dovecot: If proxy fails to log in to the backend server, forward...

dovecot at dovecot.org dovecot at dovecot.org
Wed Feb 6 19:02:33 EET 2008


details:   http://hg.dovecot.org/dovecot/rev/56f8ac7a3a77
changeset: 7216:56f8ac7a3a77
user:      Timo Sirainen <tss at iki.fi>
date:      Wed Feb 06 19:02:25 2008 +0200
description:
If proxy fails to log in to the backend server, forward the error message
instead of always replying with a generic "Authentication failed", which
could hide temporary failure and "too many connections" errors. However if
the backend isn't Dovecot, this could allow an attacker to find out what
users exist on the system.

diffstat:

2 files changed, 20 insertions(+), 8 deletions(-)
src/imap-login/imap-proxy.c |   18 ++++++++++++++----
src/pop3-login/pop3-proxy.c |   10 ++++++----

diffs (48 lines):

diff -r 492c5dfc5fd8 -r 56f8ac7a3a77 src/imap-login/imap-proxy.c
--- a/src/imap-login/imap-proxy.c	Tue Feb 05 00:20:51 2008 +0200
+++ b/src/imap-login/imap-proxy.c	Wed Feb 06 19:02:25 2008 +0200
@@ -66,10 +66,20 @@ static int proxy_input_line(struct imap_
 		client_destroy(client, msg);
 		return -1;
 	} else if (strncmp(line, "P ", 2) == 0) {
-		/* Login failed. Send our own failure reply so client can't
-		   figure out if user exists or not just by looking at the
-		   reply string. */
-		client_send_tagline(client, "NO "AUTH_FAILED_MSG);
+		/* If the backend server isn't Dovecot, the error message may
+		   be different from Dovecot's "user doesn't exist" error. This
+		   would allow an attacker to find out what users exist in the
+		   system.
+
+		   The optimal way to handle this would be to replace the
+		   backend's "password failed" error message with Dovecot's
+		   AUTH_FAILED_MSG, but this would require a new setting and
+		   the sysadmin to actually bother setting it properly.
+
+		   So for now we'll just forward the error message. This
+		   shouldn't be a real problem since of course everyone will
+		   be using only Dovecot as their backend :) */
+		client_send_tagline(client, line + 2);
 
 		/* allow client input again */
 		i_assert(client->io == NULL);
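Review bot: at `client_send_tagline(client, line + 2);` the backend's text after the "P " tag is forwarded without any check on what it starts with, while the pop3-proxy.c change in this same commit falls back to AUTH_FAILED_MSG when the backend line does not begin with "-ERR ". Suggest the same guard here: forward `line + 2` only when it begins with "NO ", and otherwise send `"NO "AUTH_FAILED_MSG` as before. The new comment also concedes that a non-Dovecot backend can reveal which users exist. That trade-off should be stated in the proxy documentation and not only in a source comment, since the admin who picks the backend is the one who needs to know it.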
diff -r 492c5dfc5fd8 -r 56f8ac7a3a77 src/pop3-login/pop3-proxy.c
--- a/src/pop3-login/pop3-proxy.c	Tue Feb 05 00:20:51 2008 +0200
+++ b/src/pop3-login/pop3-proxy.c	Wed Feb 06 19:02:25 2008 +0200
@@ -118,10 +118,12 @@ static void proxy_input(struct istream *
 		return;
 	}
 
-	/* Login failed. Send our own failure reply so client can't
-	   figure out if user exists or not just by looking at the
-	   reply string. */
-	client_send_line(client, "-ERR "AUTH_FAILED_MSG);
+	/* Login failed. Pass through the error message to client
+	   (see imap-proxy code for potential problems with this) */
+	if (strncmp(line, "-ERR ", 5) != 0)
+		client_send_line(client, "-ERR "AUTH_FAILED_MSG);
+	else
+		client_send_line(client, line);
 
 	/* allow client input again */
 	i_assert(client->io == NULL);
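Review bot: the new comment defers the caveat to "imap-proxy code" without naming it, so a reader of pop3-proxy.c alone does not learn that passing `line` through can disclose whether a user exists when the backend is not Dovecot. Suggest saying that in one sentence here. As a style point, the negated test `strncmp(line, "-ERR ", 5) != 0` puts the fallback first. Testing `== 0` and placing the pass-through branch first would match the order the comment describes.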

