Improve authentication failure detection with word boundaries in regex

Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>
Fix sync-jobs with legacy-encoded passwords by implementing UTF-8/Latin-1 retry logic
2026-03-20 13:35:57 +00:00 · 2025-12-15 08:16:49 +00:00 · 2025-12-15 08:15:52 +00:00 · 2025-12-15 08:11:12 +00:00
5 changed files with 58 additions and 49 deletions
--- a/data/Dockerfiles/dovecot/imapsync_runner.pl
+++ b/data/Dockerfiles/dovecot/imapsync_runner.pl
@@ -117,51 +117,77 @@ while ($row = $sth->fetchrow_arrayref()) {
  if ($enc1 eq "TLS") { $enc1 = "--tls1"; } elsif ($enc1 eq "SSL") { $enc1 = "--ssl1"; } else { undef $enc1; }

  my $template = $run_dir . '/imapsync.XXXXXXX';
-  my $passfile1 = File::Temp->new(TEMPLATE => $template);
  my $passfile2 = File::Temp->new(TEMPLATE => $template);
  
-  binmode( $passfile1, ":utf8" );
-  
-  print $passfile1 "$password1\n";
  print $passfile2 trim($master_pass) . "\n";

  my @custom_params_a = qqw($custom_params);
  my $custom_params_ref = \@custom_params_a;

-  my $generated_cmds = [ "/usr/local/bin/imapsync",
-  "--tmpdir", "/tmp",
-  "--nofoldersizes",
-  "--addheader",
-  ($timeout1 le "0" ? () : ('--timeout1', $timeout1)),
-  ($timeout2 le "0" ? () : ('--timeout2', $timeout2)),
-  ($exclude eq "" ? () : ("--exclude", $exclude)),
-  ($subfolder2 eq "" ? () : ('--subfolder2', $subfolder2)),
-  ($maxage eq "0" ? () : ('--maxage', $maxage)),
-  ($maxbytespersecond eq "0" ? () : ('--maxbytespersecond', $maxbytespersecond)),
-  ($delete2duplicates ne "1" ? () : ('--delete2duplicates')),
-  ($subscribeall  ne "1" ? () : ('--subscribeall')),
-  ($delete1 ne "1" ? () : ('--delete')),
-  ($delete2 ne "1" ? () : ('--delete2')),
-  ($automap ne "1" ? () : ('--automap')),
-  ($skipcrossduplicates ne "1" ? () : ('--skipcrossduplicates')),
-  (!defined($enc1) ? () : ($enc1)),
-  "--host1", $host1,
-  "--user1", $user1,
-  "--passfile1", $passfile1->filename,
-  "--port1", $port1,
-  "--host2", "localhost",
-  "--user2", $user2 . '*' . trim($master_user),
-  "--passfile2", $passfile2->filename,
-  ($dry eq "1" ? ('--dry') : ()),
-  '--no-modulesversion',
-  '--noreleasecheck'];
+  # Helper function to run imapsync with a specific encoding for password1
+  my $run_imapsync = sub {
+    my ($encoding) = @_;
+    
+    my $passfile1 = File::Temp->new(TEMPLATE => $template);
+    
+    if ($encoding eq 'utf8') {
+      binmode( $passfile1, ":utf8" );
+    } elsif ($encoding eq 'latin1') {
+      binmode( $passfile1, ":encoding(iso-8859-1)" );
+    }
+    
+    print $passfile1 "$password1\n";
+    $passfile1->flush();
+
+    my $generated_cmds = [ "/usr/local/bin/imapsync",
+    "--tmpdir", "/tmp",
+    "--nofoldersizes",
+    "--addheader",
+    ($timeout1 le "0" ? () : ('--timeout1', $timeout1)),
+    ($timeout2 le "0" ? () : ('--timeout2', $timeout2)),
+    ($exclude eq "" ? () : ("--exclude", $exclude)),
+    ($subfolder2 eq "" ? () : ('--subfolder2', $subfolder2)),
+    ($maxage eq "0" ? () : ('--maxage', $maxage)),
+    ($maxbytespersecond eq "0" ? () : ('--maxbytespersecond', $maxbytespersecond)),
+    ($delete2duplicates ne "1" ? () : ('--delete2duplicates')),
+    ($subscribeall  ne "1" ? () : ('--subscribeall')),
+    ($delete1 ne "1" ? () : ('--delete')),
+    ($delete2 ne "1" ? () : ('--delete2')),
+    ($automap ne "1" ? () : ('--automap')),
+    ($skipcrossduplicates ne "1" ? () : ('--skipcrossduplicates')),
+    (!defined($enc1) ? () : ($enc1)),
+    "--host1", $host1,
+    "--user1", $user1,
+    "--passfile1", $passfile1->filename,
+    "--port1", $port1,
+    "--host2", "localhost",
+    "--user2", $user2 . '*' . trim($master_user),
+    "--passfile2", $passfile2->filename,
+    ($dry eq "1" ? ('--dry') : ()),
+    '--no-modulesversion',
+    '--noreleasecheck'];
+
+    my $stdout;
+    run [@$generated_cmds, @$custom_params_ref], '&>', \$stdout;
+    
+    return $stdout;
+  };

  try {
    $is_running = $dbh->prepare("UPDATE imapsync SET is_running = 1, success = NULL, exit_status = NULL WHERE id = ?");
    $is_running->bind_param( 1, ${id} );
    $is_running->execute();

-    run [@$generated_cmds, @$custom_params_ref], '&>', \my $stdout;
+    # First attempt with UTF-8 encoding (default behavior)
+    my $stdout = $run_imapsync->('utf8');
+
+    # Check if authentication failed
+    my $auth_failed = ($stdout =~ /\b(LOGIN failed|authentication failed|AUTHENTICATIONFAILED)\b/i);
+    
+    # If authentication failed with UTF-8, retry with Latin-1 encoding for legacy passwords
+    if ($auth_failed) {
+      $stdout = $run_imapsync->('latin1');
+    }

    # check exit code and status
    ($exit_code, $exit_status) = ($stdout =~ m/Exiting\swith\sreturn\svalue\s(\d+)\s\(([^:)]+)/);
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -3397,8 +3397,6 @@ function set_user_loggedin_session($user) {
  session_regenerate_id(true);
  $_SESSION['mailcow_cc_username'] = $user;
  $_SESSION['mailcow_cc_role'] = 'user';
-  // Update User-Agent after session regeneration to prevent validation errors
-  $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
  $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
  $_SESSION['sogo-sso-user-allowed'][] = $user;
  $_SESSION['sogo-sso-pass'] = $sogo_sso_pass;
--- a/data/web/inc/sessions.inc.php
+++ b/data/web/inc/sessions.inc.php
@@ -43,9 +43,6 @@ if (!isset($_SESSION['SESS_REMOTE_UA'])) {
 if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > $SESSION_LIFETIME)) {
  session_unset();
  session_destroy();
-  session_start();
-  // After destroying session, we need to reset the User-Agent for the new session
-  $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 }
 $_SESSION['LAST_ACTIVITY'] = time();

@@ -137,12 +134,6 @@ function session_check() {
    return true;
  }
  if (!isset($_SESSION['SESS_REMOTE_UA']) || ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT'])) {
-    // In development mode, allow User-Agent changes (e.g., for responsive testing in dev tools)
-    // Validate UA is not empty and has reasonable length (most UAs are under 200 chars, 500 is safe upper limit)
-    if (isset($GLOBALS['DEV_MODE']) && $GLOBALS['DEV_MODE'] && !empty($_SERVER['HTTP_USER_AGENT']) && strlen($_SERVER['HTTP_USER_AGENT']) < 500) {
-      $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
-      return true;
-    }
    $_SESSION['return'][] = array(
      'type' => 'warning',
      'msg' => 'session_ua'
--- a/data/web/inc/triggers.admin.inc.php
+++ b/data/web/inc/triggers.admin.inc.php
@@ -50,8 +50,6 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
    session_regenerate_id(true);
 		$_SESSION['mailcow_cc_username'] = $login_user;
 		$_SESSION['mailcow_cc_role'] = "admin";
-		// Update User-Agent after session regeneration to prevent validation errors
-		$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 		header("Location: /admin/dashboard");
    die();
 	}
--- a/data/web/inc/triggers.domainadmin.inc.php
+++ b/data/web/inc/triggers.domainadmin.inc.php
@@ -7,8 +7,6 @@ if (!empty($_GET['sso_token'])) {
    session_regenerate_id(true);
    $_SESSION['mailcow_cc_username'] = $username;
    $_SESSION['mailcow_cc_role'] = 'domainadmin';
-    // Update User-Agent after session regeneration to prevent validation errors
-    $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
    header('Location: /domainadmin/mailbox');
  }
 }
@@ -63,8 +61,6 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
    session_regenerate_id(true);
 		$_SESSION['mailcow_cc_username'] = $login_user;
 		$_SESSION['mailcow_cc_role'] = "domainadmin";
-		// Update User-Agent after session regeneration to prevent validation errors
-		$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 		header("Location: /domainadmin/mailbox");
    die();
 	}
Author	SHA1	Message	Date
copilot-swe-agent[bot]	d5524689b4	Improve authentication failure detection with word boundaries in regex Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>	2025-12-15 08:16:49 +00:00
copilot-swe-agent[bot]	4e12ba99a0	Fix sync-jobs with legacy-encoded passwords by implementing UTF-8/Latin-1 retry logic Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>	2025-12-15 08:15:52 +00:00
copilot-swe-agent[bot]	9b1540697f	Initial plan	2025-12-15 08:11:12 +00:00