Dovecot mail-crypt webmail can't read encrypted messages

Thu Oct 13 14:05:59 UTC 2022

Hi,

Unfortunately, after running autogen.sh and ./configure the file is 
still not there. I understand that this is not a Dovecot issue, but 
perhaps someone can help me with this?

On 2022-10-12 08:54, Bernardo Reino wrote:
> On Tue, 11 Oct 2022, Serveria Support wrote:
> 
>> I'm sorry but I wasn't able to find src/config/all-settings.c file. 
>> all-settings.h is there but all-settings.c is missing. I checked on 
>> Github (thought maybe some files failed to extract) and it's missing 
>> there too.
> 
> When building from git, you need to run ./autogen.sh first.
> ^^
> This is from the instructions in git (INSTALL.md).
> 
> This generates, among others, the file I mentioned.
> 
>> On 2022-10-11 22:15, Bernardo Reino wrote:
>>>  Please please stop top-posting. Makes a mess of everything!
>>> 
>>>  On Tue, 11 Oct 2022, Serveria Support wrote:
>>> 
>>>>  Ok, this is something... let me check...
>>>> 
>>>>  If you're you referring to these pieces of code:
>>>> 
>>>>  [...]
>>>> 
>>>>  I'm not a programmer, let alone a C guru, but these extracts
>>>>  look like password failure logging. Are you sure they are
>>>>  recording successful authentications for the logs?
>>> 
>>>  OK. I thought the code would be the same. I *do* log failed
>>>  passwords,
>>>  so I sort of thought only about that string ("given password: ").
>>> 
>>>  I enabled debug passwords on my server, to test, so I could see
>>>  how it
>>>  looks like in the log.
>>> 
>>>  The "keyword" in the code seems to be "hide_pass", so if you
>>>  search
>>>  for that in the code, you find a few instances where passwords
>>>  are
>>>  (selectively) removed/replaced in a given line of text.
>>> 
>>>  But at this point I think the easiest in this absurd (IMHO) quest
>>>  of
>>>  yours is to patch src/config/all-settings.c, and, around line
>>>  4141:
>>> 
>>>  static bool login_settings_check(void *_set, pool_t pool,
>>>  				 const char **error_r ATTR_UNUSED)
>>>  {
>>>   struct login_settings *set = _set;
>>> 
>>>   set->log_format_elements_split =
>>>    p_strsplit(pool, set->login_log_format_elements, " ");
>>> 
>>>  /* >>> INSERT HERE */
>>>  	set->auth_debug_passwords = FALSE;
>>>  /* */
>>> 
>>>   if (set->auth_debug_passwords)
>>>   	set->auth_debug = TRUE;
>>>   if (set->auth_debug)
>>>   	set->auth_verbose = TRUE;
>>>  	return TRUE;
>>>  }
>>> 
>>>  If I'm right, this will just turn off the flag whenever dovecot
>>>  checks
>>>  the settings, i.e. regardless of what's in the actual
>>>  dovecot.conf, so
>>>  it should do the trick.
>>> 
>>>  But at this point this feels like a useless homework assignment,
>>>  so I
>>>  think I'll stop (I used to be good with C, now I'm read/only, and
>>>  my
>>>  time is very limited).
>>> 
>>>  (I do make a mental note of having a statically linked dovecot
>>>  binary
>>>  with forced password debugging. You never know when/where you
>>>  might
>>>  need it ;-)
>>> 
>>>  Cheers and good luck,
>>>  Bernardo
>>> 
>>>>  On 2022-10-11 17:07, Bernardo Reino wrote:
>>>>>   On Mon, 10 Oct 2022, Serveria Support wrote:
>>>>> 
>>>>>>   I checked the source code on Github and discussed this with a
>>>>>>   C
>>>>>>   developer. There seem to be too many files... perhaps
>>>>>>   somebody can
>>>>>>  guide
>>>>>>   me where should I look? Aki?
>>>>> 
>>>>>   You should search for "given password" in the source.
>>>>> 
>>>>>   Hint:
>>>>>   src/auth/passdb-pam.c, around lines 175-178.
>>>>>   src/auth/auth-request.c, around lines 2311-2312.
>>>>> 
>>>>>   This is with the latest source (2.3.19.1).
>>>>> 
>>>>>   Cheers.
>>>>> 
>>>>>   PS: But as I noted, nothing prevents $HACKER from bringing
>>>>>   their own
>>>>>   dovecot (BYOD :) with all debugging options enabled, etc. As
>>>>>   others
>>>>>   have noted, if the intruder owns your server, you have lost.
>>>>>   Period.
>>>> 
>> 