[Dovecot] help with AES_DECRYPT and password lookup - mysql password_query
Gedalya
gedalya at gedalya.net
Sun Apr 29 01:38:24 EEST 2012
On 04/28/2012 06:28 PM, Jeff Lacki wrote:
>>> 1. Is it even possible to do this via 'password_query'?
>> Please provide your dovecot version and output of the following command:
>> doveconf -n
>> and the complete external sql query files without passwords.
>>
>> You might alsolet the SQL server compare the encrypted
>> password in the database with the encrypted string:
>>
>> password_query = SELECT NULL AS password, \
>> 'Y' as nopassword, userid AS user \
>> FROM users WHERE userid='%u' AND AES_ENCRYPT('%w','mykey')=password
>>
>> Regards,
>> Daniel
> Thank you Daniel. I downloaded and compiled 2.1.5 yesterday.
> The problem seems to be that '%w' evaulates to an empty string:
>
> Debug: sql(jeff,127.0.0.1): query: SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE userid='jeff' AND AES_DECRYPT('', 'key')=password
>
> I also just noticed that version 2.0.15 in my output below is coming from
> somewhere? I did try setting things up under 2.0.15 initially last week,
> but wanted to be up to date so downloaded the latest yesterday. I never did
> get it all working under 2.0.15 either btw.
>
> dovecot -n -c /opt/dovecot/etc/dovecot/dovecot.conf
> # 2.0.15: /opt/dovecot/etc/dovecot/dovecot.conf
> # OS: Linux 2.6.35.14-106.fc14.x86_64 x86_64 Fedora release 14 (Laughlin) ext4
> auth_debug = yes
> auth_debug_passwords = yes
> auth_mechanisms = cram-md5
> auth_verbose = yes
> auth_verbose_passwords = plain
> default_client_limit = 225
> first_valid_uid = 1000
> listen = *
> lock_method = flock
> mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
> mail_privileged_group = mail
> mbox_lock_timeout = 1 mins
> mbox_write_locks = fcntl
> namespace {
> inbox = yes
> location =
> prefix =
> separator = .
> type = private
> }
> passdb {
> args = /opt/dovecot/etc/dovecot/conf.d/dovecot-sql.conf.ext
> driver = sql
> }
> protocols = imap
> service auth {
> inet_listener {
> port = 12345
> }
> unix_listener /var/spool/postfix/private/auth {
> group = postfix
> mode = 0666
> user = postfix
> }
> user = $default_internal_user
> }
> service imap-login {
> inet_listener imap {
> port = 143
> }
> service_count = 1
> }
> ssl_cert =</etc/pki/dovecot/certs/dovecot.pem
> ssl_key =</etc/pki/dovecot/private/dovecot.pem
> userdb {
> args = /opt/dovecot/etc/dovecot/conf.d/dovecot-sql.conf.ext
> driver = sql
> }
> userdb {
> args = /opt/dovecot/etc/dovecot/conf.d/dovecot-sql.conf.ext
> driver = sql
> }
> userdb {
> args = /opt/dovecot/etc/dovecot/conf.d/dovecot-sql.conf.ext
> driver = sql
> }
> protocol imap {
> imap_idle_notify_interval = 1 mins
> imap_max_line_length = 64 k
> mail_max_userip_connections = 5
> }
>
>
> /mf/home/jeep/shell/.signature
Yeap, you seem to only allow cram-md5. In this case, you client isn't
transmitting the actual password that the user is typing, so dovecot
simply doesn't have the password you want it to put in %w. It rather has
a digest of it.
The only way to use a non-plaintext auth mechanism is to provide dovecot
the correct password from the database in plaintext.
http://wiki2.dovecot.org/Authentication/Mechanisms
More information about the dovecot
mailing list