[Plugin ldap-mail-accounts] Password change via ldap asks for passphrase
I'm using the plugin ldap-mail-accounts to automatically add additional accounts to SnappyMail based on an ldap directory. SnappyMail in one of the last releases introduced the functionality to encrypt the passwords for additional accounts, which surely is a good feature. Unfortunately this creates a problem when trying to use a functionality of the ldap-mail-accounts plugin: on changing to an additional account the plugin tries to log you in with the same password used for the main account (in my special case this is the password that Nextcloud passes to SnappyMail using the Nextcloud integration). As the additional account passwords are now encrypted, when the user has changed his password in ldap he gets asked for the old password, which isn't always known - think of a password reset after a forgotten password, similar to #1551.
Doing some tests I saw that deleting the .cryptkey file in the user storage solves the situation somehow because in this case the file is recreated without having to insert the old password but this obviously is a manual task to do every time the user changes his password.
I saw that the resealCryptKey function was introduced for a connected problem, but I think this cannot help in my situation. Therefore I would like to ask how I would have to change my plugin to be able to retry logging in a user with the password of his main account without having the user insert manually the old (maybe forgotten) passphrase for every additional account? Should I somehow reset the cryptkey file every time the user logs in so that it gets regenerated?
Additionally I would like to ask what consequences the deletion of the .cryptkey file has? Does this only affect the passwords for additional accounts or could this result in other data loss as the key file has to be regenerated?
Cryptkey is used for additional accounts and other encrypted data (like backups of pgp keys).
See the login-gmail extension for how I work around the problem there.
https://github.com/the-djmaze/snappymail/blob/6cafd65690ff0c7ad94c48dadbd223fcb3aef388/plugins/login-gmail/index.php#L125
The OpenID Connect id is unique for the account login and used as password, because the auth and refresh tokens change constantly and are used for imap/smtp/sieve.
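To make the consequences discussed above concrete, here is an added illustration (not code from the snappymail project or from either poster) of the key-file lifecycle the thread describes: a random data key protects the additional-account secrets, and the data key itself is sealed under a key derived from the login password. The model shows why a password change without resealing leaves the user stuck on the old passphrase, why a reseal while the old password is still known keeps everything readable, and why deleting the key file regenerates a fresh key at the cost of everything sealed under the old one (including, per the reply above, other encrypted data such as pgp key backups). The HMAC-counter cipher, the KDF parameters, the `UserStorage` class and its `reseal` method are constructed for this example and are not SnappyMail's actual implementation of `.cryptkey` or `resealCryptKey`.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed parameters for this example; SnappyMail's real values are not assumed.
KDF_ITERATIONS = 100_000
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_wrap_key(password: str, salt: bytes) -> bytes:
    """Derive the key that wraps the data key from the user's login password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one wrapping/data key.
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in for a real AEAD such as AES-GCM;
    # the stdlib has no AEAD and the point here is the key lifecycle, not the cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; ValueError on a wrong key or tampered blob."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, "sha256").digest()):
        raise ValueError("wrong passphrase or corrupted data")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class UserStorage:
    """Per-user storage: one sealed key file plus secrets encrypted under the data key."""

    def __init__(self) -> None:
        self.cryptkey_file: Optional[bytes] = None   # salt || sealed data key (the ".cryptkey")
        self.secrets: Dict[str, bytes] = {}          # e.g. additional-account passwords

    def _data_key(self, password: str) -> bytes:
        """Unlock the data key, minting a fresh key file on first use (no old passphrase needed)."""
        if self.cryptkey_file is None:
            salt, data_key = os.urandom(SALT_LEN), os.urandom(32)
            self.cryptkey_file = salt + seal(derive_wrap_key(password, salt), data_key)
            return data_key
        salt, sealed = self.cryptkey_file[:SALT_LEN], self.cryptkey_file[SALT_LEN:]
        return unseal(derive_wrap_key(password, salt), sealed)   # fails if the password changed

    def store_secret(self, name: str, value: bytes, password: str) -> None:
        self.secrets[name] = seal(self._data_key(password), value)

    def load_secret(self, name: str, password: str) -> bytes:
        return unseal(self._data_key(password), self.secrets[name])

    def reseal(self, old_password: str, new_password: str) -> None:
        """Re-wrap the SAME data key under the new password; existing secrets stay readable."""
        data_key = self._data_key(old_password)
        salt = os.urandom(SALT_LEN)
        self.cryptkey_file = salt + seal(derive_wrap_key(new_password, salt), data_key)

    def delete_cryptkey(self) -> None:
        """Model of deleting the key file: next login mints a new key, old secrets are unrecoverable."""
        self.cryptkey_file = None


def demo() -> Dict[str, bool]:
    """Walk through the three situations from the thread and report each outcome."""
    results: Dict[str, bool] = {}
    store = UserStorage()
    store.store_secret("imap:second@example.test", b"second-account-pw", "old-login-pw")  # constructed

    # 1. Login password changed in the directory, key file untouched: needs the OLD password.
    try:
        store.load_secret("imap:second@example.test", "new-login-pw")
        results["readable_after_password_change"] = True
    except ValueError:
        results["readable_after_password_change"] = False

    # 2. Reseal while the old password is still known: the new password unlocks everything.
    store.reseal("old-login-pw", "new-login-pw")
    results["readable_after_reseal"] = (
        store.load_secret("imap:second@example.test", "new-login-pw") == b"second-account-pw")

    # 3. Delete the key file instead: login works without the old password, but every
    #    secret sealed under the previous data key is lost.
    store.delete_cryptkey()
    store.store_secret("imap:third@example.test", b"third-account-pw", "new-login-pw")
    results["new_secret_readable_after_delete"] = (
        store.load_secret("imap:third@example.test", "new-login-pw") == b"third-account-pw")
    try:
        store.load_secret("imap:second@example.test", "new-login-pw")
        results["old_secret_readable_after_delete"] = True
    except ValueError:
        results["old_secret_readable_after_delete"] = False
    return results
```

The practical consequence for an integration that only ever sees the current login password (as the Nextcloud hand-off does) is that the reseal path needs the old password at the moment it is still available, i.e. at the time of the password change; once that moment has passed, regenerating the key file is the only option, and the cost is that everything previously sealed under it is gone.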
Hi @the-djmaze and thanks for your answer.
Unfortunately I don't get the hint how you work around the problem... Is it the use of SensitiveString in the line you referenced? Or the use of GetSessionToken here? https://github.com/the-djmaze/snappymail/blob/6cafd65690ff0c7ad94c48dadbd223fcb3aef388/plugins/login-gmail/index.php#L131
Sorry, but I have no idea 🤷♂️
Hi,
I'm closing this - I have added the option to delete the content of .cryptkey to my plugin ldap-mail-accounts.
As I do not know how to handle this in another way, and because my plugin handles all additional mail accounts I need, this works for me.