Author Topic: auth retries roundcube -> imap with wrong password  (Read 389 times)

Offline _Lars_

  • Newbie
  • *
  • Posts: 3
auth retries roundcube -> imap with wrong password
« on: August 23, 2020, 12:17:11 PM »
[debian "buster" // dovecot-core 2.3.4.1-5+deb10u3 // roundcube 1.4.8+dfsg.1-1~bpo10+1 from buster-backports]

Dovecot is set up to authenticate against the local Active Directory which is configured to lock an account after five authentication failures.

Issue:
When someone tries to log in to roundcube with a wrong password, roundcube doesn't come back for a while, and after that the AD account is locked.
So I sniffed the IMAP connection and after hitting "Login" and while the login screen says "loading" I see more than five IMAP login attempts:

Code:
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
A0001 AUTHENTICATE PLAIN ##########
A0001 NO [AUTHENTICATIONFAILED] Authentication failed.
[...]
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
A0006 AUTHENTICATE PLAIN ##########
A0006 NO [AUTHENTICATIONFAILED] Authentication failed.
[...]

Maybe it's me and the way I'm searching but I don't find anything related to this issue. Where can I adjust the authentication behaviour of roundcube, especially if a wrong password is typed in?

thanks
Lars
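
An added example, not part of the original post: a Python sketch that counts failed IMAP authentications in a capture shaped like the one above and compares the count with the five-failure AD lockout policy. The sample transcript is constructed, and the function names are hypothetical.

```python
import re

LOCKOUT_THRESHOLD = 5  # AD locks the account after five failures (from the post)

GREETING = re.compile(r"^\* OK\b")
COMMAND = re.compile(r"^(?P<tag>[A-Za-z0-9.]+) (?P<cmd>AUTHENTICATE|LOGIN)\b", re.I)
RESPONSE = re.compile(
    r"^(?P<tag>[A-Za-z0-9.]+) (?P<status>OK|NO|BAD)\b(?: \[(?P<code>[A-Z-]+)\])?", re.I)

# Constructed sample: six connections, each with one failed AUTHENTICATE PLAIN.
GREETING_LINE = ("* OK [CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=LOGIN] "
                 "Dovecot (Debian) ready.")
SAMPLE = "\n".join(
    f"{GREETING_LINE}\nA{n:04d} AUTHENTICATE PLAIN ##########\n"
    f"A{n:04d} NO [AUTHENTICATIONFAILED] Authentication failed.\n[...]"
    for n in range(1, 7))

def parse_auth_attempts(transcript):
    """Pair every AUTHENTICATE/LOGIN command with its tagged server response."""
    attempts, pending, conn = [], {}, 0
    for line in transcript.splitlines():
        line = line.strip()
        if GREETING.match(line):       # server greeting marks a new connection
            conn, pending = conn + 1, {}
            continue
        m = COMMAND.match(line)
        if m:
            entry = {"connection": conn, "tag": m["tag"],
                     "command": m["cmd"].upper(), "status": None, "code": None}
            pending[m["tag"]] = entry
            attempts.append(entry)
            continue
        m = RESPONSE.match(line)
        if m and m["tag"] in pending:  # tagged completion of an auth command
            entry = pending.pop(m["tag"])
            entry["status"], entry["code"] = m["status"].upper(), m["code"]
    return attempts

def lockout_risk(transcript, threshold=LOCKOUT_THRESHOLD):
    """Summarise the capture and say whether it reaches the lockout threshold."""
    attempts = parse_auth_attempts(transcript)
    failed = [a for a in attempts if a["status"] == "NO"]
    return {"attempts": len(attempts), "failed": len(failed),
            "connections": len({a["connection"] for a in attempts}),
            "locks_account": len(failed) >= threshold}

if __name__ == "__main__":
    print(lockout_risk(SAMPLE))
```
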

Offline alec

  • Hero Member
  • *****
  • Posts: 1,207
Re: auth retries roundcube -> imap with wrong password
« Reply #1 on: August 23, 2020, 12:32:29 PM »
This is not normal, do you have any plugins enabled?

Offline _Lars_

  • Newbie
  • *
  • Posts: 3
Re: auth retries roundcube -> imap with wrong password
« Reply #2 on: August 23, 2020, 03:54:29 PM »
At the moment there is only 'managesieve' active but this problem occurred before.

Offline JohnDoh

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2,487
Re: auth retries roundcube -> imap with wrong password
« Reply #3 on: August 23, 2020, 04:41:04 PM »
The retries are a Debian package specific issue. They include a bad patch. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960302.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more…

Offline _Lars_

  • Newbie
  • *
  • Posts: 3
Re: auth retries roundcube -> imap with wrong password
« Reply #4 on: August 24, 2020, 11:04:40 AM »
Thanks for pointing me in the right direction. The initial patch introduced in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947320 is indeed ugly.
I'm not sure why it is a good idea to hammer a badly responding IMAP server with more login attempts. >:(