Identity Provider (LDAP): Wrong auth via App-PW is forwarded to LDAP even if only App-PWs are allowed #6513
Open
jr3001 opened this issue May 6, 2025 · 0 comments
jr3001 commented May 6, 2025

Contribution guidelines

I've found a bug and checked that ...

  • ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
  • ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
  • ... I have understood that answers are voluntary and community-driven, and not commercial support.
  • ... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

Hello,

I came across the fact that the Mailcow Identity Provider implementation does not take into account the scenario in which a user's login (IMAP, Sieve, SMTP and co.) is only allowed via App-PWs.

So there is a user who is subject to the identity provider “LDAP”. This user has no permitted protocols for direct access in mailcow. If an auth is now performed (presumably not further limited without a valid App-PW/local PW), it is fired against LDAP. Thunderbird likes to do this 3-4 times, and the LDAP user is then blocked due to brute-forcing.

Logs:

php-fpm-mailcow-1    | 2025-05-06T08:02:40.152903961Z [06-May-2025 10:02:40] WARNING: [pool system-worker] child 327182 said into stderr: "NOTICE: PHP message: MAILCOWAUTH: Login failed for user [email protected]"
dovecot-mailcow-1    | 2025-05-06T08:02:40.154846260Z May  6 10:02:40 498cdd4af2aa dovecot: auth-worker(2084): HTTP request failed with 401 for user [email protected]
dovecot-mailcow-1    | 2025-05-06T08:02:40.154870706Z May  6 10:02:40 498cdd4af2aa dovecot: auth-worker(2084): Error: conn unix:auth-worker (pid=170,uid=401): auth-worker<1648392>: lua([email protected],10.1.81.13,<nw9ZCnM0+IYKAVEN>): passdb-lua: Upstream error
php-fpm-mailcow-1    | 2025-05-06T08:02:40.438108570Z [06-May-2025 10:02:40] WARNING: [pool system-worker] child 379961 said into stderr: "NOTICE: PHP message: MAILCOWAUTH: Login failed for user [email protected]"
dovecot-mailcow-1    | 2025-05-06T08:02:40.439822661Z May  6 10:02:40 498cdd4af2aa dovecot: auth-worker(2084): HTTP request failed with 401 for user [email protected]
dovecot-mailcow-1    | 2025-05-06T08:02:40.439850955Z May  6 10:02:40 498cdd4af2aa dovecot: auth-worker(2084): Error: conn unix:auth-worker (pid=170,uid=401): auth-worker<1648393>: lua([email protected],10.1.81.13,<nw9ZCnM0+IYKAVEN>): passdb-lua: Upstream error
php-fpm-mailcow-1    | 2025-05-06T08:02:46.744402839Z [06-May-2025 10:02:46] WARNING: [pool system-worker] child 307293 said into stderr: "NOTICE: PHP message: MAILCOWAUTH: Login failed for user [email protected]"
dovecot-mailcow-1    | 2025-05-06T08:02:46.746334031Z May  6 10:02:46 498cdd4af2aa dovecot: auth-worker(2084): HTTP request failed with 401 for user [email protected]
dovecot-mailcow-1    | 2025-05-06T08:02:46.746371475Z May  6 10:02:46 498cdd4af2aa dovecot: auth-worker(2084): Error: conn unix:auth-worker (pid=170,uid=401): auth-worker<1648394>: lua([email protected],10.1.81.13,<nw9ZCnM0+IYKAVEN>): passdb-lua: Upstream error
php-fpm-mailcow-1    | 2025-05-06T08:02:47.119162172Z [06-May-2025 10:02:47] WARNING: [pool system-worker] child 318217 said into stderr: "NOTICE: PHP message: MAILCOWAUTH: Login failed for user [email protected]"
dovecot-mailcow-1    | 2025-05-06T08:02:47.121040685Z May  6 10:02:47 498cdd4af2aa dovecot: auth-worker(2084): HTTP request failed with 401 for user [email protected]
dovecot-mailcow-1    | 2025-05-06T08:02:47.121175771Z May  6 10:02:47 498cdd4af2aa dovecot: auth-worker(2084): Error: conn unix:auth-worker (pid=170,uid=401): auth-worker<1648395>: lua([email protected],10.1.81.13,<nw9ZCnM0+IYKAVEN>): passdb-lua: Upstream error
sogo-mailcow-1       | 2025-05-06T08:02:53.015079437Z May  6 10:02:53 0a385d00519c sogod[9:60] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base 'ou=users,dc=mgpv,dc=net' filter '([email protected])' for attrs '*'
php-fpm-mailcow-1    | 2025-05-06T08:02:53.582373822Z [06-May-2025 10:02:53] WARNING: [pool system-worker] child 327182 said into stderr: "NOTICE: PHP message: MAILCOWAUTH: Login failed for user [email protected]"
dovecot-mailcow-1    | 2025-05-06T08:02:53.584856861Z May  6 10:02:53 498cdd4af2aa dovecot: auth-worker(2084): HTTP request failed with 401 for user [email protected]
dovecot-mailcow-1    | 2025-05-06T08:02:53.585322614Z May  6 10:02:53 498cdd4af2aa dovecot: auth-worker(2084): Error: conn unix:auth-worker (pid=170,uid=401): auth-worker<1648412>: lua([email protected],10.1.81.13,<nw9ZCnM0+IYKAVEN>): passdb-lua: Upstream error
php-fpm-mailcow-1    | 2025-05-06T08:02:54.040676213Z [06-May-2025 10:02:54] WARNING: [pool system-worker] child 379961 said into stderr: "NOTICE: PHP message: MAILCOWAUTH: Login failed for user [email protected]"
dovecot-mailcow-1    | 2025-05-06T08:02:54.042410819Z May  6 10:02:54 498cdd4af2aa dovecot: auth-worker(2084): HTTP request failed with 401 for user [email protected]
dovecot-mailcow-1    | 2025-05-06T08:02:54.042767037Z May  6 10:02:54 498cdd4af2aa dovecot: auth-worker(2084): Error: conn unix:auth-worker (pid=170,uid=401): auth-worker<1648413>: lua([email protected],10.1.81.13,<nw9ZCnM0+IYKAVEN>): passdb-lua: Upstream error
dovecot-mailcow-1    | 2025-05-06T08:02:56.069782378Z May  6 10:02:56 498cdd4af2aa dovecot: imap-login: Disconnected: Connection closed (auth service reported temporary failure): user=<[email protected]>, method=PLAIN, rip=10.1.81.13, lip=172.22.1.250, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)

Steps to reproduce:

1. Connect an identity provider (type: LDAP)
2. Make sure to have a mailbox connected to it
3. Make sure that all "Allowed protocols for direct user access" are unselected
4. Create an app-password for the user
5. Log in using a random password

Which branch are you using?

master

Which architecture are you using?

x86

Operating System:

Debian 12

Server/VM specifications:

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

KVM

Docker version:

28.0.4

docker-compose version or docker compose version:

v2.34.0

mailcow version:

2025-03b

Reverse proxy:

None internally (nginx of mailcow itself), externally apache2

Logs of git diff:

-

Logs of iptables -L -vn:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  19M 4805M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
  58M   18G DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
  58M   18G DOCKER-FORWARD  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.11          tcp dpt:3306
  759 42632 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
65075 3900K ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
50136 2978K ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
  250 13440 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
 781K   47M ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
12169  732K ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.5           tcp dpt:443
    1    60 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.5           tcp dpt:80
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 DROP       0    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  !docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-BRIDGE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 910K   55M DOCKER     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-CT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  27M 8146M ACCEPT     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  58M   18G DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
  31M 9977M DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
  31M 9977M DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
  30M 9922M ACCEPT     0    --  br-mailcow *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  30M 9922M DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  58M   18G RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain MAILCOW (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3604  216K DROP       0    --  *      *       45.146.130.98        0.0.0.0/0           
 4120  247K DROP       0    --  *      *       193.46.255.40        0.0.0.0/0           
    0     0 DROP       6    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */

Logs of ip6tables -L -vn:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
    0     0 DOCKER-USER  0    --  *      *       ::/0                 ::/0                
    0     0 DOCKER-FORWARD  0    --  *      *       ::/0                 ::/0                

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::d  tcp dpt:587
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::d  tcp dpt:465
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::d  tcp dpt:25
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::9  tcp dpt:4190
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::9  tcp dpt:993
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::6  tcp dpt:443
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::6  tcp dpt:80
    0     0 DROP       0    --  !br-mailcow br-mailcow  ::/0                 ::/0                
    0     0 DROP       0    --  !docker0 docker0  ::/0                 ::/0                

Chain DOCKER-BRIDGE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     0    --  *      br-mailcow  ::/0                 ::/0                
    0     0 DOCKER     0    --  *      docker0  ::/0                 ::/0                

Chain DOCKER-CT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-CT  0    --  *      *       ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       ::/0                 ::/0                
    0     0 DOCKER-BRIDGE  0    --  *      *       ::/0                 ::/0                
    0     0 ACCEPT     0    --  br-mailcow *       ::/0                 ::/0                
    0     0 ACCEPT     0    --  docker0 *       ::/0                 ::/0                

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  ::/0                 ::/0                

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      docker0  ::/0                 ::/0                
    0     0 DROP       0    --  *      br-mailcow  ::/0                 ::/0                

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  *      *       ::/0                 ::/0                

Chain MAILCOW (1 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of iptables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 962K   58M DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
38070 2284K DOCKER     0    --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  0    --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
2165K  149M MASQUERADE  0    --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0           

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    3   180 RETURN     0    --  br-mailcow *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    1    60 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.5:80
50239 3016K DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.5:443
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:110 to:172.22.1.250:110
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:143 to:172.22.1.250:143
 781K   47M DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:995 to:172.22.1.250:995
  250 13440 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
50138 2978K DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
 118K 7054K DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
  763 42872 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.11:3306

Logs of ip6tables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     0    --  *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     0    --  *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  0    --  *      !docker0  fd00:dead:beef:c0::/80  ::/0                
    0     0 MASQUERADE  0    --  *      !br-mailcow  fd4d:6169:6c63:6f77::/64  ::/0                

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  docker0 *       ::/0                 ::/0                
    0     0 RETURN     0    --  br-mailcow *       ::/0                 ::/0                
    0     0 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:80 to:[fd4d:6169:6c63:6f77::6]:80
    0     0 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:443 to:[fd4d:6169:6c63:6f77::6]:443
    0     0 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:993 to:[fd4d:6169:6c63:6f77::9]:993
    0     0 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::9]:4190
    0     0 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:25 to:[fd4d:6169:6c63:6f77::d]:25
    0     0 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:465 to:[fd4d:6169:6c63:6f77::d]:465
    0     0 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::d]:587

DNS check:

-
@jr3001 jr3001 added the bug label May 6, 2025
@jr3001 jr3001 changed the title Identity Provider (LDAP): Wrong auth via App-PW is forwarded to LDAP even when only App-PWs are allowed Identity Provider (LDAP): Wrong auth via App-PW is forwarded to LDAP even if only App-PWs are allowed May 6, 2025
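The decision the report asks for, shown as an added model that is not mailcow's own code: the login path checks the mailbox's app passwords first, then the "Allowed protocols for direct user access" list, and only contacts the identity provider when the requested protocol is actually enabled for direct access. The `Mailbox`, `FakeLdap`, `authenticate_buggy`, `authenticate_fixed` and `simulate` names, the per-app-password protocol scoping, the lockout threshold of 3 and all credentials are constructed for the example; the SHA-256 app-password hash is a stand-in for a proper slow hash.

```python
"""Model of the login decision for an externally authenticated mailbox.

Constructed example (not mailcow code). It reproduces the report's scenario:
an LDAP mailbox with no protocols enabled for direct access, one app password,
and a client retrying a wrong password several times. The buggy variant
forwards every non-app-password attempt to the directory and trips its
lockout; the fixed variant fails locally and never contacts LDAP.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def _hash_pw(pw: str) -> str:
    # Demo only: a real password store would use bcrypt/argon2, not plain SHA-256.
    return hashlib.sha256(pw.encode()).hexdigest()


@dataclass
class Mailbox:
    address: str
    authsource: str                                      # "mailcow" or "ldap"
    direct_protocols: set = field(default_factory=set)   # protocols allowed for direct access
    app_passwords: list = field(default_factory=list)    # [(pw_hash, allowed_protocols), ...]


class FakeLdap:
    """Stand-in directory: counts bind attempts and locks the account after too many failures."""

    def __init__(self, password: str, lockout_after: int = 3):
        self._password = password
        self.lockout_after = lockout_after
        self.bind_attempts = 0
        self.failed = 0
        self.locked = False

    def bind(self, address: str, password: str) -> bool:
        self.bind_attempts += 1
        if self.locked:
            return False
        if hmac.compare_digest(password, self._password):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= self.lockout_after:
            self.locked = True
        return False


def _app_password_ok(mbox: Mailbox, password: str, protocol: str) -> bool:
    """True if the password matches an app password that is scoped to this protocol."""
    h = _hash_pw(password)
    return any(hmac.compare_digest(h, stored) and protocol in allowed
               for stored, allowed in mbox.app_passwords)


def authenticate_buggy(mbox: Mailbox, password: str, protocol: str, ldap: FakeLdap) -> bool:
    """Behaviour described in the issue: any non-app-password login for an LDAP
    mailbox is forwarded to the directory, regardless of the direct-access setting."""
    if _app_password_ok(mbox, password, protocol):
        return True
    if mbox.authsource == "ldap":
        return ldap.bind(mbox.address, password)
    return False


def authenticate_fixed(mbox: Mailbox, password: str, protocol: str, ldap: FakeLdap) -> bool:
    """Check the direct-access allow-list before contacting the identity provider."""
    if _app_password_ok(mbox, password, protocol):
        return True
    if protocol not in mbox.direct_protocols:
        # Direct access is not enabled for this protocol, so only app passwords
        # may log in: a mismatch is a local failure and never reaches LDAP.
        return False
    if mbox.authsource == "ldap":
        return ldap.bind(mbox.address, password)
    return False


def simulate(authenticate, attempts: int = 4) -> dict:
    """Run the report's scenario against one of the two decision functions."""
    mbox = Mailbox("user@example.test", "ldap",
                   direct_protocols=set(),
                   app_passwords=[(_hash_pw("app-pw-constructed"), {"imap", "smtp"})])
    ldap = FakeLdap("directory-pw-constructed", lockout_after=3)
    # A client (like the Thunderbird retries in the report) sending a wrong password repeatedly.
    results = [authenticate(mbox, "wrong-password", "imap", ldap) for _ in range(attempts)]
    app_ok = authenticate(mbox, "app-pw-constructed", "imap", ldap)
    return {"logins": results, "app_password_login": app_ok,
            "ldap_binds": ldap.bind_attempts, "ldap_locked": ldap.locked}


if __name__ == "__main__":
    print("buggy:", simulate(authenticate_buggy))
    print("fixed:", simulate(authenticate_fixed))
```

With the buggy ordering, four wrong attempts produce four LDAP binds and a locked directory account; with the allow-list checked first, the same attempts produce zero binds, the app password still logs in, and the directory's lockout counter is never touched by a misconfigured mail client.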