Forwarded to devs Roundcube Password add-in fails due to case sensitive email address

[Alex Presland]

TITLE:

Roundcube Password add-in fails due to case sensitive email address​

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:

Plesk Onyx Version 17.5.3 Update #43
CentOS release 6.9 (Final)
Roundcube v1.2.3 (non-Plesk version) [oops - needs updating!]​

PROBLEM DESCRIPTION:

An email mailbox is configured with an email address [email protected] through the Plesk panel.

When that user tries to change their password through Roundcube, it fails with the generic "New password could not be saved." error message.

If the Plesk email mailbox name is changed to lower-case-only characters (rename to lower-case-only with an X on the front; then rename again to remove the X) then the password changing works.

Logins to roundcube work regardless of the case of the email address entered.​

STEPS TO REPRODUCE:

Set up two email mailboxes. Use upper-case characters in one and all-lower-case characters in the other.

Try to change the passwords of the two accounts, using the roundcube password plugin. It should work for the email address which is configured in plesk with all lower-case characters, and fail for the other.​

ACTUAL RESULT:

"New password could not be saved." error message received when email addresses configured through the plesk panel contain non-lower-case characters.​

EXPECTED RESULT:

I'd expect that the Plesk XML API (used by the Roundcube Password plugin) would work and match the email address, regardless of whether upper-case or lower-case characters were entered into the Plesk panel.​

ANY ADDITIONAL INFORMATION:

We're going to try to tweak the Roundcube Password add-in to log what it is sending, to help confirm this bug report.​

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:

Confirm bug​

 

[Alex Presland]

We've now done more work and added logging around the line of plugins/password/driver/plesk.php which calls the "curl_exec". This has successfully captured the XML Request and XML Response from each CURL execution.

We've also changed plugins/password/password.php so that it logs to /logs/password BOTH when the password change is successful and when it fails.

When the user "[email protected]" (i.e. all lowercase local part) has its password changed to "Password345", the following is logged:

[10-Mar-2018 22:29:28 +0000]: <22j4vfnk> XML Request: <?xml version="1.0"?>
<packet version="1.6.3.0"><site><get><filter><name>webmail.mydomain.com</name></filter><dataset><hosting/></dataset></get></site></packet>

[10-Mar-2018 22:29:29 +0000]: <22j4vfnk> XML Response: <?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.3.0"><site><get><result><status>ok</status><filter-id>webmail.mydomain.com</filter-id><id>360</id><data><gen_info><cr_date>2017-01-19</cr_date><name>webmail.mydomain.com</name><ascii-name>webmail.mydomain.com</ascii-name><status>0</status><real_size>695721984</real_size><dns_ip_address>IP.AD.DRE.SS</dns_ip_address><htype>vrt_hst</htype><guid>fd78f1de-c330-4bf2-bbb2-b1773a80c8d7</guid><webspace-guid>fd78f1de-c330-4bf2-bbb2-b1773a80c8d7</webspace-guid></gen_info><hosting><vrt_hst><property><name>ftp_login</name><value>USERNAME</value></property><property><name>ftp_password</name><value>PASSWORD</value></property><property><name>ftp_password_type</name><value>plain</value></property><property><name>ftp_quota</name><value>-1</value></property><property><name>ssl</name><value>true</value></property><property><name>shell</name><value>/bin/false</value></property><property><name>php</name><value>true</value></property><property><name>php_handler_type</name><value>fastcgi</value></property><property><name>ssi</name><value>false</value></property><property><name>cgi</name><value>false</value></property><property><name>perl</name><value>false</value></property><property><name>python</name><value>false</value></property><property><name>asp</name><value>false</value></property><property><name>asp_dot_net</name><value>false</value></property><property><name>webstat</name><value>awstats</value></property><property><name>webstat_protected</name><value>true</value></property><property><name>errdocs</name><value>true</value></property><property><name>wuscripts</name><value>true</value></property><property><name>at_domains</name><value>false</value></property><property><name>fastcgi</name><value>true</value></property><property><name>cgi_mode</name><value></value></property><property><name>www_root</name><value>/var/www/vhosts/webmail.mydomain.com/httpdocs</value></property><property><name>certificate_name</name><value>Lets Encrypt webmail.mydomain.com</value></property><property><name>open_basedir</name><value>{WEBSPACEROOT}{/}{:}{TMP}{/}</value></property><property><name>error_reporting</name><value>E_ALL &amp; ~E_NOTICE &amp; ~E_STRICT &amp; ~E_DEPRECATED</value></property><property><name>log_errors</name><value>off</value></property><property><name>post_max_size</name><value>16M</value></property><property><name>upload_max_filesize</name><value>10M</value></property><property><name>date.timezone</name><value>Europe/London</value></property><property><name>web-server-expires-static-only</name><value>true</value></property><property><name>apache-restrict-follow-sym-links</name><value>false</value></property><property><name>nginx-proxy-mode</name><value>true</value></property><property><name>nginx-transparent-mode</name><value>false</value></property><property><name>nginx-serve-static</name><value>false</value></property><property><name>nginx-serve-php</name><value>false</value></property><ip_address>IP.AD.DRE.SS</ip_address></vrt_hst></hosting></data></result></get></site></packet>

[10-Mar-2018 22:29:29 +0000]: <22j4vfnk> XML Request: <?xml version="1.0"?>
<packet version="1.6.3.0"><mail><update><set><filter><site-id>360</site-id><mailname><name>test</name><password><value>Password345</value><type>plain</type></password></mailname></filter></set></update></mail></packet>

[10-Mar-2018 22:29:29 +0000]: <22j4vfnk> XML Response: <?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.3.0"><mail><update><set><result><status>ok</status><mailname><name>test</name></mailname></result></set></update></mail></packet>

[10-Mar-2018 22:29:29 +0000]: <22j4vfnk> Password changed for user [email protected] (ID: 403) from ip.ad.dr.ess(X-Real-IP: ip.ad.dr.ess,X-Forwarded-For: ip.ad.dr.ess)

However, when the user is changed to "[email protected]" it fails:

[10-Mar-2018 22:30:38 +0000]: <o03u54o3> XML Request: <?xml version="1.0"?>
<packet version="1.6.3.0"><site><get><filter><name>webmail.mydomain.com</name></filter><dataset><hosting/></dataset></get></site></packet>

[10-Mar-2018 22:30:38 +0000]: <o03u54o3> XML Response: <?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.3.0"><site><get><result><status>ok</status><filter-id>webmail.mydomain.com</filter-id><id>360</id><data><gen_info><cr_date>2017-01-19</cr_date><name>webmail.mydomain.com</name><ascii-name>webmail.mydomain.com</ascii-name><status>0</status><real_size>695721984</real_size><dns_ip_address>IP.AD.DRE.SS</dns_ip_address><htype>vrt_hst</htype><guid>fd78f1de-c330-4bf2-bbb2-b1773a80c8d7</guid><webspace-guid>fd78f1de-c330-4bf2-bbb2-b1773a80c8d7</webspace-guid></gen_info><hosting><vrt_hst><property><name>ftp_login</name><value>USERNAME</value></property><property><name>ftp_password</name><value>PASSWORD</value></property><property><name>ftp_password_type</name><value>plain</value></property><property><name>ftp_quota</name><value>-1</value></property><property><name>ssl</name><value>true</value></property><property><name>shell</name><value>/bin/false</value></property><property><name>php</name><value>true</value></property><property><name>php_handler_type</name><value>fastcgi</value></property><property><name>ssi</name><value>false</value></property><property><name>cgi</name><value>false</value></property><property><name>perl</name><value>false</value></property><property><name>python</name><value>false</value></property><property><name>asp</name><value>false</value></property><property><name>asp_dot_net</name><value>false</value></property><property><name>webstat</name><value>awstats</value></property><property><name>webstat_protected</name><value>true</value></property><property><name>errdocs</name><value>true</value></property><property><name>wuscripts</name><value>true</value></property><property><name>at_domains</name><value>false</value></property><property><name>fastcgi</name><value>true</value></property><property><name>cgi_mode</name><value></value></property><property><name>www_root</name><value>/var/www/vhosts/webmail.mydomain.com/httpdocs</value></property><property><name>certificate_name</name><value>Lets Encrypt webmail.mydomain.com</value></property><property><name>open_basedir</name><value>{WEBSPACEROOT}{/}{:}{TMP}{/}</value></property><property><name>error_reporting</name><value>E_ALL &amp; ~E_NOTICE &amp; ~E_STRICT &amp; ~E_DEPRECATED</value></property><property><name>log_errors</name><value>off</value></property><property><name>post_max_size</name><value>16M</value></property><property><name>upload_max_filesize</name><value>10M</value></property><property><name>date.timezone</name><value>Europe/London</value></property><property><name>web-server-expires-static-only</name><value>true</value></property><property><name>apache-restrict-follow-sym-links</name><value>false</value></property><property><name>nginx-proxy-mode</name><value>true</value></property><property><name>nginx-transparent-mode</name><value>false</value></property><property><name>nginx-serve-static</name><value>false</value></property><property><name>nginx-serve-php</name><value>false</value></property><ip_address>IP.AD.DRE.SS</ip_address></vrt_hst></hosting></data></result></get></site></packet>

[10-Mar-2018 22:30:38 +0000]: <o03u54o3> XML Request: <?xml version="1.0"?>
<packet version="1.6.3.0"><mail><update><set><filter><site-id>360</site-id><mailname><name>test</name><password><value>Password123</value><type>plain</type></password></mailname></filter></set></update></mail></packet>

[10-Mar-2018 22:30:38 +0000]: <o03u54o3> XML Response: <?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.3.0"><mail><update><set><result><status>error</status><errcode>1023</errcode><errtext>Unable to create mailname :Mail account [email protected] already exists in this domain.</errtext><mailname><name>test</name></mailname></result></set></update></mail></packet>

[10-Mar-2018 22:30:38 +0000]: <o03u54o3> Password change FAILED for user [email protected] (ID: 409) from ip.ad.dr.ess(X-Real-IP: ip.ad.dr.ess,X-Forwarded-For: ip.ad.dr.ess)

​

This testing shows that the Plesk code isn't doing a case-insensitive match when checking for the mailbox existing already, and is therefore trying (and failing) to create a mailbox with the same name.

Hopefully this is useful to you in confirming this issue.

 

[IgorG]

From developer:

Unable to reproduce it on Plesk 17.5 + Roundcube 1.2.7

WORKAROUND:
Rename an email address to lowercase.

 

[Alex Presland]

Thanks @IgorG. I'll upgrade Roundcube and test again.

 

[Alex Presland]

I've upgraded Roundcube to 1.3.5 (server still running Plesk Onyx Version 17.5.3 Update #43) and get the same behaviour as before (failing when the email alias has an uppercase character in it).

Are there any differences between the Roundcube package bundled with Plesk and the package that is available from Roundcube Webmail Downloads? If not, I'm struggling to understand why this issue can't be reproduced. :-/

I'm not using the Plesk-bundled one, if I forgot to mention that earlier.

 

[MarkM]

Try modifying the roundcube config file and setting $rcmail_config[‘login_lc’] = true

Edit; I think I'm getting versions mixed up. I believe it's $config['login_lc'] = 2 in the latest.... also dovecot or ?

 

[Alex Presland]

Hi Mark,

Thanks for your message. I've checked and this is already using the default of 2.

The request sent in the Plesk XML API is lowercase in both examples (excerpt from above logs):

<packet version="1.6.3.0"><mail><update><set><filter><site-id>360</site-id><mailname><name>test</name><password>..

The response is different when the email address configured in Plesk contains an upper-case character. I remain convinced that Plesk is treating this case-sensitively, and therefore (effectively) not matching against the submitted field and saying "this mailbox already exists, you can't create it" instead of "password changed".

 

[Alex Presland]

Currently running Roundcube 1.3.10 and Plesk 17.8.11 Update #67. We've just had another user fall fowl of this bug. Any news on possibly reproducing and fixing this issue?

 

[Alex Presland]

I'm still having his issue with Roundcube 1.4.1 and Plesk 17.8.11 Update #74. Although there is a workaround, it isn't great that the API calls are failing because non-technical users have chosen to configure captial letters in their email addresses. Can the plesk API code or user interface be modified to prevent this please?