From 9622f28e255a101ee7239e3ffd42d8d80637654a Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 27 Jan 2021 05:49:34 -0500
Subject: [PATCH] skip counting failed login attempts from dovecot

Failed dovecot logins should not result in account getting locked.

revert "use pam_tally2 only for login"
---
 usr/lib/security-misc/pam_tally2_not_if_x | 38 ++++++++++++++++++++++
 usr/share/pam-configs/tally2-security-misc | 2 +-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100755 usr/lib/security-misc/pam_tally2_not_if_x

diff --git a/usr/lib/security-misc/pam_tally2_not_if_x b/usr/lib/security-misc/pam_tally2_not_if_x
new file mode 100755
index 0000000..88e56f3
--- /dev/null
+++ b/usr/lib/security-misc/pam_tally2_not_if_x
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files
+
+set -x
+
+true "PAM_SERVICE: $PAM_SERVICE"
+
+## PAM configuration notes
+##
+## success=$num
+## "will specify how many rules to skip when successful."
+## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files
+##
+## ignore
+## "when used with a stack of modules, the module's return status will not contribute to the return code the application obtains."
+## http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html
+
+## - Failed dovecot logins should not result in account getting locked.
+## - Failed SSH public key authentication attempts do not increase pam_tally2
+## counter for some reason.
+## This list can later be extended as needed.
+pam_service_exclusion_list="dovecot"
+
+for pam_service_exclusion_item in $pam_service_exclusion_list ; do
+ if [ "$PAM_SERVICE" = "$pam_service_exclusion_item" ]; then
+ ## exit success so [success=1 default=ignore] will result in skipping the
+ ## next PAM module (the pam_tally2 module).
+ exit 0
+ fi
+done
+
+## exit failure so [success=1 default=ignore] will result in running the
+## next PAM module (the pam_tally2 module).
+exit 1
diff --git a/usr/share/pam-configs/tally2-security-misc b/usr/share/pam-configs/tally2-security-misc
index 6d8dd7e..0b23744 100644
--- a/usr/share/pam-configs/tally2-security-misc
+++ b/usr/share/pam-configs/tally2-security-misc
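Review bot: The exclusion list is a whitespace-split string walked with `for pam_service_exclusion_item in $pam_service_exclusion_list ; do` and a `[ … ]` test; under `#!/bin/bash` a list array, `pam_service_exclusion_list=(dovecot)` with `for pam_service_exclusion_item in "${pam_service_exclusion_list[@]}"; do`, or a single `case "$PAM_SERVICE" in` expresses the same match without relying on word splitting and keeps ShellCheck quiet. The control flow otherwise looks right: `exit 0` yields success so `[success=1 default=ignore]` skips pam_tally2, while any non-zero exit — including, as far as I can tell from pam_exec, the case where the script is missing or not executable — is an error that `default=ignore` drops, so the failure mode is that attempts are still counted, which is the safe direction. `set -x` traces every line, including the value of `PAM_SERVICE`, to the child's stderr rather than through a pam_exec `log=` target; if that is debugging-only it should say so, e.g. `## set -x: debugging trace, goes to the calling application's stderr`, or be gated behind a variable. The note about SSH public-key failures not incrementing the counter sits inside the rationale for the exclusion list but describes a service that is not on it; a separate line such as `## Unrelated: sshd public-key failures are not counted by pam_tally2.` would avoid suggesting sshd is excluded.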
@@ -4,7 +4,7 @@ Priority: 290
 Auth-Type: Primary
 Auth:
  optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam_tally2-info
- [success=1 default=ignore] pam_exec.so seteuid quiet /usr/lib/security-misc/pam_only_if_login
+ [success=1 default=ignore] pam_exec.so seteuid quiet /usr/lib/security-misc/pam_tally2_not_if_x
  requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug
 Account-Type: Primary
 Account:
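Review bot: After this line change nothing in the config references `/usr/lib/security-misc/pam_only_if_login` any more, yet the diffstat lists only two files, so the old helper stays installed; if no other stack uses it, remove it in the same change so the package does not ship a dead PAM gate. The Account section continues past the hunk, so whether pam_tally2.so is also consulted there (and therefore still applies the lockout to dovecot account checks) cannot be confirmed from this view.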