Bug 39317

Summary: pam_univentionmailcyrus.so ignores univentionMailHomeServer
Product: UCS Reporter: Daniel Tröder <troeder>
Component: MailAssignee: Mail maintainers <mail-maintainers>
Status: RESOLVED WONTFIX QA Contact:
Severity: normal    
Priority: P5 CC: best, birkefeld, gohmann, schwardt
Version: UCS 4.0   
Target Milestone: UCS 4.0-x   
Hardware: Other   
OS: Linux   
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=38804
What kind of report is it?: Bug Report What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 2: Will only affect a few installed domains How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.011 Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score:
Bug Depends on: 38387    
Bug Blocks: 38457    

Description Daniel Tröder univentionstaff 2015-09-08 11:08:22 CEST 
+++ This bug was initially created as a clone of Bug #38387 +++

univentionmailcyrus.so does not honor univentionMailHomeServer.

This results with Dovecot in an "Internal login failure", because for a user with a homeServer!=self PAM authentication succeeds, but the LDAP lookup fails. Dovecot interprets this as his own fault.
This is not a problem for the functioning of Dovecot, just a ugly log message.

----- message to imap client:
imaplib.error: [UNAVAILABLE] Internal error occurred. Refer to server log for more information.
-----
----- message in dovecot server log:
dovecot: imap: Error: Authenticated user not found from userdb
-----

Authentication should only succeed if the user has a mail account on the local server (univentionMailHomeServer=FQDN) or univentionMailHomeServer is empty.

---------------------------

Until solved, the test 40_mail/29_mail_related_modifications_of_user_objects treats the error "[UNAVAILABLE] Internal error occurred" as an (expected) login error.
Comment 1 Florian Best univentionstaff 2015-10-05 17:02:02 CEST 
It defines also the search filter without escaping the values:
152    snprintf(filter, BUFSIZ, "(&(%s=%s)(%s=*))", fromattr, fromuser, toattr);

where fromuser is a not ldap-filter-escaped string given by user input which e.g. could be '*' or '*)(foo=bar'.
Comment 2 Stefan Gohmann univentionstaff 2019-01-03 07:16:22 CET 
This issue has been filled against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 has ended on 31st of May 2016.

Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.