Serveria Support
2022-Oct-11 20:21 UTC
Dovecot mail-crypt webmail can't read encrypted messages
I'm sorry but I wasn't able to find src/config/all-settings.c file. all-settings.h is there but all-settings.c is missing. I checked on Github (thought maybe some files failed to extract) and it's missing there too. On 2022-10-11 22:15, Bernardo Reino wrote:> Please please stop top-posting. Makes a mess of everything! > > On Tue, 11 Oct 2022, Serveria Support wrote: > >> Ok, this is something... let me check... >> >> If you're you referring to these pieces of code: >> >> [...] >> >> I'm not a programmer, let alone a C guru, but these extracts look like >> password failure logging. Are you sure they are recording successful >> authentications for the logs? > > OK. I thought the code would be the same. I *do* log failed passwords, > so I sort of thought only about that string ("given password: "). > > I enabled debug passwords on my server, to test, so I could see how it > looks like in the log. > > The "keyword" in the code seems to be "hide_pass", so if you search > for that in the code, you find a few instances where passwords are > (selectively) removed/replaced in a given line of text. > > But at this point I think the easiest in this absurd (IMHO) quest of > yours is to patch src/config/all-settings.c, and, around line 4141: > > static bool login_settings_check(void *_set, pool_t pool, > const char **error_r ATTR_UNUSED) > { > struct login_settings *set = _set; > > set->log_format_elements_split > p_strsplit(pool, set->login_log_format_elements, " "); > > /* >>> INSERT HERE */ > set->auth_debug_passwords = FALSE; > /* */ > > if (set->auth_debug_passwords) > set->auth_debug = TRUE; > if (set->auth_debug) > set->auth_verbose = TRUE; > return TRUE; > } > > If I'm right, this will just turn off the flag whenever dovecot checks > the settings, i.e. regardless of what's in the actual dovecot.conf, so > it should do the trick. > > But at this point this feels like a useless homework assignment, so I > think I'll stop (I used to be good with C, now I'm read/only, and my > time is very limited). > > (I do make a mental note of having a statically linked dovecot binary > with forced password debugging. You never know when/where you might > need it ;-) > > Cheers and good luck, > Bernardo > >> On 2022-10-11 17:07, Bernardo Reino wrote: >>> On Mon, 10 Oct 2022, Serveria Support wrote: >>> >>>> I checked the source code on Github and discussed this with a C >>>> developer. There seem to be too many files... perhaps somebody can >>>> guide >>>> me where should I look? Aki? >>> >>> You should search for "given password" in the source. >>> >>> Hint: >>> src/auth/passdb-pam.c, around lines 175-178. >>> src/auth/auth-request.c, around lines 2311-2312. >>> >>> This is with the latest source (2.3.19.1). >>> >>> Cheers. >>> >>> PS: But as I noted, nothing prevents $HACKER from bringing their own >>> dovecot (BYOD :) with all debugging options enabled, etc. As others >>> have noted, if the intruder owns your server, you have lost. Period. >>
Bernardo Reino
2022-Oct-12 05:54 UTC
Dovecot mail-crypt webmail can't read encrypted messages
On Tue, 11 Oct 2022, Serveria Support wrote:> I'm sorry but I wasn't able to find src/config/all-settings.c file. > all-settings.h is there but all-settings.c is missing. I checked on > Github (thought maybe some files failed to extract) and it's missing > there too.When building from git, you need to run ./autogen.sh first. ^^ This is from the instructions in git (INSTALL.md). This generates, among others, the file I mentioned.> On 2022-10-11 22:15, Bernardo Reino wrote: >> Please please stop top-posting. Makes a mess of everything! >> >> On Tue, 11 Oct 2022, Serveria Support wrote: >> >>> Ok, this is something... let me check... >>> >>> If you're you referring to these pieces of code: >>> >>> [...] >>> >>> I'm not a programmer, let alone a C guru, but these extracts >>> look like password failure logging. Are you sure they are >>> recording successful authentications for the logs? >> >> OK. I thought the code would be the same. I *do* log failed >> passwords, >> so I sort of thought only about that string ("given password: "). >> >> I enabled debug passwords on my server, to test, so I could see >> how it >> looks like in the log. >> >> The "keyword" in the code seems to be "hide_pass", so if you >> search >> for that in the code, you find a few instances where passwords >> are >> (selectively) removed/replaced in a given line of text. >> >> But at this point I think the easiest in this absurd (IMHO) quest >> of >> yours is to patch src/config/all-settings.c, and, around line >> 4141: >> >> static bool login_settings_check(void *_set, pool_t pool, >> const char **error_r ATTR_UNUSED) >> { >> struct login_settings *set = _set; >> >> set->log_format_elements_split >> p_strsplit(pool, set->login_log_format_elements, " "); >> >> /* >>> INSERT HERE */ >> set->auth_debug_passwords = FALSE; >> /* */ >> >> if (set->auth_debug_passwords) >> set->auth_debug = TRUE; >> if (set->auth_debug) >> set->auth_verbose = TRUE; >> return TRUE; >> } >> >> If I'm right, this will just turn off the flag whenever dovecot >> checks >> the settings, i.e. regardless of what's in the actual >> dovecot.conf, so >> it should do the trick. >> >> But at this point this feels like a useless homework assignment, >> so I >> think I'll stop (I used to be good with C, now I'm read/only, and >> my >> time is very limited). >> >> (I do make a mental note of having a statically linked dovecot >> binary >> with forced password debugging. You never know when/where you >> might >> need it ;-) >> >> Cheers and good luck, >> Bernardo >> >>> On 2022-10-11 17:07, Bernardo Reino wrote: >>>> On Mon, 10 Oct 2022, Serveria Support wrote: >>>> >>>>> I checked the source code on Github and discussed this with a >>>>> C >>>>> developer. There seem to be too many files... perhaps >>>>> somebody can >>>>> guide >>>>> me where should I look? Aki? >>>> >>>> You should search for "given password" in the source. >>>> >>>> Hint: >>>> src/auth/passdb-pam.c, around lines 175-178. >>>> src/auth/auth-request.c, around lines 2311-2312. >>>> >>>> This is with the latest source (2.3.19.1). >>>> >>>> Cheers. >>>> >>>> PS: But as I noted, nothing prevents $HACKER from bringing >>>> their own >>>> dovecot (BYOD :) with all debugging options enabled, etc. As >>>> others >>>> have noted, if the intruder owns your server, you have lost. >>>> Period. >>> >