John Peacock wrote:
Jonathan Ballet wrote:
In fact, it works if I use PLAIN password scheme in my database. However, I would like to store them encrypted. But, if I replace the password field for my user with {HMAC-MD5}-... (the password generated by dovecotpw), it doesn't work.
It is not possible to use the CRAM-MD5 authentication method, unless the server has the password in plaintext. Here's why[1]:
The server generates a *one-time* challenge string and sends it to the client;
The client responds with the username followed by a digest, which is a HMAC-MD5 hash of the challenge string and the user's password;
The server then performs the same HMAC-MD5 hashing of the challenge string it just sent and the plaintext user's password in the database;
If and only if the two HMAC-MD5 hashes are equivalent, does the authentication succeed.
The problem is you have already hashed the password in the database, but the server does not know what challenge string was used (and unlike crypt, the challenge is not stored as part of the hash). There is no way to do what you want using CRAM-MD5 (it's one of the serious design flaws of that method).
HTH
John
I think I understand this, but:
How can it work with nearly the same configuration, using passwd-like files instead of a pgsql database? The auth mechanism is set to 'cram-md5', and the passwords in the passdb file are HMAC-MD5 encrypted passwords (or, if I am wrong somewhere, they are generated by 'dovecotpw -s HMAC-MD5' and start with {HMAC-MD5}). In fact, this is the configuration I want to migrate from :) I'll put the file configuration at the end of the mail [2].
How does dovecotpw generate the HMAC-MD5 encrypted password, if the challenge string used to hash the password is supposed not to be the same each time? I mean, how could the password be used in HMAC-MD5 format, if dovecot doesn't know the secret key used to hash it?
The Dovecot documentation [1] says that the HMAC-MD5 password scheme is used with the CRAM-MD5 authentication mechanism. As far as I understand you, it means it is used, not to store/retrieve the password from the password database (whatever it is), but only to 'encrypt' the communication between the client and the server. It's not very clear ...
Is there any documentation referencing which password scheme can be used with which authentication mechanism? I thought it was in [1], but I might be wrong.
So, what are my options, to have encrypted authentication, and encrypted passwords?
Thanks for your answer,
-- Jonathan
[1] : http://wiki.dovecot.org/Authentication/PasswordSchemes
[2] : Current working configuration :

# grep -v "^[ ]*#" dovecot.conf | grep -v "^$"
protocols = imap
disable_plaintext_auth = yes
log_path = /var/log/mail/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
default_mail_env = maildir:/var/mail/%u
mail_extra_groups = vmail
first_valid_uid = 5000
last_valid_uid = 5000
protocol imap {
}
protocol lda {
  postmaster_address = postmaster@example.com
}
auth default {
  mechanisms = cram-md5
  passdb passwd-file {
    args = /etc/dovecot/userdb.deny
    deny = yes
  }
  passdb passwd-file {
    args = /etc/dovecot/userdb
  }
  userdb passwd-file {
    args = /etc/dovecot/userdb
  }
  user = root
}
dict {
}
plugin {
}
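The four-step CRAM-MD5 exchange from John's reply, as an added example that is not code from this thread or from Dovecot. It also goes one step beyond what the thread states: the server side is written to work from precomputed keyed MD5 contexts (the MD5 state after absorbing key XOR ipad and key XOR opad, which is what an {HMAC-MD5} entry holds) rather than the plaintext, which is why the passwd-file setup works; the caveat for anyone storing such entries is that this stored state lets the holder answer any challenge, so it is as sensitive as the password. Usernames, the password and the challenge host are constructed values.

```python
import hashlib
import hmac
import os

BLOCK = 64  # MD5 block size in bytes, as used by HMAC (RFC 2104)


def hmac_md5(key: bytes, msg: bytes) -> str:
    """Reference HMAC-MD5 hex digest, what a CRAM-MD5 client sends."""
    return hmac.new(key, msg, hashlib.md5).hexdigest()


def precompute_contexts(password: bytes):
    """Keyed inner/outer MD5 contexts derived once from the password.
    Only these two states need to be kept server-side; the password
    itself is not needed again. (Same construction as RFC 2104.)"""
    if len(password) > BLOCK:
        password = hashlib.md5(password).digest()
    key = password.ljust(BLOCK, b"\x00")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return inner, outer


def digest_from_contexts(ctx, challenge: bytes) -> str:
    """Finish HMAC-MD5 for a fresh challenge using only the stored contexts."""
    inner, outer = ctx
    i = inner.copy()
    i.update(challenge)
    o = outer.copy()
    o.update(i.digest())
    return o.hexdigest()


def make_challenge(host: bytes = b"example.com") -> bytes:
    # Step 1: one-time challenge in the usual <random@host> shape (constructed).
    return b"<" + os.urandom(8).hex().encode() + b"@" + host + b">"


def client_response(user: bytes, password: bytes, challenge: bytes) -> bytes:
    # Step 2: "user digest" (base64 wrapping on the wire omitted here).
    return user + b" " + hmac_md5(password, challenge).encode()


def server_verify(response: bytes, challenge: bytes, ctx) -> bool:
    # Steps 3 and 4: recompute from the stored contexts, compare in constant time.
    _user, _, digest = response.partition(b" ")
    expected = digest_from_contexts(ctx, challenge).encode()
    return hmac.compare_digest(digest, expected)
```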