Sat, 04 Apr 2026 06:37:20 +0000 https://bugs.horde.org/ticket/15095 Horde allows unauthenticated usere I have a Horde install that on FreeBSD/Dovecot/postfix, it is supposed to authenticate users in a MySQL database. The users are added into the database with postfixadmin. if a User was to log into Horde with a legitimate UserName and an incorrect password, Horde would let them through, allowing access to the Contact, Calendar etc but not mail. however, imp throws the error: User is not authorized for Mail (Host: ***.***.***.****). Also, if the legitimate username and wrong password is an admin, horde allows access to the Administration Configuration. if the user enters the proper password, everything is fine and no errors. Is this a bug or a misconfiguration? How do I resolve this? <?php /* CONFIG START. DO NOT CHANGE ANYTHING IN OR AFTER THIS LINE. */ $conf['vhosts'] = false; $conf['debug_level'] = E_ALL & ~E_NOTICE; $conf['max_exec_time'] = 0; $conf['compress_pages'] = true; $conf['secret_key'] = '**'; $conf['umask'] = 077; $conf['testdisable'] = true; $conf['use_ssl'] = 2; $conf['server']['name'] = $_SERVER['SERVER_NAME']; $conf['urls']['token_lifetime'] = 30; $conf['urls']['hmac_lifetime'] = 30; $conf['urls']['pretty'] = false; $conf['safe_ips'] = array(); $conf['session']['name'] = 'Horde'; $conf['session']['use_only_cookies'] = true; $conf['session']['timeout'] = 0; $conf['session']['cache_limiter'] = 'nocache'; $conf['session']['max_time'] = 72000; $conf['cookie']['domain'] = $_SERVER['SERVER_NAME']; $conf['cookie']['path'] = '/'; $conf['sql']['username'] = '**'; $conf['sql']['password'] = '**'; $conf['sql']['hostspec'] = 'localhost'; $conf['sql']['port'] = 3306; $conf['sql']['protocol'] = 'tcp'; $conf['sql']['database'] = 'horde'; $conf['sql']['charset'] = 'utf-8'; $conf['sql']['ssl'] = false; $conf['sql']['splitread'] = false; $conf['sql']['logqueries'] = false; $conf['sql']['phptype'] = 'mysql'; $conf['nosql']['phptype'] = false; $conf['ldap']['useldap'] = false; $conf['auth']['admins'] = array('**'); $conf['auth']['checkip'] = true; $conf['auth']['checkbrowser'] = true; $conf['auth']['resetpassword'] = true; $conf['auth']['alternate_login'] = false; $conf['auth']['redirect_on_logout'] = false; $conf['auth']['list_users'] = 'list'; $conf['auth']['params']['phptype'] = 'mysql'; $conf['auth']['params']['hostspec'] = 'localhost'; $conf['auth']['params']['protocol'] = 'tcp'; $conf['auth']['params']['username'] = 'postfix'; $conf['auth']['params']['password'] = '**'; $conf['auth']['params']['database'] = 'postfix'; $conf['auth']['params']['query_auth'] = 'SELECT password FROM mailbox WHERE username = \L'; $conf['auth']['params']['query_add'] = 'INSERT INTO mailbox (domain, username , password, home) VALUES ( SUBSTRING_INDEX(\L, \'@\', -1), \L, \P, \'/usr/local/virtual/SUBSTRING_INDEX(\L, \'@\', -1)/\L\')'; $conf['auth']['params']['query_getpw'] = 'SELECT password FROM mailbox WHERE username = \L'; $conf['auth']['params']['query_update'] = ''; $conf['auth']['params']['query_resetpassword'] = 'UPDATE mailbox SET password = \P WHERE username = \L AND password = \P'; $conf['auth']['params']['query_remove'] = 'DELETE FROM mailbox WHERE username = \L AND domain = SUBSTRING_INDEX(\L, \'@\', -1)'; $conf['auth']['params']['query_list'] = 'SELECT * FROM mailbox'; $conf['auth']['params']['query_exists'] = 'SELECT 1 FROM mailbox WHERE SUBSTRING_INDEX(\L, \'@\', 1) AND domain = SUBSTRING_INDEX(\L, \'@\', -1)'; $conf['auth']['params']['encryption'] = 'crypt-md5'; $conf['auth']['params']['show_encryption'] = true; $conf['auth']['driver'] = 'customsql'; $conf['auth']['params']['count_bad_logins'] = true; $conf['auth']['params']['login_block'] = true; $conf['auth']['params']['login_block_count'] = 3; $conf['auth']['params']['login_block_time'] = 15; $conf['signup']['params']['driverconfig'] = 'horde'; $conf['signup']['driver'] = 'Sql'; $conf['signup']['email'] = '**'; $conf['signup']['approve'] = true; $conf['signup']['allow'] = true; $conf['log']['priority'] = 'INFO'; $conf['log']['ident'] = 'HORDE'; $conf['log']['name'] = LOG_USER; $conf['log']['type'] = 'syslog'; $conf['log']['enabled'] = true; $conf['log_accesskeys'] = false; $conf['prefs']['maxsize'] = 65535; $conf['prefs']['params']['driverconfig'] = 'horde'; $conf['prefs']['driver'] = 'Sql'; $conf['alarms']['params']['driverconfig'] = 'horde'; $conf['alarms']['params']['ttl'] = 300; $conf['alarms']['driver'] = 'Sql'; $conf['group']['params']['driverconfig'] = 'horde'; $conf['group']['driver'] = 'Sql'; $conf['perms']['driverconfig'] = 'horde'; $conf['perms']['driver'] = 'Sql'; $conf['share']['no_sharing'] = false; $conf['share']['auto_create'] = true; $conf['share']['world'] = true; $conf['share']['any_group'] = false; $conf['share']['hidden'] = false; $conf['share']['cache'] = false; $conf['share']['driver'] = 'Sqlng'; $conf['cache']['default_lifetime'] = 86400; $conf['cache']['params']['sub'] = 0; $conf['cache']['driver'] = 'File'; $conf['cache']['use_memorycache'] = ''; $conf['cachecssparams']['url_version_param'] = true; $conf['cachecss'] = false; $conf['cachejsparams']['url_version_param'] = true; $conf['cachejs'] = false; $conf['cachethemes'] = false; $conf['lock']['params']['driverconfig'] = 'horde'; $conf['lock']['driver'] = 'Sql'; $conf['token']['params']['driverconfig'] = 'horde'; $conf['token']['driver'] = 'Sql'; $conf['history']['params']['driverconfig'] = 'horde'; $conf['history']['driver'] = 'Sql'; $conf['davstorage']['params']['driverconfig'] = 'horde'; $conf['davstorage']['driver'] = 'Sql'; $conf['mailer']['params']['host'] = '**'; $conf['mailer']['params']['port'] = 25; $conf['mailer']['params']['secure'] = 'tls'; $conf['mailer']['params']['localhost'] = '**'; $conf['mailer']['params']['auth'] = false; $conf['mailer']['params']['lmtp'] = false; $conf['mailer']['type'] = 'smtp'; $conf['vfs']['params']['driverconfig'] = 'horde'; $conf['vfs']['type'] = 'Sql'; $conf['sessionhandler']['type'] = 'Builtin'; $conf['sessionhandler']['hashtable'] = false; $conf['spell']['params']['path'] = '/usr/local/bin/aspell'; $conf['spell']['driver'] = 'aspell'; $conf['gnupg']['path'] = '/usr/local/bin/gpg'; $conf['gnupg']['keyserver'] = array('pool.sks-keyservers.net', 'subkeys.pgp.net', 'pgp.mit.edu'); $conf['gnupg']['timeout'] = 10; $conf['nobase64_img'] = false; $conf['image']['convert'] = '/usr/local/bin/convert'; $conf['image']['identify'] = '/usr/local/bin/identify'; $conf['image']['driver'] = 'Im'; $conf['exif']['driver'] = 'Bundled'; $conf['timezone']['location'] = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz'; $conf['problems']['email'] = '**'; $conf['problems']['maildomain'] = '**'; $conf['problems']['tickets'] = false; $conf['problems']['attachments'] = true; $conf['menu']['links']['help'] = 'all'; $conf['menu']['links']['prefs'] = 'authenticated'; $conf['menu']['links']['problem'] = 'never'; $conf['menu']['links']['login'] = 'all'; $conf['menu']['links']['logout'] = 'authenticated'; $conf['portal']['fixed_blocks'] = array('horde:horde_Block_Cloud', 'horde:horde_Block_Feed', 'horde:horde_Block_Iframe', 'horde:horde_Block_Moon', 'horde:horde_Block_Sunrise', 'horde:horde_Block_Time', 'horde:horde_Block_Vatid', 'horde:horde_Block_Account', 'ingo:ingo_Block_Overview', 'kronolith:kronolith_Block_Monthlist', 'kronolith:kronolith_Block_Prevmonthlist', 'kronolith:kronolith_Block_Summary', 'kronolith:kronolith_Block_Month', 'mnemo:mnemo_Block_Summary', 'mnemo:mnemo_Block_Note', 'nag:nag_Block_Summary', 'trean:trean_Block_Mostclicked', 'trean:trean_Block_Bookmarks', 'turba:turba_Block_Minisearch'); $conf['accounts']['driver'] = 'null'; $conf['user']['verify_from_addr'] = true; $conf['user']['select_view'] = true; $conf['facebook']['enabled'] = false; $conf['twitter']['enabled'] = false; $conf['urlshortener'] = false; $conf['weather']['provider'] = false; $conf['imap']['enabled'] = false; $conf['imsp']['enabled'] = false; $conf['kolab']['enabled'] = false; $conf['hashtable']['driver'] = 'none'; $conf['activesync']['enabled'] = false; /* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */ database tables: +-----------------------+ | Tables_in_postfix | +-----------------------+ | admin | | alias | | alias_domain | | config | | domain | | domain_admins | | fetchmail | | log | | mailbox | | quota | | quota2 | | vacation | | vacation_notification | +-----------------------+ 13 rows in set (0.00 sec) +-----------------+--------------+------+-----+---------------------+-------+ | Field | Type | Null | Key | Default | Extra | +-----------------+--------------+------+-----+---------------------+-------+ | username | varchar(255) | NO | PRI | NULL | | | password | varchar(255) | NO | | NULL | | | name | varchar(255) | NO | | NULL | | | maildir | varchar(255) | NO | | NULL | | | quota | bigint(20) | NO | | 0 | | | local_part | varchar(255) | NO | | NULL | | | domain | varchar(255) | NO | MUL | NULL | | | created | datetime | NO | | 2000-01-01 00:00:00 | | | modified | datetime | NO | | 2000-01-01 00:00:00 | | | active | tinyint(1) | NO | | 1 | | | phone | varchar(30) | NO | | | | | email_other | varchar(255) | NO | | | | | token | varchar(255) | NO | | | | | token_validity | datetime | NO | | 2000-01-01 00:00:00 | | | password_expiry | datetime | NO | | 2000-01-01 00:00:00 | | +-----------------+--------------+------+-----+---------------------+-------+ 15 rows in set (0.00 sec) Mon, 14 Feb 2022 07:33:19 +0000 https://bugs.horde.org/ticket/15095#t93988 This is a support question, not a bug report. Please use the mailing lists to ask for support. http://www.horde.org/mail/ contains a list of all available mailing lists. Thu, 17 Feb 2022 09:49:42 +0000 https://bugs.horde.org/ticket/15095#t93991