Bernardo Reino
2022-Oct-11 14:07 UTC
Dovecot mail-crypt webmail can't read encrypted messages
On Mon, 10 Oct 2022, Serveria Support wrote:

> I checked the source code on Github and discussed this with a C developer.
> There seem to be too many files... perhaps somebody can guide me where should
> I look? Aki?

You should search for "given password" in the source.

Hint:
src/auth/passdb-pam.c, around lines 175-178.
src/auth/auth-request.c, around lines 2311-2312.

This is with the latest source (2.3.19.1).

Cheers.

PS: But as I noted, nothing prevents $HACKER from bringing their own dovecot (BYOD :) with all debugging options enabled, etc. As others have noted, if the intruder owns your server, you have lost. Period.

Serveria Support
2022-Oct-11 16:37 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Ok, this is something... let me check...

If you're referring to these pieces of code:

    if (path != NULL) {
        /* log this as error, since it probably is */
        str = t_strdup_printf("%s (%s missing?)", str, path);
        e_error(authdb_event(request), "%s", str);
    } else if (status == PAM_AUTH_ERR) {
        str = t_strconcat(str, " ("AUTH_LOG_MSG_PASSWORD_MISMATCH"?)", NULL);
        if (request->set->debug_passwords) {
            str = t_strconcat(str, " (given password: ",
                              request->mech_password, ")", NULL);
        }

and:

    void auth_request_log_login_failure(struct auth_request *request,
                                        const char *subsystem,
                                        const char *message)

I'm not a programmer, let alone a C guru, but these extracts look like password failure logging. Are you sure they are recording successful authentications for the logs?

On 2022-10-11 17:07, Bernardo Reino wrote:

> On Mon, 10 Oct 2022, Serveria Support wrote:
>
>> I checked the source code on Github and discussed this with a C
>> developer. There seem to be too many files... perhaps somebody can
>> guide me where should I look? Aki?
>
> You should search for "given password" in the source.
>
> Hint:
> src/auth/passdb-pam.c, around lines 175-178.
> src/auth/auth-request.c, around lines 2311-2312.
>
> This is with the latest source (2.3.19.1).
>
> Cheers.
>
> PS: But as I noted, nothing prevents $HACKER from bringing their own
> dovecot (BYOD :) with all debugging options enabled, etc. As others
> have noted, if the intruder owns your server, you have lost. Period.
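
Added example, not part of the thread and not Dovecot code: a Python check an administrator could run for the password logging discussed above. It masks the "(given password: ...)" suffix built by the quoted passdb-pam.c code and flags the settings that turn such logging on; the setting names auth_debug_passwords and auth_verbose_passwords, the `doveconf -n` style input and all sample lines are assumptions constructed for illustration.

```python
import re

# Suffix appended by the quoted passdb-pam.c code when debug_passwords is set.
# Greedy match: the password may itself contain ')', and the suffix ends the line.
GIVEN_PW = re.compile(r"\(given password: (.*)\)\s*$")

def scrub(line):
    """Return (line with the password masked, True if a password was present)."""
    m = GIVEN_PW.search(line)
    if not m:
        return line, False
    return line[:m.start(1)] + "<redacted>" + line[m.end(1):], True

def risky_settings(doveconf_text):
    """List settings in `key = value` config text that put passwords in logs.
    Assumption: auth_debug_passwords maps to request->set->debug_passwords."""
    found = []
    for raw in doveconf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "auth_debug_passwords" and value == "yes":
            found.append(key)
        elif key == "auth_verbose_passwords" and value not in ("", "no"):
            found.append(key)
    return found

# Constructed sample input, not taken from a real server.
SAMPLE_LOG = [
    "Oct 11 16:30:01 mx auth: pam(alice,203.0.113.7): pam_authenticate() failed: "
    "Authentication failure (Password mismatch?) (given password: hunter2)",
    "Oct 11 16:30:09 mx auth: pam(bob,203.0.113.7): pam_authenticate() failed: "
    "Authentication failure (Password mismatch?) (given password: p(a)ss)",
    "Oct 11 16:31:00 mx imap-login: Login: user=<alice>, method=PLAIN",
]
SAMPLE_CONF = """\
auth_debug = yes
auth_debug_passwords = yes   # constructed: the weak setting
auth_verbose_passwords = plain
mail_plugins = mail_crypt
"""

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        text, leaked = scrub(entry)
        print(("LEAK  " if leaked else "ok    ") + text)
    print("settings to turn off:", risky_settings(SAMPLE_CONF))
```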