1

Topic: Roundcube Webmail - Encryption function missing

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.4.2
- Deployed with iRedMail Easy or the downloadable installer? downloadable
- Linux/BSD distribution name and version: Debian 11
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I installed a new, clean iRedMail-1.4.2 on a freshly installed Debian 11.
After creating the first user, and after the user logged in via Roundcube webmail, the user tried to change the password, after which the following error occurred: "Could not save new password. Encryption function missing."

On older versions of iRedMail the password change worked after a fresh installation.

Any idea?

Thanks in advance,


2

Re: Roundcube Webmail - Encryption function missing

We just finished the installation on Debian 10, all initially set up as on Debian 11; we tested the user password change and the password was changed successfully.

It is evident that the problem occurs due to the difference between the versions of the operating system (Debian 10, and Debian 11).

Do you have any idea?


Best regards,

3

Re: Roundcube Webmail - Encryption function missing

Any related logs (mostly PHP errors)? And any missing PHP module?

4

Re: Roundcube Webmail - Encryption function missing

There are no logs; we can't find any errors.
We compared the PHP modules on both machines (Debian 10 and Debian 11), and they are the same.

[PHP Modules]
calendar
Core
ctype
curl
date
dom
exif
FFI
fileinfo
filter
ftp
gd
gettext
hash
iconv
intl
json
libxml
mbstring
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
Phar
posix
readline
Reflection
session
shmop
SimpleXML
sockets
sodium
SPL
standard
sysvmsg
sysvsem
sysvshm
tokenizer
xml
xmlreader
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache

5 (edited by skipe88 2021-10-18 17:45:18)

Re: Roundcube Webmail - Encryption function missing

We added the following at the end of the file roundcube/config/config.inc.php:

###
// system error reporting, sum of: 1 = log; 4 = show
$config['debug_level'] = 4;

// Log SQL queries
$config['sql_debug'] = true;

// Log IMAP conversation
$config['imap_debug'] = true;

// Log LDAP conversation
$config['ldap_debug'] = true;

// Log SMTP conversation
$config['smtp_debug'] = true;
###

We simulated a password change and inside /var/log/mail.log we got only the following:

Oct 18 05:15:47 mxtest roundcube: <v593amnb> [1] SELECT `vars`, `ip`, `changed`, now() AS ts FROM `session` WHERE `sess_id` = 'v593amnbp9c24ei53rcnjf93qv';
Oct 18 05:15:47 mxtest roundcube: <v593amnb> [2] SELECT * FROM `users` WHERE `user_id` = '2';
Oct 18 05:15:47 mxtest roundcube: <v593amnb> [3] UPDATE `session` SET `changed` = now() WHERE `sess_id` = 'v593amnbp9c24ei53rcnjf93qv';



Note:
The password can be changed regularly through iRedAdmin interface.

6

Re: Roundcube Webmail - Encryption function missing

Does installing package "mcrypt" fix the issue?

7

Re: Roundcube Webmail - Encryption function missing

We installed the package "mcrypt" on another (production) server, but it didn't work. It was our first option in trying to solve this problem.

This forced us to set up two test servers (one on Debian 10 and the other on Debian 11) and to go through the same iRedMail installation process on both servers in order to solve this problem.


We solved the problem in another way.
Inside roundcubemail/plugins/password/config.inc.php we changed:

-----------------------------------------------------------------------------------------------------------------
/////$config['password_algorithm'] = 'clear';
$config['password_algorithm'] = 'ssha512';

/////$config['password_algorithm_prefix'] = '';
$config['password_algorithm_prefix'] = '{SSHA512}';

// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
//      %p is replaced with the plaintext new password
//      %P is replaced with the crypted/hashed new password
//         according to configured password_method
//      %o is replaced with the old (current) password
//      %O is replaced with the crypted/hashed old (current) password
//         according to configured password_method
//      %h is replaced with the imap host (from the session info)
//      %u is replaced with the username (from the session info)
//      %l is replaced with the local part of the username
//         (in case the username is an email address)
//      %d is replaced with the domain part of the username
//         (in case the username is an email address)
// Deprecated macros:
//      %c is replaced with the crypt version of the new password, MD5 if available
//         otherwise DES. More hash function can be enabled using the password_crypt_hash
//         configuration parameter.
//      %D is replaced with the dovecotpw-crypted version of the new password
//      %n is replaced with the hashed version of the new password
//      %q is replaced with the hashed password before the change
// Escaping of macros is handled by this module.
// Default: "SELECT update_passwd(%c, %u)"
/////$config['password_query'] = "UPDATE mailbox SET password=%D,passwordlastchange=NOW() WHERE username=%u";
$config['password_query'] = "UPDATE mailbox SET password=%P,passwordlastchange=NOW() WHERE username=%u";
-----------------------------------------------------------------------------------------------------------------

We have seen that there are differences between the versions of Dovecot:
2.3.4.1 (f79e8e7e4) - Debian 10
2.3.13 (89f716dc2) - Debian 11

We assume that this could be the source of this problem. (Maybe you should investigate this in more detail.)

8 (edited by creasit 2021-11-17 18:00:26)

Re: Roundcube Webmail - Encryption function missing

Hello,

I had the exact same problem after the Debian 10 to 11 upgrade. Your solution is OK for me too, thank you.

The initial setup was on Debian 9 with iRedMail 0.9.7, and through the upgrades we're up to date at 1.4.2, and Roundcube at 1.5.0, before the Debian upgrade.

Maybe something to add in the upgrade page here https://docs.iredmail.org/upgrade.debian.10-11.html

9

Re: Roundcube Webmail - Encryption function missing

Thank you very much, we had exactly the same problem; solved with your "patch".



10

Re: Roundcube Webmail - Encryption function missing

This should be fixed during the next Roundcube upgrade... the D macro is being replaced by P.

11

Re: Roundcube Webmail - Encryption function missing

The solution is: in plugin/password/config.inc.php, set "password_algorithm" to "dovecot", then replace "%D" by "%P".

12

Re: Roundcube Webmail - Encryption function missing

Hello, I made some tests and the problem is simple, but I don't know the solution. The problem is in this part of the code:

<?php
// Reduced test case: the dovecot driver's call to "doveadm pw", with fixed inputs.
$password  = 'ahoj';
$dovecotpw = '/usr/bin/doveadm pw';
$method    = 'SSHA512';

function dovecot_hash($dovecotpw, $method, $password)
{
    // pipe 0: stdin (password), pipe 1: stdout (hash), pipe 2: stderr
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $pipe = proc_open("$dovecotpw -s '$method'", $spec, $pipes);
    if (!is_resource($pipe)) {
        return false;
    }

    // doveadm pw prompts for the password twice (enter + verify)
    fwrite($pipes[0], $password . "\n", 1 + strlen($password));
    usleep(1000);
    fwrite($pipes[0], $password . "\n", 1 + strlen($password));

    $crypted = trim(stream_get_contents($pipes[1]), "\n");

    // Note: stderr ($pipes[2]) is opened but never read, so whatever doveadm
    // prints there is silently dropped; an empty $crypted is the only symptom.
    fclose($pipes[0]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($pipe);

    return $crypted;
}

print_r(dovecot_hash($dovecotpw, $method, $password));

When I run it as root, I get the correct result, but as an unprivileged user I get an empty result without any error or warning message: runuser -l www-data -c 'php ./pokus.php'

The same situation occurs on the web; PHP is provided over FPM, and if I try to debug the results, voilà: empty.

I hope that helps towards a solution.
D

13

Re: Roundcube Webmail - Encryption function missing

Why so complicated?


// escapeshellarg() passes the password as one quoted argument; escapeshellcmd() on the
// whole command string would still let spaces or quotes in the password alter the arguments.
$crypted = exec('/usr/bin/doveadm pw -s ssha512 -p ' . escapeshellarg($pass));

14

Re: Roundcube Webmail - Encryption function missing

Cthulhu wrote:

Why so complicated?


// escapeshellarg() passes the password as one quoted argument; escapeshellcmd() on the
// whole command string would still let spaces or quotes in the password alter the arguments.
$crypted = exec('/usr/bin/doveadm pw -s ssha512 -p ' . escapeshellarg($pass));

Hello, I agree; it was part of password.php in roundcubemail.

15

Re: Roundcube Webmail - Encryption function missing

ZhangHuangbin wrote:

The solution is: in plugin/password/config.inc.php, set "password_algorithm" to "dovecot", then replace "%D" by "%P".

Sorry, this solution is not working; it looks like the main problem is in the function proc_open, as I reported in this thread today.

16

Re: Roundcube Webmail - Encryption function missing

If this code snippet is not working:

give www-data access to execute /usr/bin/doveadm via visudo.

17 (edited by darius1706 2022-01-07 22:09:47)

Re: Roundcube Webmail - Encryption function missing

Cthulhu wrote:

If this code snippet is not working:

give www-data access to execute /usr/bin/doveadm via visudo.

I need sleep; why didn't I try this the first time: run doveadm from the command line as an unprivileged user. And here is the result.

doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 49: ssl_cert: Can't open file /etc/ssl/certs/iRedMail.crt: Permission denied

18

Re: Roundcube Webmail - Encryption function missing

I don't know why doveadm should even consider reading an SSL cert when only generating a password, but you can for sure get around it:

// as above, the password goes through escapeshellarg() as a single argument
$crypted = exec('sudo /usr/bin/doveadm pw -s ssha512 -p ' . escapeshellarg($pass));

Combined with giving www-data root privileges to run /usr/bin/doveadm, this should bypass the problems.

BUT: it opens many possibilities for exploitation; if you have web pages hosted that all run under www-data, you give all pages the possibility to run doveadm with root privileges!

For that reason, I don't run nginx; I run Apache with fcgid as a wrapper and give every hosted page its own user/group ID, where all PHP scripts are run under their own encapsulated environment.

For myself, I really don't like nginx and the FPM approach, but I also use a very hardened and heavily patched PHP environment to avoid privilege escalation possibilities and only grant special rights to each user for certain PHP functions that otherwise could result in many possible PHP-related security issues like basedir escaping or even privileged shell access via the web!

19 (edited by darius1706 2022-01-08 01:03:39)

Re: Roundcube Webmail - Encryption function missing


Thank you; on servers for companies or customers I have it set up in a similar way. But this is a small server for a few domains for me and my friends, so it's not critical for me and I don't want to spend much time on a solution by myself; I would rather have an official solution because of updates, e.g.
I can tell users to change their password over iRedAdmin and disable the password plugin in Roundcube, but it would be nice to repair it. This is a standard iRedMail installation on Debian 11; I hope it helps towards a solution.

20 (edited by darius1706 2022-01-08 01:37:01)

Re: Roundcube Webmail - Encryption function missing


I finally found the main problem: it's Let's Encrypt. iRedMail.crt is linked into the letsencrypt directory, which has mode 700. I am thinking about a cron script to copy the crt every day and set the correct rights on it.
Hmm, still not working, but no longer due to the crt rights. I am going to investigate.

21

Re: Roundcube Webmail - Encryption function missing

The problem is related to Dovecot: since it runs with user privileges (normally it runs as root, but in this case it gets called by PHP and thus runs as www-data), and the SSL certs are protected and not readable by www-data.

doveadm should not try to read those certs when only generating a password, so this problem is more related to Dovecot and/or Roundcube (which handles the call to doveadm).

There are several workarounds for sure; it just depends on how you want to handle it.

22

Re: Roundcube Webmail - Encryption function missing

Cthulhu wrote:

The problem is related to Dovecot: since it runs with user privileges (normally it runs as root, but in this case it gets called by PHP and thus runs as www-data), and the SSL certs are protected and not readable by www-data.

doveadm should not try to read those certs when only generating a password, so this problem is more related to Dovecot and/or Roundcube (which handles the call to doveadm).

There are several workarounds for sure; it just depends on how you want to handle it.

Yes, it's true. After solving the problem with the fullchain, there is a second problem with Dovecot's private key.

doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 50: ssl_key: Can't open file /etc/ssl/private/iRedMail.key: Permission denied

There is a problem with the key rights and with the rights of the private directory. But I am not so brave as to open this for all users.

I see two ways:
1. forget about Dovecot-generated passwords and generate passwords another way
2. disable changing passwords over Roundcube

Any other way is a security risk.

23

Re: Roundcube Webmail - Encryption function missing


Nooo, it's not possible for common users to log in to iRedAdmin!!!

24

Re: Roundcube Webmail - Encryption function missing

Hi All,

This still appears to be an issue; I've just done a fresh install on Debian 11 with MariaDB.

Created a bunch of users via an SQL script.

The first user logs in and gets this error when trying to change their password.

I've turned on debugging in the config, as per https://docs.iredmail.org/debug.roundcubemail.html, but it shows very little helpful info on why this is failing.

Could we have an iRedMail dev respond please?

Thank you for your help.

25 (edited by Cthulhu 2022-01-21 23:41:38)

Re: Roundcube Webmail - Encryption function missing

Then use your own hashing algorithm:

// 8-byte random salt (random_str() in the original snippet is not a PHP built-in; random_bytes() is)
$salt = random_bytes(8);
// raw (binary) SHA-512 over password || salt
$hashed_password = hash('sha512', $password . $salt, true);
// Dovecot's {SSHA512} layout: base64(digest || salt)
$password = '{SSHA512}' . base64_encode($hashed_password . $salt);

Does not rely on Dovecot at all and works the same.
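As an added example (not code from this thread, from Roundcube or from iRedMail), here is the {SSHA512} layout used by the snippet above and by the password_algorithm = 'ssha512' / {SSHA512} prefix settings in post 7, in Python, together with a verifier: it lets you confirm that a value written to mailbox.password is checked the same way Dovecot checks it, and it also accepts hashes produced by doveadm pw, whose salt is not 8 bytes, because the salt is simply everything after the 64-byte digest. The password 'ahoj' is the thread's own test value.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

PREFIX = "{SSHA512}"
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a Dovecot-style salted SHA-512 hash: {SSHA512}base64(sha512(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)  # same 8-byte salt length as the PHP snippet in the thread
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha512(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Split a stored value into (digest, salt); None if the prefix, base64 or length is wrong."""
    if not stored.startswith(PREFIX):
        return None
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= DIGEST_LEN:
        return None  # digest only, no salt: not a valid salted hash
    # The salt length is not fixed: everything after the 64-byte digest is salt
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha512_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the embedded salt and compare in constant time."""
    parsed = parse_ssha512(stored)
    if parsed is None:
        return False
    digest, salt = parsed
    expected = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # 'ahoj' is the constructed test password from the thread's PHP test script
    stored = ssha512_hash("ahoj")
    print(stored)                            # value suitable for mailbox.password
    print(ssha512_verify("ahoj", stored))    # True
    print(ssha512_verify("wrong", stored))   # False
```

The same stored value can be cross-checked on the mail server with `doveadm pw -t '<stored>' -p ahoj`, which reports whether the hash matches.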