Bug#960302: [Pkg-roundcube-maintainers] Bug#960302: imap retry must be tunable
On 24.05.20 01:34, Sandro Knauß wrote: Well I tried several times to reach upstream and they are often not answering. Never the less I created a pull request with an updated version, that does no retry for unrecoverable failures like authentication failure, no password, configuration failure. That should improve the situation already in this issue. @Matus UHLAR: please try the patch attached to the pull request if this fixes your issue: https://github.com/roundcube/roundcubemail/pull/7402 On 25.05.20 17:50, Matus UHLAR - fantomas wrote: this patch works properly when invalid password is entered. works properly even in backported version 1.4.4+dfsg.1-1~bpo10+1 -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Chernobyl was an Windows 95 beta test site.
Bug#960302: [Pkg-roundcube-maintainers] Bug#960302: imap retry must be tunable
On 24.05.20 01:34, Sandro Knauß wrote: Could you please have a look at this regression report? You authored the patch and my PHP-fu is failing me :-P It should definitely not retry the very same incorrect credentials. Even on systems without anti-bruteforce logic that locks the user out, Roundcube still takes 5 times longer to complain a about a failed login — which is not negligible when an expensive PBKDF is used for credential verification. ACK I think it's rather unfortunate that debian/patches/retry_to_reach_imap_server.patch was AFAICT never submitted upstream and landed into stable through -p-u. I dunno whether program/lib/Roundcube/rcube_imap.php:connect() has access to the IMAP state machine to determine whether a greeting was seen (AFAICT your intention was to retry on missing greeting lines, not on NO/BYE greeting conditions let alone failed authentication attempts) or to another interface returning whether the error is transient or not. Either way it'd be good to have upstream's blessing before adopting such patches to Debian :-) Well I tried several times to reach upstream and they are often not answering. Never the less I created a pull request with an updated version, that does no retry for unrecoverable failures like authentication failure, no password, configuration failure. That should improve the situation already in this issue. @Matus UHLAR: please try the patch attached to the pull request if this fixes your issue: https://github.com/roundcube/roundcubemail/pull/7402 this patch works properly when invalid password is entered. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Enter any 12-digit prime number to continue.
Bug#960302: [Pkg-roundcube-maintainers] Bug#960302: imap retry must be tunable
Control: forwarded -1 https://github.com/roundcube/roundcubemail/pull/7402 hey, > Could you please have a look at this regression report? You authored > the patch and my PHP-fu is failing me :-P It should definitely not > retry the very same incorrect credentials. Even on systems without > anti-bruteforce logic that locks the user out, Roundcube still takes 5 > times longer to complain a about a failed login — which is not > negligible when an expensive PBKDF is used for credential verification. ACK > I think it's rather unfortunate that > debian/patches/retry_to_reach_imap_server.patch was AFAICT never submitted > upstream and landed into stable through -p-u. I dunno whether > program/lib/Roundcube/rcube_imap.php:connect() has access to the IMAP state > machine to determine whether a greeting was seen (AFAICT your intention was > to retry on missing greeting lines, not on NO/BYE greeting conditions let > alone failed authentication attempts) or to another interface returning > whether the error is transient or not. Either way it'd be good to have > upstream's blessing before adopting such patches to Debian :-) Well I tried several times to reach upstream and they are often not answering. Never the less I created a pull request with an updated version, that does no retry for unrecoverable failures like authentication failure, no password, configuration failure. That should improve the situation already in this issue. @Matus UHLAR: please try the patch attached to the pull request if this fixes your issue: https://github.com/roundcube/roundcubemail/pull/7402 Cheers, hefee signature.asc Description: This is a digitally signed message part.
Bug#960302: [Pkg-roundcube-maintainers] Bug#960302: imap retry must be tunable
Control: severity -1 important Hi Sandro, On Mon, 11 May 2020 at 18:34:06 +0200, Matus UHLAR - fantomas wrote: > the imap retry patch added within bug 947320 locks my accounts when I enter > invalid password. Could you please have a look at this regression report? You authored the patch and my PHP-fu is failing me :-P It should definitely not retry the very same incorrect credentials. Even on systems without anti-bruteforce logic that locks the user out, Roundcube still takes 5 times longer to complain a about a failed login — which is not negligible when an expensive PBKDF is used for credential verification. I think it's rather unfortunate that debian/patches/retry_to_reach_imap_server.patch was AFAICT never submitted upstream and landed into stable through -p-u. I dunno whether program/lib/Roundcube/rcube_imap.php:connect() has access to the IMAP state machine to determine whether a greeting was seen (AFAICT your intention was to retry on missing greeting lines, not on NO/BYE greeting conditions let alone failed authentication attempts) or to another interface returning whether the error is transient or not. Either way it'd be good to have upstream's blessing before adopting such patches to Debian :-) Thanks! cheers -- Guilhem. signature.asc Description: PGP signature
