Dovecot mail-crypt webmail can't read encrypted messages

Bernardo Reino reinob at bbmk.org
Wed Oct 12 05:54:52 UTC 2022


On Tue, 11 Oct 2022, Serveria Support wrote:

> I'm sorry but I wasn't able to find src/config/all-settings.c file. 
> all-settings.h is there but all-settings.c is missing. I checked on 
> Github (thought maybe some files failed to extract) and it's missing 
> there too.

When building from git, you need to run ./autogen.sh first.
^^
This is from the instructions in git (INSTALL.md).

This generates, among others, the file I mentioned.

> On 2022-10-11 22:15, Bernardo Reino wrote:
>>  Please please stop top-posting. Makes a mess of everything!
>>
>>  On Tue, 11 Oct 2022, Serveria Support wrote:
>>
>>>  Ok, this is something... let me check...
>>>
>>>  If you're referring to these pieces of code:
>>>
>>>  [...]
>>>
>>>  I'm not a programmer, let alone a C guru, but these extracts
>>>  look like password failure logging. Are you sure they are
>>>  recording successful authentications for the logs?
>>
>>  OK. I thought the code would be the same. I *do* log failed passwords,
>>  so I sort of thought only about that string ("given password: ").
>>
>>  I enabled debug passwords on my server, to test, so I could see what it
>>  looks like in the log.
>>
>>  The "keyword" in the code seems to be "hide_pass", so if you search
>>  for that in the code, you find a few instances where passwords are
>>  (selectively) removed/replaced in a given line of text.
>>
>>  But at this point I think the easiest in this absurd (IMHO) quest of
>>  yours is to patch src/config/all-settings.c, and, around line 4141:
>>
>>  static bool login_settings_check(void *_set, pool_t pool,
>>  				 const char **error_r ATTR_UNUSED)
>>  {
>>  	struct login_settings *set = _set;
>>
>>  	set->log_format_elements_split =
>>  		p_strsplit(pool, set->login_log_format_elements, " ");
>>
>>  /* >>> INSERT HERE */
>>  	set->auth_debug_passwords = FALSE;
>>  /* */
>>
>>  	if (set->auth_debug_passwords)
>>  		set->auth_debug = TRUE;
>>  	if (set->auth_debug)
>>  		set->auth_verbose = TRUE;
>>  	return TRUE;
>>  }
>>
>>  If I'm right, this will just turn off the flag whenever dovecot checks
>>  the settings, i.e. regardless of what's in the actual dovecot.conf, so
>>  it should do the trick.
>>
>>  But at this point this feels like a useless homework assignment, so I
>>  think I'll stop (I used to be good with C, now I'm read/only, and my
>>  time is very limited).
>>
>>  (I do make a mental note of having a statically linked dovecot binary
>>  with forced password debugging. You never know when/where you might
>>  need it ;-)
>>
>>  Cheers and good luck,
>>  Bernardo
>>
>>>  On 2022-10-11 17:07, Bernardo Reino wrote:
>>>>   On Mon, 10 Oct 2022, Serveria Support wrote:
>>>>
>>>>>   I checked the source code on Github and discussed this with a C
>>>>>   developer. There seem to be too many files... perhaps somebody can
>>>>>   guide me where I should look? Aki?
>>>>
>>>>   You should search for "given password" in the source.
>>>>
>>>>   Hint:
>>>>   src/auth/passdb-pam.c, around lines 175-178.
>>>>   src/auth/auth-request.c, around lines 2311-2312.
>>>>
>>>>   This is with the latest source (2.3.19.1).
>>>>
>>>>   Cheers.
>>>>
>>>>   PS: But as I noted, nothing prevents $HACKER from bringing their own
>>>>   dovecot (BYOD :) with all debugging options enabled, etc. As others
>>>>   have noted, if the intruder owns your server, you have lost. Period.
>>> 
>
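
An audit script for the password-debug logging discussed in this thread, added here as an example (it is not from the thread or from the Dovecot project): it flags settings that put passwords in the log, counts log lines carrying the "given password: " marker, and redacts them. The config and log lines are constructed samples, and auth_verbose_passwords is a Dovecot setting the thread does not name.

```shell
#!/bin/sh
# Added example, not Dovecot code. Sample config and log lines are constructed.

# Read "key = value" text (as printed by `doveconf -n`) on stdin and print
# each setting that makes the auth process write passwords to the log.
risky_settings() {
    awk -F= '
        /^[ \t]*#/ { next }    # skip comment lines
        NF >= 2 {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "auth_debug_passwords" && val == "yes") print key "=" val
            # assumption: any value other than "no" (plain, sha1) logs something
            if (key == "auth_verbose_passwords" && val != "" && val != "no") print key "=" val
        }'
}

# Count log lines on stdin that carry the "given password: " marker.
count_password_lines() {
    grep -c 'given password: ' || true    # grep exits 1 on zero matches
}

# Replace whatever follows the marker, to end of line, before sharing a log.
redact_passwords() {
    sed 's/given password: .*/given password: <hidden>)/'
}

sample_conf() {    # constructed
    cat <<'EOF'
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = sha1
mail_location = maildir:~/Maildir
EOF
}

sample_log() {     # constructed
    cat <<'EOF'
Oct 11 17:00:01 mx auth: Debug: pam(alice,192.0.2.10): lookup service=dovecot
Oct 11 17:00:02 mx auth: pam(alice,192.0.2.10): Password mismatch (given password: hunter2)
Oct 11 17:00:09 mx imap-login: Login: user=<alice>, rip=192.0.2.10
EOF
}

sample_conf | risky_settings
sample_log | count_password_lines
sample_log | redact_passwords
```

On a live server, pipe `doveconf -n` into risky_settings and the mail log into count_password_lines.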

