Mail authorization problems after upgrade to 1.7.0

thorvald · March 23, 2023, 3:04pm

After upgrade to 1.7.0 i got many errors like
auth: Info: passwd-file([email protected],XXX.XXX.XXX.XXX,<dfadasdfasdffdsg>): Password mismatch
It happened because after rebuild mail domain, all hash schemas became BLF-CRYPT. But I have some old mail boxes, migrated from vestacp with MD5 and SSHA512. After rebuild, they became BLF-CRYPT and authorization broken.
I restore these settings from backup, but have question.
Is there some way to avoid a situation like this in the future, except recreate new passwords for users? I know that it is a necessary way for security, but.

eris · March 23, 2023, 5:24pm

We should never update the password for the mail accounts on rebuild:

github.com

hestiacp/hestiacp/blob/974f6885bb2a686c1e919e3ce4f97db4cf54a526/func/rebuild.sh#L682C2-L704


      
          	if [ -e "$USER_DATA/mail/$domain.conf" ]; then
          		accounts=$(search_objects "mail/$domain" 'SUSPENDED' "no" 'ACCOUNT')
          	else
          		accounts=''
          	fi
          	for account in $accounts; do
          		((++accs))
          		object=$(grep "ACCOUNT='$account'" $USER_DATA/mail/$domain.conf)
          		FWD_ONLY='no'
          		parse_object_kv_list "$object"
          		if [ "$SUSPENDED" = 'yes' ]; then
          			MD5='SUSPENDED'
          		fi
          
          
		if [[ "$MAIL_SYSTEM" =~ exim ]]; then
          			if [ "$QUOTA" = 'unlimited' ]; then
          				QUOTA=0
          			fi
          			str="$account:$MD5:$user:mail::$HOMEDIR/$user:${QUOTA}:userdb_quota_rule=*:storage=${QUOTA}M"
          			echo $str >> $HOMEDIR/$user/conf/mail/$domain/passwd

This file has been truncated. show original

Wonder what the contents was of /usr/local/hestia/data/users/user/mail/domain.com.conf

ballen · March 26, 2023, 7:01pm

I’m having the same issue.

I didn’t do anything special - my server just automatically updated to 1.7.0 and now I get the same errors in my /var/log/dovecot.log file:

Mar 26 19:56:05 auth: Info: missing passwd file: /etc/exim4/domains//passwd
Mar 26 19:56:24 imap-login: Info: Login: user=[email protected], method=PLAIN, rip=X.X.X.X, lip=X.X.X.X, mpid=732197, TLS, session=
Mar 26 19:56:28 imap([email protected])<732197>: Info: Disconnected: Connection closed (IDLE running for 0.001 + waiting input for 0.016 secs, 2 B in + 10 B out, state=wait-input) in=743 out=2906 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0

…and I’m unable to login to my mail both via. Outlook and Roundcube (as expected)

Is there a fix for this? - eg. simply reset the mailbox password or do I delete and re-create the mailbox

eris · March 26, 2023, 7:03pm

Can you DM me the contents of /usr/local/hestia/data/users/{user}/mail/domain.conf of a an affected domain?

ballen · March 26, 2023, 8:37pm

Sent - Thank you @eris

thorvald · March 28, 2023, 2:38pm

Yes, I found stored wrong password hashes in /usr/local/hestia/data/users/user/mail/domain.com.conf .
І know what happened, now. Thank you.
When I migrated from old vesta server I manually migrate data from exim directory after create same users on new server but forgot about domain.com.conf and data there.

MrTux · April 30, 2023, 8:21pm

Same problem, after the update all emails with MD5 hashed password are inaccessible from Roundcube, new accounts with BLF-CRYPT hashed password work normally.

/etc/exim4/domains/mydomain.it/passwd

info:{MD5}$1$TJxc…
webmaster:{MD5}$1$XEXZ…
emilio:{BLF-CRYPT}$2y$05$RE…

eris · April 30, 2023, 10:18pm

Strange issue…

Have no idea why it broke…

MrTux · May 1, 2023, 8:30am

It appears Debian 11 drops MD5 password compatibility.

https://forum.virtualmin.com/t/upgrade-to-debian-11-breaks-really-old-md5-password-comparability/119144

eris · May 1, 2023, 7:06pm

Can you check if you didn’t accidentally updated the config files in /etc/dovecot/conf.d/auth-passwdfile.conf.ext