Redis + Passwords

ixnay

Hi guys

So this happened to me:

User got password compromised
Some script kiddies started to send mail from this account
Got warning and immediately changed password for the account
Spammer did not stop sending emails
Marked account as inactive and spamming stopped

Then I marked the account as active again and I found that old password still works for SMTP/postfix authentication!!! (used https://www.gmass.co/smtp-test to test). After I restarted redis, this immediately stopped to work. It seems passwords are cached on redis and, even if you change to a new password, old passwords still allow anyone to authenticate via SMTP (only).

Isn’t this a major issue? Shouldn’t redis immediately clear the password after it’s changed on mailcow UI??

esackbauer

Which mailcow version are you on?

ixnay

Could replicate this both in 2025-03b (my production server) and in 2025-05 (my test server).

esackbauer

You should open an issue on Github with logs etc, so the devs can look into it.

ixnay

Thanks. Will do it.

Btw, this also “fixes” the problem. No need to restart redis:

docker compose exec dovecot-mailcow doveadm auth cache flush user@domain.tld

Done:
mailcow/mailcow-dockerized6584