[Dovecot] Dovecot CRAM-MD5 & DIGEST-MD5
Hello all.
I'm trying to set up SMTP Auth using Dovecot SASL. I use swaks for tests.
I store users in LDAP. As I understand it, for CRAM & DIGEST MD5 we need to store the pass in clear text?... OK.
mail: admin3@domain.off
userPassword: 123 <- Clear text
What I do:
%swaks -a CRAM-MD5 -au admin3@domain.off -ap 123
To: admin3@domain.off
=== Trying mx.domain.off:25...
=== Connected to mx.domain.off.
<- 220 mx.domain.off ESMTP Exim 4.69 Tue, 08 Jul 2008 19:14:24 +0000
-> EHLO mx.domain.off
<- 250-mx.domain.off Hello mx.domain.off [172.16.1.19]
<- 250-SIZE 13631488
<- 250-PIPELINING
<- 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
<- 250-STARTTLS
<- 250 HELP
-> AUTH CRAM-MD5
<- 334 PDM4ODYwNTQ1MjEzMTA3NDEuMTIxNTU0NDQ2NEBteC5kb21haW4ub2ZmPg==
-> YWRtaW4zQGRvbWFpbi5vZmYgMGJlYzIzOTA5Zjg4OTc3MDdkYTJmZmNmOTEzMDBhMmM=
<** 535 Incorrect authentication data
*** No authentication type succeeded
-> QUIT
<- 221 mx.domain.off closing connection
=== Connection closed with remote host.
Exim says:
SMTP<< AUTH CRAM-MD5
9657 dovecot authentication
9657 AUTH 12 CRAM-MD5 service=smtp secured rip=172.16.1.19 lip=172.16.1.19 resp=
9657 received: CONT 12 PDM0MTMzMjg1NTUyOTE0MjMuMTIxNTU0NDcwMUBteC5kb21haW4ub2ZmPg==
9657 SMTP>> 334 PDM0MTMzMjg1NTUyOTE0MjMuMTIxNTU0NDcwMUBteC5kb21haW4ub2ZmPg==
9657 received: FAIL 12 user=admin3@domain.off
9657 SMTP>> 535 Incorrect authentication data
9657 auth_cram_md5 authenticator failed for mx.domain.off [172.16.1.19] I=[172.16.1.19]:26: 535 Incorrect authentication data (set_id=admin3@domain.off)
9657 SMTP<< QUIT
Dovecot logs:
Info: auth(default): new auth connection: pid=9713
Info: auth(default): client in: AUTH 11 CRAM-MD5 service=smtp secured rip=172.16.1.19 lip=172.16.1.19 resp=<hidden>
Info: auth(default): client out: CONT 11 PDU5MjUzNjc0Mjg1NDAyNjUuMTIxNTU0NDkyN0BteC5kb21haW4ub2ZmPg==
Info: auth(default): client in: CONT<hidden>
Info: auth(default): ldap(admin3@domain.off,172.16.1.19): pass search: base=dc=Virtual-Domains,dc=DOMAIN scope=subtree filter=(&(objectClass=mailUser)(mail=admin3@domain.off)) fields=mail,userPassword
Info: auth(default): ldap(admin3@domain.off,172.16.1.19): result: mail(user)=admin3@domain.off userPassword(password)=<hidden>
Error: auth(default): password(admin3@domain.off,172.16.1.19): Invalid password format for scheme CRAM-MD5
Info: auth(default): client out: FAIL 11 user=admin3@domain.off
password(admin3@domain.off,172.16.1.19): Invalid password format for scheme CRAM-MD5
Hm... as I see it, something is wrong in my dovecot-ldap.conf? The main idea of it is mail = user, userPassword = password.
dovecot-ldap.conf:
hosts = 127.0.0.1
dn = uid=Dovecot,ou=System-Users,dc=DOMAIN
dnpass = 123
debug_level = 0
ldap_version = 3
base = dc=Virtual-Domains,dc=DOMAIN
deref = never
scope = subtree
user_attrs =
user_filter = (&(objectClass=mailUser)(mail=%u))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=mailUser)(mail=%u))
default_pass_scheme = CRAM-MD5
Dovecot logs with debug_level=1 in attachment.
Help me please - I am running out of ideas. :-(
-- Best regards, Proskurin Kirill
On Tue, Jul 8, 2008 at 5:39 PM, Proskurin Kirill k.proskurin@fxclub.org wrote:
Error: auth(default): password(admin3@domain.off,172.16.1.19): Invalid password format for scheme CRAM-MD5
dovecot-ldap.conf: default_pass_scheme = CRAM-MD5
Set default_pass_scheme to PLAIN as you store passwords in plain text.
For improved security, store the passwords in HMAC-MD5-format.
For CRAM-MD5 auth you do not need to store the password in PLAIN format. It is ok to store the password in HMAC-MD5 format.
For DIGEST-MD5 you need to store the pass in PLAIN format.
Chris
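The CRAM-MD5 exchange from the swaks session, as an added example that is not part of the original thread: the server has to recompute HMAC-MD5 keyed with the user's secret over the challenge it sent, which is why a store holding only an ordinary one-way hash cannot answer it. The function names and the two in-memory stores are assumptions made for illustration; the challenge is the one on the 334 line of the first post.

```python
import base64
import hashlib
import hmac

# Challenge copied from the "334" line of the swaks session in the original post.
CAPTURED_CHALLENGE_B64 = "PDM4ODYwNTQ1MjEzMTA3NDEuMTIxNTU0NDQ2NEBteC5kb21haW4ub2ZmPg=="


def client_response(user, password, challenge_b64):
    """Client side: base64 of '<user> <hex HMAC-MD5(key=password, msg=challenge)>'."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(lookup_secret, challenge_b64, response_b64):
    """Server side: recompute the HMAC from the stored secret and compare."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except ValueError:  # bad base64 or bad UTF-8
        return False
    user, _, digest = decoded.rpartition(" ")  # the digest is the last field
    secret = lookup_secret(user)
    if secret is None:
        return False
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.lower().encode())


def demo():
    user, password = "admin3@domain.off", "123"  # test account from the post
    response = client_response(user, password, CAPTURED_CHALLENGE_B64)
    # Constructed stores: one keeps the password as-is, one keeps only a one-way hash.
    plain_store = {user: password}
    hashed_store = {user: hashlib.sha1(password.encode()).hexdigest()}
    return {
        "challenge": base64.b64decode(CAPTURED_CHALLENGE_B64).decode(),
        "plain_store_ok": server_verify(plain_store.get, CAPTURED_CHALLENGE_B64, response),
        "hashed_store_ok": server_verify(hashed_store.get, CAPTURED_CHALLENGE_B64, response),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```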
Chris Laif wrote:
On Tue, Jul 8, 2008 at 5:39 PM, Proskurin Kirill k.proskurin@fxclub.org wrote:
Error: auth(default): password(admin3@domain.off,172.16.1.19): Invalid password format for scheme CRAM-MD5
dovecot-ldap.conf: default_pass_scheme = CRAM-MD5
Set default_pass_scheme to PLAIN as you store passwords in plain text.
For improved security, store the passwords in HMAC-MD5-format.
For CRAM-MD5 auth you do not need to store the password in PLAIN format. It is ok to store the password in HMAC-MD5 format.
For DIGEST-MD5 you need to store the pass in PLAIN format.
Thank you for the reply. It works.
Sad, but mostly I need DIGEST-MD5. :-(
-- Best regards, Proskurin Kirill