[Dovecot] auth failure
Tom Allison
tallison at tacocat.net
Fri Jun 11 14:11:01 EEST 2004
Brian Candler wrote:
> On Thu, Jun 10, 2004 at 09:36:48PM -0400, Tom Allison wrote:
>
>>I've created working passwords using 'mkpasswd --hash=md5'
>
> ...
>
>>I can login and everything looks pretty cool.
>>
>>Except, as near as I can tell, I'm sending plaintext authentication over
>>the wire. My best guess is that my password gets munged into digest-md5
>>format before it goes over the wire.
>
>
> Those two sentences contradict.
>
> I think you mean you're sending plaintext passwords over the wire; when
> received at the server they are MD5-hashed, and compared with the hashed
> passwords in your database.
>
> You can check this with tcpdump, dsniff etc.
>
You're right, I think. But I'm not sure exactly where.
I can use telnet 143 to authenticate using plaintext
". login username secret"
but sniffit shows my password as garbled up stuff when I send a password
through mozilla. Is this a feature of sniffit, mozilla, or what?
I guess I know a lot less about authentication than I thought I did.
>
>>At this point I'm of the opinion that I'm reasonably secure.
>>True so far?
>
Probably not, eh?
>
> Depends on your definition of "secure".
>
> Unless running over SSL, you are not secure against sniffers, who can easily
> see and re-use your passwords. However someone who breaks into your server
> will not have a full table of cleartext passwords, only the hashes. That
> means they have to do some work (a dictionary attack) to recover the
> passwords. Mind you, given most people's password habits, they'll probably
> recover 80% of the passwords within seconds anyway.
I'm trying to set up SSL, but I'm not sure it will behave well. Last
time I tried this, I had a consistent feature of my SSL connection
warning me that my certificate was crap because it wasn't signed
properly (I didn't pay Thawte/Verisign to let me read my email).
I'll work on SSL over the weekend, but I know I can connect now with
plaintext. It's only allowing connections from my subnet A to subnet B
and localhost so it's not as bad as 99.9% of the pop servers out there
(or am I wrong on that too?).
I much prefer the md5 storage for passwords since it makes it much
harder. As for the choice of passwords... I assign the email passwords
and I love pwgen!
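The two observations in this thread (a readable `. login username secret` over telnet, but "garbled" bytes from Mozilla) are what a plaintext LOGIN and a challenge-response mechanism such as CRAM-MD5 (RFC 2195), which Dovecot also supports, look like to a sniffer. The following added example is not from the thread or from Dovecot; it computes both sides of a CRAM-MD5 exchange, shows that the sniffed bytes are a per-challenge keyed digest rather than the password and are not replayable against a fresh challenge, and shows why the server must hold the original secret (a crypt-style hash such as `mkpasswd --hash=md5` output cannot verify it). The hostname and the `USERS` table are constructed.

```python
import base64
import hashlib
import hmac
import os
import time


def login_on_the_wire(username, password):
    """What a sniffer sees for the IMAP LOGIN command typed over telnet."""
    return f". login {username} {password}".encode()


def make_challenge(hostname="mail.example.net"):
    """Server side of CRAM-MD5 (RFC 2195): a one-time '<random.time@host>' string."""
    nonce = int.from_bytes(os.urandom(4), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def client_response(username, password, challenge):
    """Client side: 'user hex(HMAC-MD5(key=password, msg=challenge))', base64-encoded.
    The password itself never leaves the client; only the keyed digest does."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def server_verify(wire_response, challenge, lookup_secret):
    """Server side: recompute the digest from the stored secret and compare.
    CRAM-MD5 needs the original password as the HMAC key, so a crypt-style
    MD5 hash (what 'mkpasswd --hash=md5' produces) cannot be used here."""
    try:
        username, digest = base64.b64decode(wire_response).decode().split(" ", 1)
    except ValueError:  # bad base64, bad UTF-8, or no separating space
        return False
    secret = lookup_secret(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    # constant-time comparison so the check does not leak via timing
    return hmac.compare_digest(expected.encode(), digest.encode())


# constructed user database: username -> plaintext secret held by the server
USERS = {"tom": "secret"}

if __name__ == "__main__":
    c1 = make_challenge()
    r1 = client_response("tom", "secret", c1)
    print("sniffer sees:", r1)  # a hex digest, not the word 'secret'
    print("valid against its own challenge:", server_verify(r1, c1, USERS.get))
    print("replayed against a new challenge:", server_verify(r1, make_challenge(), USERS.get))
```

Without SSL this still only protects the password from being read off the wire; an attacker who records the challenge and response can run an offline dictionary attack against the digest, which is the "some work" Brian refers to.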