Skip to content

fix: Correctly support multiple Dovecot PassDBs#3812

Merged
georglauterbach merged 4 commits intodocker-mailserver:masterfrom
polarathene:fix/support-multiple-dovecot-auth
Jan 23, 2024
Merged

fix: Correctly support multiple Dovecot PassDBs#3812
georglauterbach merged 4 commits intodocker-mailserver:masterfrom
polarathene:fix/support-multiple-dovecot-auth

Conversation

@polarathene
Copy link
Copy Markdown
Member

@polarathene polarathene commented Jan 23, 2024
edited
Loading

Description

Implemented fix as proposed at: #3801 (comment)

  • Additional test coverage added for OAuth2 (SMTP Auth + use curl for IMAP Auth test as well)
  • plain login is used since this is intended for a bug fix release. In future we should probably drop login support.

fix: Dovecot PassDB should restrict allowed auth mechanisms:

  • This prevents PassDBs incompatible with certain auth mechanisms from logging failures which accidentally triggers Fail2Ban.
  • Instead only allow the PassDB to be authenticated against when it's compatible with the auth mechanism used.

tests: Use curl for OAuth2 login test-cases instead of netcat:

  • curl provides this capability for both IMAP and SMTP authentication with a bearer token. It supports both XOAUTH2 and OAUTHBEARER mechanisms, as these updated test-cases demonstrate.

Fixes #3801

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • If necessary I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • I have added information about changes made in this PR to CHANGELOG.md

@polarathene
fix: Dovecot PassDB should restrict allowed auth mechanisms
80809c6 
This prevents PassDBs incompatible with certain auth mechanisms from logging failures which accidentally triggers Fail2Ban.

Instead only allow the PassDB to be authenticated against when it's compatible with the auth mechanism used.
@polarathene polarathene added this to the v13.3.1 milestone Jan 23, 2024
@polarathene polarathene self-assigned this Jan 23, 2024
@polarathene
tests: Use curl for OAuth2 login test-cases instead of netcat
8d85c02 
`curl` provides this capability for both IMAP and SMTP authentication with a bearer token. It supports both `XOAUTH2` and `OAUTHBEARER` mechanisms, as these updated test-cases demonstrate.
@polarathene
chore: Add entry to CHANGELOG.md
1293591
@polarathene polarathene force-pushed the fix/support-multiple-dovecot-auth branch from 72c7f88 to 1293591 Compare January 23, 2024 06:13
georglauterbach
georglauterbach approved these changes Jan 23, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@georglauterbach georglauterbach left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍 When 13.3.1 is out, I will rebase my sending-filtering-in-tests-PR to update the helpers.

@georglauterbach georglauterbach merged commit 611a66b into docker-mailserver:master Jan 23, 2024
@polarathene polarathene mentioned this pull request Aug 4, 2024
Open
@nowheretobefound nowheretobefound mentioned this pull request Sep 8, 2024
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@casperklein casperklein casperklein approved these changes

@georglauterbach georglauterbach georglauterbach approved these changes

Assignees

@polarathene polarathene

Labels

area/configuration (file) area/tests kind/bug/fix A fix (PR) for a confirmed bug service/dovecot service/security/fail2ban

Projects

None yet

Milestone

v13.3.1

Development

Successfully merging this pull request may close these issues.

bug report: OAUTH2 auth results in eventual client IP ban if fail2ban enabled

3 participants

@polarathene @casperklein @georglauterbach