On Tue, Aug 3, 2010 at 10:31 AM, C. Bensend <benny@xxxxxxxxxxxxxxx> wrote: > > Hey folks, > > I am chasing a vicious problem that appeared when I upgraded my > OpenBSD mail server yesterday. I upgraded to the most recent CURRENT > snapshot of both the OS and packages. > > During this upgrade, PHP, dovecot, and Postfix all got updates. I > did *NOT* touch Squirrelmail, it remains 1.4.20. > > However, I now get seemingly random authentication failures, as > I leave my browser logged into Squirrelmail during the day. Several > times an hour, it will kick me to the username/password failure > page as the web site refreshes (or as I click on links). > > I've already spoken with the OpenBSD dovecot package maintainer, > he has not heard of similar issues, and he uses 1.2.13 heavily. I > also swung by the dovecot list, to be reminded of the auth_debug > and auth_verbose configuration options, which I have enabled. And > now I see the problem: > > Aug 3 12:15:23 fusion dovecot: auth(default): client in: AUTH 1 > PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 > lport=143 rport=10068 resp=<hidden> > Aug 3 12:15:23 fusion dovecot: auth(default): bsdauth(benny,127.0.0.1): > lookup > Aug 3 12:15:23 fusion dovecot: auth(default): bsdauth(benny,127.0.0.1): > password mismatch > Aug 3 12:15:24 fusion dovecot: auth(default): new auth connection: pid=9575 > Aug 3 12:15:25 fusion dovecot: auth(default): client out: FAIL 1 > user=benny > Aug 3 12:15:30 fusion dovecot: imap-login: Aborted login (auth failed, 1 > attempts): user=<benny>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, > secured The only time I've seen this is during login; the first login/auth works, but after being redirected to the webmail.php page, the password is blank and auth fails. That's usually a session or cookie problem, but if it's not happening during login, then both those mechanisms seem to be working. All I can guess is that the cookies are expiring well before they should. It might be instructive if you actually increase verbosity enough to see the password being sent. It could also help to match your HTTP logs to the failed requests in case there is anything interesting about those. > Note the "password mismatch" - that's interesting, as Squirrelmail > should be providing that and I haven't changed it. So, is there any > reason Squirrelmail would suddenly start *intermittently* providing > the wrong credentials to dovecot? Anything PHP-related? Sessions? If you can roll back those packages, I'd suggest doing so until it works again, then upgrading one at a time. > I don't use any sort of IMAP proxy, so there should be nothing between > Squirrelmail and dovecot getting in the way. > > Versions are as follows: > > Apache 1.3.29 (OpenBSD's modified version) > PHP 5.2.13 > dovecot 1.2.13 > > The system's php.ini was not changed during this upgrade, and this > configuration with slightly older software has been working > flawlessly for months. > > I would GREATLY appreciate any help! Please ask if there's further > information needed. -- Paul Lesniewski SquirrelMail Team Please support Open Source Software by donating to SquirrelMail! http://squirrelmail.org/donate_paul_lesniewski.php ------------------------------------------------------------------------------ The Palm PDK Hot Apps Program offers developers who use the Plug-In Development Kit to bring their C/C++ apps to Palm for a share of $1 Million in cash or HP Products. Visit us here for more details: http://p.sf.net/sfu/dev2dev-palm ----- squirrelmail-users mailing list Posting guidelines: http://squirrelmail.org/postingguidelines List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx List archives: http://news.gmane.org/gmane.mail.squirrelmail.user List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users