[Dovecot] auth failure
Brian Candler
B.Candler at pobox.com
Fri Jun 11 14:35:03 EEST 2004
On Fri, Jun 11, 2004 at 07:11:01AM -0400, Tom Allison wrote:
> I can use telnet 143 to authenticate using plaintext
> ". login username secret"
> but sniffit shows my password as garbled up stuff when I send a password
> through mozilla. Is this a feature of sniffit, mozilla, or what?

I don't know sniffit. What exactly does it show? If it shows

    xxx login username yyy

then yyy *is* the cleartext password. If it shows

    xxx authenticate foo
    yyyyyyy

then yyyyyyy is base64-encoded authentication data (but trivially decoded in
the case where foo is 'PLAIN' or 'LOGIN').

I'd just try "tcpdump -i eth0 -n -s1500 -X tcp port 143" and look at the raw
packets.

> I'm trying to set up SSL, but I'm not sure it will behave well. Last
> time I tried this, I had a consistent feature of my SSL connection
> warning me that my certificate was crap because it wasn't signed
> properly (I didn't pay Thawte/Verisign to let me read my email).

Well, that's correct, because the whole SSL security model depends on the
presence of a trusted third party to vouch for encryption keys. There's a
presentation with a brief overview here:

    http://www.ws.afnog.org/afnog2004/t1/security/crypto-slides.pdf

But you can always set up your own Certificate Authority and manually
install your CA root certificate into your client. That will silence the
messages and maintain security.

> I'll work on SSL over the weekend, but I know I can connect now with
> plaintext. It's only allowing connections from my subnet A to subnet B
> and localhost so it's not as bad as 99.9% of the pop servers out there
> (or am I wrong on that too?).

IMAP and POP are essentially the same as regards authentication. They both
have plain logins (LOGIN or USER/PASS), they both have SASL logins
(AUTHENTICATE or AUTH), SASL logins could also be plaintext (PLAIN or
LOGIN), and they can optionally run over SSL (either on a different port,
or using STARTTLS or STLS).

Regards,
Brian.
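
Added example (not part of the original message): a Python sketch of the distinction drawn above, for checking a capture of your own IMAP port and seeing which login forms put the password on the wire in recoverable form. The function name `exposed_credentials`, the account `alice`/`s3cret` and all sample lines are constructed for illustration; CRAM-MD5 is included only as a contrast to PLAIN and LOGIN.

```python
import base64
import binascii

# Constructed sample: client-to-server lines of four IMAP logins, as a sniffer shows them.
SAMPLE = [
    "a1 login alice s3cret",
    "a2 authenticate PLAIN",
    base64.b64encode(b"\0alice\0s3cret").decode(),
    "a3 authenticate LOGIN",
    base64.b64encode(b"alice").decode(),
    base64.b64encode(b"s3cret").decode(),
    "a4 authenticate CRAM-MD5",
    base64.b64encode(b"alice 0123456789abcdef0123456789abcdef").decode(),
]

def b64(text):
    """Decode one base64 line; return '' if it is not valid base64."""
    try:
        return base64.b64decode(text.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""

def exposed_credentials(client_lines):
    """Return (method, user, password) per login; password is None when the
    mechanism is not one of the directly decodable ones handled here."""
    found = []
    lines = iter(client_lines)
    for line in lines:
        parts = line.split()  # simplification: ignores IMAP quoted strings and literals
        cmd = parts[1].upper() if len(parts) > 1 else ""
        if cmd == "LOGIN" and len(parts) >= 4:
            found.append(("LOGIN command", parts[2], parts[3]))
        elif cmd == "AUTHENTICATE" and len(parts) >= 3:
            mech = parts[2].upper()
            if mech == "PLAIN":
                # Response is: authzid NUL authcid NUL password
                fields = b64(next(lines, "")).split("\0")
                if len(fields) == 3:
                    found.append(("SASL PLAIN", fields[1], fields[2]))
            elif mech == "LOGIN":
                # Two responses: username, then password
                user, password = b64(next(lines, "")), b64(next(lines, ""))
                found.append(("SASL LOGIN", user, password))
            else:
                next(lines, None)  # skip the response; other mechanisms are not decoded here
                found.append(("SASL " + mech, None, None))
    return found

if __name__ == "__main__":
    for method, user, password in exposed_credentials(SAMPLE):
        print(method, user, "RECOVERABLE" if password is not None else "not decoded")
```

Any row reported as recoverable means the password is readable by anyone on the path unless the session runs over SSL.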