Master user and non-plaintext auth does not work
SATOH Fumiyasu
fumiyas at osstech.jp
Mon Sep 1 10:12:26 UTC 2014
Hi,
At Mon, 01 Sep 2014 05:07:07 -0400,
Patrick Domack wrote:
> > I want to use CRAM-MD5 or DIGEST-MD5 (non-plaintext) authentication
> > for master users, but Dovecot 2.2.13 rejects it with the following log:
> >
> > auth_mechanisms = plain login cram-md5 digest-md5
> > disable_plaintext_auth = yes
> > auth_master_user_separator = %
> >
> > passdb {
> > driver = passwd-file
> > args = /etc/dovecot/passwd.masterusers
> > master = yes
> > pass = yes
> > }
> >
> > # don't work too
> > #passdb {
> > # driver = checkpassword
> > # args = /opt/osstech/etc/dovecot/checkpassword.masterusers
> > # master = yes
> > # pass = yes
> > #}
> >
> > passdb {
> > driver = ldap
> > args = /etc/dovecot/dovecot-ldap.conf.ext
> > }
> >
> > Is this a bug or a restriction of Dovecot?
>
> This is a restriction of CRAM-MD5 and DIGEST-MD5.
> They require plaintext passwords; you can't use password hashes on the server if you wish to use them. Or you have to use the special cram/digest-md5 password hash format.
I have plaintext passwords in the master passdb.
The Dovecot debug log with auth_debug=yes and auth_debug_passwords=yes suggests
that the master user's plaintext password (masterpass) from the master passdb
is overridden by the user's password (userpass) from the passdb:
Sep 01 09:49:26 auth: Debug: client in: AUTH 3 CRAM-MD5 service=imap secured no-penalty session=1hIb6/0BXwAKAAEU lip=10.0.103.100 rip=10.0.1.20 lport=143 rport=40031
Sep 01 09:49:26 auth: Debug: client passdb out: CONT 3 PDk0NDAwNTk4NzgwNzM5MzUuMTQwOTU2NDk2NkBsb2NhbGhvc3QubG9jYWxkb21haW4+
Sep 01 09:49:26 auth: Debug: client in: CONT 3 dTAwMDJAZWR1LnR1dC5hYy5qcCVzaGliYm8gYjk1NWUwODliZDQxMDE2N2NkNGI3ZWRlMjE1ODk2N2U= (previous base64 data may contain sensitive data)
Sep 01 09:49:26 auth: Debug: passwd-file(masteruser,10.0.1.20,master,<1hIb6/0BXwAKAAEU>): Master user lookup for login: u0001 at example.jp
Sep 01 09:49:26 auth: Debug: passwd-file(masteruser,10.0.1.20,master,<1hIb6/0BXwAKAAEU>): lookup: user=masteruser file=/etc/dovecot/passwd.masterusers
Sep 01 09:49:26 auth: Debug: passwd-file(masteruser,10.0.1.20,master,<1hIb6/0BXwAKAAEU>): Generating CRAM-MD5 from user 'masteruser', password 'masterpass'
Sep 01 09:49:26 auth: Debug: ldap(u0001 at example.jp,10.0.1.20,<1hIb6/0BXwAKAAEU>): pass search: base=ou=users,dc=edu,dc=tut,dc=ac,dc=jp scope=subtree filter=(uid=u0001) fields=personMailCanonicalAddress,personMailPassword
Sep 01 09:49:26 auth: Debug: ldap(u0001 at example.jp,10.0.1.20,<1hIb6/0BXwAKAAEU>): result: personMailCanonicalAddress=u0001 at example.jp personMailPassword=userpass; personMailPassword,personMailCanonicalAddress unused
Sep 01 09:49:26 auth: Debug: ldap(u0001 at example.jp,10.0.1.20,<1hIb6/0BXwAKAAEU>): result: personMailCanonicalAddress=u0001 at example.jp personMailPassword=userpass
Sep 01 09:49:26 auth: Debug: ldap(u0001 at example.jp,10.0.1.20,<1hIb6/0BXwAKAAEU>): Generating CRAM-MD5 from user 'masteruser', password 'userpass'
Sep 01 09:49:26 auth: Debug: ldap(u0001 at example.jp,10.0.1.20,<1hIb6/0BXwAKAAEU>): Credentials: ff5d74b19e3cb9b2b9f4fcb548fe023aeb44f67f231a5a89714d08b5fec22b78
Sep 01 09:49:28 auth: Debug: client passdb out: FAIL 3 user=u0001 at example.jp authz original_user=masteruser auth_user=masteruser
> There is nothing really to be gained from using these formats, it's just better to require TLS.
I need CRAM-MD5 and DIGEST-MD5 authentication for clients.
Thanks.
--
-- Name: SATOH Fumiyasu @ OSS Technology Corp. (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
-- PGP Fingerprint: BBE1 A1C9 525A 292E 6729 CDEC ADC2 9DCA 5E1C CBCA
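An added illustration of the exchange discussed in this thread (not code from Dovecot or from either poster): a minimal CRAM-MD5 server/client pair with a `%`-separated master login, showing why the server needs the plaintext password to recompute the HMAC, and reproducing the failure in the debug log above, where the digest is regenerated with the login user's password instead of the master user's. All user names and passwords are constructed.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed sample credentials (not values from the mailing-list post).
MASTER_USERS = {"masteruser": "masterpass"}   # master passdb, plaintext as in the poster's setup
USERS = {"u0001@example.jp": "userpass"}      # regular user passdb
MASTER_SEP = "%"                              # auth_master_user_separator = %

def make_challenge() -> bytes:
    """Server challenge in the RFC 2195 form <random.timestamp@host>; Dovecot sends its base64 in CONT."""
    return f"<{int.from_bytes(os.urandom(8), 'big')}.{int(time.time())}@localhost.localdomain>".encode()

def cram_md5_digest(password: str, challenge: bytes) -> str:
    # The digest is keyed on the password itself, which is why a salted hash cannot stand in for it.
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()

def client_response(login: str, password: str, challenge: bytes) -> bytes:
    """Client side: 'login SP hex(HMAC-MD5(password, challenge))', base64-encoded on the wire."""
    return base64.b64encode(f"{login} {cram_md5_digest(password, challenge)}".encode())

def verify(response_b64: bytes, challenge: bytes, use_master_password: bool = True):
    """Server side; returns (ok, login_user, auth_user).
    use_master_password=False mimics the behaviour seen in the debug log, where the expected
    digest was generated with the login user's password rather than the master user's."""
    login, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    user, _, master = login.partition(MASTER_SEP)
    if master:
        if master not in MASTER_USERS or user not in USERS:
            return False, user, master
        secret = MASTER_USERS[master] if use_master_password else USERS[user]
        auth_user = master
    else:
        if user not in USERS:
            return False, user, user
        secret, auth_user = USERS[user], user
    expected = cram_md5_digest(secret, challenge)
    return hmac.compare_digest(expected, digest), user, auth_user
```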