Univention Bugzilla – Bug 49038
[4.4] Dovecot allows login via $UID even if no mailPrimaryAddress is specified in LDAP
Last modified: 2019-04-10 14:19:08 CEST
Merge and release in 4.4-0-errata.

+++ This bug was initially created as a clone of Bug #48628 +++

Currently dovecot allows an IMAP login via $UID even if no mailPrimaryAddress is specified for that user object in LDAP. Since dovecot creates IMAP mailboxes on demand, a mailbox is created directly within the "private/" directory without mail domain subdirectory → "private/$LOCALPART/" (see below → user3). Users with specified mailPrimaryAddress are placed correctly in "private/$DOMAIN/$LOCALPART/":

# cd /var/spool/dovecot/
# find . -maxdepth 3 -type d
.
./public
./private
./private/user3
./private/user3/Maildir
./private/nstx.local
./private/nstx.local/user26
./private/nstx.local/user36
./private/nstx.local/user24
[...]

This is no security issue, since the password for IMAP login still has to be correct.
[4.4-0] 2bdba552f8 Bug #49038: prevent initial login of user without email address
[4.4-0] 32dff9f63f Bug #49038: changelog
[4.4-0] 2a69c6ff09 Bug #49038: advisory univention-mail-dovecot (5.0.1-2)
This change breaks 40_mail/25_imap_acls_correctly_respected.test and 40_mail/43_dovecot_shared_folder_create_subfolder_with_acls
please consider http://jenkins.knut.univention.de:8080/view/Seed%20Jobs/job/UCS-4.4/job/UCS-4.4-0/job/branch%20test%20mail%20joined-master/ to avoid test regressions in the future
The use of
---
doveadm acl {delete,set} -u Administrator mailbox permissions...
---
was replaced with
---
doveadm acl {delete,set} -A mailbox permissions...
---
because "Administrator" could not log in anymore if it has no mailPrimaryAddress.

[4.4-0] fee9eff386 Bug #49038: use doveadm without a user, as it'd now requires an email address
[4.4-0] 199a1948da Bug #49038: update advisory univention-mail-dovecot (5.0.1-3)
(In reply to Felix Botner from comment #3)
> please consider
> http://jenkins.knut.univention.de:8080/view/Seed%20Jobs/job/UCS-4.4/job/UCS-4.4-0/job/branch%20test%20mail%20joined-master/
> to avoid test regressions in the future

Excellent - thank you.
Instead of using "-A", which can have a serious performance impact iterating over all users, the LDAP filter now allows (only) the "Administrator" user to log in without it having an email address.

[4.4-0] 2c5b59065d Revert "Bug #49038: use doveadm without a user, as it'd now requires an email address"
[4.4-0] c3b81ba012 Bug #49038: revert 5.0.1-3 (use doveadm without a user), allow Administrator user instead
[4.4-0] a6769a3593 Bug #49038: advisory update univention-mail-dovecot (5.0.1-5)
Using hardcoded "Administrator" breaks some environments (e.g. French UCS); you can use this instead:

from univention.lib.misc import custom_username
escape_filter_chars(custom_username('Administrator'))

(I wonder why an exception for Administrator is necessary; it would be kind if there were a textual description instead of a Jenkins link.)
(In reply to Florian Best from comment #7)
> Using hardcoded "Administrator" breaks some environments (e.g. french UCS),
> you can use this instead:
>
> from univention.lib.misc import custom_username
> escape_filter_chars(custom_username('Administrator'))

I added it.

[4.4-0] 262fb2892f Bug #49038: handle localized Administrator username
[4.4-0] c5876e51ca Bug #49038: advisory update univention-mail-dovecot (5.0.1-6)

> (I wonder why an exception for Administrator is necessary, would be kind if
> there is a textual description instead of a Jenkins link).

See comment 6.
[4.4-0] f742728c9c Bug #49038: localize Administrator username also in config template
[4.4-0] 4f9f661a01 Bug #49038: changelog
[4.4-0] b2f82c3ac2 Bug #49038: advisory update
The username is not LDAP-filter escaped!

(In reply to Florian Best from comment #7)
> from univention.lib.misc import custom_username
> escape_filter_chars(custom_username('Administrator'))
[4.4-0] 36131f20ed Bug #49038: escape LDAP filter
[4.4-0] 7de4643baa Bug #49038: advisory update
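Added illustration of the two points raised in comment 7 and comment 14 (localized admin name, and the missing LDAP filter escaping); this is editor-written example code, not the univention-mail-dovecot package's filter. The filter shape and the names univentionMail, mailPrimaryAddress and uid are assumptions standing in for whatever the package really ships; escape_filter_chars() is a local RFC 4515 implementation with the same contract as python-ldap's ldap.filter.escape_filter_chars; the admin name is a plain parameter where UCS would call univention.lib.misc.custom_username('Administrator'). The hostile name is constructed to show why escaping matters even for a configured value: unescaped, it turns the OR branch into a wildcard match that silently reopens the hole this bug closed, while the filter stays syntactically valid.

```python
"""Dovecot LDAP pass_filter with an exception for one (localized) admin account.

Editor-added example for Bug #49038, not the package's own code.  Assumed
names: objectClass univentionMail, attributes mailPrimaryAddress and uid.
"""

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value.  A single pass over the string, so nothing is re-escaped.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_chars(value: str) -> str:
    """Escape VALUE for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_pass_filter(admin_username: str, escape: bool = True) -> str:
    """Return a pass_filter admitting users with a mailPrimaryAddress plus
    ADMIN_USERNAME, which in UCS would come from custom_username().

    escape=False reproduces the unescaped interpolation flagged in comment 14
    and exists only so the two results can be compared.  %u is Dovecot's own
    login-name variable and is left for Dovecot to substitute.
    """
    admin = escape_filter_chars(admin_username) if escape else admin_username
    return (
        "(&(objectClass=univentionMail)"
        f"(|(mailPrimaryAddress=*)(uid={admin}))"
        "(uid=%u))"
    )


def admits_every_user(ldap_filter: str) -> bool:
    """True if the OR branch contains a wildcard uid match, i.e. the
    'must have a mail address' condition no longer restricts anyone."""
    return "(uid=*)" in ldap_filter


if __name__ == "__main__":
    # Constructed inputs: the default name, a localized one, and a hostile one.
    for name in ("Administrator", "Administrateur", "Admin)(uid=*"):
        for escape in (True, False):
            f = build_pass_filter(name, escape=escape)
            print(f"{name!r:16} escape={escape!s:5} "
                  f"wide-open={admits_every_user(f)!s:5} {f}")
```

For the plain names, escaped and unescaped output are identical, which is why the bug was easy to miss; only a name containing one of the five RFC 4515 special characters shows the difference.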
(In reply to Florian Best from comment #7)
> Using hardcoded "Administrator" breaks some environments (e.g. french UCS),
> you can use this instead:

Good point! Thx.

> (I wonder why an exception for Administrator is necessary, would be kind if
> there is a textual description instead of a Jenkins link).

Previously, all LDAP users could log in to Dovecot, regardless of whether their user object contains a primary mail address at all. However, this leads to "wrong" IMAP mailboxes being created on the fly in the Dovecot mailspool when users without a mail address log on.

So far, we used doveadm with a concrete user ("-u Administrator") who can log on to Dovecot. The user is required by dovecot to perform ACL modifications. With the adjustment of the LDAP filter, the Administrator could only log on to Dovecot if a primary mail address was set manually for the Administrator and was therefore initially excluded as a candidate for "doveadm".

As an alternative one can use "doveadm -A", which iterates over all users known to dovecot. The part "all users known to dovecot" is the problematic part here: in school environments the command would try to modify the ACLs with every pupil/teacher object. For this the objects have to be pulled out of the LDAP first, which takes some time and memory for domains with >50,000 user objects.

In order not to have to create a user with a known mail address in LDAP especially for this task, the workaround was chosen that the Administrator can still log in directly to Dovecot, even if no primary mail address is set at his user object. This should limit the problem extremely and keeps the effort for a solution low.

OK: code change
OK: manual test
OK: advisory
??: automatic tests
OK: automatic tests
<http://errata.software-univention.de/ucs/4.4/45.html>