View Issue Details

ID: 0005479
Project: SOGo
Category: sogo-tool
View Status: public
Last Update: 2022-02-17 15:12
Reporter: rschuetz
Assigned To: francis
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Fixed in Version: 5.6.0
Summary: 0005479: sogo-tool Sieve operations cause IMAP authentication failures
Description

sogo-tool commands that utilize ManageSieve also cause IMAP authentication failures. While SASL PLAIN is used for ManageSieve with proper authorization identity (authzid), authentication identity (authcid) and password (passwd), sogo-tool attempts IMAP authentication with the LOGIN command as well. This obviously fails because the LOGIN command only accepts authcid and passwd. I'm not sure why an IMAP connection is needed here at all, but authentication must be done with SASL PLAIN to provide the authzid.

Tags: No tags attached.

Activities

francis (administrator), 2022-02-11 19:34, note ~0015856

What exact command are you using with sogo-tool?

rschuetz (reporter), 2022-02-11 19:53, note ~0015857

e.g. sogo-tool update-autoreply -p /etc/sogo/sieve.creds or sogo-tool user-preferences unset defaults user -p /etc/sogo/sieve.creds Forward

francis (administrator), 2022-02-11 20:39, note ~0015858

The IMAP login (and list operation) is required to fetch the IMAP delimiter character. It falls back to NGImap4ConnectionStringSeparator.

rschuetz (reporter), 2022-02-11 21:48, note ~0015859

But the way it is currently implemented IMAP authentication does not work. The username and password from the admin credentials file are not necessarily valid for the IMAP LOGIN command and as a side effect sogo-tool often hangs for several minutes until Dovecot closes the unauthenticated IMAP connection. The credentials must be used with SASL PLAIN (RFC 4616) and the user that should be impersonated (authzid) must be specified like it is already done for ManageSieve.

francis (administrator), 2022-02-15 18:19, note ~0015868

sogo-tool is properly doing a proxy authentication.

Sniff the traffic to see why sogo-tool is hanging.

rschuetz (reporter), 2022-02-16 09:01, note ~0015875

Running sogo-tool with IMAP debugging clearly shows otherwise. Hanging seems to be caused by ignoring the authentication failure and sending the next command (LIST) too quickly.

# sogo-tool user-preferences unset defaults user -p /etc/sogo/sieve.creds Forward
<0x0x563d0b2db350[SOGoCache]> Cache cleanup interval set every 300.000000 seconds
<0x0x563d0b2db350[SOGoCache]> Using host(s) 'localhost' as server(s)
S[0x563d0b216cf0]: "IMPLEMENTATION" "Dovecot (Debian) Pigeonhole"
S[0x563d0b216cf0]: "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"
S[0x563d0b216cf0]: "NOTIFY" "mailto"
S[0x563d0b216cf0]: "SASL" ""
S[0x563d0b216cf0]: "STARTTLS"
S[0x563d0b216cf0]: "VERSION" "1.0"
S[0x563d0b216cf0]: OK "Dovecot (Debian) ready."
C: STARTTLS
S[0x563d0b216cf0]: OK "Begin TLS negotiation now."
<0x0x563d0afc2bc0[NGSieveClient]> TLS started successfully.
S[0x563d0b216cf0]: "IMPLEMENTATION" "Dovecot (Debian) Pigeonhole"
S[0x563d0b216cf0]: "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"
S[0x563d0b216cf0]: "NOTIFY" "mailto"
S[0x563d0b216cf0]: "SASL" "PLAIN"
S[0x563d0b216cf0]: "VERSION" "1.0"
S[0x563d0b216cf0]: OK "TLS negotiation successful."
C: AUTHENTICATE "PLAIN" {%d+}
LOGIN:PASSWORD

S[0x563d0b216cf0]: OK "Logged in."
C: LISTSCRIPTS
S[0x563d0b519c50]: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot (Debian) ready.
C[0x563d0b4e81e0]: 1 login "adminuser" "adminpassword"
S[0x563d0b519c50]: 1 NO [AUTHENTICATIONFAILED] Authentication failed.
C[0x563d0b4e81e0]: 2 LIST "" ""
<hangs here>
S[0x563d0b519c50]: * BYE Disconnected for inactivity.
S[0x563d0b51e600]: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot (Debian) ready.
C[0x563d0b4e81e0]: 1 login "adminuser" "adminpassword"
S[0x563d0b51e600]: 1 NO [AUTHENTICATIONFAILED] Authentication failed.
C[0x563d0b4e81e0]: 2 LIST "" ""
<hangs here>
S[0x563d0b51e600]: * BYE Disconnected for inactivity.
C: SETACTIVE ""
S[0x563d0b216cf0]: OK "Active script is now deactivated."
C: DELETESCRIPT "sogo"
S[0x563d0b216cf0]: OK "Deletescript completed."

Related Changesets

sogo: master a98b4045
2022-02-17 15:09, francis

fix(imap): use proxy authentication to detect IMAP delimiter

Fixes 0005479

Affected Issues: 0005479
mod - SoObjects/SOGo/SOGoSieveManager.m
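
An added example, not SOGo's code and not part of the original thread: the SASL PLAIN (RFC 4616) proxy login the reporter asks for, built as an IMAP AUTHENTICATE command, with the delimiter LIST sent only after a tagged OK. The exchange callable, fake_dovecot and the account values are assumptions constructed for illustration.

```python
import base64
import re

def sasl_plain(authzid, authcid, passwd):
    """RFC 4616 message: [authzid] NUL authcid NUL passwd, UTF-8 encoded."""
    if not authcid or any("\x00" in f for f in (authzid, authcid, passwd)):
        raise ValueError("empty authcid or NUL inside a SASL PLAIN field")
    return "\x00".join((authzid, authcid, passwd)).encode("utf-8")

def authenticate_plain(tag, authzid, authcid, passwd):
    """IMAP AUTHENTICATE with an initial response (needs SASL-IR, RFC 4959)."""
    ir = base64.b64encode(sasl_plain(authzid, authcid, passwd)).decode("ascii")
    return f"{tag} AUTHENTICATE PLAIN {ir}"

def tagged_status(tag, lines):
    """Status word (OK/NO/BAD) of the tagged completion line, else None."""
    for line in lines:
        word = line.split(" ", 2)
        if len(word) >= 2 and word[0] == tag:
            return word[1].upper()
    return None

LIST_RE = re.compile(r'^\* LIST \([^)]*\) (?:"(\\?.)"|NIL) ')

def detect_delimiter(exchange, authzid, authcid, passwd):
    """Log in as authcid on behalf of authzid, then read the delimiter.

    `exchange(command) -> list of reply lines` is a hypothetical transport
    that appends CRLF. LIST is sent only after a tagged OK, so a rejected
    login raises instead of leaving the client waiting on the server.
    """
    reply = exchange(authenticate_plain("1", authzid, authcid, passwd))
    if tagged_status("1", reply) != "OK":
        raise PermissionError("IMAP authentication failed: %r" % reply[-1:])
    for line in exchange('2 LIST "" ""'):
        m = LIST_RE.match(line)
        if m and m.group(1):
            return m.group(1)[-1]  # drop the quoting backslash, if any
    return None  # NIL delimiter: flat namespace

def fake_dovecot(command):
    """Constructed stand-in for a server that accepts only proxy auth."""
    good = authenticate_plain("1", "user", "adminuser", "adminpassword")
    if command == good:
        return ["1 OK Logged in"]
    if command.startswith("2 LIST"):
        return ['* LIST (\\Noselect) "/" ""', "2 OK List completed."]
    return ["1 NO [AUTHENTICATIONFAILED] Authentication failed."]
```

LOGIN carries only a user name and password, so it has no field for the impersonated account; the authzid in the first position of the PLAIN message is what makes the login a proxy authentication.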

Issue History

Date Modified Username Field Change
2022-02-09 08:21 rschuetz New Issue
2022-02-11 19:34 francis Note Added: 0015856
2022-02-11 19:53 rschuetz Note Added: 0015857
2022-02-11 20:39 francis Assigned To => francis
2022-02-11 20:39 francis Status new => closed
2022-02-11 20:39 francis Resolution open => no change required
2022-02-11 20:39 francis Note Added: 0015858
2022-02-11 21:48 rschuetz Status closed => feedback
2022-02-11 21:48 rschuetz Resolution no change required => reopened
2022-02-11 21:48 rschuetz Note Added: 0015859
2022-02-15 18:19 francis Note Added: 0015868
2022-02-16 09:01 rschuetz Note Added: 0015875
2022-02-16 09:01 rschuetz Status feedback => assigned
2022-02-17 15:12 francis Changeset attached => sogo master a98b4045
2022-02-17 15:12 francis Resolution reopened => fixed
2022-02-17 15:12 francis Status assigned => resolved
2022-02-17 15:12 francis Fixed in Version => 5.6.0