Variable expansion in password field
Simone Lazzaris
s.lazzaris at interactive.eu
Tue Apr 14 15:56:25 EEST 2020
Hi list!
I've recently updated a small dovecot cluster from 2.2.29 to 2.3.10.
I've found an issue with variable expansion. My user/password database is on a
mysql table, with password saved in plain text field.
The cluster receives mail via lmpt and users fetch them via imap. On the
2.2.29 version, no issues.
After the upgrade, I've found some lines in the log:
Apr 14 14:36:05 archive-front1 dovecot: lmtp(19671,
fakeusername at fakedomain.com): Error: lmtp-server: conn 212.183.164.212:34642
[4]: rcpt fakeusername at fakedomain.com: Failed to initialize user: Failed to
expand plugin setting password = 'sd78F6aS9%Lggxf': Unknown variable '%g'
(I've faked /some/ information for obvious reasons, but I've kept the password
after the '%' sign).
Apparently, dovecot 2.3.10 is trying to expand some variables IN the password
field. I'm trying to fool him expanding the '%' into '%%' on the password
query, but without luck... I can also contact the user and make him choose a
different password, without '%'.
Anyway, I feel that this behaviour should be seen as a bug. Am I missing
something?
--
Simone Lazzaris
QCom SpA
More information about the dovecot
mailing list