[Dovecot] Weird Authentication behaviour

Gedalya gedalya at gedalya.net
Mon Mar 24 11:47:24 UTC 2014


On 03/24/2014 07:34 AM, Jürgen Ladstätter wrote:
> Hi guys,
>
> we use dovecot 2.0.9 and authentication against a mysql database. Everything
> works fine, but we found some weird behavior – when the password is e.g.
> “testpass” you also authenticate successfully with “testpass123” or
> “testpassNOT”. Whatever comes after the correct password doesn’t matter, the
> authentication is still successful.
..
> default_pass_scheme = CRYPT
>
http://wiki2.dovecot.org/Authentication/PasswordSchemes --

CRYPT: Traditional DES-crypted password in /etc/passwd (e.g. "pass" = 
vpvKh.SaNbR6s)

Dovecot uses libc's crypt() function, which means that CRYPT is usually 
able to recognize MD5-CRYPT and possibly also other password schemes. 
See all of the *-CRYPT schemes at the top of this page.
 >>>>>>>
*The traditional DES-crypt scheme only uses the first 8 characters of 
the password, the rest are ignored.* Other schemes may have other 
password length limitations (if they limit the password length at all).
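
An added example, not part of the original message or of Dovecot: a sketch for auditing which stored hashes fall under the 8-character rule quoted above when `default_pass_scheme = CRYPT`. The row layout, function names and the label `traditional-DES` are assumptions, and all sample rows are constructed except the wiki's own `vpvKh.SaNbR6s`.

```python
import re

# Traditional DES-crypt output: 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
# Modular-crypt prefixes that libc crypt() may also accept under scheme CRYPT.
MCF = {"$1$": "MD5-CRYPT", "$2a$": "BLF-CRYPT", "$2y$": "BLF-CRYPT",
       "$5$": "SHA256-CRYPT", "$6$": "SHA512-CRYPT"}

def classify(stored, default_scheme="CRYPT"):
    """Guess which scheme a stored value is checked with.

    A leading {SCHEME} prefix overrides the default scheme. The label
    'traditional-DES' is this script's own name for the 13-character form.
    """
    m = re.fullmatch(r"\{([A-Za-z0-9.-]+)\}(.*)", stored)
    scheme, value = (m.group(1).upper(), m.group(2)) if m else (default_scheme, stored)
    if scheme != "CRYPT":
        return scheme
    for prefix, name in MCF.items():
        if value.startswith(prefix):
            return name
    return "traditional-DES" if DES_CRYPT.fullmatch(value) else "UNKNOWN"

def des_key_material(password):
    """The only input traditional DES-crypt uses: low 7 bits of the first 8 bytes."""
    return bytes(b & 0x7F for b in password.encode()[:8])

def truncating_users(rows):
    """Users whose stored hash ignores everything after the 8th character."""
    return [user for user, stored in rows if classify(stored) == "traditional-DES"]

# Constructed sample rows (user, stored password column).
ROWS = [
    ("alice", "vpvKh.SaNbR6s"),                          # wiki example hash
    ("bob", "$6$constructed$" + "A" * 86),               # constructed, not a real hash
    ("carol", "{CRYPT}vpvKh.SaNbR6s"),
    ("dave", "{SHA512-CRYPT}$6$constructed$" + "A" * 86),
]

if __name__ == "__main__":
    for user, stored in ROWS:
        print(f"{user:6} {classify(stored)}")
    print("affected:", truncating_users(ROWS))
    # Same key material, so both strings verify against the same DES-crypt hash.
    print(des_key_material("testpass") == des_key_material("testpass123"))
```

Accounts listed as affected keep accepting any suffix until their password is re-hashed with a scheme that has no such limit, which requires the user's plaintext at the next login or a password reset.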


