Hey everyone,
Ran into something positively perplexing today. A user came to me and said that this morning when they checked their mail, they got about 120 strange new messages. Upon further inspection, it seems the "new" messages are all addressed to a certain other different user and are all 3 or 4 months old. And looking in that other user's /var/mail/(username) mailbox, I see the same messages that arrived mistakenly. And they're not in the /var/mail mailbox of the user whose desktop computer they ended up on. So it would appear that, possibly, when this user connected to the server, they got someone else's messages! Messages that, in fact, came from an account they don't even have the password to!
I'm really curious if anyone has seen something like this before. We're using dovecot-1.0.beta9, and have been since mid-June. I've never seen anything happen like this before. I'm perfectly willing to upgrade to the latest release candidate, but it's hard for me to "upgrade and see if that fixes it", because it happens so rarely and it won't be easy to know empirically. So what I'm really hoping for is confirmation that this is/was a known problem, if in fact it is.
Of course, I don't know that this is a dovecot bug, but I could imagine that it might be (maybe a daemon forgets to switch users after one session is closed and another is opened?), so I thought I'd ask. I did see what looked like TLS fixes and login fixes in the changelogs, so it doesn't seem out of the question that such a bug could've existed.
Some more information:
I checked the user's settings on their desktop computer, where the unexpected messages appear, and sure enough, there is only one POP server account configured there, and it has the correct username. What's more, I asked them what time this happened, and they said probably at 7:00am or maybe a little earlier. Looking at my dovecot logs, I see this (where 'theuser' is the user who received the messages):
Sep 28 06:59:49 myhostname dovecot: pop3-login: Disconnected: user=<theuser>, method=PLAIN, rip=192.168.1.245, lip=192.168.1.20, TLS
Sep 28 06:59:55 myhostname dovecot: pop3-login: Login: user=<theuser>, method=PLAIN, rip=192.168.1.245, lip=192.168.1.20, TLS
Sep 28 06:59:55 myhostname dovecot: POP3(theuser): Disconnected: Logged out top=0/0, retr=0/0, del=0/9, size=130585
So, it would seem that the user did log in at the time they claimed and it was at that time (or close to it) that the weird messages appeared. Also, I checked the logs for logins from the person whose messages accidentally got downloaded, and it doesn't show them logging in until several hours later. Oh, and there are no log entries for either of the two users in question before that, at least not for over 12 hours before that.
The user is running Outlook 2003, with POP3 + TLS access to the mailbox.
My dovecot.conf has nothing fancy in it:
base_dir = /var/run/dovecot/
ssl_cert_file = /etc/mail/certs/server.crt
ssl_key_file = /etc/mail/certs/server.key
protocols = imap imaps pop3 pop3s
disable_plaintext_auth = no
login_dir = /var/run/dovecot/login
syslog_facility = local0
first_valid_uid = 100
protocol imap { }
protocol pop3 {
  pop3_lock_session = yes
  pop3_uidl_format = %08Xv%08Xu
}
auth default {
  mechanisms = plain
  user = root
  passdb shadow { }
  userdb passwd { }
}
The accounts are all coming out of LDAP via nsswitch (and this is all happening on Slackware 10.2), but I'm fairly sure that's irrelevant since "getent passwd", etc. all show the right stuff.
Thanks for any help anyone can give...
- Logan
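
For triaging a report like the one above, the following is an added example (not part of the original post and not Dovecot code) that parses the log format quoted in the post, extracts the per-session POP3 counters, and flags any session where the mailbox user named by the POP3 process differs from the user on the preceding login line. The pairing of login and logout lines is a heuristic that assumes one POP3 session at a time, as in the excerpt; the `alice`/`bob` lines are constructed for illustration.

```python
import re

# Counter meanings follow Dovecot's default pop3_logout_format:
# top=<TOP cmds>/<bytes>, retr=<RETR cmds>/<bytes>,
# del=<deleted>/<messages in mailbox>, size=<mailbox bytes>
TS = r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ dovecot: "
LOGIN = re.compile(TS + r"pop3-login: Login: user=<(?P<user>[^>]*)>")
LOGOUT = re.compile(
    TS + r"POP3\((?P<user>[^)]*)\): Disconnected: .*?"
    r"top=(?P<top>\d+)/(?P<top_bytes>\d+), "
    r"retr=(?P<retr>\d+)/(?P<retr_bytes>\d+), "
    r"del=(?P<deleted>\d+)/(?P<messages>\d+), size=(?P<size>\d+)")

def sessions(lines):
    """Pair each POP3 logout line with the oldest unmatched login line."""
    pending, out = [], []
    for line in lines:
        m = LOGIN.match(line)
        if m:
            pending.append(m.group("user"))
            continue
        m = LOGOUT.match(line)
        if m:
            rec = {k: int(v) for k, v in m.groupdict().items()
                   if k not in ("ts", "user")}
            rec["ts"], rec["mailbox_user"] = m.group("ts"), m.group("user")
            # Heuristic (assumption): sessions do not overlap in the log.
            rec["login_user"] = pending.pop(0) if pending else None
            rec["mismatch"] = rec["login_user"] not in (None, rec["mailbox_user"])
            out.append(rec)
    return out

# The three log lines quoted in the post.
POST_LINES = [
    "Sep 28 06:59:49 myhostname dovecot: pop3-login: Disconnected: user=<theuser>, method=PLAIN, rip=192.168.1.245, lip=192.168.1.20, TLS",
    "Sep 28 06:59:55 myhostname dovecot: pop3-login: Login: user=<theuser>, method=PLAIN, rip=192.168.1.245, lip=192.168.1.20, TLS",
    "Sep 28 06:59:55 myhostname dovecot: POP3(theuser): Disconnected: Logged out top=0/0, retr=0/0, del=0/9, size=130585",
]
# Constructed lines (not from the post) showing what a mismatch would look like.
CONSTRUCTED = [
    "Sep 28 07:10:01 myhostname dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.168.1.246, lip=192.168.1.20, TLS",
    "Sep 28 07:10:09 myhostname dovecot: POP3(bob): Disconnected: Logged out top=0/0, retr=3/4096, del=0/3, size=4096",
]

if __name__ == "__main__":
    for s in sessions(POST_LINES + CONSTRUCTED):
        flag = "MISMATCH" if s["mismatch"] else "ok"
        print(s["ts"], s["login_user"], "->", s["mailbox_user"],
              f"retr={s['retr']} messages={s['messages']} size={s['size']}", flag)
```

For the excerpt in the post, this reports a session with zero RETR commands against a nine-message mailbox of 130585 bytes, with matching login and mailbox users.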