Package: dovecot-core
Version: 1:2.4.1+dfsg1-6
Severity: important

Dear Maintainer,

I just upgraded from bookworm to trixie, and while I have run dovecot for
many years, it's certainly possible that I made mistakes when upgrading the
configuration in conf.d/auth-system.conf.ext and local.conf:

Intermittently, when I authenticate one user (allan), the mailbox for
another user (mona) is returned. This means the user allan does not have
access to his (my) mailbox but does have access to another user's (mona's)
mailbox. This is obviously an important security issue.

2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth: Debug: conn unix:login (pid=172639,uid=104) [4]: Server accepted connection (fd=20)
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth: Debug: conn unix:login (pid=172639,uid=104) [4]: auth client connected (pid=172639)
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth: Debug: conn unix:login (pid=172639,uid=104) [4]: client in: AUTH 1 PLAIN protocol=imap final-resp-ok secured=tls session=8FSud2Q/NAlQ0ERJ lip=94.130.138.34 rip=80.208.68.73 lport=993 rport=2356 ssl_ja3_hash=7e5bb223c6403ba3556b1e8e412c10cc local_name=imaps.lifeintegrity.com resp=<hidden>
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<8FSud2Q/NAlQ0ERJ>: Debug: passwd: Performing passdb lookup
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<8FSud2Q/NAlQ0ERJ>: Debug: passwd: lookup: user=allan file=/etc/dovecot/passwd
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<8FSud2Q/NAlQ0ERJ>: Debug: passwd: Finished passdb lookup
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<8FSud2Q/NAlQ0ERJ>: Debug: Auth request finished
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth: Debug: conn unix:login (pid=172639,uid=104) [4]: client passdb out: OK 1 user=allan
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth: Debug: conn unix:/run/dovecot/auth-master (pid=172640,uid=0): Server accepted connection (fd=21)
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth: Debug: master in: REQUEST 1699479553 172639 1 83b0300df2b12c32649c1378a87a0181 session_pid=172640 request_auth_token
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<8FSud2Q/NAlQ0ERJ>: Debug: passwd: Performing userdb lookup
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<8FSud2Q/NAlQ0ERJ>: Debug: passwd: userdb cache hit: system_groups_user=mona uid=1001 home=/home/mona gid=100 user=mona
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<8FSud2Q/NAlQ0ERJ>: Debug: passwd: username changed allan -> mona
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth(mona,80.208.68.73,sasl:plain)<8FSud2Q/NAlQ0ERJ>: Debug: passwd: Finished userdb lookup
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth: Debug: master userdb out: USER 1699479553 mona system_groups_user=mona uid=1001 home=/home/mona gid=100 auth_mech=PLAIN auth_token=bf855a8734f510b0f07bdbabbc975853beb7832a auth_user=allan local_name=imaps.lifeintegrity.com
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: imap-login: Logged in: user=<allan>, method=PLAIN, rip=80.208.68.73, lip=94.130.138.34, mpid=172640, TLS, session=<8FSud2Q/NAlQ0ERJ>
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth: Debug: conn unix:login (pid=172639,uid=104) [4]: Disconnected: Connection closed (fd=20)
2025-09-22T14:16:37.888+00:00 ifufe dovecot[172442]: auth: Debug: conn unix:/run/dovecot/auth-master (pid=172640,uid=0): auth-master client: Disconnected: Connection closed (fd=21) (created 5 msecs ago, handshake 4 msecs ago)

Here is the expected behavior:

2025-09-22T14:43:58.889+00:00 ifufe dovecot[172442]: auth: Debug: conn unix:login (pid=173206,uid=104) [6]: Server accepted connection (fd=20)
2025-09-22T14:43:58.889+00:00 ifufe dovecot[172442]: auth: Debug: conn unix:login (pid=173206,uid=104) [6]: auth client connected (pid=173206)
2025-09-22T14:43:58.889+00:00 ifufe dovecot[172442]: auth: Debug: conn unix:login (pid=173206,uid=104) [6]: client in: AUTH 1 PLAIN protocol=imap final-resp-ok secured=tls session=zS9/2WQ/WQlQ0ERJ lip=94.130.138.34 rip=80.208.68.73 lport=993 rport=2393 ssl_ja3_hash=fa9d6dd2b3ff23dc54a6c5941bff7f71 local_name=imaps.lifeintegrity.com resp=<hidden>
2025-09-22T14:43:58.889+00:00 ifufe dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<zS9/2WQ/WQlQ0ERJ>: Debug: passwd: Performing passdb lookup
2025-09-22T14:43:58.889+00:00 ifufe dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<zS9/2WQ/WQlQ0ERJ>: Debug: passwd: lookup: user=allan file=/etc/dovecot/passwd
2025-09-22T14:43:58.889+00:00 ifufe dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<zS9/2WQ/WQlQ0ERJ>: Debug: passwd: Finished passdb lookup
2025-09-22T14:43:58.889+00:00 ifufe dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<zS9/2WQ/WQlQ0ERJ>: Debug: Auth request finished
2025-09-22T14:43:58.889+00:00 ifufe dovecot[172442]: auth: Debug: conn unix:login (pid=173206,uid=104) [6]: client passdb out: OK 1 user=allan
2025-09-22T14:43:58.889+00:00 ifufe dovecot[172442]: auth: Debug: conn unix:/run/dovecot/auth-master (pid=173207,uid=0): Server accepted connection (fd=21)
2025-09-22T14:43:58.889+00:00 ifufe dovecot[172442]: auth: Debug: master in: REQUEST 1836187649 173206 1 c7c590e9f97d06d1a12c30ca2eb7d461 session_pid=173207 request_auth_token
2025-09-22T14:43:58.890+00:00 ifufe dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<zS9/2WQ/WQlQ0ERJ>: Debug: passwd: Performing userdb lookup
2025-09-22T14:43:58.890+00:00 ifufe dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<zS9/2WQ/WQlQ0ERJ>: Debug: passwd: userdb cache hit: system_groups_user=allan uid=1000 home=/home/allan gid=100 user=allan
2025-09-22T14:43:58.890+00:00 ifufe dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<zS9/2WQ/WQlQ0ERJ>: Debug: passwd: Finished userdb lookup
2025-09-22T14:43:58.890+00:00 ifufe dovecot[172442]: auth: Debug: master userdb out: USER 1836187649 allan system_groups_user=allan uid=1000 home=/home/allan gid=100 auth_mech=PLAIN auth_token=8c40b4f7ac761d27c52dea34e0078b914018da73 local_name=imaps.lifeintegrity.com
2025-09-22T14:43:58.890+00:00 ifufe dovecot[172442]: imap-login: Logged in: user=<allan>, method=PLAIN, rip=80.208.68.73, lip=94.130.138.34, mpid=173207, TLS, session=<zS9/2WQ/WQlQ0ERJ>
2025-09-22T14:43:58.890+00:00 ifufe dovecot[172442]: auth: Debug: conn unix:login (pid=173206,uid=104) [6]: Disconnected: Connection closed (fd=20)
2025-09-22T14:43:58.890+00:00 ifufe dovecot[172442]: auth: Debug: conn unix:/run/dovecot/auth-master (pid=173207,uid=0): auth-master client: Disconnected: Connection closed (fd=21) (created 5 msecs ago, handshake 5 msecs ago)

conf.d/auth-system.conf.ext:

# Authentication for system users. Included from auth.conf.
#
# <https://doc.dovecot.org/latest/core/config/auth/passdb.html>
# <https://doc.dovecot.org/latest/core/config/auth/userdb.html>

# Driver is only needed if the section name is not same as driver's name.

# PAM authentication. Preferred nowadays by most systems.
# PAM is typically used with either userdb passwd or userdb static.
# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
# authentication to actually work. <https://doc.dovecot.org/latest/core/config/auth/databases/pam.html>
#passdb pam {
#  driver = pam
#  session = yes
#  setcred = yes
#  failure_show_msg = yes
#  max_requests = 20
#  service_name = dovecot
#  skip = authenticated
#  fields {
#  }
#}
#
# System users (NSS, /etc/passwd, or similar).
# In many systems nowadays this uses Name Service Switch, which is
# configured in /etc/nsswitch.conf. <https://doc.dovecot.org/latest/core/config/auth/databases/passwd.html>
#passdb passwb {
#}

# PAM-like authentication for OpenBSD.
# <https://doc.dovecot.org/latest/core/config/auth/databases/bsd.html>
#passdb bsdauth {
#}

passdb passwd {
  driver = passwd-file
  passwd_file_path = /etc/dovecot/passwd
}

##
## User databases
##

# System users (NSS, /etc/passwd, or similar). In many systems nowadays this
# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
#userdb passwd-file {
#  driver = passwd-file
#  auth_username_format=%{user|lower}
#  passwd_file_path = /etc/passwd
#  fields {
#    user= %{user|lower}
#    name = %{user|lower}
#    home = /var/vmail/%{user}
#  }
#  skip = found
#}

# Static settings generated from template <https://doc.dovecot.org/latest/core/config/auth/databases/static.html>
#userdb static {
#  driver = static
  # Can return anything a userdb could normally return. For example:
  # fields {
  #   uid = 500
  #   gid = 500
  #   home = /var/mail/%{user}
  # }

  # LDA and LMTP needs to look up users only from the userdb. This of course
  # doesn't work with static userdb because there is no list of users.
  # Normally static userdb handles this by doing a passdb lookup. This works
  # with most passdbs, with PAM being the most notable exception. If you do
  # the user verification another way, you can add allow_all_users=yes
  # in which case the passdb lookup is skipped.
#  allow_all_users = yes
#}

userdb passwd {
  driver = passwd
}

local.conf:

#sieve_before = /var/lib/dovecot/sieve.d/
auth_cache_size = 1M
auth_failure_delay = 30 secs
auth_verbose = yes
imap_idle_notify_interval = 29 mins
imapsieve_from Spam {
  sieve_script ham {
    type = before
    cause = copy
    # path = /etc/dovecot/sieve/ham.sieve
    path = /var/lib/dovecot/sieve/report_ham.sieve
  }
}
log_debug = category=auth
log_path = syslog
mail_driver = maildir
mail_path = /var/mail/%{user}
mailbox Spam {
  sieve_script spam {
    type = before
    cause = copy
    # path = /etc/dovecot/sieve/spam.sieve
    path = /var/lib/dovecot/sieve/report_spam.sieve
  }
}
protocol imap {
  mail_max_userip_connections = 32
  mail_plugins {
    imap_sieve = yes
  }
  namespace inbox {
    mailbox Drafts {
      autoexpunge = 30d
    }
    mailbox Spam {
      autoexpunge = 30d
    }
    mailbox Trash {
      autoexpunge = 30d
    }
  }
}
protocol lda {
  mail_plugins {
    sieve = yes
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  vsz_limit = 2G
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
sieve_global_extensions {
  vnd.dovecot.pipe = yes
  vnd.dovecot.environment = yes
}
sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
sieve_plugins {
  sieve_imapsieve = yes
  sieve_extprograms = yes
}
ssl = required
ssl_server_cert_file = /etc/ssl/certs/imaps.lifeintegrity.com-cert.pem
ssl_server_key_file = /etc/ssl/private/imaps.lifeintegrity.com-key.pem

/Allan

-- Package-specific info:
dovecot configuration
---------------------
# 2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf
# Pigeonhole version 2.4.1-4 (0a86619f)
# OS: Linux 6.12.43+deb13-amd64 x86_64 Debian 13.1 ext4
# Hostname: ifufe.lifeintegrity.com
# 4 default setting changes since version 2.4.0
dovecot_config_version = 2.4.0
auth_cache_size = 1M
auth_failure_delay = 30 secs
auth_verbose = yes
dovecot_storage_version = 2.4.0
fts_autoindex = yes
fts_autoindex_max_recent_msgs = 999
fts_search_add_missing = yes
imap_idle_notify_interval = 29 mins
log_debug = category=auth
mail_driver = maildir
mail_home = /home/%{user|username}
mail_inbox_path = /var/mail/%{user}
mail_path = /var/mail/%{user}
mail_privileged_group = mail
protocols {
  imap = yes
}
sieve_global_extensions {
  vnd.dovecot.pipe = yes
  vnd.dovecot.environment = yes
}
sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
sieve_plugins {
  sieve_imapsieve = yes
  sieve_extprograms = yes
}
ssl = required
passdb passwd {
  driver = passwd-file
  passwd_file_path = /etc/dovecot/passwd
}
userdb passwd {
  driver = passwd
}
namespace inbox {
  inbox = yes
  mailbox Drafts {
    special_use = "\\Drafts"
  }
  mailbox Junk {
    special_use = "\\Junk"
  }
  mailbox Trash {
    special_use = "\\Trash"
  }
  mailbox Sent {
    special_use = "\\Sent"
  }
  mailbox "Sent Messages" {
    special_use = "\\Sent"
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
  }
}
service pop3-login {
  inet_listener pop3 {
  }
  inet_listener pop3s {
  }
}
service submission-login {
  inet_listener submission {
  }
  inet_listener submissions {
  }
}
service lmtp {
  unix_listener lmtp {
  }
}
service imap {
}
service pop3 {
}
service submission {
}
service auth {
  vsz_limit = 2G
  unix_listener auth-userdb {
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
service auth-worker {
}
service dict {
  unix_listener dict {
  }
}
ssl_server {
  cert_file = /etc/ssl/certs/imaps.lifeintegrity.com-cert.pem
  key_file = /etc/ssl/private/imaps.lifeintegrity.com-key.pem
}
protocol lda {
  mail_plugins {
    sieve = yes
  }
}
protocol imap {
  mail_max_userip_connections = 32
  mail_plugins {
    imap_sieve = yes
  }
  namespace inbox {
    mailbox Drafts {
      autoexpunge = 30d
    }
    mailbox Spam {
      autoexpunge = 30d
    }
    mailbox Trash {
      autoexpunge = 30d
    }
  }
}
imapsieve_from Spam {
  sieve_script ham {
    cause = copy
    path = /var/lib/dovecot/sieve/report_ham.sieve
    type = before
  }
}
mailbox Spam {
  sieve_script spam {
    cause = copy
    path = /var/lib/dovecot/sieve/report_spam.sieve
    type = before
  }
}

-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.43+deb13-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dovecot-core depends on:
ii  adduser              3.152
ii  dovecot-sieve        1:2.4.1+dfsg1-6
ii  init-system-helpers  1.69~deb13u1
ii  libapparmor1         4.1.0-1
ii  libbz2-1.0           1.0.8-6
ii  libc6                2.41-12
ii  libcap2              1:2.75-10+b1
ii  libcrypt1            1:4.4.38-1
ii  libexttextcat-2.0-0  3.4.7-1+b1
ii  libicu76             76.1-4
ii  liblua5.4-0          5.4.7-1+b2
ii  liblz4-1             1.10.0-4
ii  libpam-runtime       1.7.0-5
ii  libpam0g             1.7.0-5
ii  libsodium23          1.0.18-1+b2
ii  libssl3t64           3.5.1-1
ii  libstemmer0d         2.2.0-4+b2
ii  libsystemd0          257.8-1~deb13u2
ii  libtirpc3t64         1.3.6+ds-1
ii  libunwind8           1.8.1-0.1
ii  libzstd1             1.5.7+dfsg-1
ii  openssl              3.5.1-1
ii  ssl-cert             1.1.3
ii  ucf                  3.0052
ii  zlib1g               1:1.3.dfsg+really1.3.1-1+b1

dovecot-core recommends no packages.

Versions of packages dovecot-core suggests:
pn  dovecot-flatcurve     <none>
pn  dovecot-gssapi        <none>
ii  dovecot-imapd         1:2.4.1+dfsg1-6
pn  dovecot-ldap          <none>
pn  dovecot-lmtpd         <none>
pn  dovecot-managesieved  <none>
pn  dovecot-mysql         <none>
pn  dovecot-pgsql         <none>
pn  dovecot-pop3d         <none>
pn  dovecot-solr          <none>
pn  dovecot-sqlite        <none>
pn  dovecot-submissiond   <none>
pn  ntp                   <none>

Versions of packages dovecot-core is related to:
ii  dovecot-core [dovecot-common]  1:2.4.1+dfsg1-6
pn  dovecot-dev                    <none>
pn  dovecot-gssapi                 <none>
ii  dovecot-imapd                  1:2.4.1+dfsg1-6
pn  dovecot-ldap                   <none>
pn  dovecot-lmtpd                  <none>
pn  dovecot-managesieved           <none>
pn  dovecot-mysql                  <none>
pn  dovecot-pgsql                  <none>
pn  dovecot-pop3d                  <none>
ii  dovecot-sieve                  1:2.4.1+dfsg1-6
pn  dovecot-sqlite                 <none>

-- no debconf information
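For anyone checking their own auth logs for the symptom this report shows (passdb accepts one user, the cached userdb answer names another), here is an added detection script; it is not part of the report or of Dovecot, and SAMPLE_LOG is constructed from shortened copies of the debug lines above:

```python
import re
from typing import Dict, Iterable, List

# Added example, not part of the bug report: flag Dovecot auth debug lines
# where the userdb answer names a different user than the one that passed
# passdb, the cross-account symptom shown in the report. SAMPLE_LOG holds
# constructed lines shortened from that output (auth_token values dropped):
# the first three are the bad login, the last two the expected one.
SAMPLE_LOG = """\
dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<8FSud2Q/NAlQ0ERJ>: Debug: passwd: userdb cache hit: system_groups_user=mona uid=1001 home=/home/mona gid=100 user=mona
dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<8FSud2Q/NAlQ0ERJ>: Debug: passwd: username changed allan -> mona
dovecot[172442]: auth: Debug: master userdb out: USER 1699479553 mona system_groups_user=mona uid=1001 home=/home/mona gid=100 auth_mech=PLAIN auth_user=allan local_name=imaps.lifeintegrity.com
dovecot[172442]: auth(allan,80.208.68.73,sasl:plain)<zS9/2WQ/WQlQ0ERJ>: Debug: passwd: userdb cache hit: system_groups_user=allan uid=1000 home=/home/allan gid=100 user=allan
dovecot[172442]: auth: Debug: master userdb out: USER 1836187649 allan system_groups_user=allan uid=1000 home=/home/allan gid=100 auth_mech=PLAIN local_name=imaps.lifeintegrity.com
"""

# Three line shapes that carry both the requested and the returned username.
# "key" is the auth session id, or the master request id for "userdb out".
PATTERNS = {
    "cache_hit": re.compile(
        r"auth\((?P<req>[^,)]+)[^)]*\)<(?P<key>[^>]+)>: Debug: [\w-]+: "
        r"userdb cache hit: .*\buser=(?P<got>\S+)"),
    "renamed": re.compile(
        r"<(?P<key>[^>]+)>: Debug: [\w-]+: username changed "
        r"(?P<req>\S+) -> (?P<got>\S+)"),
    "master_out": re.compile(
        r"master userdb out: USER (?P<key>\d+) (?P<got>\S+) .*"
        r"\bauth_user=(?P<req>\S+)"),
}

def find_userdb_mismatches(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per line whose userdb result names a different user
    than the authenticated one. Case-insensitive, since Dovecot may lower-case
    the username between the two lookups."""
    findings = []
    for line in lines:
        for source, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m and m["req"].lower() != m["got"].lower():
                findings.append({"source": source, "key": m["key"],
                                 "requested": m["req"], "returned": m["got"]})
                break
    return findings

if __name__ == "__main__":
    for f in find_userdb_mismatches(SAMPLE_LOG.splitlines()):
        print(f"{f['source']:10} {f['key']}: {f['requested']} -> {f['returned']}")
```

Run it over the output of log_debug = category=auth; any finding means a session was handed another account's uid and home and should be treated as an account-confusion incident, with auth_cache_size = 0 as the obvious workaround to test while the cache bug is investigated.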

