[Dovecot] Proxy MD5/NTLM requests not working
Having some problems with setting up a proxy with any authentication mechanisms other than PLAIN. My passwords are stored in my database in plaintext (and MD5), so I figure I could use whatever scheme I want. Using the latest RC15. MySQL for the backend.
This first one is CRAM-MD5. It fails (scheme_r != NULL??), then PLAIN tries to take over, but the auth server is restarting:
Info: auth(default): client in: AUTH 1 CRAM-MD5 service=POP3 secured lip=204.x.x.x rip=209.x.x.x resp=
Info: auth(default): client out: CONT 1 PDA1MTA2OTcxNzY0NjA1MTAuMTE2NjIwMjUxNkBtYXJiZWxsYS5pbmZvd2VzdC5jb20+
Info: auth(default): client in: CONT 1 YnV0Y2hAaW5mb3dlc3QuY29tIDBhNGNjNDJlN2QxOWI4ZjlkYjk0MjE2OTgxOGVmM2Ri
Error: auth(default): file passdb-cache.c: line 120 (passdb_cache_lookup_credentials): assertion failed: (*scheme_r != NULL)
Error: child 63406 (auth) killed with signal 6
Info: pop3-login: Authenticate PLAIN failed: Authentication failed: Authentication server isn't connected, try again later..: method=PLAIN, rip= 209.x.x.x, lip=204.x.x.x, TLS
After this I tried adding this line to my Proxy dovecot-sql.conf file since the Destination already had it:
default_pass_scheme = plain
When I try connecting now, I get this:
Info: auth(default): client in: AUTH 1 CRAM-MD5 service=POP3 secured lip=204.x.x.x rip=209.x.x.x resp=
Info: auth(default): client out: CONT 1 PDg1NDgyMTgxOTgyNzI0NDIuMTE2NjIwMzg2MkBtYXJiZWxsYS5pbmZvd2VzdC5jb20+
Info: auth(default): client in: CONT 1 YnV0Y2hAaW5mb3dlc3QuY29tIDIzM2FjODE3NmMwNzZkNWE1MmZhNzdhNDJlODVmMjAy
Info: auth-worker(default): sql(user@host.com,209.x.x.x): query: SELECT NULL AS password, v.storeIP AS host, v.userID AS destuser, 'Y ' AS nologin, 'Y' AS nodelay, 'Y' AS proxy FROM virtmailbox AS v WHERE v.userID = 'user@host.com' and v.imap_active = 1
Error: auth-worker(default): file passdb.c: line 120 (passdb_handle_credentials): assertion failed: (password != NULL)
Error: child 69536 (auth-worker) killed with signal 6
Info: auth(default): client out: FAIL 1 user=user@host.com temp
This last error is the same that I get when trying NTLM. Now, the password should be NULL, since I don't want to do any authentication on the Proxy, but simply forward it off to let the destination host handle it.
Now the host that the proxy sends it off to works fine when I connect to it directly. I have the same default mechanisms allowed on both Proxy and destination.
Anybody have any clues? I'd really like to figure out how to proxy "secure password" requests to my destination server without having to rely on plaintext. Plaintext works fine with the proxy, but I am unable to get anything else working.
Am I overlooking something obvious?
Thanks,
Cassidy
On Fri, 2006-12-15 at 10:49 -0700, Cassidy B. Larson wrote:
Having some problems with setting up a proxy with any authentication mechanisms other than PLAIN. My passwords are stored in my database in plaintext (and MD5), so I figure I could use whatever scheme I want. Using the latest RC15. MySQL for the backend.
Nope. One important idea behind the non-plaintext authentication mechanisms is that they prevent man-in-the-middle attacks, which a proxy basically is. So it's pretty much impossible to do what you want (unless there's some co-operation between proxy-dovecot-auth and remote-server-auth, and even then I'm not sure if it would work with all mechanisms).
It would be possible for the user to authenticate with the proxy and then for the proxy to pass some proxy-master username and password which authenticate to the remote server (see http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy). Although I haven't tried if this works with non-plaintext mechanisms either.
Error: auth(default): file passdb-cache.c: line 120 (passdb_cache_lookup_credentials): assertion failed: (*scheme_r != NULL)
Umm. I'll see if I can get this fixed. It shouldn't crash in any case..
Error: auth-worker(default): file passdb.c: line 120 (passdb_handle_credentials): assertion failed: (password != NULL)
Crashes are bad, will see about fixing this one too :)
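To make the man-in-the-middle point above concrete, here is an added worked example (written for this edit, not code from the thread or from Dovecot). It models CRAM-MD5 as RFC 2195 defines it: the server sends a unique challenge, the client answers with HMAC-MD5 keyed by the plaintext password over that challenge, and the server recomputes the same HMAC from its stored password. A proxy that stores no password (the `SELECT NULL AS password` passdb in the thread) can neither verify that answer nor reuse it, because the destination server issues its own, different challenge. All usernames, hostnames and the password below are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credentials; nothing here comes from the thread's logs.
USER = "alice@example.net"
PASSWORD = "correct horse battery staple"


def make_challenge(hostname: str) -> bytes:
    """Server side: build an RFC 2195-style challenge '<nonce.time@host>'.
    It must be unique and unpredictable so a response is bound to one session."""
    return f"<{secrets.token_hex(8)}.{secrets.randbits(32)}@{hostname}>".encode()


def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: HMAC-MD5 keyed with the plaintext password over the challenge.
    Returns the base64 wire line ('user hexdigest'), like the CONT reply in the log."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def verify(username: str, password_db: dict, challenge: bytes, response_b64: bytes) -> bool:
    """Server side: recompute the digest from the stored plaintext password.
    Without a stored password there is nothing to key the HMAC with, so verification fails."""
    try:
        user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    if user != username or user not in password_db:
        return False
    expected = hmac.new(password_db[user].encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def simulate(password: str = PASSWORD) -> dict:
    """Compare a direct login with a login through a password-less proxy."""
    backend_db = {USER: password}  # the destination server knows the password

    # 1. Direct login: the client answers the backend's own challenge.
    c1 = make_challenge("backend.example.net")
    direct_ok = verify(USER, backend_db, c1, cram_md5_response(USER, password, c1))

    # 2. Via the proxy: the proxy issues its own challenge and receives a response
    #    bound to it. Opening a new connection to the backend yields a *different*
    #    challenge, so the response the proxy holds is useless there.
    proxy_challenge = make_challenge("proxy.example.net")
    client_resp = cram_md5_response(USER, password, proxy_challenge)
    backend_challenge = make_challenge("backend.example.net")
    relayed_ok = verify(USER, backend_db, backend_challenge, client_resp)

    # 3. The proxy cannot verify the response locally either: its passdb returned
    #    NULL for the password, which is modelled here as an empty database.
    proxy_db = {}
    proxy_can_verify = verify(USER, proxy_db, proxy_challenge, client_resp)

    return {
        "direct_ok": direct_ok,
        "relayed_ok": relayed_ok,
        "proxy_can_verify": proxy_can_verify,
    }


if __name__ == "__main__":
    print(simulate())  # expected: direct_ok True, relayed_ok False, proxy_can_verify False
```

The only way out of this, as the reply notes, is cooperation: either the proxy holds the user's plaintext password (so it can verify and then authenticate onward itself), or it authenticates to the destination with separate proxy credentials after verifying the user locally. Both require the proxy to possess a secret, which is exactly what challenge-response mechanisms are designed to deny a man-in-the-middle.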