Bug 48628 - Dovecot allows login via $UID even if no mailPrimaryAddress is specified in LDAP
Dovecot allows login via $UID even if no mailPrimaryAddress is specified in LDAP
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail - Dovecot
UCS 4.3
Other Linux
: P5 normal
: UCS 4.3-3-errata
Assigned To: Daniel Tröder
Sönke Schwardt-Krummrich
Depends on:
Blocks: 49038
Reported: 2019-02-07 16:36 CET by Sönke Schwardt-Krummrich
Modified: 2019-04-10 14:35 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.051
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Description Sönke Schwardt-Krummrich univentionstaff 2019-02-07 16:36:54 CET
Currently dovecot allows an IMAP login via $UID even if no mailPrimaryAddress is specified for that user object in LDAP. Since dovecot creates IMAP mailboxes on demand, a mailbox is created directly within the "private/" directory without mail domain subdirectory → "private/$LOCALPART/" (see below → user3).
Users with a specified mailPrimaryAddress are placed correctly in "private/$DOMAIN/$LOCALPART/"

# cd /var/spool/dovecot/
# find . -maxdepth 3 -type d
.
./public
./private
./private/user3
./private/user3/Maildir
./private/nstx.local
./private/nstx.local/user26
./private/nstx.local/user36
./private/nstx.local/user24
[...]

This is no security issue, since the password for IMAP login still has to be correct.
Comment 1 Daniel Tröder univentionstaff 2019-03-19 15:06:00 CET
The LDAP filter now prevents users without a mailPrimaryAddress from succeeding in the userdb stage.

However, because the user first authenticated successfully but then could not be found in the user DB, there will be an error message:

----------------------------------
dovecot: imap-login: Internal login failure (pid=10619 id=1) (internal failure, 1 successful auths)
----------------------------------

This "internal failure" can be safely ignored.


[4.3-3] 7c3eef5f93 Bug #48628: prevent initial login of user without email address
[4.3-3] 3448c6d126 Bug #48628: changelog
[4.3-3] c564a7c9d8 Bug #48628: advisory

univention-mail-dovecot (4.0.0-14)
Comment 2 Daniel Tröder univentionstaff 2019-03-20 13:50:04 CET
The use of
---
doveadm acl {delete,set} -u Administrator mailbox permissions...
---
  was replaced with
---
doveadm acl {delete,set} -A mailbox permissions...
---
because "Administrator" could not log in anymore, if it has no mailPrimaryAddress.

[4.3-3] 87c482a4f9 Bug #49038: use doveadm without a user, as it'd now requires an email address
[4.3-3] 6e4302ebec Bug #48628: update advisory

univention-mail-dovecot (4.0.0-15)
Comment 3 Daniel Tröder univentionstaff 2019-04-04 16:48:25 CEST
Instead of using "-A", which can have a serious performance impact iterating over all users, the LDAP filter now allows (only) the "Administrator" user to login without it having an email address.

[4.3-3] 85c4b7cd2c Revert "Bug #48628: use doveadm without a user, as it'd now requires an email address"
[4.3-3] 144fccdc7d Bug #48628: revert 4.0.0-17 (use doveadm without a user), allow Administrator user instead
[4.3-3] f26c839bde Bug #48628: advisory update

univention-mail-dovecot (4.0.0-17)
Comment 4 Daniel Tröder univentionstaff 2019-04-04 20:39:13 CEST
[4.3-3] c7a0d8dba0 Bug #48628: handle localized Administrator username
[4.3-3] 775fe5f7c3 Bug #48628: advisory update

univention-mail-dovecot (4.0.0-18)
Comment 5 Daniel Tröder univentionstaff 2019-04-09 15:20:15 CEST
[4.3-3] cac7a35b2f Bug #48628: localize Administrator username also in config template
[4.3-3] b4fe7353d5 Bug #48628: changelog
[4.3-3] e291610a11 Bug #48628: advisory update
Comment 6 Daniel Tröder univentionstaff 2019-04-09 15:40:03 CEST
[4.3-3] a33fa84030 Bug #48628: escape LDAP filter
[4.3-3] b9cd67b4f4 Bug #48628: advisory update
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2019-04-09 16:09:08 CEST
> (I wonder why an exception for Administrator is necessary, would be kind if
> there is a textual description instead of a Jenkins link).

Previously, all LDAP users could log in to Dovecot -- regardless of whether their user object contains a primary mail address at all. However, this leads to "wrong" IMAP mailboxes being created on-the-fly in the Dovecot mailspool when users without a mail address log on.
So far, we used doveadm with a concrete user ("-u Administrator") who can log on to Dovecot. The user is required by dovecot to perform ACL modifications.
With the adjustment of the LDAP filter, the Administrator could only log on to Dovecot if a primary mail address was set manually for the Administrator and was therefore initially excluded as a candidate for "doveadm".

As an alternative one can use "doveadm -A", which iterates over all users known to dovecot. The part "all users known to dovecot" is the problematic part here: in school environments the command would try to modify the ACLs with every pupil/teacher object. For this the objects have to be pulled out of the LDAP first, which takes some time and memory for domains with >50.000 user objects.

In order not to have to create a user with a known mail address in LDAP especially for this task, the workaround was chosen that the Administrator can still log in directly to Dovecot, even if no primary mail address is set on his user object.
This should limit the problem extremely and keeps the effort for a solution low.


OK: code change
OK: manual test
OK: advisory
??: automatic tests
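To illustrate the userdb filter logic discussed in Comments 3, 6 and 7 (users need a mailPrimaryAddress, one configured administrator account is exempted, and the administrator name is escaped before it is interpolated into the filter), here is an added, self-contained example that is not code from the UCS package: the filter shape, the admin account name and the LDAP entries are constructed assumptions, and the evaluator is a toy over Python dicts, not a real LDAP query.

```python
"""Added example (not UCS/Dovecot code): build a Dovecot userdb LDAP filter that
admits users with a mailPrimaryAddress plus one exempted admin account, escape the
interpolated admin name per RFC 4515, and evaluate the filter over constructed entries."""
import re

# RFC 4515 escaping for values interpolated into an LDAP search filter.
_LDAP_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def ldap_escape(value: str) -> str:
    return ''.join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def userdb_filter(admin_uid: str) -> str:
    # Assumed filter shape; %u is substituted by Dovecot with the login name.
    return f"(&(uid=%u)(|(mailPrimaryAddress=*)(uid={ldap_escape(admin_uid)})))"


def _parse(s: str, i: int):
    # Minimal RFC 4515 parser: '&', '|', equality and presence ('*') only.
    if s[i + 1] in '&|':
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == '(':
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1                      # skip closing ')'
    end = s.index(')', i)                             # escaped parens are \28/\29
    attr, _, val = s[i + 1:end].partition('=')
    return ('=', attr, val), end + 1


def _unescape(v: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), v)


def _match(node, entry: dict) -> bool:
    if node[0] in '&|':
        combine = all if node[0] == '&' else any
        return combine(_match(k, entry) for k in node[1])
    _, attr, val = node
    values = entry.get(attr, [])
    return bool(values) if val == '*' else _unescape(val) in values


def userdb_lookup(login: str, entries: list, admin_uid: str = 'Administrator') -> list:
    """Return the entries the userdb filter would match for this login name."""
    flt = userdb_filter(admin_uid).replace('%u', ldap_escape(login))
    node, _ = _parse(flt, 0)
    return [e for e in entries if _match(node, e)]


# Constructed sample directory: user3 mirrors the bug (no mail address).
ENTRIES = [
    {'uid': ['user26'], 'mailPrimaryAddress': ['user26@nstx.local']},
    {'uid': ['user3']},
    {'uid': ['Administrator']},
    {'uid': ['Admin(istrator)']},   # constructed name with filter metacharacters
]
```

A login that passes passdb but gets an empty userdb result here is exactly the case that produces the "internal failure" line quoted in Comment 1.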
Comment 8 Sönke Schwardt-Krummrich univentionstaff 2019-04-10 09:33:00 CEST
OK: automatic tests
Comment 9 Erik Damrose univentionstaff 2019-04-10 14:35:28 CEST
<http://errata.software-univention.de/ucs/4.3/474.html>