On 01/07/2012 12:44 AM, Timo Sirainen wrote:
> On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:
>> I don't know why this function doesn't check auth->masterdbs, if I insert
>> these lines after line 128, that error goes away, and dovecot's imap-login
>> process happily does DIGEST-MD5 authentication [1]. In my configuration,
>> "masterdbs" contains "passdb passwd-file", "passdbs" contains "passdb pam".
>
> So .. you want DIGEST-MD5 authentication for the master users, but not for
> anyone else? I hadn't really thought anyone would want that..
I hope users use GSSAPI authentication from a native MUA, but RoundCube webmail doesn't support that, so I have to use DIGEST-MD5/CRAM-MD5/PLAIN/LOGIN for authentication between RoundCube and Dovecot, and let RoundCube log in as a master user for the normal user.

I really don't like to transfer the password as plain text, so I prefer DIGEST-MD5 and CRAM-MD5 for both auth mechanisms and password schemes. My last email is partially wrong: DIGEST-MD5 can't be used for master users because 'real_user*master_user' is used to calculate the digest in the IMAP client, which can't be consistent with the digest in passdb because only 'master_user' is used to calculate the digest.

But CRAM-MD5 doesn't use the user name to calculate the digest; I just tried it successfully with my rude patch to src/auth/auth.c in my previous email :-)
# doveadm pw -s CRAM-MD5 -u webmail      (use 123456 as passwd)
# cat > /etc/dovecot/master-users
webmail:{CRAM-MD5}dd59f669267e9bb13d42a1ba57c972c5b13a4b2ae457c9ada8035dc7d8bae41b
^D

$ gsasl --imap imap.corp.example.com --verbose -m CRAM-MD5 -a 'dieken*webmail@corp.example.com' -p 123456
Trying `gold.corp.example.com'...
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
. OK Pre-login capabilities listed, post-login capabilities have more.
. STARTTLS
. OK Begin TLS negotiation now.
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
. OK Pre-login capabilities listed, post-login capabilities have more.
. AUTHENTICATE CRAM-MD5
+ PDM1OTIzODgxNjgyNzUxMjUuMTMyNTg3MDQwMkBnb2xkPg==
ZGlla2VuKndlYm1haWxAY29ycC5leGFtcGxlLmNvbSBkYjRlZWJlMTUwZGZjZjg5NTVkODZhNDBlMGJiZmQzNA==
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
Client authentication finished (server trusted)...
Enter application data (EOF to finish):
It's also OK to use "-a 'dieken*webmail'" instead of "-a 'dieken*webmail@corp.example.com'".
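As an added example (not code from this mail or from Dovecot), the difference described above worked through in Python: CRAM-MD5 only prepends the user name to an HMAC-MD5 over the challenge, while the user:realm:password hash that DIGEST-MD5 builds on has the name baked in. The challenge and response are decoded from the gsasl transcript above; `lookup_password` is a hypothetical passdb hook returning a plaintext password, which Dovecot's {CRAM-MD5} scheme avoids by storing precomputed HMAC state instead.

```python
import base64
import hashlib
import hmac

# Base64 challenge and response copied from the gsasl transcript above.
CHALLENGE_B64 = "PDM1OTIzODgxNjgyNzUxMjUuMTMyNTg3MDQwMkBnb2xkPg=="
RESPONSE_B64 = ("ZGlla2VuKndlYm1haWxAY29ycC5leGFtcGxlLmNvbSBk"
                "YjRlZWJlMTUwZGZjZjg5NTVkODZhNDBlMGJiZmQzNA==")


def decode_transcript():
    """Return (challenge bytes, response text) exactly as they went over the wire."""
    return base64.b64decode(CHALLENGE_B64), base64.b64decode(RESPONSE_B64).decode()


def cram_md5_response(authcid, password, challenge):
    """Client side of CRAM-MD5 (RFC 2195): '<authcid> hex(HMAC-MD5(password, challenge))'.
    The name is only prepended and never enters the digest, so 'dieken*webmail' and
    'webmail' yield the same digest for the same password and challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{authcid} {digest}"


def cram_md5_verify(response, challenge, lookup_password):
    """Server side: split off the name, keep the master user after the
    auth_master_user_separator '*', recompute the HMAC and compare in constant time.
    lookup_password(name) -> plaintext or None is a hypothetical passdb hook (assumption);
    Dovecot's {CRAM-MD5} scheme stores the precomputed HMAC context, not plaintext."""
    authcid, _, digest = response.rpartition(" ")
    master = authcid.split("*", 1)[1] if "*" in authcid else authcid
    master = master.split("@", 1)[0]  # auth_username_format = %n drops the domain
    password = lookup_password(master)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def digest_md5_urp(username, realm, password):
    """The user:realm:password hash DIGEST-MD5's A1 is built on (RFC 2831), which is
    what a digest-md5 passdb entry stores: the name is part of the hash, so the
    'real_user*master_user' name the client hashes cannot match a 'master_user' entry."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


if __name__ == "__main__":
    challenge, response = decode_transcript()
    print("challenge:", challenge.decode())
    print("response :", response)
    # Recheck the transcript's own exchange against the password given in the mail.
    print("verifies :", cram_md5_verify(response, challenge, {"webmail": "123456"}.get))
```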
# doveconf -n
# 2.0.15: /etc/dovecot/dovecot.conf
# OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
auth_debug = yes
auth_debug_passwords = yes
auth_default_realm = corp.example.com
auth_krb5_keytab = /etc/dovecot.keytab
auth_master_user_separator = *
auth_mechanisms = gssapi digest-md5 cram-md5
auth_realms = corp.example.com
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
first_valid_gid = 1000
first_valid_uid = 1000
mail_debug = yes
mail_location = mdbox:/srv/mail/%u/Mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  driver = pam
}
plugin {
  sieve = /srv/mail/%u/.dovecot.sieve
  sieve_dir = /srv/mail/%u/sieve
}
protocols = " imap lmtp sieve"
service auth {
  unix_listener auth-client {
    group = Debian-exim
    mode = 0660
  }
}
ssl_cert =
Regards, Yubao Liu