Error 500 When Attempting Forgot Password #427

Closed
lkuza2 opened this issue Jan 18, 2021 · 1 comment

lkuza2 commented Jan 18, 2021

Hello,

When using the "I forgot my password" button for a normal user, the HTTP server returns a 500 error.

Based on the logs, it appears to possibly be related to the recently closed issue on how postfixadmin handled dovecot passwords, or something wrong with it finding PFASmarty for some reason. I am using version 3.3.3.

```
2021/01/18 17:42:53 [error] 344926#344926: *1444 FastCGI sent in stderr: "PHP message: Failed to read password from /usr/bin/doveadm pw ... stderr: Fatal: Missing {scheme} prefix from hash , password: PHP message: Error trying to call pacrypt()PHP message: Exception: /usr/bin/doveadm pw failed, see error log for details in /usr/share/webapps/postfixadmin/functions.inc.php:1056 Stack trace: #0 /usr/share/webapps/postfixadmin/functions.inc.php(1271): _pacrypt_dovecot('abc', 'def') #1 /usr/share/webapps/postfixadmin/model/Login.php(45): pacrypt('abc', 'def') #2 /usr/share/webapps/postfixadmin/public/login.php(63): Login->login('', '') #3 {main}PHP message: PostfixAdmin admin login failed (username: , ip_address: x.x.x.xx)" while reading response header from upstream, client: x.x.x.x, server: postfixadmin.x.com, request: "POST /login.php HTTP/1.1", upstream: "fastcgi://unix:/run/postfixadmin/postfixadmin.sock:", host: "postfixadmin.x.com", referrer: "https://postfixadmin.x.com/login.php"

2021/01/18 17:42:57 [error] 344926#344926: *1449 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Error: Class 'PFASmarty' not found in /usr/share/webapps/postfixadmin/public/users/password-recover.php:28 Stack trace: #0 {main} thrown in /usr/share/webapps/postfixadmin/public/users/password-recover.php on line 28" while reading response header from upstream, client: x.x.x.x, server: postfixadmin.x.com, request: "GET /users/password-recover.php HTTP/1.1", upstream: "fastcgi://unix:/run/postfixadmin/postfixadmin.sock:", host: "postfixadmin.x.com", referrer: "https://postfixadmin.x.com/users/login.php"
```

Let me know what other information I can supply. It might just be me having a problem setup.

@DavidGoodwin (Member)

Hi - well spotted ... there are two errors going on here ...

1. If a user doesn't exist, the code proceeds to call pacrypt('abc', 'def'). From memory, I think it does this to try and make it hard for an attacker to do a timing-based attack. Calling pacrypt('abc', 'def') when you're using dovecot doesn't work very well, as it's missing a {SHA512}-type prefix. I'm not sure what's a good way to fix this given how the code is. It could possibly be left to continue to error (and log)?
2. The password recover page had a bug (see changeset ^) which should be fixed.
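To make point 1 concrete, here is an added, self-contained illustration of the timing-equalisation pattern and of why the dummy call blows up under the dovecot scheme. This is example code written for this thread, not PostfixAdmin's own `pacrypt()` or `Login.php`; it models `doveadm pw -t` in-process with a small verifier for the Dovecot `{SHA512}` and `{SSHA512}` formats, and the user table, the function names (`login_broken`, `login_fixed`, `DUMMY_HASH`) and the sample password are all constructed here. The fix it shows is to keep a precomputed hash in the deployed scheme for the unknown-user branch, so the dummy check costs the same as a real one and is still valid input to the crypt backend.

```python
import base64
import hashlib
import hmac
import os


def make_sha512(password):
    # Dovecot {SHA512}: base64 of the raw sha512 digest, no salt
    return "{SHA512}" + base64.b64encode(hashlib.sha512(password.encode()).digest()).decode()


def make_ssha512(password, salt=None):
    # Dovecot {SSHA512}: base64 of sha512(password + salt) with the salt appended
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()


def verify_dovecot(password, stored):
    """Stand-in for `doveadm pw -t`: like the real tool, it refuses a hash without a
    {SCHEME} prefix instead of guessing a scheme, which is the error seen in the issue."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("Missing {scheme} prefix from hash")
    scheme, _, encoded = stored[1:].partition("}")
    raw = base64.b64decode(encoded)
    if scheme == "SHA512":
        return hmac.compare_digest(raw, hashlib.sha512(password.encode()).digest())
    if scheme == "SSHA512":
        digest, salt = raw[:64], raw[64:]  # sha512 digests are 64 bytes; the rest is salt
        return hmac.compare_digest(digest, hashlib.sha512(password.encode() + salt).digest())
    raise ValueError("Unsupported scheme " + scheme)


# Constructed sample user table (fixed salt so the stored value is reproducible)
USERS = {"alice@example.com": make_ssha512("s3cret", salt=b"0123456789abcdef")}

# A valid hash in the deployed scheme whose password is random and discarded, so it
# can never match a real login but costs exactly as much to check as a real one.
DUMMY_HASH = make_ssha512(base64.b64encode(os.urandom(32)).decode())


def login_broken(username, password):
    """Mirrors the behaviour described in the thread: on an unknown user, burn the same
    time as a real check by hashing junk, but 'def' carries no {scheme} prefix, so the
    dovecot backend fails and the request turns into a 500 instead of a login failure."""
    stored = USERS.get(username)
    if stored is None:
        verify_dovecot("abc", "def")
        return False
    return verify_dovecot(password, stored)


def login_fixed(username, password):
    """Same timing-equalisation idea, but the dummy check uses a hash that is valid
    input for the configured scheme. The result is discarded; only the cost matters."""
    stored = USERS.get(username)
    if stored is None:
        verify_dovecot(password, DUMMY_HASH)
        return False
    return verify_dovecot(password, stored)


def dummy_check_error(login_fn, username, password):
    """Return the backend error a login function raises for the given credentials, or None."""
    try:
        login_fn(username, password)
        return None
    except ValueError as exc:
        return str(exc)
```

Whether the dummy branch returns before or after the real-user branch still differs by a dictionary lookup and a scheme parse, so this narrows user enumeration rather than eliminating it; the point of the example is that the dummy input must be acceptable to whatever backend `pacrypt()` is configured to use.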
