Jonathan Ballet wrote:
In fact, it works if I use PLAIN password scheme in my database. However, I would like to store them encrypted. But, if I replace the password field for my user with {HMAC-MD5}-... (the password generated by dovecotpw), it doesn't work.
It is not possible to use the CRAM-MD5 authentication method, unless the server has the password in plaintext. Here's why[1]:
The server generates a *one-time* challenge string and sends it to the client;
The client responds with the username followed by a digest, which is an HMAC-MD5 hash of the challenge string and the user's password;
The server then performs the same HMAC-MD5 hashing of the challenge string it just sent and the plaintext user's password in the database;
If and only if the two HMAC-MD5 hashes are equivalent, does the authentication succeed.
The problem is you have already hashed the password in the database, but the server does not know what challenge string was used (and unlike crypt, the challenge is not stored as part of the hash). There is no way to do what you want using CRAM-MD5 (it's one of the serious design flaws of that method).
HTH
John
--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard Suite H
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5748
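The four-step exchange John describes, worked through on both sides as an added example (editor's own Python, not code from the thread or from Dovecot). The challenge format follows RFC 2195, the wire messages are base64-encoded as they would be inside an IMAP AUTHENTICATE CRAM-MD5 continuation, and the user name, password, hostname and both "databases" are constructed sample data. The hashed store holds only MD5(password), the situation the original poster is in, and the server-side recompute fails against it because the HMAC keys on the password itself, not on any hash of it.

```python
"""CRAM-MD5 (RFC 2195) round trip: client and server, run against a
plaintext password store and against a hashed-only store."""
import base64
import hashlib
import hmac
import secrets
import time


def make_challenge(hostname: str = "mail.example.com") -> bytes:
    """Server side: a fresh one-time challenge of the form <random.time@host>.
    The hostname is an assumed sample value."""
    return f"<{secrets.randbelow(10**12)}.{int(time.time())}@{hostname}>".encode()


def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: 'username SP hex(HMAC-MD5(key=password, msg=challenge))'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def server_verify(response: bytes, challenge: bytes, stored_secret) -> bool:
    """Server side: recompute HMAC-MD5 over the challenge it just issued, keyed
    with whatever bytes the password database holds for the user, and compare.

    stored_secret(user) returns those bytes or None.  Only the plaintext
    password reproduces the client's digest; MD5(password) is a different key.
    """
    user, _, digest = response.decode().partition(" ")
    key = stored_secret(user)
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# Constructed sample password databases (not real credentials).
PLAINTEXT_DB = {"jballet": b"correct horse"}
# A hashed-only store: MD5 of the password, and no challenge stored anywhere.
HASHED_DB = {"jballet": hashlib.md5(b"correct horse").hexdigest().encode()}


def run_exchange(db: dict, password: str, challenge: bytes = None) -> bool:
    """Drive one AUTHENTICATE CRAM-MD5 exchange for user 'jballet' against the
    given server-side store and return the server's verdict."""
    if challenge is None:
        challenge = make_challenge()
    # On the IMAP/SMTP wire both messages travel as base64 continuation lines.
    wire_challenge = base64.b64encode(challenge)
    resp = client_response("jballet", password, base64.b64decode(wire_challenge))
    wire_response = base64.b64encode(resp)
    return server_verify(base64.b64decode(wire_response), challenge, db.get)


if __name__ == "__main__":
    print("plaintext store, right password:", run_exchange(PLAINTEXT_DB, "correct horse"))
    print("plaintext store, wrong password:", run_exchange(PLAINTEXT_DB, "wrong"))
    print("hashed store, right password:   ", run_exchange(HASHED_DB, "correct horse"))
```

Running it prints True, False, False: the hashed store rejects the correct password because the server is keying the HMAC with the hex digest rather than with the secret the client used, and nothing in a stored digest lets it recover that secret for a challenge it has only just generated.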