Hi,
At Mon, 01 Sep 2014 05:07:07 -0400, Patrick Domack wrote:
I want to use CRAM-MD5 or DIGEST-MD5 (non-plaintext) authentication for master users, but Dovecot 2.2.13 rejects it with the following log:
auth_mechanisms = plain login cram-md5 digest-md5 disable_plaintext_auth = yes auth_master_user_separator = %
passdb { driver = passwd-file args = /etc/dovecot/passwd.masterusers master = yes pass = yes }
# don't work too #passdb { # driver = checkpassword # args = /opt/osstech/etc/dovecot/checkpassword.masterusers # master = yes # pass = yes #}
passdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext }
Is this a bug or a restriction of Dovecot?
This is a restriction of CRAM-MD5 and DIGEST-MD5 They require plaintext passwords, you can't use password hashes on the server if you wish to use them. Or you have to use the special cram/digest-md5 password hash format.
I have plaintext passwords in the master passdb.
Dovecot debug log with auth_debug=yes and auth_debug_passwords=yes seems that the master's plaintext password (masterpass) from the master passdb is overrided by user's password (userpass) from the passdb:
Sep 01 09:49:26 auth: Debug: client in: AUTH 3 CRAM-MD5 service=imap secured no-penalty session=1hIb6/0BXwAKAAEU lip=10.0.103.100 rip=10.0.1.20 lport=143 rport=40031 Sep 01 09:49:26 auth: Debug: client passdb out: CONT 3 PDk0NDAwNTk4NzgwNzM5MzUuMTQwOTU2NDk2NkBsb2NhbGhvc3QubG9jYWxkb21haW4+ Sep 01 09:49:26 auth: Debug: client in: CONT 3 dTAwMDJAZWR1LnR1dC5hYy5qcCVzaGliYm8gYjk1NWUwODliZDQxMDE2N2NkNGI3ZWRlMjE1ODk2N2U= (previous base64 data may contain sensitive data) Sep 01 09:49:26 auth: Debug: passwd-file(masteruser,10.0.1.20,master,<1hIb6/0BXwAKAAEU>): Master user lookup for login: u0001@example.jp Sep 01 09:49:26 auth: Debug: passwd-file(masteruser,10.0.1.20,master,<1hIb6/0BXwAKAAEU>): lookup: user=masteruser file=/etc/dovecot/passwd.masterusers Sep 01 09:49:26 auth: Debug: passwd-file(masteruser,10.0.1.20,master,<1hIb6/0BXwAKAAEU>): Generating CRAM-MD5 from user 'masteruser', password 'masterpass' Sep 01 09:49:26 auth: Debug: ldap(u0001@example.jp,10.0.1.20,<1hIb6/0BXwAKAAEU>): pass search: base=ou=users,dc=edu,dc=tut,dc=ac,dc=jp scope=subtree filter=(uid=u0001) fields=personMailCanonicalAddress,personMailPassword Sep 01 09:49:26 auth: Debug: ldap(u0001@example.jp,10.0.1.20,<1hIb6/0BXwAKAAEU>): result: personMailCanonicalAddress=u0001@example.jp personMailPassword=userpass; personMailPassword,personMailCanonicalAddress unused Sep 01 09:49:26 auth: Debug: ldap(u0001@example.jp,10.0.1.20,<1hIb6/0BXwAKAAEU>): result: personMailCanonicalAddress=u0001@example.jp personMailPassword=userpass Sep 01 09:49:26 auth: Debug: ldap(u0001@example.jp,10.0.1.20,<1hIb6/0BXwAKAAEU>): Generating CRAM-MD5 from user 'masteruser', password 'userpass' Sep 01 09:49:26 auth: Debug: ldap(u0001@example.jp,10.0.1.20,<1hIb6/0BXwAKAAEU>): Credentials: ff5d74b19e3cb9b2b9f4fcb548fe023aeb44f67f231a5a89714d08b5fec22b78 Sep 01 09:49:28 auth: Debug: client passdb out: FAIL 3 user=u0001@example.jp authz original_user=masteruser auth_user=masteruser
There is nothing really to be gained from using these formats, it's just better to require TLS.
I need CRAM-MD5 and DIGEST-MD5 authentication for clients.
Thanks.
-- -- Name: SATOH Fumiyasu @ OSS Technology Corp. (fumiyas @ osstech co jp) -- Business Home: http://www.OSSTech.co.jp/ -- GitHub Home: https://GitHub.com/fumiyas/ -- PGP Fingerprint: BBE1 A1C9 525A 292E 6729 CDEC ADC2 9DCA 5E1C CBCA