Your message dated Mon, 13 Oct 2025 18:17:43 +0000
with message-id <[email protected]>
and subject line Bug#1115964: fixed in dovecot 1:2.4.1+dfsg1-6+deb13u1
has caused the Debian Bug report #1115964,
regarding auth_cache_size=10M allows auth bypass?
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1115964: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115964
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dovecot-core
Version: 1:2.4.1+dfsg1-6
Severity: important
While porting a dovecot 2.3 config to 2.4,
I noticed that if I logged in as two different users,
both got the mailbox of the first user to log in.

This problem does not occur with
"doveadm exec imap -u alice" and
"doveadm exec imap -u bob".

Attached are transcripts demonstrating the problem.

This is a sufficient /etc/dovecot/dovecot.conf to trigger the problem:

    dovecot_config_version = 2.4.1
    dovecot_storage_version = 2.4.1
    passdb pam {
    }
    userdb passwd {
    }
    auth_cache_size = 10M

I mentioned this issue informally to upstream in IRC.
I am creating this ticket so there's a formal record as well.
(Otherwise, I will definitely forget about it.)

I think but am not 100% sure that:

  * upstream dovecot 2.4.1 defaults DO NOT TRIGGER this problem
  * debian dovecot 2.4.1 defaults DO NOT TRIGGER this problem
  * if site-local config has triggered this problem,
    this should fix the immediate problem:
      1. comment out all auth_cache_* settings
      2. restart dovecot
  * Debian 12 / dovecot-core=1:2.3.19.1+dfsg1-2.1+deb12u1 DOES NOT TRIGGER
    this problem (even if auth_cache_* is enabled there).

See also:

    https://doc.dovecot.org/2.3/configuration_manual/performance_tuning/
    https://doc.dovecot.org/2.3/configuration_manual/authentication/caching/
    https://doc.dovecot.org/2.4.1/core/config/auth/caching.html

# getent passwd alice bob clara
alice:x:1004:1004:Alice Smith:/home/alice:/bin/bash
bob:x:1005:1005:Bob Smith:/home/bob:/bin/bash
# doveconf -n
# 2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf
# Pigeonhole version 2.4.1-4 (0a86619f)
# OS: Linux 6.12.43+deb13-cloud-amd64 x86_64 Debian 13.1
# Hostname: spicy
dovecot_config_version = 2.4.1
dovecot_storage_version = 2.4.1
passdb pam {
}
userdb passwd {
}
# systemctl restart dovecot
# doveadm auth lookup alice bob clara
Error: cmd auth lookup: passdb lookup failed for alice: Configured passdbs
don't support credentials lookups
Error: cmd auth lookup: passdb lookup failed for bob: Configured passdbs don't
support credentials lookups
Error: cmd auth lookup: passdb lookup failed for clara: Configured passdbs
don't support credentials lookups
# doveadm auth login alice REDACTED
passdb: alice auth succeeded
extra fields:
user=alice
userdb user: alice
userdb extra fields:
system_groups_user=alice
uid=1004
home=/home/alice
gid=1004
auth_mech=PLAIN
# doveadm auth login bob REDACTED
passdb: bob auth succeeded
extra fields:
user=bob
userdb user: bob
userdb extra fields:
system_groups_user=bob
uid=1005
home=/home/bob
gid=1005
auth_mech=PLAIN
# doveadm auth login clara REDACTED
passdb: clara auth failed
extra fields:
user=clara
# doveadm auth lookup alice bob clara
Error: cmd auth lookup: passdb lookup failed for alice: Configured passdbs
don't support credentials lookups
Error: cmd auth lookup: passdb lookup failed for bob: Configured passdbs don't
support credentials lookups
Error: cmd auth lookup: passdb lookup failed for clara: Configured passdbs
don't support credentials lookups
#
# getent passwd alice bob clara
alice:x:1004:1004:Alice Smith:/home/alice:/bin/bash
bob:x:1005:1005:Bob Smith:/home/bob:/bin/bash
# doveconf -n
# 2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf
# Pigeonhole version 2.4.1-4 (0a86619f)
# OS: Linux 6.12.43+deb13-cloud-amd64 x86_64 Debian 13.1
# Hostname: spicy
dovecot_config_version = 2.4.1
auth_cache_size = 10M
dovecot_storage_version = 2.4.1
passdb pam {
}
userdb passwd {
}
# systemctl restart dovecot
# doveadm auth lookup alice bob clara
Error: cmd auth lookup: passdb lookup failed for alice: Configured passdbs
don't support credentials lookups
Error: cmd auth lookup: passdb lookup failed for bob: Configured passdbs don't
support credentials lookups
Error: cmd auth lookup: passdb lookup failed for clara: Configured passdbs
don't support credentials lookups
# doveadm auth login alice REDACTED
passdb: alice auth succeeded
extra fields:
user=alice
userdb user: alice
userdb extra fields:
system_groups_user=alice
uid=1004
home=/home/alice
gid=1004
auth_mech=PLAIN
# doveadm auth login bob REDACTED
passdb: bob auth succeeded
extra fields:
user=alice
original_user=bob
userdb user: alice
userdb extra fields:
system_groups_user=alice
uid=1004
home=/home/alice
gid=1004
auth_mech=PLAIN
auth_user=bob
# doveadm auth login clara REDACTED
passdb: clara auth succeeded
extra fields:
user=alice
original_user=clara
userdb user: alice
userdb extra fields:
system_groups_user=alice
uid=1004
home=/home/alice
gid=1004
auth_mech=PLAIN
auth_user=clara
# doveadm auth lookup alice bob clara
passdb: alice
user : alice
passdb: bob
user : alice
passdb: clara
user : alice
#
# getent passwd alice bob clara
alice:x:1004:1004:Alice Smith:/home/alice:/bin/bash
bob:x:1005:1005:Bob Smith:/home/bob:/bin/bash
# doveconf -n
# 2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf
# Pigeonhole version 2.4.1-4 (0a86619f)
# OS: Linux 6.12.43+deb13-cloud-amd64 x86_64 Debian 13.1
# Hostname: spicy
dovecot_config_version = 2.4.1
auth_cache_size = 10M
dovecot_storage_version = 2.4.1
passdb pam {
  fields {
    some_arbitrary_key_name:default = %{user}
  }
}
userdb passwd {
  fields {
    some_other_arbitrary_key_name:default = %{user}
  }
}
# systemctl restart dovecot
# doveadm auth lookup alice bob clara
Error: cmd auth lookup: passdb lookup failed for alice: Configured passdbs
don't support credentials lookups
Error: cmd auth lookup: passdb lookup failed for bob: Configured passdbs don't
support credentials lookups
Error: cmd auth lookup: passdb lookup failed for clara: Configured passdbs
don't support credentials lookups
# doveadm auth login alice REDACTED
passdb: alice auth succeeded
extra fields:
user=alice
some_arbitrary_key_name=alice
userdb user: alice
userdb extra fields:
system_groups_user=alice
uid=1004
home=/home/alice
gid=1004
some_other_arbitrary_key_name=alice
auth_mech=PLAIN
# doveadm auth login bob REDACTED
passdb: bob auth succeeded
extra fields:
user=bob
some_arbitrary_key_name=bob
userdb user: alice
userdb extra fields:
system_groups_user=alice
uid=1004
home=/home/alice
gid=1004
some_other_arbitrary_key_name=alice
auth_mech=PLAIN
auth_user=bob
# doveadm auth login clara REDACTED
passdb: clara auth failed
extra fields:
user=clara
# doveadm auth lookup alice bob clara
passdb: alice
user : alice
some_arbitrary_key_name: alice
passdb: bob
user : bob
some_arbitrary_key_name: bob
Error: cmd auth lookup: passdb lookup failed for clara: Configured passdbs
don't support credentials lookups
#
--- End Message ---
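
A check built from the transcripts in the report above, added here as an example and not part of the report or of dovecot: it reads `doveadm auth login` output and reports every login where the passdb `user=` field or the `userdb user:` line names a different account than the one requested. The function names and the sample transcript are constructed for illustration (modelled on the report's output), and the parser assumes the `# doveadm auth login <user> ...` prompt lines are kept in the capture.

```shell
#!/bin/sh
# Added example (not from the report): flag `doveadm auth login` results where
# the account dovecot resolved differs from the account that was requested.

# Reads a transcript on stdin; prints "requested -> resolved (field)" per mismatch.
check_auth_transcript() {
    awk '
        { sub(/^[ \t]+/, "") }                        # real output indents the fields
        /^# doveadm auth login / { req = $5; section = ""; next }
        /^#/                     { req = ""; next }   # any other prompt line
        req == ""                { next }
        /^passdb: .* auth failed/ { req = ""; next }  # no identity was granted
        /^extra fields:/         { section = "passdb"; next }
        /^userdb extra fields:/  { section = "userdb"; next }
        section == "passdb" && /^user=/ {
            got = substr($0, 6)
            if (got != req) print req " -> " got " (passdb user)"
            next
        }
        /^userdb user: / {
            if ($3 != req) print req " -> " $3 " (userdb user)"
        }
    '
}

# Constructed sample, abridged and modelled on the transcripts in the report.
sample_transcript() {
    cat <<'EOF'
# doveadm auth login alice REDACTED
passdb: alice auth succeeded
extra fields:
  user=alice
userdb user: alice
# doveadm auth login bob REDACTED
passdb: bob auth succeeded
extra fields:
  user=alice
  original_user=bob
userdb user: alice
userdb extra fields:
  uid=1004
  auth_user=bob
# doveadm auth login clara REDACTED
passdb: clara auth failed
extra fields:
  user=clara
EOF
}

sample_transcript | check_auth_transcript
```

A passdb that intentionally rewrites the username will also be reported, so review each hit against the configuration.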
--- Begin Message ---
Source: dovecot
Source-Version: 1:2.4.1+dfsg1-6+deb13u1
Done: Noah Meyerhans <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Noah Meyerhans <[email protected]> (supplier of updated dovecot package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 24 Sep 2025 09:14:50 -0400
Source: dovecot
Architecture: source
Version: 1:2.4.1+dfsg1-6+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Dovecot Maintainers <[email protected]>
Changed-By: Noah Meyerhans <[email protected]>
Closes: 1115964
Changes:
dovecot (1:2.4.1+dfsg1-6+deb13u1) trixie-security; urgency=high
.
* Import upstream fix for an issue with authentication cache management that
could result in users being logged in as the wrong user in certain
configurations. (Closes: #1115964)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---