Variable expansion in passwords
lukn
lukn555 at gmail.com
Thu Jul 16 20:55:39 EEST 2020
Hello list
A user reports failure to log in after password change. The client side
error message indicates a lost or dropped connection by the server.
A peek into the server logs reveals this:
dovecot: imap(user at example.com)<53267><el0HoZGqHIdb0K2G>: Error: Failed
to expand plugin setting plain_pass = 'asdf%?asdf': Unknown variable '%?'
This looks a lot like Dovecot is trying to expand a %-variable contained in
the user-provided password... Is this a bug or did I misconfigure something?
output of dovecot -n is attached.
regards
lukn
-------------- next part --------------
# 2.3.10.1 (a3d0e1171): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (67bf5bd7)
# OS: Linux 2.6.32-754.29.2.el6.x86_64 x86_64 CentOS release 6.10 (Final)
# Global authentication settings, as printed by `dovecot -n`.
# '*' is the character that separates the login user from the master user in master-user logins.
auth_master_user_separator = *
# Only plaintext SASL mechanisms are offered, so the cleartext password reaches the server on every login.
auth_mechanisms = plain login
auth_policy_hash_nonce = # hidden, use -P to show it
# Attributes sent to the auth policy server for each login attempt; they include a password hash and the remote IP.
auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s attrs/local_ip=%{lip}
# NOTE(review): the policy server URL below is plain http://, so this Basic credential and the
# request attributes travel unencrypted unless the network path is protected some other way - confirm.
auth_policy_server_api_header = Authorization: Basic asdfasdfasdf
auth_policy_server_url = http://wforce.example.com:8084/
auth_verbose = yes
# Logs a SHA1 of the attempted password on mismatches. Handle these logs as sensitive:
# an unsalted SHA1 of a weak password can be matched offline by anyone with log access.
auth_verbose_passwords = sha1
default_client_limit = 6000
default_vsz_limit = 2 G
# Named dictionaries backed by MySQL; the plugin block of this output refers to them
# as proxy::acl and proxy::quotadict.
dict {
acl = mysql:/etc/dovecot/dovecot-dict-shares.conf
quotadict = mysql:/etc/dovecot/dovecot-dict-quota.conf
}
# NOTE(review): plaintext authentication is permitted on unencrypted connections. Together with
# auth_mechanisms = plain login, passwords can cross the network in cleartext unless TLS is
# enforced elsewhere; no "ssl = required" line appears in this output - confirm.
disable_plaintext_auth = no
doveadm_password = # hidden, use -P to show it
# Listens on all IPv4 interfaces.
listen = *
login_greeting = Fumail Dovecot ready.
mail_max_userip_connections = 100
# Global plugin list; the protocol blocks of this output append to it.
mail_plugins = " quota notify replication"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
# Shared namespace: other users' mailboxes appear under shared/<user>/.
# The doubled %% defers expansion, so %h and %u are resolved per shared (owner) user
# rather than for the logged-in user; access is governed by the acl plugin settings.
namespace {
list = children
location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
prefix = shared/%%u/
separator = /
subscriptions = no
type = shared
}
# Private INBOX namespace with four auto-created, auto-subscribed special-use mailboxes.
namespace inbox {
inbox = yes
# Empty location: the namespace does not set its own mail location.
location =
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Spam {
auto = subscribe
special_use = \Junk
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
separator = /
type = private
}
# Password lookups go through SQL; the queries live in /etc/dovecot/dovecot-sql.conf,
# which is not part of this output.
# NOTE(review): with a prefetch userdb also configured, the password query presumably returns
# userdb_* fields as well; if one of them carries the cleartext password (e.g. as plain_pass),
# that would explain the expansion error in the log - confirm against dovecot-sql.conf.
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
# Plugin settings. Values here are %-variable expanded, which is why literal percent signs
# are written as %% below (10%%, 95%%, 75%%).
# NOTE(review): the logged error names a plugin setting plain_pass, but no plain_pass line
# appears in this block, so the value is presumably injected at login time (e.g. from a field
# returned by the SQL lookup) - confirm. A literal '%' in such a value would need escaping
# before it reaches this expansion step. Note also that the failed expansion wrote the
# setting's value - here a user password - to the log in cleartext.
plugin {
acl = vfile:/etc/dovecot/acls
acl_shared_dict = proxy::acl
# NOTE(review): replication target uses the tcp: scheme; Dovecot also accepts tcps: for
# TLS-protected replication. With tcp: the doveadm traffic is not encrypted by Dovecot - confirm
# the link is otherwise protected.
mail_replica = tcp:replicationpartner:1337
quota = dict:::proxy::quotadict
quota_grace = 10%%
quota_rule = *:storage=10M:messages=1000
quota_rule2 = Spam:ignore
quota_rule3 = Trash:storage=+100M
# Thresholds invoke the quota-warning service with the percentage and the username (%u) as arguments.
quota_warning = storage=95%% quota-warning 95 %u
quota_warning2 = storage=75%% quota-warning 75 %u
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
}
# Enabled protocols and the first group of service definitions.
protocols = pop3 imap lmtp sieve
# Replication notification endpoints, owned by the fumail user.
service aggregator {
fifo_listener replication-notify-fifo {
user = fumail
}
unix_listener replication-notify {
user = fumail
}
}
service auth {
# SASL socket for Postfix: readable and writable by postfix user and group only.
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
# auth-master socket, restricted to the fumail user and group.
unix_listener auth-master {
group = fumail
mode = 0660
user = fumail
}
# NOTE(review): the auth service runs as root. Only an SQL passdb/userdb is visible in this
# output, so root may not be required - confirm and drop privileges if possible.
user = root
}
service dict {
# Dict proxy socket: owner-only access (0600) for fumail.
unix_listener dict {
mode = 0600
user = fumail
}
}
service doveadm {
# NOTE(review): doveadm TCP listener with no address and no ssl setting shown, so it presumably
# follows the global listen = * and is unencrypted; it is protected only by doveadm_password.
# Confirm that port 1337 is firewalled to the replication partner.
inet_listener {
port = 1337
}
}
service imap-login {
process_limit = 256
}
# Per-protocol worker services and helper services.
service imap {
# One client connection per process.
client_limit = 1
process_min_avail = 16
service_count = 0
vsz_limit = 2 G
}
service lmtp {
# LMTP over TCP is bound to loopback only.
inet_listener lmtp {
address = 127.0.0.1
port = 24
}
process_min_avail = 5
# LMTP socket for Postfix, restricted to the postfix user and group.
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
}
service managesieve {
vsz_limit = 2 G
}
service pop3 {
client_limit = 1
vsz_limit = 2 G
}
service quota-warning {
# Runs the script below as user fumail whenever a client connects to the socket.
executable = script /usr/local/bin/quotawarning.py
# NOTE(review): mode 0666 lets every local account connect to this socket and thereby
# trigger the script; tighten the mode if only Dovecot mail processes need it - confirm.
unix_listener quota-warning {
mode = 0666
user = fumail
}
user = fumail
}
service replicator {
process_min_avail = 1
# NOTE(review): mode 0666 makes the replicator control socket reachable by every local
# account; restrict it to the mail user if nothing else needs access - confirm.
unix_listener replicator-doveadm {
mode = 0666
}
}
# TLS material; the leading '<' makes Dovecot read the value from the named file.
# Key and DH parameters are masked by `dovecot -n`.
ssl_ca = </etc/pki/tls/certs/adfasdf.crt
ssl_cert = </etc/pki/tls/certs/asdfasdf.crt
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
# User lookups: prefetch first (reuses userdb_* fields already returned by the passdb query),
# then a regular SQL lookup as the second userdb.
# NOTE(review): extra fields delivered this way presumably end up as settings for the mail
# process; a field holding the raw password would then be subject to %-expansion - confirm
# against /etc/dovecot/dovecot-sql.conf, which is not shown.
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
# Protocol-specific overrides. Each mail_plugins value is the global list plus
# protocol-specific plugins; "quota" appears twice in every list as printed.
protocol imap {
imap_client_workarounds =
mail_plugins = " quota notify replication acl imap_acl quota imap_quota"
}
protocol pop3 {
mail_plugins = " quota notify replication quota"
pop3_uidl_format = %08Xu%08Xv
}
protocol sieve {
managesieve_logout_format = bytes ( in=%i : out=%o )
}
protocol lmtp {
# Delivery log line records sender, Message-ID, action taken and subject.
deliver_log_format = from=<%f> msgid=%m action=<%$> subject=%s
mail_plugins = " quota notify replication sieve quota"
postmaster_address = postmaster at example.com
# Over-quota deliveries are rejected with a temporary failure.
quota_full_tempfail = yes
}