Hey everyone,

Ran into something positively perplexing today. A user came
to me and said that this morning when they checked their
mail, they got about 120 strange new messages. Upon further
inspection, it seems the "new" messages are all addressed to
a certain other different user and are all 3 or 4 months old.
And looking in that other user's /var/mail/(username) mailbox,
I see the same messages that arrived mistakenly. And they're
not in the /var/mail mailbox of the user whose desktop computer
they ended up on. So it would appear that, possibly, when this
user connected to the server, they got someone else's messages!
Messages that, in fact, came from an account they don't even
have the password to!

I'm really curious if anyone has seen something like this
before. We're using dovecot-1.0.beta9, and have been since
mid-June. I've never seen anything happen like this before.
I'm perfectly willing to upgrade to the latest release
candidate, but it's hard for me to "upgrade and see if that
fixes it", because it happens so rarely and it won't be easy to
know empirically. So what I'm really hoping for is confirmation
that this is/was a known problem, if in fact it is.

Of course, I don't know that this is a dovecot bug, but I could
imagine that it might be (maybe a daemon forgets to switch
users after one session is closed and another is opened?), so
I thought I'd ask. I did see what looked like TLS fixes and
login fixes in the changelogs, so it doesn't seem out of the
question that such a bug could've existed.

Some more information:

I checked the user's settings on their desktop computer, where
the unexpected messages appear, and sure enough, there is only
one POP server account configured there, and it has the correct
username. What's more, I asked them what time this happened,
and they said probably at 7:00am or maybe a little earlier.
Looking at my dovecot logs, I see this (where 'theuser' is
the user who received the messages):

Sep 28 06:59:49 myhostname dovecot: pop3-login: Disconnected:
user=<theuser>, method=PLAIN, rip=192.168.1.245, lip=192.168.1.20, TLS
Sep 28 06:59:55 myhostname dovecot: pop3-login: Login: user=<theuser>,
method=PLAIN, rip=192.168.1.245, lip=192.168.1.20, TLS
Sep 28 06:59:55 myhostname dovecot: POP3(theuser): Disconnected: Logged out
top=0/0, retr=0/0, del=0/9, size=130585

So, it would seem that the user did log in at the time they
claimed and it was at that time (or close to it) that the weird
messages appeared. Also, I checked the logs for logins from
the person whose messages accidentally got downloaded, and it
doesn't show them logging in until several hours later. Oh, and
there are no log entries for either of the two users in question
before that, at least not for over 12 hours before that.

The user is running Outlook 2003, with POP3 + TLS access to
the mailbox.

My dovecot.conf has nothing fancy in it:

base_dir = /var/run/dovecot/
ssl_cert_file = /etc/mail/certs/server.crt
ssl_key_file = /etc/mail/certs/server.key
protocols = imap imaps pop3 pop3s
disable_plaintext_auth = no
login_dir = /var/run/dovecot/login
syslog_facility = local0
first_valid_uid = 100
protocol imap { }
protocol pop3 {
  pop3_lock_session = yes
  pop3_uidl_format = %08Xv%08Xu
}
auth default {
  mechanisms = plain
  user = root
  passdb shadow { }
  userdb passwd { }
}

The accounts are all coming out of LDAP via nsswitch (and this
is all happening on Slackware 10.2), but I'm fairly sure that's
irrelevant since "getent passwd", etc. all show the right stuff.

Thanks for any help anyone can give...

- Logan
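
An added example, not part of the original post: a small Python parser for the log excerpt quoted above that rejoins the mail-wrapped syslog lines and reports, per user, the recorded logins plus the RETR and message counts from the POP3 logout line. The 'otheruser' entry is constructed, and the field meanings assumed here (retr = RETR commands/bytes, del = deleted/messages in mailbox) are those of Dovecot's default POP3 logout format.

```python
import re
# First six lines: the log excerpt quoted in the post, wrapped as in the mail.
# Last two lines: a constructed entry; 'otheruser' and its rip are placeholders.
SAMPLE = """\
Sep 28 06:59:49 myhostname dovecot: pop3-login: Disconnected:
user=<theuser>, method=PLAIN, rip=192.168.1.245, lip=192.168.1.20, TLS
Sep 28 06:59:55 myhostname dovecot: pop3-login: Login: user=<theuser>,
method=PLAIN, rip=192.168.1.245, lip=192.168.1.20, TLS
Sep 28 06:59:55 myhostname dovecot: POP3(theuser): Disconnected: Logged out
top=0/0, retr=0/0, del=0/9, size=130585
Sep 28 11:02:10 myhostname dovecot: pop3-login: Login: user=<otheruser>,
method=PLAIN, rip=192.168.1.77, lip=192.168.1.20, TLS
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
LOGIN = re.compile(r"pop3-login: Login: user=<([^>]+)>.*?rip=([\d.]+)")
# Assumed fields: retr=<RETR cmds>/<bytes>, del=<deleted>/<messages>, size=<bytes>
STATS = re.compile(r"POP3\(([^)]+)\): Disconnected: .*?retr=(\d+)/(\d+), "
                   r"del=(\d+)/(\d+), size=(\d+)")

def unwrap(text):
    """Rejoin wrapped continuation lines onto their timestamped record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def parse(text):
    """Return (logins, sessions); the syslog timestamp is the first 15 chars."""
    logins, sessions = [], []
    for rec in unwrap(text):
        if (m := LOGIN.search(rec)):
            logins.append((rec[:15], m.group(1), m.group(2)))
        elif (m := STATS.search(rec)):
            keys = ("retr_cmds", "retr_bytes", "deleted", "messages", "size")
            sessions.append({"time": rec[:15], "user": m.group(1),
                             **dict(zip(keys, map(int, m.groups()[1:])))})
    return logins, sessions

def summarize(text, user):
    """Logins and RETR/mailbox totals logged for one user."""
    logins, sessions = parse(text)
    mine = [s for s in sessions if s["user"] == user]
    return {"logins": [(t, ip) for t, u, ip in logins if u == user],
            "retr_cmds": sum(s["retr_cmds"] for s in mine),
            "mailbox_msgs": max((s["messages"] for s in mine), default=0)}
```

Run against the excerpt from the post, `summarize(SAMPLE, "theuser")` shows one login at 06:59:55 with zero RETR commands and a 9-message mailbox in the logged session.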