changeset 9846:cf27080f3fcf HEAD

config: Removed auth sections completely for now. They might come back in some other more generic form.
author Timo Sirainen <tss@iki.fi>
date Mon, 31 Aug 2009 17:21:37 -0400
parents f5dcc960ab7a
children ecb05365f520
files doc/example-config/conf.d/auth.conf src/auth/auth-settings.c src/auth/auth-settings.h src/auth/main.c src/config/config-parser.c
diffstat 5 files changed, 226 insertions(+), 347 deletions(-) [+]
--- a/doc/example-config/conf.d/auth.conf	Mon Aug 31 17:19:56 2009 -0400
+++ b/doc/example-config/conf.d/auth.conf	Mon Aug 31 17:21:37 2009 -0400
@@ -76,230 +76,223 @@
 # Number of seconds to delay before replying to failed authentications.
 #auth_failure_delay = 2
 
-auth default {
-  # Space separated list of wanted authentication mechanisms:
-  #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
-  #   gss-spnego
-  # NOTE: See also disable_plaintext_auth setting.
-  auth_mechanisms = plain
+# Require a valid SSL client certificate or the authentication fails.
+#auth_ssl_require_client_cert = no
+
+# Take the username from client's SSL certificate, using 
+# X509_NAME_get_text_by_NID() which returns the subject's DN's
+# CommonName. 
+#auth_ssl_username_from_cert = no
 
-  #
-  # Password database is used to verify user's password (and nothing more).
-  # You can have multiple passdbs and userdbs. This is useful if you want to
-  # allow both system users (/etc/passwd) and virtual users to login without
-  # duplicating the system users into virtual database.
-  #
-  # <doc/wiki/PasswordDatabase.txt>
-  #
-  # By adding master=yes setting inside a passdb you make the passdb a list
-  # of "master users", who can log in as anyone else. Unless you're using PAM,
-  # you probably still want the destination user to be looked up from passdb
-  # that it really exists. This can be done by adding pass=yes setting to the
-  # master passdb. <doc/wiki/Authentication.MasterUsers.txt>
+# Space separated list of wanted authentication mechanisms:
+#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
+#   gss-spnego
+# NOTE: See also disable_plaintext_auth setting.
+auth_mechanisms = plain
 
-  # Users can be temporarily disabled by adding a passdb with deny=yes.
-  # If the user is found from that database, authentication will fail.
-  # The deny passdb should always be specified before others, so it gets
-  # checked first. Here's an example:
-
-  #passdb passwd-file {
-    # File contains a list of usernames, one per line
-    #args = /etc/dovecot.deny
-    #deny = yes
-  #}
+##
+## Password databases
+##
 
-  # PAM authentication. Preferred nowadays by most systems. 
-  # Note that PAM can only be used to verify if user's password is correct,
-  # so it can't be used as userdb. If you don't want to use a separate user
-  # database (passwd usually), you can use static userdb.
-  # REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
-  # authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
-  passdb pam {
-    # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
-    # [cache_key=<key>] [<service name>]
-    #
-    # session=yes makes Dovecot open and immediately close PAM session. Some
-    # PAM plugins need this to work, such as pam_mkhomedir.
-    #
-    # setcred=yes makes Dovecot establish PAM credentials if some PAM plugins
-    # need that. They aren't ever deleted though, so this isn't enabled by
-    # default.
-    #
-    # max_requests specifies how many PAM lookups to do in one process before
-    # recreating the process. The default is 100, because many PAM plugins
-    # leak memory.
-    #
-    # cache_key can be used to enable authentication caching for PAM
-    # (auth_cache_size also needs to be set). It isn't enabled by default
-    # because PAM modules can do all kinds of checks besides checking password,
-    # such as checking IP address. Dovecot can't know about these checks
-    # without some help. cache_key is simply a list of variables (see
-    # doc/wiki/Variables.txt) which must match for the cached data to be used.
-    # Here are some examples:
-    #   %u - Username must match. Probably sufficient for most uses.
-    #   %u%r - Username and remote IP address must match.
-    #   %u%s - Username and service (ie. IMAP, POP3) must match.
-    # 
-    # The service name can contain variables, for example %Ls expands to
-    # pop3 or imap.
-    #
-    # Some examples:
-    #   args = session=yes %Ls
-    #   args = cache_key=%u dovecot
-    #args = dovecot
-  }
+#
+# Password database is used to verify user's password (and nothing more).
+# You can have multiple passdbs and userdbs. This is useful if you want to
+# allow both system users (/etc/passwd) and virtual users to login without
+# duplicating the system users into virtual database.
+#
+# <doc/wiki/PasswordDatabase.txt>
+#
+# By adding master=yes setting inside a passdb you make the passdb a list
+# of "master users", who can log in as anyone else. Unless you're using PAM,
+# you probably still want the destination user to be looked up from passdb
+# that it really exists. This can be done by adding pass=yes setting to the
+# master passdb. <doc/wiki/Authentication.MasterUsers.txt>
 
-  # System users (NSS, /etc/passwd, or similiar)
-  # In many systems nowadays this uses Name Service Switch, which is
-  # configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
-  #passdb passwd {
-    # [blocking=yes] - See userdb passwd for explanation
-    #args = 
-  #}
-
-  # Shadow passwords for system users (NSS, /etc/shadow or similiar).
-  # Deprecated by PAM nowadays.
-  # <doc/wiki/PasswordDatabase.Shadow.txt>
-  #passdb shadow {
-    # [blocking=yes] - See userdb passwd for explanation
-    #args = 
-  #}
-
-  # PAM-like authentication for OpenBSD.
-  # <doc/wiki/PasswordDatabase.BSDAuth.txt>
-  #passdb bsdauth {
-    # [cache_key=<key>] - See cache_key in PAM for explanation.
-    #args =
-  #}
-
-  # passwd-like file with specified location
-  # <doc/wiki/AuthDatabase.PasswdFile.txt>
-  #passdb passwd-file {
-    # [scheme=<default password scheme>] [username_format=<format>]
-    # <Path for passwd-file>
-    #args = 
-  #}
+# Users can be temporarily disabled by adding a passdb with deny=yes.
+# If the user is found from that database, authentication will fail.
+# The deny passdb should always be specified before others, so it gets
+# checked first. Here's an example:
 
-  # checkpassword executable authentication
-  # NOTE: You will probably want to use "userdb prefetch" with this.
-  # <doc/wiki/AuthDatabase.CheckPassword.txt>
-  #passdb checkpassword {
-    # Path for checkpassword binary
-    #args = 
-  #}
-
-  # SQL database <doc/wiki/AuthDatabase.SQL.txt>
-  #passdb sql {
-    # Path for SQL configuration file, see doc/dovecot-sql-example.conf
-    #args = 
-  #}
-
-  # LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
-  #passdb ldap {
-    # Path for LDAP configuration file, see doc/dovecot-ldap-example.conf
-    #args = 
-  #}
-
-  # vpopmail authentication <doc/wiki/AuthDatabase.VPopMail.txt>
-  #passdb vpopmail {
-    # [cache_key=<key>] - See cache_key in PAM for explanation.
-    # [quota_template=<template>] - %q expands to Maildir++ quota
-    #   (eg. quota_template=quota_rule=*:backend=%q)
-    #args =
-  #}
-
-  #
-  # User database specifies where mails are located and what user/group IDs
-  # own them. For single-UID configuration use "static".
-  #
-  # <doc/wiki/UserDatabase.txt>
-  #
-
-  # "prefetch" user database means that the passdb already provided the
-  # needed information and there's no need to do a separate userdb lookup.
-  # This can be made to work with SQL and LDAP databases, see their example
-  # configuration files for more information how to do it.
-  # <doc/wiki/UserDatabase.Prefetch.txt>
-  #userdb prefetch {
-  #}
-
-  # System users (NSS, /etc/passwd, or similiar). In many systems nowadays this
-  # uses Name Service Switch, which is configured in /etc/nsswitch.conf.
-  # <doc/wiki/AuthDatabase.Passwd.txt>
-  userdb passwd {
-    # [blocking=yes] - By default the lookups are done in the main dovecot-auth
-    # process. This setting causes the lookups to be done in auth worker
-    # proceses. Useful with remote NSS lookups that may block.
-    # NOTE: Be sure to use this setting with nss_ldap or users might get
-    # logged in as each others!
-    #args = 
-  }
+#passdb passwd-file {
+  # File contains a list of usernames, one per line
+  #args = /etc/dovecot.deny
+  #deny = yes
+#}
 
-  # passwd-like file with specified location
-  # <doc/wiki/AuthDatabase.PasswdFile.txt>
-  #userdb passwd-file {
-    # [username_format=<format>] <Path for passwd-file>
-    #args =
-  #}
-
-  # checkpassword executable user database lookup
-  # <doc/wiki/AuthDatabase.CheckPassword.txt>
-  #userdb checkpassword {
-    # Path for checkpassword binary
-    #args = 
-  #}
-
-  # static settings generated from template <doc/wiki/UserDatabase.Static.txt>
-  #userdb static {
-    # Template for the fields. Can return anything a userdb could normally
-    # return. For example:
-    #
-    #  args = uid=500 gid=500 home=/var/mail/%u
-    #
-    # If you use deliver, it needs to look up users only from the userdb. This
-    # of course doesn't work with static because there is no list of users.
-    # Normally static userdb handles this by doing a passdb lookup. This works
-    # with most passdbs, with PAM being the most notable exception. If you do
-    # the user verification another way, you can add allow_all_users=yes to
-    # the args in which case the passdb lookup is skipped.
-    #
-    #args =
-  #}
-
-  # SQL database <doc/wiki/AuthDatabase.SQL.txt>
-  #userdb sql {
-    # Path for SQL configuration file, see doc/dovecot-sql-example.conf
-    #args = 
-  #}
-
-  # LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
-  #userdb ldap {
-    # Path for LDAP configuration file, see doc/dovecot-ldap-example.conf
-    #args = 
-  #}
-
-  # vpopmail <doc/wiki/AuthDatabase.VPopMail.txt>
-  #userdb vpopmail {
-  #}
-
-  # Require a valid SSL client certificate or the authentication fails.
-  #auth_ssl_require_client_cert = no
-
-  # Take the username from client's SSL certificate, using 
-  # X509_NAME_get_text_by_NID() which returns the subject's DN's
-  # CommonName. 
-  #auth_ssl_username_from_cert = no
+# PAM authentication. Preferred nowadays by most systems. 
+# Note that PAM can only be used to verify if user's password is correct,
+# so it can't be used as userdb. If you don't want to use a separate user
+# database (passwd usually), you can use static userdb.
+# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
+# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
+passdb pam {
+  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
+  # [cache_key=<key>] [<service name>]
+  #
+  # session=yes makes Dovecot open and immediately close PAM session. Some
+  # PAM plugins need this to work, such as pam_mkhomedir.
+  #
+  # setcred=yes makes Dovecot establish PAM credentials if some PAM plugins
+  # need that. They aren't ever deleted though, so this isn't enabled by
+  # default.
+  #
+  # max_requests specifies how many PAM lookups to do in one process before
+  # recreating the process. The default is 100, because many PAM plugins
+  # leak memory.
+  #
+  # cache_key can be used to enable authentication caching for PAM
+  # (auth_cache_size also needs to be set). It isn't enabled by default
+  # because PAM modules can do all kinds of checks besides checking password,
+  # such as checking IP address. Dovecot can't know about these checks
+  # without some help. cache_key is simply a list of variables (see
+  # doc/wiki/Variables.txt) which must match for the cached data to be used.
+  # Here are some examples:
+  #   %u - Username must match. Probably sufficient for most uses.
+  #   %u%r - Username and remote IP address must match.
+  #   %u%s - Username and service (ie. IMAP, POP3) must match.
+  # 
+  # The service name can contain variables, for example %Ls expands to
+  # pop3 or imap.
+  #
+  # Some examples:
+  #   args = session=yes %Ls
+  #   args = cache_key=%u dovecot
+  #args = dovecot
 }
 
-# If you wish to use another authentication server than dovecot-auth, you can
-# use connect sockets. They are assumed to be already running, Dovecot's master
-# process only tries to connect to them. They don't need any other settings
-# than the path for the master socket, as the configuration is done elsewhere.
-# Note that the client sockets must exist in the login_dir.
-#auth external {
-#  socket connect {
-#    master {
-#      path = /var/run/dovecot/auth-master
-#    }
-#  }
+# System users (NSS, /etc/passwd, or similiar)
+# In many systems nowadays this uses Name Service Switch, which is
+# configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
+#passdb passwd {
+  # [blocking=yes] - See userdb passwd for explanation
+  #args = 
+#}
+
+# Shadow passwords for system users (NSS, /etc/shadow or similiar).
+# Deprecated by PAM nowadays.
+# <doc/wiki/PasswordDatabase.Shadow.txt>
+#passdb shadow {
+  # [blocking=yes] - See userdb passwd for explanation
+  #args = 
+#}
+
+# PAM-like authentication for OpenBSD.
+# <doc/wiki/PasswordDatabase.BSDAuth.txt>
+#passdb bsdauth {
+  # [cache_key=<key>] - See cache_key in PAM for explanation.
+  #args =
+#}
+
+# passwd-like file with specified location
+# <doc/wiki/AuthDatabase.PasswdFile.txt>
+#passdb passwd-file {
+  # [scheme=<default password scheme>] [username_format=<format>]
+  # <Path for passwd-file>
+  #args = 
+#}
+
+# checkpassword executable authentication
+# NOTE: You will probably want to use "userdb prefetch" with this.
+# <doc/wiki/AuthDatabase.CheckPassword.txt>
+#passdb checkpassword {
+  # Path for checkpassword binary
+  #args = 
+#}
+
+# SQL database <doc/wiki/AuthDatabase.SQL.txt>
+#passdb sql {
+  # Path for SQL configuration file, see doc/dovecot-sql-example.conf
+  #args = 
+#}
+
+# LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
+#passdb ldap {
+  # Path for LDAP configuration file, see doc/dovecot-ldap-example.conf
+  #args = 
+#}
+
+# vpopmail authentication <doc/wiki/AuthDatabase.VPopMail.txt>
+#passdb vpopmail {
+  # [cache_key=<key>] - See cache_key in PAM for explanation.
+  # [quota_template=<template>] - %q expands to Maildir++ quota
+  #   (eg. quota_template=quota_rule=*:backend=%q)
+  #args =
 #}
+
+##
+## User databases
+##
+
+#
+# User database specifies where mails are located and what user/group IDs
+# own them. For single-UID configuration use "static".
+#
+# <doc/wiki/UserDatabase.txt>
+#
+
+# "prefetch" user database means that the passdb already provided the
+# needed information and there's no need to do a separate userdb lookup.
+# This can be made to work with SQL and LDAP databases, see their example
+# configuration files for more information how to do it.
+# <doc/wiki/UserDatabase.Prefetch.txt>
+#userdb prefetch {
+#}
+
+# System users (NSS, /etc/passwd, or similiar). In many systems nowadays this
+# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
+# <doc/wiki/AuthDatabase.Passwd.txt>
+userdb passwd {
+  # [blocking=yes] - By default the lookups are done in the main dovecot-auth
+  # process. This setting causes the lookups to be done in auth worker
+  # proceses. Useful with remote NSS lookups that may block.
+  # NOTE: Be sure to use this setting with nss_ldap or users might get
+  # logged in as each others!
+  #args = 
+}
+
+# passwd-like file with specified location
+# <doc/wiki/AuthDatabase.PasswdFile.txt>
+#userdb passwd-file {
+  # [username_format=<format>] <Path for passwd-file>
+  #args =
+#}
+
+# checkpassword executable user database lookup
+# <doc/wiki/AuthDatabase.CheckPassword.txt>
+#userdb checkpassword {
+  # Path for checkpassword binary
+  #args = 
+#}
+
+# static settings generated from template <doc/wiki/UserDatabase.Static.txt>
+#userdb static {
+  # Template for the fields. Can return anything a userdb could normally
+  # return. For example:
+  #
+  #  args = uid=500 gid=500 home=/var/mail/%u
+  #
+  # If you use deliver, it needs to look up users only from the userdb. This
+  # of course doesn't work with static because there is no list of users.
+  # Normally static userdb handles this by doing a passdb lookup. This works
+  # with most passdbs, with PAM being the most notable exception. If you do
+  # the user verification another way, you can add allow_all_users=yes to
+  # the args in which case the passdb lookup is skipped.
+  #
+  #args =
+#}
+
+# SQL database <doc/wiki/AuthDatabase.SQL.txt>
+#userdb sql {
+  # Path for SQL configuration file, see doc/dovecot-sql-example.conf
+  #args = 
+#}
+
+# LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
+#userdb ldap {
+  # Path for LDAP configuration file, see doc/dovecot-ldap-example.conf
+  #args = 
+#}
+
+# vpopmail <doc/wiki/AuthDatabase.VPopMail.txt>
+#userdb vpopmail {
+#}
--- a/src/auth/auth-settings.c	Mon Aug 31 17:19:56 2009 -0400
+++ b/src/auth/auth-settings.c	Mon Aug 31 17:21:37 2009 -0400
@@ -69,7 +69,6 @@
 	{ SET_DEFLIST, name, offsetof(struct auth_settings, field), defines }
 
 static struct setting_define auth_setting_defines[] = {
-	{ SET_STR, "name", offsetof(struct auth_settings, name), NULL },
 	DEF(SET_STR, mechanisms),
 	DEF(SET_STR, realms),
 	DEF(SET_STR, default_realm),
@@ -102,9 +101,6 @@
 };
 
 static struct auth_settings auth_default_settings = {
-	MEMBER(name) NULL,
-	MEMBER(root) NULL,
-
 	MEMBER(mechanisms) "plain",
 	MEMBER(realms) "",
 	MEMBER(default_realm) "",
@@ -138,47 +134,18 @@
 	MEMBER(defines) auth_setting_defines,
 	MEMBER(defaults) &auth_default_settings,
 
-	MEMBER(parent) &auth_root_setting_parser_info,
-	MEMBER(dynamic_parsers) NULL,
-
-	MEMBER(parent_offset) offsetof(struct auth_settings, root),
-	MEMBER(type_offset) offsetof(struct auth_settings, name),
-	MEMBER(struct_size) sizeof(struct auth_settings),
-	MEMBER(check_func) auth_settings_check
-};
-
-#undef DEF
-#undef DEFLIST
-#define DEF(type, name) \
-	{ type, #name, offsetof(struct auth_root_settings, name), NULL }
-#define DEFLIST(field, name, defines) \
-	{ SET_DEFLIST, name, offsetof(struct auth_root_settings, field), defines }
-
-static struct setting_define auth_root_setting_defines[] = {
-	DEFLIST(auths, "auth", &auth_setting_parser_info),
-
-	SETTING_DEFINE_LIST_END
-};
-
-static struct auth_root_settings auth_root_default_settings = {
-	MEMBER(auths) ARRAY_INIT
-};
-
-struct setting_parser_info auth_root_setting_parser_info = {
-	MEMBER(defines) auth_root_setting_defines,
-	MEMBER(defaults) &auth_root_default_settings,
-
 	MEMBER(parent) NULL,
 	MEMBER(dynamic_parsers) NULL,
 
 	MEMBER(parent_offset) (size_t)-1,
 	MEMBER(type_offset) (size_t)-1,
-	MEMBER(struct_size) sizeof(struct auth_root_settings)
+	MEMBER(struct_size) sizeof(struct auth_settings),
+	MEMBER(check_func) auth_settings_check
 };
 
 /* <settings checks> */
 static bool auth_settings_check(void *_set, pool_t pool ATTR_UNUSED,
-				const char **error_r)
+				const char **error_r ATTR_UNUSED)
 {
 	struct auth_settings *set = _set;
 
@@ -186,40 +153,23 @@
 		set->debug = TRUE;
 	if (set->debug)
 		set->verbose = TRUE;
-
-	if (set->name == NULL) {
-		*error_r = "auth section is missing name";
-		return FALSE;
-	}
 	return TRUE;
 }
 /* </settings checks> */
 
 struct auth_settings *
-auth_settings_read(struct master_service *service, const char *name)
+auth_settings_read(struct master_service *service)
 {
 	static const struct setting_parser_info *set_roots[] = {
-		&auth_root_setting_parser_info,
+		&auth_setting_parser_info,
 		NULL
 	};
 	const char *error;
 	void **sets;
-	struct auth_settings *const *auths;
-	struct auth_root_settings *set;
-	unsigned int i, count;
 
 	if (master_service_settings_read_simple(service, set_roots, &error) < 0)
 		i_fatal("Error reading configuration: %s", error);
 
 	sets = master_service_settings_get_others(service);
-	set = sets[0];
-
-	if (array_is_created(&set->auths)) {
-		auths = array_get(&set->auths, &count);
-		for (i = 0; i < count; i++) {
-			if (strcmp(auths[i]->name, name) == 0)
-				return auths[i];
-		}
-	}
-	i_fatal("Error reading configuration: No auth section: %s", name);
+	return sets[0];
 }
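Review bot: `return sets[0];` in auth_settings_read() relies on the first entry returned by master_service_settings_get_others() being the struct built from `auth_setting_parser_info`, and nothing in the function states that link. Because `sets` is a `void **`, the conversion to `struct auth_settings *` compiles whatever index 0 actually holds, so a later reorder or extension of `set_roots` could hand the auth process a mis-typed settings struct with no diagnostic. A one-line comment above the return would record the assumption, e.g. `/* sets[] follows set_roots order: [0] is auth_setting_parser_info */`; the ordering is inferred from how this function uses the array and should be confirmed against the master-service settings code. The hunk opens inside auth_settings_check(), whose start lies outside it.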
--- a/src/auth/auth-settings.h	Mon Aug 31 17:19:56 2009 -0400
+++ b/src/auth/auth-settings.h	Mon Aug 31 17:21:37 2009 -0400
@@ -17,9 +17,6 @@
 };
 
 struct auth_settings {
-	const char *name;
-	struct auth_root_settings *root;
-
 	const char *mechanisms;
 	const char *realms;
 	const char *default_realm;
@@ -47,11 +44,6 @@
 	ARRAY_DEFINE(userdbs, struct auth_userdb_settings *);
 };
 
-struct auth_root_settings {
-	ARRAY_DEFINE(auths, struct auth_settings *);
-};
-
-struct auth_settings *
-auth_settings_read(struct master_service *service, const char *name);
+struct auth_settings *auth_settings_read(struct master_service *service);
 
 #endif
--- a/src/auth/main.c	Mon Aug 31 17:19:56 2009 -0400
+++ b/src/auth/main.c	Mon Aug 31 17:21:37 2009 -0400
@@ -164,7 +164,7 @@
 
 int main(int argc, char *argv[])
 {
-	const char *getopt_str, *auth_name = "default";
+	const char *getopt_str;
 	int c;
 
 	master_service = master_service_init("auth", 0, argc, argv);
@@ -173,9 +173,6 @@
         getopt_str = t_strconcat("w", master_service_getopt_string(), NULL);
 	while ((c = getopt(argc, argv, getopt_str)) > 0) {
 		switch (c) {
-		case 'a':
-			auth_name = optarg;
-			break;
 		case 'w':
 			worker = TRUE;
 			break;
@@ -187,7 +184,7 @@
 		}
 	}
 
-	main_preinit(auth_settings_read(master_service, auth_name));
+	main_preinit(auth_settings_read(master_service));
 
 	master_service_init_finish(master_service);
 	main_init();
--- a/src/config/config-parser.c	Mon Aug 31 17:19:56 2009 -0400
+++ b/src/config/config-parser.c	Mon Aug 31 17:21:37 2009 -0400
@@ -494,12 +494,11 @@
 	enum settings_parser_flags parser_flags =
                 SETTINGS_PARSER_FLAG_IGNORE_UNKNOWN_KEYS;
 	struct input_stack root;
-	ARRAY_TYPE(const_string) auth_defaults;
 	struct config_setting_parser_list *const *parsers;
 	struct parser_context ctx;
 	unsigned int pathlen = 0;
-	unsigned int i, count, counter = 0, auth_counter = 0, cur_counter;
-	const char *errormsg, *key, *value, *section, *p;
+	unsigned int i, count, counter = 0, cur_counter;
+	const char *errormsg, *key, *value, *section;
 	string_t *str, *full_line;
 	enum config_line_type type;
 	char *line;
@@ -526,18 +525,12 @@
 					     parser_flags);
 	}
 
-	t_array_init(&auth_defaults, 32);
 	t_array_init(&ctx.cur_parsers, 128);
 	p_array_init(&ctx.all_parsers, ctx.pool, 128);
 	ctx.cur_filter = p_new(ctx.pool, struct config_filter_stack, 1);
 	config_add_new_parser(&ctx);
 	parsers = config_update_cur_parsers(&ctx);
 
-	(void)config_apply_line(parsers, "0", "auth=0", NULL, &errormsg);
-	i_assert(errormsg == NULL);
-	(void)config_apply_line(parsers, "name", "auth/0/name=default", NULL, &errormsg);
-	i_assert(errormsg == NULL);
-
 	memset(&root, 0, sizeof(root));
 	root.path = path;
 	ctx.cur_input = &root;
@@ -569,25 +562,7 @@
 				/* file reading failed */
 				break;
 			}
-
-			if (config_apply_line(parsers, key, str_c(str), NULL, &errormsg) < 0 &&
-			    pathlen == 0 && strncmp(str_c(str), "auth_", 5) == 0) {
-				/* get auth_* settings working outside auth
-				   sections. we'll verify that the setting is
-				   valid, but delay actually adding it */
-				const char *s = t_strdup(str_c(str));
-
-				str_truncate(str, 0);
-				str_printfa(str, "auth/0/%s=", key);
-				if (*value != '<' || !expand_files)
-					str_append(str, value);
-				else
-					str_append_file(str, key, value+1, &errormsg);
-
-				if (config_apply_line(parsers, key, str_c(str), NULL, &errormsg) < 0)
-					break;
-				array_append(&auth_defaults, &s, 1);
-			}
+			(void)config_apply_line(parsers, key, str_c(str), NULL, &errormsg);
 			break;
 		case CONFIG_LINE_TYPE_SECTION_BEGIN:
 			config_add_new_filter(&ctx);
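Review bot: The new `(void)config_apply_line(parsers, key, str_c(str), NULL, &errormsg);` discards the return value, while the section-begin call later in this file keeps `if (config_apply_line(...) < 0) break;`. Both paths leave the switch either way, so a failure here appears to be reported only if `errormsg` is inspected after the switch, which is outside this hunk. If that is the case, a short comment such as `/* failure is reported through errormsg after the switch */` would make the dependency explicit, and using the same `< 0` form would keep the two call sites consistent. It matters for this file in particular because a rejected `auth_*` line that went unreported would leave the auth process running on its built-in defaults. The enclosing function starts and ends outside the hunk.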
@@ -613,47 +588,19 @@
 				str_truncate(str, pathlen);
 				str_append(str, key);
 				pathlen = str_len(str);
-
-				if (strcmp(key, "auth") == 0) {
-					cur_counter = auth_counter++;
-					if (cur_counter == 0 && strcmp(section, "default") != 0)
-						cur_counter = auth_counter++;
-				} else {
-					cur_counter = counter++;
-				}
+				cur_counter = counter++;
 
 				str_append_c(str, '=');
 				str_printfa(str, "%u", cur_counter);
 
-				if (cur_counter == 0 && strcmp(key, "auth") == 0) {
-					/* already added this */
-				} else {
-					if (config_apply_line(parsers, key, str_c(str), section, &errormsg) < 0)
-						break;
-				}
+				if (config_apply_line(parsers, key, str_c(str), section, &errormsg) < 0)
+					break;
 
 				str_truncate(str, pathlen);
 				str_append_c(str, SETTINGS_SEPARATOR);
 				str_printfa(str, "%u", cur_counter);
 				str_append_c(str, SETTINGS_SEPARATOR);
 				pathlen = str_len(str);
-
-				if (strcmp(key, "auth") == 0) {
-					/* add auth default settings */
-					const char *const *lines;
-					unsigned int i, count;
-
-					lines = array_get(&auth_defaults, &count);
-					for (i = 0; i < count; i++) {
-						str_truncate(str, pathlen);
-
-						p = strchr(lines[i], '=');
-						str_append(str, lines[i]);
-
-						if (config_apply_line(parsers, t_strdup_until(lines[i], p), str_c(str), NULL, &errormsg) < 0)
-							i_unreached();
-					}
-				}
 			}
 			break;
 		case CONFIG_LINE_TYPE_SECTION_END: