Your message dated Mon, 22 Sep 2025 18:04:57 +0000
with message-id <[email protected]>
and subject line Bug#1115474: fixed in dovecot 1:2.4.1+dfsg1-7
has caused the Debian Bug report #1115474,
regarding auth_cache_size=10M allows auth bypass?
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1115474: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115474
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dovecot-core
Version: 1:2.4.1+dfsg1-6
Severity: important
While porting a dovecot 2.3 config to 2.4,
I noticed that if I logged in as two different users,
both got the mailbox of the first user to log in.
This problem does not occur with
"doveadm exec imap -u alice" and
"doveadm exec imap -u bob".
Attached are transcripts demonstrating the problem.
This is a sufficient /etc/dovecot/dovecot.conf to trigger the problem:
dovecot_config_version = 2.4.1
dovecot_storage_version = 2.4.1
passdb pam {
}
userdb passwd {
}
auth_cache_size = 10M
I mentioned this issue informally to upstream in IRC.
I am creating this ticket so there's a formal record as well.
(Otherwise, I will definitely forget about it.)
I think but am not 100% sure that:

  * upstream dovecot 2.4.1 defaults DO NOT TRIGGER this problem
  * Debian dovecot 2.4.1 defaults DO NOT TRIGGER this problem
  * if site-local config has triggered this problem,
    this should fix the immediate problem:
      1. comment out all auth_cache_* settings
      2. restart dovecot
  * Debian 12 / dovecot-core=1:2.3.19.1+dfsg1-2.1+deb12u1 DOES NOT TRIGGER this
    problem (even if auth_cache_* is enabled there).
See also:
https://doc.dovecot.org/2.3/configuration_manual/performance_tuning/
https://doc.dovecot.org/2.3/configuration_manual/authentication/caching/
https://doc.dovecot.org/2.4.1/core/config/auth/caching.html
# getent passwd alice bob clara
alice:x:1004:1004:Alice Smith:/home/alice:/bin/bash
bob:x:1005:1005:Bob Smith:/home/bob:/bin/bash
# doveconf -n
# 2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf
# Pigeonhole version 2.4.1-4 (0a86619f)
# OS: Linux 6.12.43+deb13-cloud-amd64 x86_64 Debian 13.1
# Hostname: spicy
dovecot_config_version = 2.4.1
dovecot_storage_version = 2.4.1
passdb pam {
}
userdb passwd {
}
# systemctl restart dovecot
# doveadm auth lookup alice bob clara
Error: cmd auth lookup: passdb lookup failed for alice: Configured passdbs
don't support credentials lookups
Error: cmd auth lookup: passdb lookup failed for bob: Configured passdbs don't
support credentials lookups
Error: cmd auth lookup: passdb lookup failed for clara: Configured passdbs
don't support credentials lookups
# doveadm auth login alice REDACTED
passdb: alice auth succeeded
extra fields:
user=alice
userdb user: alice
userdb extra fields:
system_groups_user=alice
uid=1004
home=/home/alice
gid=1004
auth_mech=PLAIN
# doveadm auth login bob REDACTED
passdb: bob auth succeeded
extra fields:
user=bob
userdb user: bob
userdb extra fields:
system_groups_user=bob
uid=1005
home=/home/bob
gid=1005
auth_mech=PLAIN
# doveadm auth login clara REDACTED
passdb: clara auth failed
extra fields:
user=clara
# doveadm auth lookup alice bob clara
Error: cmd auth lookup: passdb lookup failed for alice: Configured passdbs
don't support credentials lookups
Error: cmd auth lookup: passdb lookup failed for bob: Configured passdbs don't
support credentials lookups
Error: cmd auth lookup: passdb lookup failed for clara: Configured passdbs
don't support credentials lookups
#
# getent passwd alice bob clara
alice:x:1004:1004:Alice Smith:/home/alice:/bin/bash
bob:x:1005:1005:Bob Smith:/home/bob:/bin/bash
# doveconf -n
# 2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf
# Pigeonhole version 2.4.1-4 (0a86619f)
# OS: Linux 6.12.43+deb13-cloud-amd64 x86_64 Debian 13.1
# Hostname: spicy
dovecot_config_version = 2.4.1
auth_cache_size = 10M
dovecot_storage_version = 2.4.1
passdb pam {
}
userdb passwd {
}
# systemctl restart dovecot
# doveadm auth lookup alice bob clara
Error: cmd auth lookup: passdb lookup failed for alice: Configured passdbs
don't support credentials lookups
Error: cmd auth lookup: passdb lookup failed for bob: Configured passdbs don't
support credentials lookups
Error: cmd auth lookup: passdb lookup failed for clara: Configured passdbs
don't support credentials lookups
# doveadm auth login alice REDACTED
passdb: alice auth succeeded
extra fields:
user=alice
userdb user: alice
userdb extra fields:
system_groups_user=alice
uid=1004
home=/home/alice
gid=1004
auth_mech=PLAIN
# doveadm auth login bob REDACTED
passdb: bob auth succeeded
extra fields:
user=alice
original_user=bob
userdb user: alice
userdb extra fields:
system_groups_user=alice
uid=1004
home=/home/alice
gid=1004
auth_mech=PLAIN
auth_user=bob
# doveadm auth login clara REDACTED
passdb: clara auth succeeded
extra fields:
user=alice
original_user=clara
userdb user: alice
userdb extra fields:
system_groups_user=alice
uid=1004
home=/home/alice
gid=1004
auth_mech=PLAIN
auth_user=clara
# doveadm auth lookup alice bob clara
passdb: alice
user : alice
passdb: bob
user : alice
passdb: clara
user : alice
#
# getent passwd alice bob clara
alice:x:1004:1004:Alice Smith:/home/alice:/bin/bash
bob:x:1005:1005:Bob Smith:/home/bob:/bin/bash
# doveconf -n
# 2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf
# Pigeonhole version 2.4.1-4 (0a86619f)
# OS: Linux 6.12.43+deb13-cloud-amd64 x86_64 Debian 13.1
# Hostname: spicy
dovecot_config_version = 2.4.1
auth_cache_size = 10M
dovecot_storage_version = 2.4.1
passdb pam {
fields {
some_arbitrary_key_name:default = %{user}
}
}
userdb passwd {
fields {
some_other_arbitrary_key_name:default = %{user}
}
}
# systemctl restart dovecot
# doveadm auth lookup alice bob clara
Error: cmd auth lookup: passdb lookup failed for alice: Configured passdbs
don't support credentials lookups
Error: cmd auth lookup: passdb lookup failed for bob: Configured passdbs don't
support credentials lookups
Error: cmd auth lookup: passdb lookup failed for clara: Configured passdbs
don't support credentials lookups
# doveadm auth login alice REDACTED
passdb: alice auth succeeded
extra fields:
user=alice
some_arbitrary_key_name=alice
userdb user: alice
userdb extra fields:
system_groups_user=alice
uid=1004
home=/home/alice
gid=1004
some_other_arbitrary_key_name=alice
auth_mech=PLAIN
# doveadm auth login bob REDACTED
passdb: bob auth succeeded
extra fields:
user=bob
some_arbitrary_key_name=bob
userdb user: alice
userdb extra fields:
system_groups_user=alice
uid=1004
home=/home/alice
gid=1004
some_other_arbitrary_key_name=alice
auth_mech=PLAIN
auth_user=bob
# doveadm auth login clara REDACTED
passdb: clara auth failed
extra fields:
user=clara
# doveadm auth lookup alice bob clara
passdb: alice
user : alice
some_arbitrary_key_name: alice
passdb: bob
user : bob
some_arbitrary_key_name: bob
Error: cmd auth lookup: passdb lookup failed for clara: Configured passdbs
don't support credentials lookups
#
--- End Message ---
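In the transcripts above the symptom is a mismatch between the account named on the `doveadm auth login` command line and the `user=` / `userdb user:` values returned. The following Python check is an added example, not part of the original report or of Dovecot: it parses such a transcript and flags every successful login that resolved to a different account, plus any canary account that should not authenticate at all. The names `parse_logins`, `find_identity_mismatches` and `must_fail` are hypothetical, and the sample input is constructed from the page's output.

```python
import re

# Constructed sample, shortened from the report's second transcript
# (auth_cache_size = 10M); getent on that host lists no clara account.
SAMPLE = """\
# doveadm auth login bob REDACTED
passdb: bob auth succeeded
user=alice
original_user=bob
userdb user: alice
# doveadm auth login clara REDACTED
passdb: clara auth succeeded
user=alice
userdb user: alice
"""

LINE = re.compile(r"^(?:# doveadm auth login (?P<cmd>\S+)"
                  r"|passdb: \S+ auth (?P<result>succeeded|failed)"
                  r"|userdb user: (?P<userdb>\S+)"
                  r"|user=(?P<passdb>\S+))")


def parse_logins(text):
    """Return one record per 'doveadm auth login' command in a transcript."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m["cmd"]:
            records.append({"requested": m["cmd"], "ok": False})
        elif m and records and m["result"]:
            records[-1]["ok"] = m["result"] == "succeeded"
        elif m and records:  # passdb 'user=' field or 'userdb user:' line
            key = "userdb" if m["userdb"] else "passdb"
            records[-1].setdefault(key, m[key])
    return records


def find_identity_mismatches(text, must_fail=()):
    """Flag logins resolved to another account, and canaries that succeed."""
    findings = []
    for r in parse_logins(text):
        want = r["requested"]
        if not r["ok"]:
            continue
        findings += [(want, src, r[src]) for src in ("passdb", "userdb")
                     if r.get(src, want) != want]
        if want in must_fail:
            findings.append((want, "canary", "auth succeeded"))
    return findings
```

Run against a saved transcript after any change to auth_cache_* settings, an empty result means every successful login came back as the account that was requested.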
--- Begin Message ---
Source: dovecot
Source-Version: 1:2.4.1+dfsg1-7
Done: Noah Meyerhans <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Noah Meyerhans <[email protected]> (supplier of updated dovecot package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 22 Sep 2025 12:53:14 -0400
Source: dovecot
Architecture: source
Version: 1:2.4.1+dfsg1-7
Distribution: unstable
Urgency: medium
Maintainer: Dovecot Maintainers <[email protected]>
Changed-By: Noah Meyerhans <[email protected]>
Closes: 1111469 1112667 1115474
Changes:
 dovecot (1:2.4.1+dfsg1-7) unstable; urgency=medium
 .
   * [ebfdfa6] [PATCH] auth: Use AUTH_CACHE_KEY_USER instead of
     per-database constants (Closes: #1115474)
   * [4a9e872] Clean up a few typos in default/example config (Closes: #1112667)
   * [db01b1f] Ensure default lmtpd auth_username_format matches the global
     value (Closes: #1111469)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---