
Adjust imap authenticate documentation #332

Merged

Conversation

ichdasich

This pull-request updates the default configuration file and the documentation to highlight that NGImap4AuthMechanism = "plain"; should be set to force AUTHENTICATE usage if users' passwords may contain UTF-8 characters like umlauts.

Otherwise, users may update their passwords via SOGo to ones containing a UTF-8 character, which then inadvertently breaks the mail view, as logging in via LOGIN is no longer possible. Logging into SOGo itself still works, but users are presented with a white page when trying to access the mail view.

Security Side Note: Depending on the setup it seems to be possible to lock up SOGo worker threads using this, ultimately leading to a DoS (as soon as all workers are busy for this user). Specifically, I just had one user on a small (20 worker threads) instance setting a password containing an umlaut. As the user tried to log in multiple times, ultimately all workers were busy with trying to authenticate to the IMAP server. I did not fully debug this, but there might also be some malicious potential in this for some malicious activity.
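To make the LOGIN versus AUTHENTICATE distinction concrete, here is an added example (not code from SOGo or from this pull request) that builds both command lines the way an IMAP client would. An RFC 3501 quoted string is limited to 7-bit characters, so a password with an umlaut cannot be placed in a quoted LOGIN argument, whereas AUTHENTICATE PLAIN (RFC 4616, initial response per RFC 4959) base64-encodes the UTF-8 credentials and always yields a pure-ASCII line. The block also includes a small check that reads the NGImap4AuthMechanism value out of a sogo.conf fragment. The config fragment, the credentials and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sogo.conf fragment (not the project's default file) carrying the
# setting this pull request documents.
SAMPLE_SOGO_CONF = """{
  SOGoIMAPServer = "imaps://127.0.0.1:993";
  NGImap4AuthMechanism = "plain";
}
"""

_AUTH_MECH_RE = re.compile(r'^\s*NGImap4AuthMechanism\s*=\s*"([^"]*)"\s*;', re.MULTILINE)


def imap_auth_mechanism(conf_text):
    """Return the NGImap4AuthMechanism value from a sogo.conf fragment, or None
    when the key is not set (the configuration this pull request warns about)."""
    match = _AUTH_MECH_RE.search(conf_text)
    return match.group(1) if match else None


def _quote(value):
    """Encode value as an RFC 3501 quoted string.  QUOTED-CHAR is built from
    CHAR = %x01-7F, so any non-ASCII character (an umlaut, for instance)
    cannot be represented in this form."""
    if not value.isascii():
        raise ValueError("non-ASCII character cannot be sent in an IMAP quoted string")
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF are not allowed in an IMAP quoted string")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def imap_login_line(tag, user, password):
    """Build the 'tag LOGIN user password' line (RFC 3501 section 6.2.3)
    using quoted-string arguments."""
    return f"{tag} LOGIN {_quote(user)} {_quote(password)}\r\n".encode("ascii")


def imap_authenticate_plain_line(tag, user, password, authzid=""):
    """Build 'tag AUTHENTICATE PLAIN <initial-response>'.  The SASL PLAIN
    message is authzid NUL authcid NUL passwd in UTF-8 (RFC 4616); after
    base64 encoding the wire line is ASCII whatever the password contains."""
    for field in (authzid, user, password):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a PLAIN credential field")
    message = f"{authzid}\0{user}\0{password}".encode("utf-8")
    response = base64.b64encode(message).decode("ascii")
    return f"{tag} AUTHENTICATE PLAIN {response}\r\n".encode("ascii")


def decode_plain_response(line):
    """Parse an AUTHENTICATE PLAIN line back into (authzid, user, password),
    i.e. what the IMAP server sees after base64 decoding."""
    _tag, _cmd, _mech, response = line.decode("ascii").rstrip("\r\n").split(" ", 3)
    authzid, user, password = base64.b64decode(response).decode("utf-8").split("\0")
    return authzid, user, password


def login_possible(user, password):
    """True if the credentials fit into a quoted-string LOGIN command."""
    try:
        imap_login_line("a1", user, password)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    user, password = "alice", "Pässwort"  # constructed credentials with an umlaut
    print("auth mechanism in sample config:", imap_auth_mechanism(SAMPLE_SOGO_CONF))
    print("LOGIN possible with this password:", login_possible(user, password))
    print("AUTHENTICATE line:", imap_authenticate_plain_line("a2", user, password))
```

Two caveats when applying this. PLAIN only hides the password behind base64, not encryption, so it belongs on a TLS-protected IMAP connection (imaps:// or STARTTLS). And RFC 3501 does allow 8-bit data in a literal, so whether LOGIN works with such a password depends on how a given client encodes its arguments; this pull request reports that SOGo's IMAP client cannot, which is why forcing AUTHENTICATE is the fix.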

@WoodySlum
Member

Hi @ichdasich thank you for your contribution.

Could you please amend your commit messages according to documentation https://github.com/Alinto/sogo/blob/master/.github/CONTRIBUTING.md ?

@ichdasich
Author

Thanks, will take a look. Sorry, this was created in the middle of the night after a rather painful debugging session, so I do not forget. ;-)

@WoodySlum
Member

No problem, thanks for your support!

Tobias Fiebig added 2 commits November 8, 2022 13:41
forcing `AUTHENTICATE` using Add NGImap4AuthMechanism = "plain"; is necessary
for setups where users have UTF-8 characters in their password
update documentation for NGImap4AuthMechanism to highlight that using
`AUTHENTICATE` is necessary to allow users to have UTF-8 characters in their
passwords, i.e., especially 'umlauts'.
@ichdasich ichdasich force-pushed the adjust_imap_authenticate_documentation branch from 6da2d18 to 14608b1 Compare November 8, 2022 12:46
@ichdasich
Author

Changed the messages, does this work?

@WoodySlum
Member

Nice! Thank you!

@WoodySlum WoodySlum merged commit 8bfc3e4 into Alinto:master Nov 8, 2022
@ichdasich ichdasich deleted the adjust_imap_authenticate_documentation branch November 8, 2022 19:20