[SM-USERS] Users can login with old passwords!

2010-06-22 Thread Dogsbody

Please help, I have been all over google and the archives but cannot see 
this discussed anywhere.

Standard LAMP server (details below), login to squirrelmail, fine, 
logout.  Change user's password and log back into squirrelmail using old 
password!!  Logout and login with new password too!

I have lots of data but not sure what is relevant.

It looks like squirrelmail is holding onto the IMAP login as I don't see 
it disconnect when the user logs out.  In fact, when they login with the 
old password I don't see the authentication passed through to the IMAP 
server so I am guessing squirrelmail is caching something locally!?

I thought this may be a session issue but after changing the user's 
password I can login using the old password on a separate browser with 
cleared cookies :-/

Any help gratefully received.  Details of my environment are below...

SquirrelMail version : 1.4.20
Installed Plugins: squirrelspell, delete_move_next, message_details
PHP version  : 5.2.0
Web server  : Apache 2.0.52
IMAP server : Dovecot 1.1.8
SMTP server : Sendmail 8.13.1
OS  : CentOS 4.5
Installed from tarball
Browsers: Firefox 3.5 & Safari 5.0
Shout if you need any more info.

Thank you.

Dan

--
ThinkGeek and WIRED's GeekDad team up for the Ultimate 
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
lucky parental unit.  See the prize list and enter to win: 
http://p.sf.net/sfu/thinkgeek-promo
-
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@lists.sourceforge.net
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): 
https://lists.sourceforge.net/lists/listinfo/squirrelmail-users


Re: [SM-USERS] Users can login with old passwords!

2010-06-22 Thread Dogsbody

> Are you running an IMAP Proxy?  up-imapproxy, specifically, would still
> work with the old password as long as an existing connection remained
> cached.

Nope, no IMAP proxy, the IMAP server and Squirrelmail are on the same 
machine.


> I would try a command line IMAP mail reader.
> Maybe pine or elm.

I have tried that, and confirmed the problem is with Squirrelmail and 
not IMAP :-/



Re: [SM-USERS] Users can login with old passwords!

2010-06-22 Thread Dogsbody

>> Nope, no IMAP proxy, the IMAP server and Squirrelmail are on the same
>> machine.
>
> That alone doesn't rule out the use of an IMAP proxy, since it could
> also be on the same machine.

Totally agree, sorry my bad sentence.  I built the box myself and it is 
not running an IMAP proxy.

> I can think of no other reason that an old password would continue to
> work.  Squirrelmail does not (in fact, can not) remain connected to your
> IMAP server.

That is what I thought but it is happening :-/  I'll happily provide a 
test account for any developers that want to try this themselves.

I'm at rather a loss on this one.

Dan



Re: [SM-USERS] Users can login with old passwords!

2010-06-28 Thread Dogsbody

> Dave's right.  SquirrelMail can't cache logins itself.  It merely asks
> your IMAP server to authenticate what credentials you give it.
> Therefore your problem is with whatever IMAP service you have pointed
> SquirrelMail to, be it an IMAP proxy or the IMAP server itself.  If
> you are really not running imapproxy, then my guess is that Dovecot is
> not seeing the updated passwords yet.  You should seek help in the
> Dovecot community for this issue.

You are absolutely right, after lots of digging it seems Dovecot caches 
the authentication when using plain text auth, which, as webmail was 
accessing locally, it was doing.

Editing /etc/dovecot.conf and changing auth_cache_ttl from 3600 to a 
lower value like 300 and restarting dovecot seemed to work perfectly.

Thank you all for your help and a great product.

Dan
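
The fix described in this message, as an added check that is not part of the original thread or of Dovecot itself: it reads a Dovecot 1.x-style dovecot.conf and reports how many seconds a replaced password can still be accepted from the auth cache. The function names and the sample config (including auth_cache_size = 1024) are constructed for illustration.

```shell
#!/bin/sh
# Audit Dovecot's auth cache: how long can an old password keep working?
# Handles flat "key = value" lines with plain integer values (Dovecot 1.x style).

# Print the last uncommented value of setting $1 in config file $2.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$2" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print the stale-credential window in seconds (0 = auth cache disabled).
stale_window() {
    size=$(conf_get auth_cache_size "$1")
    ttl=$(conf_get auth_cache_ttl "$1")
    # Dovecot defaults when unset: cache off (size 0), ttl 3600 seconds.
    [ -n "$size" ] || size=0
    [ -n "$ttl" ] || ttl=3600
    if [ "$size" = 0 ]; then echo 0; else echo "$ttl"; fi
}

# Succeed only if the window is at most $2 seconds for config file $1.
window_ok() {
    [ "$(stale_window "$1")" -le "$2" ]
}

# Constructed sample mirroring the thread: cache enabled, ttl still 3600.
demo=$(mktemp)
cat > "$demo" <<'EOF'
auth_cache_size = 1024
auth_cache_ttl = 3600   # value before the fix
#auth_cache_ttl = 300
EOF
echo "old password accepted for up to $(stale_window "$demo")s after a change"
window_ok "$demo" 300 || echo "FAIL: auth cache window exceeds 300s"
rm -f "$demo"
```

Setting auth_cache_size to 0 removes the window entirely, at the cost of a password database lookup on every login.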
