[Dovecot] SOLVED Intermittent authentication failures

Eric Shubert ejs at shubes.net
Mon Oct 3 19:55:40 EEST 2011


On 10/02/2011 10:28 AM, Timo Sirainen wrote:
> On Sun, 2011-10-02 at 08:53 -0700, Eric Shubert wrote:
>>
>>
>> Oct 02 08:21:40 auth: Info: password(gary at domain.com,192.168.252.8):
>> Requested DIGEST-MD5 scheme, but we have only SHA1
>
> Oh. This was vpopmail specific problem. See if this fixes:
> http://hg.dovecot.org/dovecot-2.0/rev/dbd5f9ec38af
>
>
>

Thanks Timo. Two things.

First, I don't think this is a comprehensive fix covering all 
situations, though I could be wrong. One problem with it is that if the 
password is changed and the plaintext client isn't active, one would 
need to wait for the cached plaintext record to expire before being able 
to log in with an encoded password. Another problem might be if there 
are two separate clients, one using digest-md5 and another using 
cram-md5, I think the second one used would still fail. No? I'm not sure 
how best to handle any combination of clients and authentication 
mechanisms, so I'll leave the solution to your design.

Second and perhaps more importantly, it occurred to me that simply using 
%u as the cache key might be a significant security hole. If passwords 
are cached using only the user account, what's to prevent someone else, 
using another client with the same authentication mechanism at a 
different IP address, from gaining access to an account that's cached? 
Perhaps I'm not understanding this right, but I think that using %u%r as 
the cache key closes this hole, and should probably be recommended in 
the documentation.

I could (as always) be totally off base on this, so please explain if 
I'm misunderstanding something.

Thanks again, Timo. Great work on dovecot.

-- 
-Eric 'shubes'



More information about the dovecot mailing list