API errors not propagated through webmail user interface

Open tempire opened this issue 3 years ago • 6 comments

When attempting to create an account from the default display page on port 3000, I get the following message:

image

The log output from the docker container displays only "info HTTP get" messages, and the network response reports a 200, and displays the same form. There are no discernable error messages reported within the docker logs reported from a non-detached docker-compose up.

The mongodb database reports no users created, and there is indication of what could be wrong.

I am using test1/test1 as the user and password. I've tried using the address as the user name as well as the username by itself.

Interestingly, I can create an API user, which I have done, but I still cannot log in via the webmail. It may not be within the scope of webmail, but I've included the mongodb user record that was created via the API that still does not work via webmail.

```
switched to db wildduck
> db.users.find().pretty()
{
	"_id" : ObjectId("618d9ec7ecd8a900095dcbd6"),
	"username" : "test1",
	"unameview" : "test1",
	"name" : null,
	"password" : "$pbkdf2-sha256$i=25000$Tfz47/BxMqCzmvvEzrMgeg$vIXebI41CYENgOiGA/m+DxyhG6NWLHbUul4NNKCm7bE",
	"enabled2fa" : [ ],
	"seed" : "",
	"pendingSeed" : "",
	"pendingSeedChanged" : false,
	"authVersion" : 1,
	"address" : "test1@deb8c8ef0b65",
	"language" : null,
	"storageUsed" : 0,
	"quota" : 0,
	"recipients" : 0,
	"forwards" : 0,
	"imapMaxUpload" : 0,
	"imapMaxDownload" : 0,
	"pop3MaxDownload" : 0,
	"pop3MaxMessages" : 0,
	"imapMaxConnections" : 0,
	"receivedMax" : 0,
	"targets" : [ ],
	"autoreply" : false,
	"uploadSentMessages" : false,
	"pubKey" : "",
	"encryptMessages" : false,
	"encryptForwarded" : false,
	"spamLevel" : 50,
	"retention" : 0,
	"disabledScopes" : [ ],
	"lastLogin" : {
		"time" : false,
		"authEvent" : false,
		"ip" : false
	},
	"metaData" : "",
	"activated" : true,
	"disabled" : false,
	"suspended" : false,
	"created" : ISODate("2021-11-11T22:52:55.177Z")
}
```

tempire, Nov 11 '21 23:11

Is deb8c8ef0b65 the actual domain you're trying to create addresses for?

louis-lau, Nov 11 '21 23:11

It was automatically assigned, as I did not specify an address in the api call. It's the hostname (docker container id) of the wildduck container.

I'm unconcerned as to the actual address at the moment, as I haven't tried to set this up publicly or send any mail to it until I can verify that I can create and manage users first.

tempire, Nov 11 '21 23:11

What I'm saying is that wildduck-webmail may be concerned with the actual address. I'm not entirely sure to be honest, but it might be worth checking.

louis-lau, Nov 11 '21 23:11

Indeed; I did try logging in as test1@deb8c8ef0b65, with no luck.

tempire, Nov 11 '21 23:11

Sorry I'm not explaining myself clearly haha. Maybe wildduck-webmail has some email address validation that's failing? I'd try it with an actual domain. Also note the domain needs to be in the config here: https://github.com/nodemailer/wildduck-webmail/blob/3371984a32a7942d7859c3fcde923cf62484e7fa/config/default.toml#L17

louis-lau, Nov 11 '21 23:11

Figured it out.

After setting the log level to debug in config/wildduck/default.toml

```
[log]
    level="debug"
```

The following message was reported

Invalid accessToken value

```
wildduck-server     | info Gelf {"short_message":"WILDDUCK HTTP [POST /authenticate] FAILED","_remote_ip":"192.168.96.8","_ip":"::ffff:192.168.96.1","_sess":"L8_l6zJamVLx2PtH6ZN1sbJwJiv30FPW","_http_route":"/authenticate","_http_method":"POST","_api_response":"fail","_error":"Invalid accessToken value","_code":"InvalidToken","_size":69,"_req_username":"test2","_req_password":"***","_req_scope":"master","_req_sess":"L8_l6zJamVLx2PtH6ZN1sbJwJiv30FPW","_req_appId":"https://domainname","_req_token":"true","_req_ip":"::ffff:192.168.96.1","facility":"wildduck","host":"a62a58b0927e","timestamp":1636673521.85,"_component":"wildduck"}
```

The default configuration of the webmail apparently requires no access token be set, which is one of the first things I did. That solved not being able to log in with an api created user.

With the debug log level enabled, the following error was reported when trying to create a new account:

Provided password was found from breached passwords list

```
{"short_message":"WILDDUCK HTTP [POST /users] FAILED","_remote_ip":"192.168.96.8","_ip":"::ffff:192.168.96.1","_sess":"-jRgmH18bK4aDgX-yT6geVni6AgrD_0K","_http_route":"/users","_http_method":"POST","_user":"root","_role":"root","_api_response":"fail","_error":"Provided password was found from breached passwords list","_code":"InsecurePasswordError","_size":109,"_req_name":"test4","_req_username":"test4","_req_password":"***","_req_allowUnsafe":"false","_req_address":"[email protected]","_req_recipients":"2000","_req_forwards":"2000","_req_quota":"1073741824","_req_sess":"-jRgmH18bK4aDgX-yT6geVni6AgrD_0K","_req_ip":"::ffff:192.168.96.1","facility":"wildduck","host":"a62a58b0927e","timestamp":1636673652.149,"_component":"wildduck"}
```

While I applaud the security measures here, it's unfortunate that this message is not returned via the web mail interface, or even in the network response at all.

tempire, Nov 11 '21 23:11
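
Since the failure reason only appears in the debug-level Gelf lines quoted in the last comment, the following added example (not part of the thread and not WildDuck's own code) extracts failed API calls from captured `docker-compose` output. The function names are hypothetical, and `SAMPLE_LOG` is constructed from the two log lines above, trimmed to the fields used, plus two constructed non-JSON lines.

```javascript
// Added example: triage of WildDuck debug-level Gelf lines as quoted in this thread.
// SAMPLE_LOG is constructed: the two quoted failures trimmed to the fields used here,
// one plain "info HTTP get" line and one truncated line.
const SAMPLE_LOG = [
  'wildduck-server     | info HTTP get /users',
  'wildduck-server     | info Gelf {"_http_route":"/authenticate","_http_method":"POST","_api_response":"fail","_error":"Invalid accessToken value","_code":"InvalidToken","_req_username":"test2","_req_password":"***","timestamp":1636673521.85}',
  '{"_http_route":"/users","_http_method":"POST","_api_response":"fail","_error":"Provided password was found from breached passwords list","_code":"InsecurePasswordError","_req_username":"test4","_req_password":"***","timestamp":1636673652.149}',
  'wildduck-server     | info Gelf {"short_message":"truncated',
].join('\n');

// Pull the JSON object out of one log line. Tolerates the docker-compose
// "service | level Gelf" prefix and returns null for non-JSON or truncated lines.
function parseGelfLine(line) {
  const start = line.indexOf('{');
  if (start === -1) return null;
  try {
    const obj = JSON.parse(line.slice(start));
    return obj && typeof obj === 'object' ? obj : null;
  } catch (err) {
    return null;
  }
}

// One summary per failed API call: the reason the webmail form did not display.
function extractApiFailures(logText) {
  const failures = [];
  for (const line of logText.split(/\r?\n/)) {
    const entry = parseGelfLine(line);
    if (!entry || entry._api_response !== 'fail') continue;
    const ms = typeof entry.timestamp === 'number' ? Math.round(entry.timestamp * 1000) : null;
    failures.push({
      time: ms === null ? null : new Date(ms).toISOString(),
      method: entry._http_method,
      route: entry._http_route,
      code: entry._code,
      error: entry._error,
      username: entry._req_username || null,
    });
  }
  return failures;
}

// Count failures per error code so a repeated cause stands out.
function countByCode(failures) {
  const counts = {};
  for (const f of failures) counts[f.code] = (counts[f.code] || 0) + 1;
  return counts;
}

for (const f of extractApiFailures(SAMPLE_LOG)) {
  console.log(`${f.time} ${f.method} ${f.route} ${f.code}: ${f.error}`);
}
```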