Dovecot mail-crypt webmail can't read encrypted messages

Serveria Support support at serveria.com
Tue Oct 11 16:37:56 UTC 2022


Ok, this is something... let me check...

If you're referring to these pieces of code:

		if (path != NULL) {
			/* log this as error, since it probably is */
			str = t_strdup_printf("%s (%s missing?)", str, path);
			e_error(authdb_event(request), "%s", str);
		} else if (status == PAM_AUTH_ERR) {
			str = t_strconcat(str, " ("AUTH_LOG_MSG_PASSWORD_MISMATCH"?)", NULL);
			if (request->set->debug_passwords) {
				str = t_strconcat(str, " (given password: ",
						  request->mech_password,
						  ")", NULL);
			}

and:

void auth_request_log_login_failure(struct auth_request *request,
				    const char *subsystem,
				    const char *message)

I'm not a programmer, let alone a C guru, but these extracts look like 
password failure logging. Are you sure they are recording successful 
authentications for the logs?


On 2022-10-11 17:07, Bernardo Reino wrote:
> On Mon, 10 Oct 2022, Serveria Support wrote:
> 
>> I checked the source code on Github and discussed this with a C 
>> developer. There seem to be too many files... perhaps somebody can 
>> guide me where I should look? Aki?
> 
> You should search for "given password" in the source.
> 
> Hint:
> src/auth/passdb-pam.c, around lines 175-178.
> src/auth/auth-request.c, around lines 2311-2312.
> 
> This is with the latest source (2.3.19.1).
> 
> Cheers.
> 
> PS: But as I noted, nothing prevents $HACKER from bringing their own
> dovecot (BYOD :) with all debugging options enabled, etc. As others
> have noted, if the intruder owns your server, you have lost. Period.
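
Added example, not part of the original message and not Dovecot code: a log check for the " (given password: ...)" suffix that the passdb-pam.c excerpt above appends to the failure message when debug_passwords is set. The sample log lines are constructed, and the scan assumes the suffix is the last thing on the line.

```python
import re

# Matches the suffix built in the passdb-pam.c excerpt:
#   " (given password: " + password + ")"
# Assumption: the suffix is the last thing on the log line, so the greedy
# match runs to the final ")" and survives passwords that contain ")".
GIVEN_PW = re.compile(r" \(given password: (?P<pw>.*)\)\s*$")

# Constructed sample lines (not real log output).
SAMPLE_LOG = [
    "Oct 11 16:30:01 mx dovecot: auth: pam(alice,192.0.2.10): pam_authenticate() failed: Authentication failure (Password mismatch?) (given password: hunter2)",
    "Oct 11 16:30:05 mx dovecot: auth: pam(bob,192.0.2.11): pam_authenticate() failed: Authentication failure (Password mismatch?)",
    "Oct 11 16:30:09 mx dovecot: auth: pam(carol,192.0.2.12): pam_authenticate() failed: Authentication failure (Password mismatch?) (given password: p(a)ss))",
    "Oct 11 16:31:00 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11",
]


def scan(lines):
    """Return (redacted_lines, hits): hits are 1-based line numbers that
    carried a plaintext password; the password is replaced in the output."""
    redacted, hits = [], []
    for number, line in enumerate(lines, start=1):
        match = GIVEN_PW.search(line)
        if match:
            hits.append(number)
            start, end = match.span("pw")
            line = line[:start] + "<redacted>" + line[end:]
        redacted.append(line)
    return redacted, hits


if __name__ == "__main__":
    cleaned, flagged = scan(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print(f"{len(flagged)} line(s) contained a plaintext password: {flagged}")
```
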

