[dovecot] Re: Some experiences

Amelia A.Lewis amyzing at talsever.com
Sun Jan 5 13:44:30 EET 2003


Quick replies from the man who knows!  Thanks, Timo!

A request for clarification ...

On 05 Jan 2003 11:32:25 +0200 Timo Sirainen <tss at iki.fi> wrote:

> On Sun, 2003-01-05 at 06:46, Amelia A.Lewis wrote:
> I think Outlook supported only NTLM besides the plaintext auth. There's
> specs for it now so it would be possible to be supported too.

If I could think of a way to break outlook without breaking other
windows clients, I'd do it.  As a service to the community (reduction of
virus infections).  But prolly you want to be compatible.

> > I therefore tried md5 passwords in a passwd-file, with STARTTLS
> > enabled.  Didn't work.  I turned off SSL, and reenabled plain-text,
> > and watched the login go by.  Very sniffable, of course.  But correct
> > username and password ... failed.  There are instructions for creating
> > digest-md5 style secrets in auth.txt, but none for md5 passwords; I
> > used openssl passwd -1 [password] (and cut and paste).  It seems odd
> > to me that this didn't work; does that command use a different
> > algorithm than dovecot?
> 
> It uses different algorithm, although Dovecot could be made to support
> that too.. The Dovecot's algorithm is very simple and is compatible with
> pwdfile PAM module, it's simply the MD5 sum of a given text, eg:
> 
> perl -MDigest::MD5 -e 'print Digest::MD5::md5_hex("pass")."\n"'
> 
> Digest-MD5 passwords should probably rather be used so that could be
> used also by people who can. The description was a bit broken it seems,
> for plaintext authentication it works only if the realm is empty, so
> this should work:
> 
> perl -MDigest::MD5 -e 'print Digest::MD5::md5_hex("user::pass")."\n"'

Okay.  In other words, any of the three password styles will work with
plaintext auth and no realm?

And digest-md5 with no realm can be used both in plaintext, and in
digest-md5 (making sure that dovecot.conf has an empty realms list)?

If the latter is true, I think that that's what I want to do ....

I think some clarifications to auth.txt might be in order; perhaps I'll
write some bits and offer the diff?  Or the modified file?

> Maybe I should consider anyway using Cyrus SASL library, at least
> optionally. Would make life so much easier :) Everyone keeps wanting
> LDAP and MySQL and whatever support, but I'd rather concentrate on the
> IMAP side for now.

I *like* your focus.  I like dovecot and its ease of setup very much. 
If lots of features are added, then complexity is likely to rise ... in
that case, perhaps the postfix pattern of config files would be worth
emulating?  Because basic postfix configuration remains simple; certain
sorts of more complex configuration (like virtual alias domains and
virtual mailbox domains) live in their own files, referenced from main,
but documented separately.

I'm unthrilled with the current state of SASL; it seems to be in flux
between version 1.5 and version 2.1, which are not mutually compatible
(I'm pretty sure that this is why mutt doesn't do digest-md5 on my
system).  That will eventually get straightened out, I'm sure.  But the
current state of auth in dovecot seems to allow most things that SASL
might offer, so perhaps it isn't yet worth the hassle of linking.

Amy!
-- 
Amelia A. Lewis                    amyzing {at} talsever.com      alicorn at mindspring.com
I stopped by the bar at 3 a.m. to seek solace in a bottle, or possibly
a friend.  I woke up with a headache like my head against a board, twice
as cloudy as I'd been the night before.  I went in seeking clarity.
                -- Indigo Girls
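The two password forms Timo describes above, reworked as an added Python example (not Dovecot's code and not from either poster): it builds the plain-MD5 entry and the empty-realm DIGEST-MD5 entry, tells both apart from the `$1$` MD5-crypt string that `openssl passwd -1` emits, and checks a plaintext login against either. The `amy`/`s3cret` sample entry and all function names are my own assumptions.

```python
import hashlib
import hmac


def plain_md5_entry(password: str) -> str:
    """Dovecot's own MD5 scheme (pwdfile PAM compatible): the unsalted hex
    MD5 of the password alone, as in the first perl one-liner."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def digest_md5_entry(username: str, password: str, realm: str = "") -> str:
    """DIGEST-MD5 style secret: hex MD5 of "user:realm:password". With an
    empty realm this is MD5("user::pass"), the second one-liner."""
    data = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def classify_entry(stored: str) -> str:
    """Tell the entry shapes apart so a wrong scheme is caught when the
    passwd-file is written rather than at login time."""
    if stored.startswith("$1$"):
        # What `openssl passwd -1` produces: salted, iterated MD5-crypt,
        # a different algorithm that a bare MD5 check can never match.
        return "md5-crypt"
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored):
        # Plain MD5 and DIGEST-MD5 secrets look identical by shape.
        return "md5-hex"
    return "unknown"


def check_plaintext_login(stored: str, username: str, password: str) -> bool:
    """Verify a PLAIN/LOGIN credential against a stored hex entry, accepting
    either the plain-MD5 form or the empty-realm DIGEST-MD5 form.
    Both are unsalted, so an exposed file is cheap to brute-force."""
    if classify_entry(stored) != "md5-hex":
        return False  # e.g. an md5-crypt string: fails exactly as the poster saw
    candidates = (plain_md5_entry(password), digest_md5_entry(username, password))
    # Constant-time compare so timing does not reveal how many bytes matched.
    return any(hmac.compare_digest(stored, c) for c in candidates)


if __name__ == "__main__":
    # Constructed sample entry, not taken from the list post.
    entry = digest_md5_entry("amy", "s3cret")
    print(classify_entry(entry), check_plaintext_login(entry, "amy", "s3cret"))
```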