Bernardo Reino
2022-Oct-12 05:54 UTC
Dovecot mail-crypt webmail can't read encrypted messages
On Tue, 11 Oct 2022, Serveria Support wrote:> I'm sorry but I wasn't able to find src/config/all-settings.c file. > all-settings.h is there but all-settings.c is missing. I checked on > Github (thought maybe some files failed to extract) and it's missing > there too.When building from git, you need to run ./autogen.sh first. ^^ This is from the instructions in git (INSTALL.md). This generates, among others, the file I mentioned.> On 2022-10-11 22:15, Bernardo Reino wrote: >> Please please stop top-posting. Makes a mess of everything! >> >> On Tue, 11 Oct 2022, Serveria Support wrote: >> >>> Ok, this is something... let me check... >>> >>> If you're you referring to these pieces of code: >>> >>> [...] >>> >>> I'm not a programmer, let alone a C guru, but these extracts >>> look like password failure logging. Are you sure they are >>> recording successful authentications for the logs? >> >> OK. I thought the code would be the same. I *do* log failed >> passwords, >> so I sort of thought only about that string ("given password: "). >> >> I enabled debug passwords on my server, to test, so I could see >> how it >> looks like in the log. >> >> The "keyword" in the code seems to be "hide_pass", so if you >> search >> for that in the code, you find a few instances where passwords >> are >> (selectively) removed/replaced in a given line of text. >> >> But at this point I think the easiest in this absurd (IMHO) quest >> of >> yours is to patch src/config/all-settings.c, and, around line >> 4141: >> >> static bool login_settings_check(void *_set, pool_t pool, >> const char **error_r ATTR_UNUSED) >> { >> struct login_settings *set = _set; >> >> set->log_format_elements_split >> p_strsplit(pool, set->login_log_format_elements, " "); >> >> /* >>> INSERT HERE */ >> set->auth_debug_passwords = FALSE; >> /* */ >> >> if (set->auth_debug_passwords) >> set->auth_debug = TRUE; >> if (set->auth_debug) >> set->auth_verbose = TRUE; >> return TRUE; >> } >> >> If I'm right, this will just turn off the flag whenever dovecot >> checks >> the settings, i.e. regardless of what's in the actual >> dovecot.conf, so >> it should do the trick. >> >> But at this point this feels like a useless homework assignment, >> so I >> think I'll stop (I used to be good with C, now I'm read/only, and >> my >> time is very limited). >> >> (I do make a mental note of having a statically linked dovecot >> binary >> with forced password debugging. You never know when/where you >> might >> need it ;-) >> >> Cheers and good luck, >> Bernardo >> >>> On 2022-10-11 17:07, Bernardo Reino wrote: >>>> On Mon, 10 Oct 2022, Serveria Support wrote: >>>> >>>>> I checked the source code on Github and discussed this with a >>>>> C >>>>> developer. There seem to be too many files... perhaps >>>>> somebody can >>>>> guide >>>>> me where should I look? Aki? >>>> >>>> You should search for "given password" in the source. >>>> >>>> Hint: >>>> src/auth/passdb-pam.c, around lines 175-178. >>>> src/auth/auth-request.c, around lines 2311-2312. >>>> >>>> This is with the latest source (2.3.19.1). >>>> >>>> Cheers. >>>> >>>> PS: But as I noted, nothing prevents $HACKER from bringing >>>> their own >>>> dovecot (BYOD :) with all debugging options enabled, etc. As >>>> others >>>> have noted, if the intruder owns your server, you have lost. >>>> Period. >>> >
Serveria Support
2022-Oct-13 14:05 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Hi, Unfortunately, after running autogen.sh and ./configure the file is still not there. I understand that this is not a Dovecot issue, but perhaps someone can help me with this? On 2022-10-12 08:54, Bernardo Reino wrote:> On Tue, 11 Oct 2022, Serveria Support wrote: > >> I'm sorry but I wasn't able to find src/config/all-settings.c file. >> all-settings.h is there but all-settings.c is missing. I checked on >> Github (thought maybe some files failed to extract) and it's missing >> there too. > > When building from git, you need to run ./autogen.sh first. > ^^ > This is from the instructions in git (INSTALL.md). > > This generates, among others, the file I mentioned. > >> On 2022-10-11 22:15, Bernardo Reino wrote: >>> Please please stop top-posting. Makes a mess of everything! >>> >>> On Tue, 11 Oct 2022, Serveria Support wrote: >>> >>>> Ok, this is something... let me check... >>>> >>>> If you're you referring to these pieces of code: >>>> >>>> [...] >>>> >>>> I'm not a programmer, let alone a C guru, but these extracts >>>> look like password failure logging. Are you sure they are >>>> recording successful authentications for the logs? >>> >>> OK. I thought the code would be the same. I *do* log failed >>> passwords, >>> so I sort of thought only about that string ("given password: "). >>> >>> I enabled debug passwords on my server, to test, so I could see >>> how it >>> looks like in the log. >>> >>> The "keyword" in the code seems to be "hide_pass", so if you >>> search >>> for that in the code, you find a few instances where passwords >>> are >>> (selectively) removed/replaced in a given line of text. >>> >>> But at this point I think the easiest in this absurd (IMHO) quest >>> of >>> yours is to patch src/config/all-settings.c, and, around line >>> 4141: >>> >>> static bool login_settings_check(void *_set, pool_t pool, >>> const char **error_r ATTR_UNUSED) >>> { >>> struct login_settings *set = _set; >>> >>> set->log_format_elements_split >>> p_strsplit(pool, set->login_log_format_elements, " "); >>> >>> /* >>> INSERT HERE */ >>> set->auth_debug_passwords = FALSE; >>> /* */ >>> >>> if (set->auth_debug_passwords) >>> set->auth_debug = TRUE; >>> if (set->auth_debug) >>> set->auth_verbose = TRUE; >>> return TRUE; >>> } >>> >>> If I'm right, this will just turn off the flag whenever dovecot >>> checks >>> the settings, i.e. regardless of what's in the actual >>> dovecot.conf, so >>> it should do the trick. >>> >>> But at this point this feels like a useless homework assignment, >>> so I >>> think I'll stop (I used to be good with C, now I'm read/only, and >>> my >>> time is very limited). >>> >>> (I do make a mental note of having a statically linked dovecot >>> binary >>> with forced password debugging. You never know when/where you >>> might >>> need it ;-) >>> >>> Cheers and good luck, >>> Bernardo >>> >>>> On 2022-10-11 17:07, Bernardo Reino wrote: >>>>> On Mon, 10 Oct 2022, Serveria Support wrote: >>>>> >>>>>> I checked the source code on Github and discussed this with a >>>>>> C >>>>>> developer. There seem to be too many files... perhaps >>>>>> somebody can >>>>>> guide >>>>>> me where should I look? Aki? >>>>> >>>>> You should search for "given password" in the source. >>>>> >>>>> Hint: >>>>> src/auth/passdb-pam.c, around lines 175-178. >>>>> src/auth/auth-request.c, around lines 2311-2312. >>>>> >>>>> This is with the latest source (2.3.19.1). >>>>> >>>>> Cheers. >>>>> >>>>> PS: But as I noted, nothing prevents $HACKER from bringing >>>>> their own >>>>> dovecot (BYOD :) with all debugging options enabled, etc. As >>>>> others >>>>> have noted, if the intruder owns your server, you have lost. >>>>> Period. >>>> >>