On 10/02/2011 10:28 AM, Timo Sirainen wrote:
On Sun, 2011-10-02 at 08:53 -0700, Eric Shubert wrote:
Oct 02 08:21:40 auth: Info: password(gary@domain.com,192.168.252.8): Requested DIGEST-MD5 scheme, but we have only SHA1
Oh. This was vpopmail specific problem. See if this fixes: http://hg.dovecot.org/dovecot-2.0/rev/dbd5f9ec38af
Thanks Timo. Two things.
First, I don't think this is a comprehensive fix covering all situations, though I could be wrong. One problem with it is that if the password is changed and the plaintext client isn't active, one would need to wait for the cached plaintext record to expire before being able to log in with an encoded password. Another problem might be if there are two separate clients, one using digest-md5 and another using cram-md5, I think the second one used would still fail. No? I'm not sure how best to handle any combination of clients and authentication mechanisms, so I'll leave the solution to your design.
Second and perhaps more importantly, it occurred to me that simply using %u as the cache key might be a significant security hole. If passwords are cached using only the user account, what's to prevent someone else, using another client with the same authentication mechanism at a different IP address, from gaining access to an account that's cached? Perhaps I'm not understanding this right, but I think that using %u%r as the cache key closes this hole, and should probably be recommended in the documentation.
I could (as always) be totally off base on this, so please explain if I'm misunderstanding something.
Thanks again, Timo. Great work on dovecot.
-- -Eric 'shubes'