[Dovecot] Bug in Dovecot 1.0.5 - CRYPT-MD5 not working

Jim Salter jim at jrs-s.net
Sun Dec 28 04:48:52 EET 2008 

Problem:

Using MySQL storage for the user and password db with MD5-CRYPT hashes, 
Dovecot fails to successfully authenticate when the MD5-CRYPT or MD5 
settings are specified as default_pass_scheme in dovecot-mysql.conf.  
Dovecot /does/ successfully authenticate against MD5-CRYPT hashes when 
default_pass_scheme is set to CRYPT, which according to the docs should 
be DES encryption.  (I do not know whether or not CRYPT actually works 
with DES hashes.)

I am positive that I am using MD5-CRYPT hashes, as I have dropped in 
hashes from a Qmail/Vpopmail vpasswd file and they work with the CRYPT 
setting in Dovecot, as do hashes generated using htpasswd -nmb.


Test system:

Ubuntu Server 7.10, amd64
Dovecot 1.0.5 (from Ubuntu repositories)
Postfix 2.4.5 (from Ubuntu repositories)

Demonstration:

# cat /etc/dovecot/dovecot-mysql.conf
driver = mysql
connect = dbname=redacted user=redacted host=127.0.0.1 password=redacted
default_pass_scheme = MD5-CRYPT
password_query = SELECT password FROM mailbox WHERE username = '%u'
user_query = SELECT maildir, 105 AS uid, 114 AS gid FROM mailbox WHERE 
username  = '%u'
# htpasswd -nmb user password
user:$apr1$bZQl//..$2IPoOibTBaqpG7pPFigOy/
# mysql -u postfix -p
mysql> use redacted;
Database changed
mysql> update userdb set 
password='$apr1$bZQl//..$2IPoOibTBaqpG7pPFigOy/' where username='user';
Query OK, 1 rows affected (0.00 sec)
mysql>quit
Bye
# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Dovecot ready.
a login user password
a NO Authentication failed.
a logout
* BYE Logging out
a OK Logout completed.
Connection closed by foreign host.
# replace MD5-CRYPT CRYPT -- /etc/dovecot/dovecot-mysql.conf
# /etc/init.d/dovecot restart
 * Restarting IMAP/POP3 mail server 
dovecot                                                                                     
[ OK ]
# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Dovecot ready.
a login user password
a OK Logged in.
a logout
* BYE Logging out
a OK Logout completed.
Connection closed by foreign host.

More information about the dovecot mailing list