On 28.09.2018 04:24, Adam Gold wrote:
Hello everyone. I'm close to completing my first build of a mail server - Postfix, Dovecot, Postgres (I know, sounds like overkill), Rspamd with Redis and Unbound (please infer a mega lack of experience disclaimer). The model is standalone internet with remote sasl-authenticated clients.
Throughout the process I've been having consistent problems with user password authentication. Both when I began, when I was only using flat files, and now with pgsql, more often than not my username (full email address) and password combo have been rejected. The postfix logs started with fairly innocent 'failed login' messages and eventually reached the "you don't own this email address, you're a spammer" level. Dovecot has been consistent with "auth: Debug: client passdb out: FAIL" messages.
Before I looked at this issue specifically, my guess was it came from a Postfix restriction but having spent quite a while going through it today, I don't think that's where it lies.
Finally I went back to basics and changed an account password to {PLAIN}12345 and what do you know - effortless success! Previously I'd been using mainly argon, ssha512, sha512-crypt and a few others. My passwords are strong (well in excess of 20 characters, 'randomly' generated). I spent this afternoon narrowing down the hashes and while I haven't finished, the only one I couldn't get to work with 12345 was argon.
I also noticed that the wiki says the 2I and 2ID versions of Argon are available; doveadm pw always returned a "does not exist" error when I tried to use 2ID.
I'm using Dovecot version 2.3.2.1 (0719df592)
Hi!
ARGON2ID is present only if dovecot is compiled with ARGON2ID capable libsodium.
Also, we recently found out that you need to increase auth process vsz limit if you are using ARGON2 algorithm, otherwise it will segfault or return failure due to memory constraints.
service auth {
  vsz_limit = 2G # or higher, or 0 for no limit.
}
Aki
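Added example, not part of the thread and not Dovecot code: a check that reads the memory cost (m=, in KiB) from a stored Argon2 encoded hash and compares it with a vsz_limit value such as the one above. The function names, the 64M baseline allowance for the rest of the auth process and the sample hashes are assumptions made for illustration.

```python
import re

# Size suffixes accepted here (B, k, M, G, T as powers of 1024), case-insensitive.
_UNITS = {"": 1, "B": 1, "K": 1024, "M": 1024**2, "G": 1024**3, "T": 1024**4}

# Argon2 encoded-hash form, optionally preceded by a {SCHEME} prefix.
_ARGON2_RE = re.compile(
    r"^(?:\{[A-Z0-9]+\})?\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$"
)

def parse_size(text):
    """Convert a size such as '2G' or '256M' to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([BbKkMmGgTt]?)\s*", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).upper()]

def argon2_memory_bytes(stored_hash):
    """Return the memory cost of an Argon2 encoded hash in bytes (m= is KiB)."""
    m = _ARGON2_RE.match(stored_hash)
    if not m:
        raise ValueError("not an Argon2 encoded hash")
    return int(m.group(3)) * 1024

def fits_vsz_limit(stored_hash, vsz_limit, baseline="64M"):
    """True if verifying the hash should fit inside the auth process limit.

    baseline is an ASSUMED allowance for the process's other memory use;
    measure the real figure on your own server.
    """
    limit = parse_size(vsz_limit)
    if limit == 0:  # 0 means no limit, as in the reply above
        return True
    return argon2_memory_bytes(stored_hash) + parse_size(baseline) <= limit

# Constructed sample values (salt and digest are placeholders, not real hashes).
SAMPLE_LIGHT = "{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$c2FsdHNhbHQ$ZGlnZXN0"
SAMPLE_HEAVY = "{ARGON2ID}$argon2id$v=19$m=1048576,t=3,p=1$c2FsdHNhbHQ$ZGlnZXN0"

if __name__ == "__main__":
    for h in (SAMPLE_LIGHT, SAMPLE_HEAVY):
        for limit in ("256M", "2G", "0"):
            print(h.split("$")[1], argon2_memory_bytes(h) // 2**20, "MiB",
                  "limit", limit, "->", fits_vsz_limit(h, limit))
```

Run it over the hashes actually stored in the passdb; a hash whose m= value alone approaches the limit is a candidate for the failures described above.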