On 03/24/2014 07:34 AM, Jürgen Ladstätter wrote:
Hi guys,
we use dovecot 2.0.9 and authentication against a mysql database. Everything works fine, but we found some weird behavior – when the password is e.g. “testpass” you also authenticate successfully with “testpass123” or “testpassNOT”. Whatever comes after the correct password doesn’t matter, the authentication is still successful. .. default_pass_scheme = CRYPT
http://wiki2.dovecot.org/Authentication/PasswordSchemes --
CRYPT: Traditional DES-crypted password in /etc/passwd (e.g. "pass" = vpvKh.SaNbR6s)
> *The traditional DES-crypt scheme only uses the first 8 characters of
Dovecot uses libc's crypt() function, which means that CRYPT is usually able to recognize MD5-CRYPT and possibly also other password schemes. See all of the *-CRYPT schemes at the top of this page. the password, the rest are ignored.* Other schemes may have other password length limitations (if they limit the password length at all).