Dovecot mail-crypt webmail can't read encrypted messages

Tue Oct 11 20:21:15 UTC 2022

I'm sorry but I wasn't able to find src/config/all-settings.c file. 
all-settings.h is there but all-settings.c is missing. I checked on 
Github (thought maybe some files failed to extract) and it's missing 
there too.

On 2022-10-11 22:15, Bernardo Reino wrote:
> Please please stop top-posting. Makes a mess of everything!
> 
> On Tue, 11 Oct 2022, Serveria Support wrote:
> 
>> Ok, this is something... let me check...
>> 
>> If you're you referring to these pieces of code:
>> 
>> [...]
>> 
>> I'm not a programmer, let alone a C guru, but these extracts look like 
>> password failure logging. Are you sure they are recording successful 
>> authentications for the logs?
> 
> OK. I thought the code would be the same. I *do* log failed passwords,
> so I sort of thought only about that string ("given password: ").
> 
> I enabled debug passwords on my server, to test, so I could see how it
> looks like in the log.
> 
> The "keyword" in the code seems to be "hide_pass", so if you search
> for that in the code, you find a few instances where passwords are
> (selectively) removed/replaced in a given line of text.
> 
> But at this point I think the easiest in this absurd (IMHO) quest of
> yours is to patch src/config/all-settings.c, and, around line 4141:
> 
> static bool login_settings_check(void *_set, pool_t pool,
> 				 const char **error_r ATTR_UNUSED)
> {
> 	struct login_settings *set = _set;
> 
> 	set->log_format_elements_split =
> 		p_strsplit(pool, set->login_log_format_elements, " ");
> 
> /* >>> INSERT HERE */
> 	set->auth_debug_passwords = FALSE;
> /* */
> 
> 	if (set->auth_debug_passwords)
> 		set->auth_debug = TRUE;
> 	if (set->auth_debug)
> 		set->auth_verbose = TRUE;
> 	return TRUE;
> }
> 
> If I'm right, this will just turn off the flag whenever dovecot checks
> the settings, i.e. regardless of what's in the actual dovecot.conf, so
> it should do the trick.
> 
> But at this point this feels like a useless homework assignment, so I
> think I'll stop (I used to be good with C, now I'm read/only, and my
> time is very limited).
> 
> (I do make a mental note of having a statically linked dovecot binary
> with forced password debugging. You never know when/where you might
> need it ;-)
> 
> Cheers and good luck,
> Bernardo
> 
>> On 2022-10-11 17:07, Bernardo Reino wrote:
>>>  On Mon, 10 Oct 2022, Serveria Support wrote:
>>> 
>>>>  I checked the source code on Github and discussed this with a C
>>>>  developer. There seem to be too many files... perhaps somebody can 
>>>> guide
>>>>  me where should I look? Aki?
>>> 
>>>  You should search for "given password" in the source.
>>> 
>>>  Hint:
>>>  src/auth/passdb-pam.c, around lines 175-178.
>>>  src/auth/auth-request.c, around lines 2311-2312.
>>> 
>>>  This is with the latest source (2.3.19.1).
>>> 
>>>  Cheers.
>>> 
>>>  PS: But as I noted, nothing prevents $HACKER from bringing their own
>>>  dovecot (BYOD :) with all debugging options enabled, etc. As others
>>>  have noted, if the intruder owns your server, you have lost. Period.
>> 