Variable expansion in password field (again?!)
Hi list,
I’m experimenting with the mail-crypt-plugin in Dovecot v2.3.4.1 on Debian 10 Buster. I’m also running an OpenLDAP server for user lookup.
My LDAP settings look like this:
hosts = ###
dn = cn=###,dc=###,dc=##
dnpass = ###
tls = yes
auth_bind = no
ldap_version = 3
base = ou=people,dc=###,dc=##
scope = subtree
user_attrs =
=quota_rule=*:bytes=%{ldap:mailQuota},
=home=/var/vmail/mailboxes/%d/%{ldap:uid},
=mail=maildir:/var/vmail/mailboxes/%d/%{ldap:uid}/mail
user_filter = (&(mail=%u)(objectClass=person)(mailEnabled=TRUE))
pass_attrs = mail=user,userPassword=password,=userdb_mail_crypt_private_password=%w,mailCrypt=userdb_mail_crypt_save_version
pass_filter = (&(mail=%u)(objectClass=person)(mailEnabled=TRUE))
iterate_attrs = mail=user
iterate_filter = (objectClass=person)
default_pass_scheme = SSHA-512
The users can log in and everything works fine, including the mail-crypt-plugin, until a user password contains a %. Then I get the following error message (example):
Error: Failed to expand plugin setting mail_crypt_private_password = '"1234%Passwort"': Unknown variable '%P'
I’ve found some mails but I didn’t find a solution. It seems that Dovecot tries to expand some variable in the password:
https://dovecot.org/pipermail/dovecot/2019-July/116338.html
https://dovecot.org/pipermail/dovecot/2020-April/118634.html
So this seems to be a bug or something. Is there any new information on this topic or even any solution or workaround?
Thank you very much!
Mathias
On 10. May 2021, at 17.33, Mathias Rabe mathias-rabe@post-x.de wrote:
> pass_attrs = mail=user,userPassword=password,=userdb_mail_crypt_private_password=%w,mailCrypt=userdb_mail_crypt_save_version
> ..
> The users can log in and everything works fine, including the mail-crypt-plugin, until a user password contains a %. Then I get the following error message (example):
> Error: Failed to expand plugin setting mail_crypt_private_password = '"1234%Passwort"': Unknown variable '%P'
> I’ve found some mails but I didn’t find a solution. It seems that Dovecot tries to expand some variable in the password:
> https://dovecot.org/pipermail/dovecot/2019-July/116338.html
> https://dovecot.org/pipermail/dovecot/2020-April/118634.html
> So this seems to be a bug or something. Is there any new information on this topic or even any solution or workaround?
It's a long-known issue, tracked internally as DOP-323. It only happens to plugin settings. I'm not sure how easy or difficult it would be to fix, but it might also break some existing systems that rely on the behavior. We also have the DOP-329 issue about doing a somewhat larger config redesign so that plugin settings become more normal settings. Doing that would also solve this problem as a side effect.
Lots of things to do, but not enough time. Which reminds me: We're now hiring a new Dovecot developer if anyone is interested (it's not publicly posted yet).
On 11/05/2021 12:33 Timo Sirainen timo@sirainen.com wrote:
> On 10. May 2021, at 17.33, Mathias Rabe mathias-rabe@post-x.de wrote:
> > pass_attrs = mail=user,userPassword=password,=userdb_mail_crypt_private_password=%w,mailCrypt=userdb_mail_crypt_save_version
> > ..
> > The users can log in and everything works fine, including the mail-crypt-plugin, until a user password contains a %. Then I get the following error message (example):
> > Error: Failed to expand plugin setting mail_crypt_private_password = '"1234%Passwort"': Unknown variable '%P'
> > I’ve found some mails but I didn’t find a solution. It seems that Dovecot tries to expand some variable in the password:
> > https://dovecot.org/pipermail/dovecot/2019-July/116338.html
> > https://dovecot.org/pipermail/dovecot/2020-April/118634.html
> > So this seems to be a bug or something. Is there any new information on this topic or even any solution or workaround?
> It's a long-known issue, tracked internally as DOP-323. It only happens to plugin settings. I'm not sure how easy or difficult it would be to fix, but it might also break some existing systems that rely on the behavior. We also have the DOP-329 issue about doing a somewhat larger config redesign so that plugin settings become more normal settings. Doing that would also solve this problem as a side effect.
> Lots of things to do, but not enough time. Which reminds me: We're now hiring a new Dovecot developer if anyone is interested (it's not publicly posted yet).
Luckily there is a simple workaround for this:
mail_crypt_private_password=%{sha256:w}
Aki
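Added example, not part of the thread and not Dovecot code: a simplified Python model of the double expansion discussed above, showing why a raw %w value breaks on a % in the password and why %{sha256:w} does not. The expander, the function names and the sample user are assumptions made for illustration; hex output for the sha256 modifier is assumed.

```python
import hashlib
import re


class UnknownVariable(ValueError):
    """Raised when a %x sequence names a variable the expander does not know."""


# Toy grammar: %% (literal percent), %x (short variable),
# %{name} and %{sha256:name}. Real Dovecot syntax is richer than this.
_TOKEN = re.compile(r"%(?:\{(?:(sha256):)?(\w+)\}|(.))")


def expand(template, table):
    """Expand every %-sequence in template using the variables in table."""
    def sub(match):
        algo, long_name, short = match.groups()
        if short == "%":
            return "%"
        key = long_name if long_name is not None else short
        if key not in table:
            raise UnknownVariable("Unknown variable '%%%s'" % key)
        value = table[key]
        if algo == "sha256":
            # Hex digits only, so the result can never contain a '%'.
            return hashlib.sha256(value.encode()).hexdigest()
        return value
    return _TOKEN.sub(sub, template)


def plugin_setting(pass_attr_template, password, user="user@example.org"):
    """Model the two passes: the auth lookup fills in the userdb field,
    then the plugin setting is expanded a second time."""
    table = {"w": password, "u": user}  # constructed sample values
    first_pass = expand(pass_attr_template, table)
    return expand(first_pass, table)


if __name__ == "__main__":
    for template in ("%w", "%{sha256:w}"):
        try:
            print(template, "->", plugin_setting(template, "1234%Passwort"))
        except UnknownVariable as err:
            print(template, "-> Error:", err)
    # In this model a password containing a known variable is not rejected
    # but silently rewritten on the second pass.
    print("%w ->", plugin_setting("%w", "a%ub"))
```

With the workaround, the value the plugin receives is the 64-character hex digest of the password, not the password itself.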
Participants (3): Aki Tuomi, Mathias Rabe, Timo Sirainen