nextcloud / user_external

👥 External user authentication methods like IMAP, SMB and FTP
https://apps.nextcloud.com/apps/user_external

IMAP backend doesn't work with empty mailbox #154

Closed it-management closed 1 year ago

it-management commented 4 years ago

Steps to reproduce

  1. Configure IMAP backend
  2. Create new IMAP user
  3. Try to login to NC

Expected behaviour

Login to NC

Actual behaviour

"Wrong username or password" message is shown. But in IMAPS server log I can see a successful login! After sending at least one e-mail to the newly created mailbox, login works as expected. After deleting e-mail, user is unable to login again.

Affected Authentication backend

IMAP only

Server configuration

User External App version: 0.10.0

Operating system: CentOS7

Web server: Apache 2.4.6

Database: MariaDB 5.5

PHP version: PHP 7.3.9

Nextcloud version: 18.0.7

Updated from an older Nextcloud/ownCloud or fresh install: fresh

Where did you install Nextcloud from:

Signing status:

Signing status

```
No errors have been found.
```

List of activated apps:

App list

```
Enabled:
  - accessibility: 1.4.0
  - activity: 2.11.0
  - calendar: 2.0.3
  - cloud_federation_api: 1.1.0
  - comments: 1.8.0
  - contacts: 3.3.0
  - dav: 1.14.0
  - federatedfilesharing: 1.8.0
  - federation: 1.8.0
  - files: 1.13.1
  - files_pdfviewer: 1.7.0
  - files_rightclick: 0.15.2
  - files_sharing: 1.10.1
  - files_trashbin: 1.8.0
  - files_versions: 1.11.0
  - files_videoplayer: 1.7.0
  - firstrunwizard: 2.7.0
  - groupfolders: 6.0.6
  - logreader: 2.3.0
  - lookup_server_connector: 1.6.0
  - mail: 1.4.1
  - nextcloud_announcements: 1.7.0
  - notifications: 2.6.0
  - oauth2: 1.6.0
  - password_policy: 1.8.0
  - photos: 1.0.0
  - privacy: 1.2.0
  - provisioning_api: 1.8.0
  - recommendations: 0.6.0
  - serverinfo: 1.8.0
  - settings: 1.0.0
  - sharebymail: 1.8.0
  - support: 1.1.1
  - survey_client: 1.6.0
  - systemtags: 1.8.0
  - text: 2.0.0
  - theming: 1.9.0
  - twofactor_backupcodes: 1.7.0
  - twofactor_nextcloud_notification: 2.3.0
  - twofactor_totp: 4.1.3
  - updatenotification: 1.8.0
  - user_external: 0.10.0
  - viewer: 1.2.0
  - workflowengine: 2.0.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - user_ldap
```

Nextcloud configuration:

Config report

```
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nc.example.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "18.0.7.1",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "default_locale": "cs_CZ",
        "logfile": "\/mnt\/data\/nextcloud\/log\/nextcloud.log",
        "log_rotate_size": 0,
        "logtimezone": "Europe\/Prague",
        "skeletondirectory": "\/var\/www\/nextcloud.local\/skeleton",
        "apps_paths": [
            {
                "path": "\/var\/www\/nextcloud\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/nextcloud\/apps.local",
                "url": "\/apps.local",
                "writable": true
            }
        ],
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "tls",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": "0",
            "dbindex": "1",
            "password": "***REMOVED SENSITIVE VALUE***",
            "timeout": "1.5"
        },
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mysql.utf8mb4": true,
        "data-fingerprint": "e57489a8e8673388fc3d8b621ddeabfe",
        "theme": "",
        "loglevel": 2,
        "updater.release.channel": "stable",
        "user_backends": [
            {
                "class": "OC_User_IMAP",
                "arguments": [
                    "imap.example.com",
                    993,
                    "ssl",
                    "example.com",
                    true,
                    true
                ]
            }
        ]
    }
}
```

Logs

Web server error log

Web server error log

```
No errors in web server log
```

Nextcloud log (data/nextcloud.log)

Nextcloud log

```
{"reqId":"XyQeMuc7w8DuQ2wnmSdtKAAAAAo","level":3,"time":"2020-07-31T15:35:48+02:00","remoteAddr":"XXX.XXX.XXX.XXX","user":"--","app":"user_external","method":"POST","url":"/index.php/login","message":"ERROR: Could not connect to imap server via curl: ","userAgent":"Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36","version":"18.0.7.1"}
{"reqId":"XyQeMuc7w8DuQ2wnmSdtKAAAAAo","level":2,"time":"2020-07-31T15:35:48+02:00","remoteAddr":"XXX.XXX.XXX.XXX","user":"--","app":"no app in context","method":"POST","url":"/index.php/login","message":"Login failed: john.doe@example.com (Remote IP: XXX.XXX.XXX.XXX)","userAgent":"Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36","version":"18.0.7.1"}
```

IMAP server (Dovecot) log from the same time

Dovecot log

```
Jul 31 15:35:48 nc.example.com dovecot[281401]: imap-login: Login: user=, method=LOGIN, rip=::1, lip=::1, mpid=282462, TLS, session=
Jul 31 15:35:48 nc.example.com dovecot[281401]: imap(john.doe): Logged out in=46 out=831
```

Browser log

Browser log

```
No errors in browser log
```

violoncelloCH commented 4 years ago

Mmm, what status code does the IMAP server return in this case? Does a comparable curl request from the command line exit successfully (which exit code?)?

it-management commented 4 years ago

If I use curl from the command line, `curl -v 'imaps://user:password@imap.example.com/'`, I get this for an INBOX with no messages:

```
* About to connect() to imap.example.com port 993 (#0)
*   Trying XXX...
* Connected to imap.example.com (XXX) port 993 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*   subject: CN=mail.example.com
*   start date: Aug 12 01:00:00 2020 GMT
*   expire date: Nov 10 01:00:00 2020 GMT
*   common name: mail.example.com
*   issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
< * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
> B CAPABILITY
< * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN
< B OK Pre-login capabilities listed, post-login capabilities have more.
> C AUTHENTICATE LOGIN
< + XXX
> XXX
< + XXX
> XXX
< * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY SPECIAL-USE ACL RIGHTS=texk
< C OK Logged in
> D SELECT INBOX
< * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
< * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
< * 0 EXISTS
< * 0 RECENT
< * OK [UIDVALIDITY 1516291293] UIDs valid
< * OK [UIDNEXT 4] Predicted next UID
< * OK [HIGHESTMODSEQ 10] Highest
< D OK [READ-WRITE] Select completed (0.003 + 0.000 + 0.006 secs).
> A FETCH 1 BODY[TEXT]
< A BAD Error in IMAP command FETCH: Invalid messageset (0.001 + 0.000 secs).
* Connection #0 to host imap.example.com left intact
```

If there is at least one email:

```
* About to connect() to imap.example.com port 993 (#0)
*   Trying XXX...
* Connected to imap.example.com (XXX) port 993 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*   subject: CN=mail.example.com
*   start date: Aug 12 01:00:00 2020 GMT
*   expire date: Nov 10 01:00:00 2020 GMT
*   common name: mail.example.com
*   issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
< * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
> B CAPABILITY
< * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN
< B OK Pre-login capabilities listed, post-login capabilities have more.
> C AUTHENTICATE LOGIN
< + XXX
> XXX
< + XXX
> XXX
< * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY SPECIAL-USE ACL RIGHTS=texk
< C OK Logged in
> D SELECT INBOX
< * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
< * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
< * 1 EXISTS
< * 0 RECENT
< * OK [UIDVALIDITY 1516291293] UIDs valid
< * OK [UIDNEXT 4] Predicted next UID
< * OK [HIGHESTMODSEQ 9] Highest
< D OK [READ-WRITE] Select completed (0.001 + 0.000 + 0.002 secs).
> A FETCH 1 BODY[TEXT]
< * 1 FETCH (BODY[TEXT] {5}
* Found 5 bytes to download
aaa
* Filesize left: 0
* Connection #0 to host imap.example.com left intact
```

In both cases the return code is 0.
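
An added example (not part of the original report and not user_external code): a small Python parser for the tagged commands in the two `curl -v` traces above. It shows that the completion of `AUTHENTICATE` is the same in both traces and that only the later `FETCH` differs. The transcripts are reduced, constructed copies of the posted output, and `classify` is a hypothetical helper name.

```python
import re

# Constructed sample: the post-TLS part of the empty-INBOX trace above,
# reduced to the tagged commands, their completions and the EXISTS count.
EMPTY_INBOX = """\
> B CAPABILITY
< B OK Pre-login capabilities listed, post-login capabilities have more.
> C AUTHENTICATE LOGIN
< + XXX
> XXX
< + XXX
> XXX
< C OK Logged in
> D SELECT INBOX
< * 0 EXISTS
< D OK [READ-WRITE] Select completed (0.003 + 0.000 + 0.006 secs).
> A FETCH 1 BODY[TEXT]
< A BAD Error in IMAP command FETCH: Invalid messageset (0.001 + 0.000 secs).
"""

# Constructed sample: same session with one message, so FETCH returns data.
ONE_MESSAGE = (EMPTY_INBOX.replace("* 0 EXISTS", "* 1 EXISTS")
               .rsplit("< A BAD", 1)[0] + "< * 1 FETCH (BODY[TEXT] {5}\n")

CMD = re.compile(r"^> ([A-Za-z0-9]+) ([A-Z]+)")        # "> <tag> <VERB> ..."
DONE = re.compile(r"^< ([A-Za-z0-9]+) (OK|NO|BAD)\b")  # "< <tag> <status> ..."

def classify(transcript):
    """Return (authenticated, failed_after_auth) for a curl -v IMAP trace."""
    pending = {}            # tag -> verb still waiting for its completion
    authenticated = False
    failed = []
    for line in transcript.splitlines():
        m = CMD.match(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = DONE.match(line)
        if not m or m.group(1) not in pending:
            continue        # untagged data, "+" continuation or SASL payload
        verb, status = pending.pop(m.group(1)), m.group(2)
        if verb in ("AUTHENTICATE", "LOGIN"):
            authenticated = status == "OK"  # the only reply that decides login
        elif status != "OK":
            failed.append(verb)             # post-login error, not a bad password
    return authenticated, failed

if __name__ == "__main__":
    print("empty INBOX:", classify(EMPTY_INBOX))
    print("one message:", classify(ONE_MESSAGE))
```

Both traces authenticate; the empty mailbox only adds a failed `FETCH` after login, which is the point at which the two sessions diverge.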

violoncelloCH commented 3 years ago

Interesting. I could imagine this to be related to the parameter added in #147. Can you try if removing that line changes something?

violoncelloCH commented 3 years ago

@it-management could you check if #164 fixes this issue?

mtippmann commented 2 years ago

> @it-management could you check if #164 fixes this issue?

```
curl https://patch-diff.githubusercontent.com/raw/nextcloud/user_external/pull/164.patch | patch -p1
```

applies but the error is still there - tested with nc 21.0.4 and user_external 2.0.0