Requested CRAM-MD5 scheme, but we have only CRYPT
Hi,
I use dovecot-2.3.15 with MySQL backend for authentication.
I just converted cleartext credentials in SSHA512. Authentication (POP3/IMAP/Roundcube webmail) is working fine.
I got a few users complaining about login issues with Thunderbird.
Logs show this:
Dec 1 16:34:52 mailserver dovecot[72554] auth-worker(72559): conn unix:auth-worker (uid=143): auth-worker<5294>: sql(user@domain.net,xx.yy.ww.zz,<g+jCZhfS/N1dKskw>): Requested CRAM-MD5 scheme, but we have only CRYPT
I don't understand this error. It seems I still support CRAM-MD5:
telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
This is my conf:
doveconf -n
# 2.3.15 (0503334ab1): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 13.0-RELEASE-p4 amd64 zfs
# Hostname: server.domain.net
doveconf: Warning: please set ssl_dh=</usr/local/etc/dovecot/dh.pem
doveconf: Warning: You can generate it with: dd if=/var/db/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /usr/local/etc/dovecot/dh.pem
auth_debug = yes
auth_mechanisms = plain login digest-md5 cram-md5
auth_verbose = yes
default_client_limit = 2000
default_process_limit = 500
default_vsz_limit = 512 M
disable_plaintext_auth = no
first_valid_gid = 125
first_valid_uid = 125
imap_id_log = *
mail_gid = 1003
mail_location = maildir:/mail/domains
mail_privileged_group = postfix
mail_uid = 1003
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql-crypt.conf.ext
  driver = sql
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service imap {
  process_limit = 1024
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert = </etc/ssl/wildcard.domain.net_bundle.crt
ssl_dh =  # hidden, use -P to show it
ssl_key =  # hidden, use -P to show it
userdb {
  args = /usr/local/etc/dovecot/dovecot-sql-crypt.conf.ext
  driver = sql
}
protocol imap {
  mail_max_userip_connections = 100
}
this is my dovecot-sql-crypt.conf.ext:
# cat /usr/local/etc/dovecot/dovecot-sql-crypt.conf.ext
driver=mysql
default_pass_scheme=CRYPT
connect= host=db.domain.net port=3306 dbname=mail user=user password=xxxxxxxxxxxxxxxxxxxx
#password_query = SELECT case when crypt is not null then crypt else password end as password FROM mailbox WHERE username='%u' AND suspended='N'
password_query = SELECT case when crypt is not null then crypt else password_crypt end as password FROM mailbox WHERE username='%u' AND suspended='N'
user_query = SELECT concat('maildir:',home) as mail, 125 AS uid, 125 AS gid FROM mailbox WHERE username='%u' AND suspended='N'
Thank you
auth_mechanisms = plain login digest-md5 cram-md5
You still advertise them though.
Aki
On 01/12/2021 18:09 absolutely_free@libero.it wrote:
Hi, I am wondering if I can simply disable CRAM-MD5 and/or DIGEST-MD5. Are they useful in case of SSL or TLS connections? Thank you
Il 01/12/2021 18:42 Aki Tuomi <aki.tuomi@open-xchange.com> ha scritto:
auth_mechanisms = plain login digest-md5 cram-md5
You still advertise them though.
Aki
Hello
auth_mechanisms are only for encrypting passwords while authenticating. They have nothing to do with transport encryption aka TLS and STARTTLS.
You can only use CRAM-MD5 when your authentication source provides plain passwords. As you use password hashes in your authentication source, you have to disable it. Else a client will try to send you the CRAM-MD5 encrypted password, which you can not check for validity.
Hope this clears it a bit.
Kind regards, Christian Mack
On 01.12.21 23:26, absolutely_free@libero.it wrote:
-- Christian Mack Universität Konstanz Kommunikations-, Informations-, Medienzentrum (KIM) Abteilung IT-Dienste Forschung und Lehre 78457 Konstanz +49 7531 88-4416
Am 02.12.2021 um 10:11 schrieb Christian Mack:
You only can use CRAM-MD5 when your authentication source provides plain passwords.
And that's the biggest issue with these shared secret authentication mechanisms: that you have to store the passwords unencrypted/unsalted. Never a good idea to store passwords in plain text.
Alexander
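The point Christian makes above (a challenge-response mechanism can only be verified when the server holds the cleartext secret) and Alexander's follow-up (which is exactly why such mechanisms force plaintext storage) can be shown in a few lines of Python. This is an added example, not code from the thread or from Dovecot: it models a PLAIN login checked against an SSHA512 hash next to a CRAM-MD5 login checked against the same account, and reproduces the "Requested CRAM-MD5 scheme, but we have only ..." failure when the passdb holds a hash. The account name, password, salt and challenge are constructed sample data (the challenge string is the one from RFC 2195), and the SSHA512 layout follows Dovecot's documented scheme of SHA-512 digest followed by the salt.

```python
"""Why a CRAM-MD5 login cannot be verified against an SSHA512 hash.

Added example, not part of the mailing-list thread or of Dovecot.
All usernames, passwords, salts and challenges are constructed.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password the way Dovecot's SSHA512 scheme lays it out:
    {SSHA512}base64(sha512(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()


def verify_ssha512(password: str, stored: str) -> bool:
    """PLAIN/LOGIN path: the client sent the cleartext, so the server can
    re-hash it with the stored salt and compare in constant time."""
    raw = base64.b64decode(stored[len("{SSHA512}"):])
    digest, salt = raw[:64], raw[64:]
    candidate = hashlib.sha512(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """What a client such as Thunderbird sends for CRAM-MD5 (RFC 2195):
    the username and hex(HMAC-MD5(key=password, msg=challenge))."""
    mac = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {mac}"


def verify_cram_md5(response: str, challenge: bytes, stored: str) -> bool:
    """Server side: the only way to check the response is to recompute the
    HMAC, and the HMAC key is the cleartext password. With a hashed passdb
    entry the check is impossible, which is the situation Dovecot logs as
    'Requested CRAM-MD5 scheme, but we have only <scheme>'."""
    _username, client_mac = response.split(" ", 1)
    if stored.startswith("{PLAIN}"):
        key = stored[len("{PLAIN}"):].encode()
        expected = hmac.new(key, challenge, hashlib.md5).hexdigest()
        return hmac.compare_digest(expected, client_mac)
    scheme = stored[1:stored.index("}")] if stored.startswith("{") else "CRYPT"
    raise ValueError(f"Requested CRAM-MD5 scheme, but we have only {scheme}")


def demo() -> dict:
    """Run both paths against one account and report the outcomes."""
    user, password = "user@domain.net", "correct horse battery staple"  # constructed
    challenge = b"<1896.697170952@postoffice.reston.mci.net>"  # RFC 2195 sample
    plain_store = "{PLAIN}" + password                     # what CRAM-MD5 needs
    hashed_store = ssha512_hash(password, salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
    response = cram_md5_response(user, password, challenge)
    result = {
        "plain_login_vs_ssha512": verify_ssha512(password, hashed_store),
        "cram_md5_vs_plain_store": verify_cram_md5(response, challenge, plain_store),
    }
    try:
        verify_cram_md5(response, challenge, hashed_store)
        result["cram_md5_vs_ssha512"] = "verified"
    except ValueError as exc:
        result["cram_md5_vs_ssha512"] = str(exc)
    return result


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The consistent Dovecot setting for a hashed passdb is therefore to stop advertising the challenge-response mechanisms (`auth_mechanisms = plain login`), and to answer the TLS question from the thread with `disable_plaintext_auth = yes`, which makes Dovecot accept PLAIN and LOGIN only on TLS-protected connections; the password hash in the database then never has to be downgraded to cleartext.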
participants (4): absolutely_free@libero.it, Aki Tuomi, Alexander Dalloz, Christian Mack