Serveria Support
2022-Oct-11  16:37 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Ok, this is something... let me check...
If you're you referring to these pieces of code:
if (path != NULL) {
			/* log this as error, since it probably is */
			str = t_strdup_printf("%s (%s missing?)", str, path);
			e_error(authdb_event(request), "%s", str);
		} else if (status == PAM_AUTH_ERR) {
			str = t_strconcat(str, "
("AUTH_LOG_MSG_PASSWORD_MISMATCH"?)", NULL);
			if (request->set->debug_passwords) {
				str = t_strconcat(str, " (given password: ",
						  request->mech_password,
						  ")", NULL);
			}
and:
void auth_request_log_login_failure(struct auth_request *request,
				    const char *subsystem,
				    const char *message)
I'm not a programmer, let alone a C guru, but these extracts look like 
password failure logging. Are you sure they are recording successful 
authentications for the logs?
On 2022-10-11 17:07, Bernardo Reino wrote:> On Mon, 10 Oct 2022, Serveria Support wrote:
> 
>> I checked the source code on Github and discussed this with a C 
>> developer. There seem to be too many files... perhaps somebody can 
>> guide me where should I look? Aki?
> 
> You should search for "given password" in the source.
> 
> Hint:
> src/auth/passdb-pam.c, around lines 175-178.
> src/auth/auth-request.c, around lines 2311-2312.
> 
> This is with the latest source (2.3.19.1).
> 
> Cheers.
> 
> PS: But as I noted, nothing prevents $HACKER from bringing their own
> dovecot (BYOD :) with all debugging options enabled, etc. As others
> have noted, if the intruder owns your server, you have lost. Period.
Bernardo Reino
2022-Oct-11  19:15 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Please please stop top-posting. Makes a mess of everything! On Tue, 11 Oct 2022, Serveria Support wrote:> Ok, this is something... let me check... > > If you're you referring to these pieces of code: > > [...] > > I'm not a programmer, let alone a C guru, but these extracts look like > password failure logging. Are you sure they are recording successful > authentications for the logs?OK. I thought the code would be the same. I *do* log failed passwords, so I sort of thought only about that string ("given password: "). I enabled debug passwords on my server, to test, so I could see how it looks like in the log. The "keyword" in the code seems to be "hide_pass", so if you search for that in the code, you find a few instances where passwords are (selectively) removed/replaced in a given line of text. But at this point I think the easiest in this absurd (IMHO) quest of yours is to patch src/config/all-settings.c, and, around line 4141: static bool login_settings_check(void *_set, pool_t pool, const char **error_r ATTR_UNUSED) { struct login_settings *set = _set; set->log_format_elements_split p_strsplit(pool, set->login_log_format_elements, " "); /* >>> INSERT HERE */ set->auth_debug_passwords = FALSE; /* */ if (set->auth_debug_passwords) set->auth_debug = TRUE; if (set->auth_debug) set->auth_verbose = TRUE; return TRUE; } If I'm right, this will just turn off the flag whenever dovecot checks the settings, i.e. regardless of what's in the actual dovecot.conf, so it should do the trick. But at this point this feels like a useless homework assignment, so I think I'll stop (I used to be good with C, now I'm read/only, and my time is very limited). (I do make a mental note of having a statically linked dovecot binary with forced password debugging. You never know when/where you might need it ;-) Cheers and good luck, Bernardo> On 2022-10-11 17:07, Bernardo Reino wrote: >> On Mon, 10 Oct 2022, Serveria Support wrote: >> >>> I checked the source code on Github and discussed this with a C >>> developer. There seem to be too many files... perhaps somebody can guide >>> me where should I look? Aki? >> >> You should search for "given password" in the source. >> >> Hint: >> src/auth/passdb-pam.c, around lines 175-178. >> src/auth/auth-request.c, around lines 2311-2312. >> >> This is with the latest source (2.3.19.1). >> >> Cheers. >> >> PS: But as I noted, nothing prevents $HACKER from bringing their own >> dovecot (BYOD :) with all debugging options enabled, etc. As others >> have noted, if the intruder owns your server, you have lost. Period. >