[Dovecot] dovecot-auth: returning incorrect maildir for user (user seeing another user's mail)

Timo Sirainen tss at iki.fi
Thu Dec 20 23:05:57 EET 2007


On Thu, 2007-12-20 at 13:57 -0500, Brendan wrote:
> I had (foolishly, it turns out) configured dovecot-auth to do ldap 
> authentication binding with a prefetch userdb (configs at end of 
> message). everything worked fine, although with huge numbers of pop 
> logins per second we started to see some pileup in the pop3-login 
> processes as they were all waiting for ldap responses on the single ldap 
> connection. 

Maybe I should change this so it uses two connections. If you're not
using auth_bind_userdn setting it would do 3 lookups (passdb/dn, bind,
userdb).

> base = uid=%u,o=imap
..
> pass_filter = (&(proto=%s)(remoteip=%r)(localip=%l)(mech=%m)(pid=%p))

Authentication cache uses %variables in pass_filter as the cache key.
The reason why it wasn't working was because %s,%r,%l,%m,%p combination
rarely matched twice. But once in a while it could have matched, causing
Dovecot to return cached values for a wrong user because pass_filter
didn't contain %u.

The problem only happened with users with same password, because the
password was still checked against cached one. Normally someone should
have probably wondered why their login was failing, except Dovecot does
this automatic "if password doesn't match cached one, but last login was
successful, ignore cache and do the passdb lookup".

So the solution is to include base's contents in auth cache key as well.
Fixed: http://hg.dovecot.org/dovecot-1.0/rev/2cedab21cd6d

Hmm. I suppose this could be considered a security hole.. Time for
v1.0.10 then.
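A small model of the cache-key problem described above, added here as an illustration rather than code from this message or from Dovecot: it keys a simulated auth cache on the %variables of pass_filter alone (the old behaviour) and then on pass_filter plus base (the fix), using a constructed two-user directory in which both users share a password. The key format, the user directory and the login request values are simplified stand-ins for the real cache and LDAP lookup.

```python
import re

# Constructed settings taken from the thread: pass_filter has no %u, base does.
BASE = "uid=%u,o=imap"
PASS_FILTER = "(&(proto=%s)(remoteip=%r)(localip=%l)(mech=%m)(pid=%p))"

# Constructed stand-in for LDAP; both users share a password (the precondition).
DIRECTORY = {"alice": {"password": "hunter2", "home": "/var/mail/alice"},
             "bob": {"password": "hunter2", "home": "/var/mail/bob"}}

VAR_RE = re.compile(r"%[a-zA-Z]")

def cache_key(request, templates):
    # Key on every %variable in the templates, expanded from the login request
    # (simplified model of the auth cache's key construction).
    names = []
    for tmpl in templates:
        for var in VAR_RE.findall(tmpl):
            if var not in names:
                names.append(var)
    return "\t".join(f"{var}={request[var]}" for var in names)

class AuthCache:
    def __init__(self, templates):
        self.templates = templates
        self.entries = {}

    def authenticate(self, request, password):
        # Returns (home, served_from_cache), or None when the password is wrong.
        key = cache_key(request, self.templates)
        entry = self.entries.get(key)
        if entry is not None and entry["password"] == password:
            return entry["home"], True       # hit: passdb is never consulted
        record = DIRECTORY.get(request["%u"])  # miss or password mismatch
        if record is None or record["password"] != password:
            return None
        self.entries[key] = dict(record)
        return record["home"], False

def login(user):
    # Same protocol, client, server, mechanism and login pid for both users:
    # the occasional case in which the old key matched twice.
    return {"%u": user, "%s": "pop3", "%r": "192.0.2.10", "%l": "192.0.2.1",
            "%m": "PLAIN", "%p": "4242"}

def homes_for_both_users(templates):
    cache = AuthCache(templates)
    alice_home, _ = cache.authenticate(login("alice"), "hunter2")
    bob_home, from_cache = cache.authenticate(login("bob"), "hunter2")
    return alice_home, bob_home, from_cache
```

With the old key bob's login is served from alice's cached entry and gets her home directory; with base included in the key the two logins no longer collide.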

