[Dovecot] Secure authentication?
I have enabled SSL support for my Dovecot installation, but if I enable secure authentication in my MUA, I get an error from Dovecot telling me that this is not supported.
Is this because Dovecot does not support this, or am I missing some config?
Regards,
BTJ
--
Bjørn T Johansen
btj@havleik.no
Someone wrote: "I understand that if you play a Windows CD backwards you hear strange Satanic messages" To which someone replied: "It's even worse than that; play it forwards and it installs Windows"
Show output from: dovecot -n
On 11.11.2007 3:13, Bjørn T Johansen wrote:
On 2007-11-11 01:13, Bjørn T Johansen wrote:
Might be. But note that "secure authentication" can mean CRAM-MD5, DIGEST-MD5, Kerberos and so on, which are not simple plain-text or merely Base64-encoded mechanisms. SSL, on the other hand, is a way to make a secure *connection*. So make sure some of the above mechanisms are enabled in your Dovecot installation as well.
Jürgen
---AV & Spam Filtering by M+Guardian - Risk Free Email (TM)---
On 11.11.2007 14:18, Jürgen Herz wrote:
Agree, it's probably this, because secure authentication means a secure password, not a secure connection.
Jürgen Herz wrote:
So, if we are talking about authentication, I always get the error:
Nov 11 14:10:05 goofy postfix/smtpd[8089]: warning: unknown[192.168.0.3]: SASL CRAM-MD5 authentication failed: PDcyNTc4NDY4NjgyMTIxMDEuMTE5NDc4MzAwM0Bnb29meS5jZWx1bG96YS5ybz4=
Nov 11 14:10:05 goofy postfix/smtpd[8089]: A1338855EA1: client=unknown[192.168.0.3], sasl_method=PLAIN, sasl_username=bazy@goofy.celuloza.ro
Do I need to store the password in MySQL with MD5? I don't fully understand it... Why do I get that error?
Right now my "default_pass_scheme = CRYPT", and in MySQL I'm using ENCRYPT() when I store a password.
I am using Thunderbird 2, and my authentication mechanism:
auth default {
  mechanisms = plain login cram-md5
  passdb sql {
    args = /etc/dovecot-sql.conf
  }
  userdb sql {
    args = /etc/dovecot-userdb-sql.conf
  }
  socket listen {
    client {
      user = postfix
      group = postfix
      path = /var/spool/postfix/private/auth
      mode = 0660
    }
  }
}
Bazy wrote:
Do I need to store the password in MySQL with MD5? I don't fully understand it... Why do I get that error?
Right now my "default_pass_scheme = CRYPT", and in MySQL I'm using ENCRYPT() when I store a password.
No, you need to store passwords encrypted with CRAM-MD5 to use CRAM-MD5; if your password is encrypted using CRYPT, only CRYPT is available.
Generally you need to store unencrypted passwords to allow the client to choose which encryption to use. Then the hash is generated internally by Dovecot from the unencrypted password. If the password is already encrypted, only that encryption method is available; e.g. you can't generate an MD5 hash from a crypt hash.
Uldis
Uldis Pakuls wrote:
I know I can't generate MD5 from MySQL ENCRYPT() :) but I understand now, thank you for explaining it to me.
On Sun 11 Nov 2007, Jürgen Herz wrote:
Apologies for a very ignorant question, but I am puzzled by authentication generally in Linux. E.g. does one have to choose between CRAM-MD5, etc.? Could I just ignore them all if I use SSL?
Is there a clear and simple document on authentication in Linux?
Bjørn T Johansen wrote:
SSL and secure passwords are different things. If you've enabled SSL on the client, secure passwords are redundant really; the whole connection is encrypted. Secure password authentication is only supported by Dovecot when your backend password store is in unencrypted plain text: the client hashes the password, which is compared to a hash generated by the server. If memory serves, SPA is based on NTLM, hence the requirement for plaintext in the backend for generation of the hash, though I suppose if you were storing NTLM hashes it could be made to work. Personally, I prefer to have the passwords securely encrypted in the backend, and so rely on SSL for securing the connection, disregarding SPA entirely.
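Worked example added here (not code from the thread or from Dovecot) to make concrete the point both Uldis and Peter make: a challenge-response mechanism such as CRAM-MD5 can only be verified when the server holds the password itself (Dovecot's CRAM-MD5 scheme stores a precomputed HMAC-MD5 context instead of the password, which is why Uldis's "stored with CRAM-MD5" also works), whereas a one-way CRYPT hash can only be checked when the client sends the password, i.e. PLAIN or LOGIN, ideally under SSL. It also decodes the base64 blob from Bazy's "SASL CRAM-MD5 authentication failed" log line, which turns out to be the server's own challenge string rather than anything secret. The user name and password below are constructed; the thread never shows the real password, and the PBKDF2 hash stands in for Dovecot's CRYPT scheme only to model irreversibility.

```python
import base64
import hashlib
import hmac
import os

# Challenge copied from the postfix/smtpd "SASL CRAM-MD5 authentication failed"
# line quoted in this thread; the server sends it base64-encoded as the first
# step of AUTH CRAM-MD5 (RFC 2195).
LOGGED_CHALLENGE_B64 = "PDcyNTc4NDY4NjgyMTIxMDEuMTE5NDc4MzAwM0Bnb29meS5jZWx1bG96YS5ybz4="

# Constructed sample credentials (assumptions): the thread never shows the
# real password for this account.
SAMPLE_USER = "bazy@goofy.celuloza.ro"
SAMPLE_PASSWORD = "correct horse battery staple"


def decode_challenge(challenge_b64):
    """The blob logged after 'authentication failed' is the server's own
    challenge (<random.timestamp@host>), not a leaked client secret."""
    return base64.b64decode(challenge_b64).decode("ascii")


def cram_md5_response(user, password, challenge):
    """Client side of RFC 2195: 'user' SP hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return user + " " + digest


# Two ways a passdb can hold the secret.  PLAIN keeps the password itself.
# ONEWAY is a salted one-way hash standing in for Dovecot's CRYPT scheme
# (MySQL ENCRYPT() / crypt(3)); which hash is used is not the point, the
# irreversibility is.
def store_plain(password):
    return ("PLAIN", password)


def store_oneway(password, salt=None):
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return ("ONEWAY", salt.hex() + "$" + digest.hex())


def verify_plain(stored, password):
    """PLAIN/LOGIN hand the server the password itself, so either stored
    scheme can be checked (SSL is what protects the password in transit)."""
    scheme, value = stored
    if scheme == "PLAIN":
        return hmac.compare_digest(value.encode(), password.encode())
    salt_hex, _ = value.split("$", 1)
    recomputed = store_oneway(password, bytes.fromhex(salt_hex))[1]
    return hmac.compare_digest(recomputed.encode(), value.encode())


def verify_cram_md5(stored, challenge, response):
    """Server side of CRAM-MD5.  The server must recompute HMAC-MD5 keyed with
    the password, so it needs the password (or a precomputed HMAC context).
    A one-way hash gives nothing to key the HMAC with: return None, the
    analogue of Dovecot refusing the mechanism for this passdb scheme."""
    scheme, value = stored
    if scheme != "PLAIN":
        return None
    _user, _, client_digest = response.partition(" ")
    expected = hmac.new(value.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), client_digest.encode())


if __name__ == "__main__":
    challenge = decode_challenge(LOGGED_CHALLENGE_B64)
    response = cram_md5_response(SAMPLE_USER, SAMPLE_PASSWORD, challenge)
    print("challenge:", challenge)
    print("response :", response)
    for stored in (store_plain(SAMPLE_PASSWORD), store_oneway(SAMPLE_PASSWORD)):
        print(stored[0], "CRAM-MD5:", verify_cram_md5(stored, challenge, response),
              "PLAIN:", verify_plain(stored, SAMPLE_PASSWORD))
```

Running it shows the PLAIN-scheme store verifying both mechanisms while the one-way store can only verify a PLAIN login; that is exactly the trade-off in the thread, and the reason the usual choice with hashed passdb entries is `mechanisms = plain login` plus `disable_plaintext_auth = yes` so the password only ever travels inside the SSL session.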
On Sun, 11 Nov 2007 22:28:52 +1100 Peter Fern dovecot@obfusc8.org wrote:
Yes, thanks for all the replies... It was all a misunderstanding on my part about what secure authentication really was, but SSL is up and working anyway... :)
BTJ
participants (7)
- Bazy
- Bjørn T Johansen
- Jürgen Herz
- Nikolay Shopik
- Peter Fern
- Timothy Murphy
- Uldis Pakuls