md5_gg($a, $b, $c, $d, $x[ 1], 5 , -165796510);
$d = md5_gg($d, $a, $b, $c, $x[ 6], 9 , -1069501632);
$c = md5_gg($c, $d, $a, $b, $x[11], 14, 643717713);
$b = md5_gg($b, $c, $d, $a, $x[ 0], 20, -373897302);
$a = md5_gg($a, $b, $c, $d, $x[ 5], 5 , -701558691);
$d = md5_gg($d, $a, $b, $c, $x[10], 9 , 38016083);
$c = md5_gg($c, $d, $a, $b, $x[15], 14, -660478335);
$b = md5_gg($b, $c, $d, $a, $x[ 4], 20, -405537848);
$a = md5_gg($a, $b, $c, $d, $x[ 9], 5 , 568446438);
$d = md5_gg($d, $a, $b, $c, $x[14], 9 , -1019803690);
$c = md5_gg($c, $d, $a, $b, $x[ 3], 14, -187363961);
$b = md5_gg($b, $c, $d, $a, $x[ 8], 20, 1163531501);
$a = md5_gg($a, $b, $c, $d, $x[13], 5 , -1444681467);
$d = md5_gg($d, $a, $b, $c, $x[ 2], 9 , -51403784);
$c = md5_gg($c, $d, $a, $b, $x[ 7], 14, 1735328473);
$b = md5_gg($b, $c, $d, $a, $x[12], 20, -1926607734);
$a = md5_hh($a, $b, $c, $d, $x[ 5], 4 , -378558);
$d = md5_hh($d, $a, $b, $c, $x[ 8], 11, -2022574463);
$c = md5_hh($c, $d, $a, $b, $x[11], 16, 1839030562);
$b = md5_hh($b, $c, $d, $a, $x[14], 23, -35309556);
$a = md5_hh($a, $b, $c, $d, $x[ 1], 4 , -1530992060);
$d = md5_hh($d, $a, $b, $c, $x[ 4], 11, 1272893353);
$c = md5_hh($c, $d, $a, $b, $x[ 7], 16, -155497632);
$b = md5_hh($b, $c, $d, $a, $x[10], 23, -1094730640);
$a = md5_hh($a, $b, $c, $d, $x[13], 4 , 681279174);
$d = md5_hh($d, $a, $b, $c, $x[ 0], 11, -358537222);
$c = md5_hh($c, $d, $a, $b, $x[ 3], 16, -722521979);
$b = md5_hh($b, $c, $d, $a, $x[ 6], 23, 76029189);
$a = md5_hh($a, $b, $c, $d, $x[ 9], 4 , -640364487);
$d = md5_hh($d, $a, $b, $c, $x[12], 11, -421815835);
$c = md5_hh($c, $d, $a, $b, $x[15], 16, 530742520);
$b = md5_hh($b, $c, $d, $a, $x[ 2], 23, -995338651);
$a = md5_ii($a, $b, $c, $d, $x[ 0], 6 , -198630844);
$d = md5_ii($d, $a, $b, $c, $x[ 7], 10, 1126891415);
$c = md5_ii($c, $d, $a, $b, $x[14], 15, -1416354905);
$b = md5_ii($b, $c, $d, $a, $x[ 5], 21, -57434055);
$a = md5_ii($a, $b, $c, $d, $x[12], 6 , 1700485571);
$d = md5_ii($d, $a, $b, $c, $x[ 3], 10, -1894986606);
$c = md5_ii($c, $d, $a, $b, $x[10], 15, -1051523);
$b = md5_ii($b, $c, $d, $a, $x[ 1], 21, -2054922799);
$a = md5_ii($a, $b, $c, $d, $x[ 8], 6 , 1873313359);
$d = md5_ii($d, $a, $b, $c, $x[15], 10, -30611744);
$c = md5_ii($c, $d, $a, $b, $x[ 6], 15, -1560198380);
$b = md5_ii($b, $c, $d, $a, $x[13], 21, 1309151649);
$a = md5_ii($a, $b, $c, $d, $x[ 4], 6 , -145523070);
$d = md5_ii($d, $a, $b, $c, $x[11], 10, -1120210379);
$c = md5_ii($c, $d, $a, $b, $x[ 2], 15, 718787259);
$b = md5_ii($b, $c, $d, $a, $x[ 9], 21, -343485551);
$a = safe_add($a, $olda);
$b = safe_add($b, $oldb);
$c = safe_add($c, $oldc);
$d = safe_add($d, $oldd);
return rhex($a) . rhex($b) . rhex($c) . rhex($d);
}
function dovecot_hmacmd5 ($s) {
if (strlen($s) > 64) $s=pack("H*", md5($s));
return md5_oneround($s, 0) . md5_oneround($s, 1);
}

267
data/web/rc/plugins/password/helpers/passwd-expect Normal file
View File

@@ -0,0 +1,267 @@
#
# This scripts changes a password on the local system or a remote host.
# Connections to the remote (this can also be localhost) are made by ssh, rsh,
# telnet or rlogin.
# @author Gaudenz Steinlin <gaudenz@soziologie.ch>
# For sudo support alter sudoers (using visudo) so that it contains the
# following information (replace 'apache' if your webserver runs under another
# user):
# -----
# # Needed for Horde's passwd module
# Runas_Alias REGULARUSERS = ALL, !root
# apache ALL=(REGULARUSERS) NOPASSWD:/usr/bin/passwd
# -----
# @stdin The username, oldpassword, newpassword (in this order)
# will be taken from stdin
# @param -prompt regexp for the shell prompt
# @param -password regexp password prompt
# @param -oldpassword regexp for the old password
# @param -newpassword regexp for the new password
# @param -verify regexp for verifying the password
# @param -success regexp for success changing the password
# @param -login regexp for the telnet prompt for the loginname
# @param -host hostname to be connected
# @param -timeout timeout for each step
# @param -log file for writing error messages
# @param -output file for loging the output
# @param -telnet use telnet
# @param -ssh use ssh (default)
# @param -rlogin use rlogin
# @param -slogin use slogin
# @param -sudo use sudo
# @param -program command for changing passwords
#
# @return 0 on success, 1 on failure
#
# default values
set host "localhost"
set login "ssh"
set program "passwd"
set prompt_string "(%|\\\$|>)"
set fingerprint_string "The authenticity of host.* can't be established.*\nRSA key fingerprint is.*\nAre you sure you want to continue connecting.*"
set password_string "(P|p)assword.*"
set oldpassword_string "((O|o)ld|login|\\\(current\\\) UNIX) (P|p)assword.*"
set newpassword_string "(N|n)ew.* (P|p)assword.*"
set badoldpassword_string "(Authentication token manipulation error).*"
set badpassword_string "((passwd|BAD PASSWORD).*|(passwd|Bad:).*\r)"
set verify_string "((R|r)e-*enter.*(P|p)assword|Retype new( UNIX)? password|(V|v)erification|(V|v)erify|(A|a)gain).*"
set success_string "((P|p)assword.* changed|successfully)"
set login_string "(((L|l)ogin|(U|u)sername).*)"
set timeout 20
set log "/tmp/passwd.out"
set output false
set output_file "/tmp/passwd.log"
# read input from stdin
fconfigure stdin -blocking 1
gets stdin user
gets stdin password(old)
gets stdin password(new)
# alternative: read input from command line
#if {$argc < 3} {
# send_user "Too few arguments: Usage $argv0 username oldpass newpass"
# exit 1
#}
#set user [lindex $argv 0]
#set password(old) [lindex $argv 1]
#set password(new) [lindex $argv 2]
# no output to the user
log_user 0
# read in other options
for {set i 0} {$i<$argc} {incr i} {
set arg [lindex $argv $i]
switch -- $arg "-prompt" {
incr i
set prompt_string [lindex $argv $i]
continue
} "-password" {
incr i
set password_string [lindex $argv $i]
continue
} "-oldpassword" {
incr i
set oldpassword_string [lindex $argv $i]
continue
} "-newpassword" {
incr i
set newpassword_string [lindex $argv $i]
continue
} "-verify" {
incr i
set verify_string [lindex $argv $i]
continue
} "-success" {
incr i
set success_string [lindex $argv $i]
continue
} "-login" {
incr i
set login_string [lindex $argv $i]
continue
} "-host" {
incr i
set host [lindex $argv $i]
continue
} "-timeout" {
incr i
set timeout [lindex $argv $i]
continue
} "-log" {
incr i
set log [lindex $argv $i]
continue
} "-output" {
incr i
set output_file [lindex $argv $i]
set output true
continue
} "-telnet" {
set login "telnet"
continue
} "-ssh" {
set login "ssh"
continue
} "-ssh-exec" {
set login "ssh-exec"
continue
} "-rlogin" {
set login "rlogin"
continue
} "-slogin" {
set login "slogin"
continue
} "-sudo" {
set login "sudo"
continue
} "-program" {
incr i
set program [lindex $argv $i]
continue
}
}
# log session
if {$output} {
log_file $output_file
}
set err [open $log "w" "0600"]
# start remote session
if {[string match $login "rlogin"]} {
set pid [spawn rlogin $host -l $user]
} elseif {[string match $login "slogin"]} {
set pid [spawn slogin $host -l $user]
} elseif {[string match $login "ssh"]} {
set pid [spawn ssh $host -l $user]
} elseif {[string match $login "ssh-exec"]} {
set pid [spawn ssh $host -l $user $program]
} elseif {[string match $login "sudo"]} {
set pid [spawn sudo -u $user $program]
} elseif {[string match $login "telnet"]} {
set pid [spawn telnet $host]
expect -re $login_string {
sleep .5
send "$user\r"
}
} else {
puts $err "Invalid login mode. Valid modes: rlogin, slogin, ssh, telnet, sudo\n"
close $err
exit 1
}
set old_password_notentered true
if {![string match $login "sudo"]} {
# log in
expect {
-re $fingerprint_string {sleep .5
send yes\r
exp_continue}
-re $password_string {sleep .5
send $password(old)\r}
timeout {puts $err "Could not login to system (no password prompt)\n"
close $err
exit 1}
}
# start password changing program
expect {
-re $prompt_string {sleep .5
send $program\r}
# The following is for when passwd is the login shell or ssh-exec is used
-re $oldpassword_string {sleep .5
send $password(old)\r
set old_password_notentered false}
timeout {puts $err "Could not login to system (bad old password?)\n"
close $err
exit 1}
}
}
# send old password
if {$old_password_notentered} {
expect {
-re $oldpassword_string {sleep .5
send $password(old)\r}
timeout {puts $err "Could not start passwd program (no old password prompt)\n"
close $err
exit 1}
}
}
# send new password
expect {
-re $newpassword_string {sleep .5
send $password(new)\r}
-re $badoldpassword_string {puts $err "Old password is incorrect\n"
close $err
exit 1}
timeout {puts "Could not change password (bad old password?)\n"
close $err
exit 1}
}
# send new password again
expect {
-re $badpassword_string {puts $err "$expect_out(0,string)"
close $err
send \003
sleep .5
exit 1}
-re $verify_string {sleep .5
send $password(new)\r}
timeout {puts $err "New password not valid (too short, bad password, too similar, ...)\n"
close $err
send \003
sleep .5
exit 1}
}
# check response
expect {
-re $success_string {sleep .5
send exit\r}
-re $badpassword_string {puts $err "$expect_out(0,string)"
close $err
exit 1}
timeout {puts $err "Could not change password.\n"
close $err
exit 1}
}
# exit succsessfully
expect {
eof {close $err
exit 0}
}
close $err