Dovecot Plain auth broken in 1.1.1, fixed in 1.2.1

Bug #398733 reported by Andy Brook
This bug affects 1 person
Affects: dovecot (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: none

Bug Description

I have the following config, which under 1.1.1 will not authenticate users when the password is a {plain} format value. I know the config worked pre-jaunty as I've just transferred the files after upgrade. Downloading and building 1.2.1 with no further config changes makes the problem go away. This is a regression.

root@wb289:/usr/local/src/dovecot-1.2.1# dovecot -n
# 1.1.11: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.28-13-generic x86_64 Ubuntu 9.04
log_path: /var/log/dovecot-error.log
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: pop3 pop3s
ssl_disable: yes
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/pop3-login
mail_privileged_group: jiramboxuser
mail_debug: yes
mail_executable: /usr/lib/dovecot/pop3
mail_plugin_dir: /usr/lib/dovecot/modules/pop3
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  worker_max_count: 50
  worker_max_request_count: 50
  passdb:
    driver: passwd-file
    args: /etc/dovecot/auth/jira.myco.net/passwd
  userdb:
    driver: static
    args: uid=7000 gid=7000 mail=mbox:/var/mail/vhosts/%d/%n nice=10
  userdb:
    driver: passwd

affects: ubuntu → dovecot (Ubuntu)
tags: added: regression-release
Chuck Short (zulcss) wrote :

Can you try the version in my ppa (http://loaunchpad.net/~zulcss/+archive)?

Thanks
chuck

Changed in dovecot (Ubuntu):
status: New → In Progress
Dan Riley (bearsaxman) wrote :

I believe this problem also exists in Hardy. Following is a log message that illustrates the issue:

Aug 14 12:34:57 ubuntumailsvr dovecot: auth(default): sql(***USERNAME OMITTED***,127.0.0.1): CRYPT(trader) != '$1$crGRJM.l$WFcCPMqyDT1AB9gkkdnyN/

Using a PHP function, I can feed the password and hash in against the CRYPT() function for a successful match.

Chuck Short (zulcss) wrote :

Can you try the version in my PPA?

Thanks
chuck

Artur Rona (ari-tczew)
tags: added: upgrade
Dan Riley (bearsaxman) wrote :

I need to rescind my bug report. The problem was located and existed with hidden characters in the password database. My apologies for a false bug report.
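
The cause named in the comment above, hidden characters in the stored password data, can be checked for mechanically. This is an added example, not part of the original report or of Dovecot's code; it assumes a passwd-file style `user:password:...` layout, and the `scan` helper and the sample lines are constructed for illustration.

```python
import unicodedata

# passwd-file column names (assumed layout: user:password:uid:gid:gecos:home:shell:extra)
FIELDS = ["user", "password", "uid", "gid", "gecos", "home", "shell", "extra"]

# Constructed sample lines, not data from this bug report.
SAMPLE = (
    "alice:{PLAIN}secret:7000:7000::/var/mail/alice\n"
    "bob:{PLAIN}secret \n"                   # trailing space
    "carol:$1$CONSTRUC$TEDHASHVALUE\r\n"     # CRLF line ending from a Windows editor
    "\ufeffdave:{PLAIN}pw\n"                 # byte-order mark before the user name
    "erin:{PLAIN}pa\u200bss\n"               # zero-width space inside the password
)


def is_hidden(ch, pos, length):
    """True for characters most editors and terminals do not display."""
    cat = unicodedata.category(ch)
    if cat in ("Cc", "Cf"):              # control (CR, TAB, NUL) and format (BOM, ZWSP)
        return True
    if cat == "Zs" and ch != " ":        # no-break space and other look-alike spaces
        return True
    return ch == " " and pos in (0, length - 1)   # leading or trailing plain space


def scan(text):
    """Return (line number, field name, code point) for every hidden character."""
    findings = []
    # Split on "\n" only: str.splitlines() would silently swallow a stray "\r".
    for lineno, line in enumerate(text.split("\n"), 1):
        for idx, field in enumerate(line.split(":")):
            name = FIELDS[idx] if idx < len(FIELDS) else f"field{idx}"
            for pos, ch in enumerate(field):
                if is_hidden(ch, pos, len(field)):
                    findings.append((lineno, name, f"U+{ord(ch):04X}"))
    return findings


if __name__ == "__main__":
    # For a real file, read it with open(path, encoding="utf-8", newline="") so "\r" survives.
    for lineno, name, codepoint in scan(SAMPLE):
        print(f"line {lineno}: hidden character {codepoint} in field '{name}'")
```

Any hit in the user or password field means the stored value differs from what was typed, which produces the kind of mismatch shown in the auth log line above.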

Ante Karamatić (ivoks) wrote :

Andy, I can't see:

mechanisms: plain login

under 'auth default' in your configuration. Could you check if that exists?

Changed in dovecot (Ubuntu):
status: In Progress → Incomplete
importance: Undecided → Medium
Andy Brook (javahollic) wrote :

I don't see the original config file attached here, so I attach (see line 847) another dump of the current dovecot settings (which doesn't tell me the exact release 1.1.1.XXX).

My current deb version is '1:1.1.11-0ubuntu4', which according to http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/ got released in April, so that must be the version I had then.

I have just switched back from 1.2.1 to the current 1.1.1.11 ubuntu version. Annoyingly I cannot now replicate the problem in that version. I wonder if by installing 1.2.1 I've overwritten the /usr/lib/dovecot files so cannot now reproduce? This would fit, as the pop login bit is what was causing the problem.

Does the attached config file help? When would 1.2.x be coming into Ubuntu land anyway?

Ante Karamatić (ivoks) wrote :

Well, 'mechanisms' defines what kind of authentication dovecot accepts. In your previous config, you didn't have any mechanisms defined. I haven't checked, but I'd guess that without those, authentication wouldn't work. Plain text mechanisms are plain and login. If you don't use dovecot as an SMTP-AUTH backend for postfix, plain is enough. 'login' is needed for Outlook when dovecot is used as smtp-auth.

I guess your problem was in missing mechanisms. You could try removing it (commenting it out) and then try plain text auth. Please report if that was an issue.

Ante Karamatić (ivoks) wrote :
Chuck Short (zulcss)
Changed in dovecot (Ubuntu):
milestone: none → ubuntu-9.10
Mathias Gug (mathiaz)
Changed in dovecot (Ubuntu):
milestone: ubuntu-9.10 → none
Chuck Short (zulcss) wrote :

This should be fixed for lucid.

Regards
chuck

Changed in dovecot (Ubuntu):
status: Incomplete → Fix Released