[Dovecot] auth failure

Brian Candler B.Candler at pobox.com
Fri Jun 11 14:35:03 EEST 2004


On Fri, Jun 11, 2004 at 07:11:01AM -0400, Tom Allison wrote:
> I can use telnet 143 to authenticate using plaintext
> ". login username secret"
> but sniffit shows my password as garbled up stuff when I send a password 
> through mozilla.  Is this a feature of sniffit, mozilla, or what?

I don't know sniffit. What exactly does it show? If it shows

xxx login username yyy

then yyy *is* the cleartext password. If it shows

xxx authenticate foo
yyyyyyy

then yyyyyyy is base64-encoded authentication data (but trivially decoded in
the case where foo is 'PLAIN' or 'LOGIN').

I'd just try "tcpdump -i eth0 -n -s1500 -X tcp port 143" and look at the raw
packets.

> I'm trying to set up SSL, but I'm not sure it will behave well.  Last 
> time I tried this, I had a consistent feature of my SSL connection 
> warning me that my certificate was crap because it wasn't signed 
> properly (I didn't pay Thawte/Verisign to let me read my email).

Well, that's correct, because the whole SSL security model depends on the
presence of a trusted third party to vouch for encryption keys. There's a
presentation with a brief overview here:
http://www.ws.afnog.org/afnog2004/t1/security/crypto-slides.pdf 

But you can always set up your own Certificate Authority and manually
install your CA root certificate into your client. That will silence the
messages and maintain security.

> I'll work on SSL over the weekend, but I know I can connect now with 
> plaintext.  It's only allowing connections from my subnet A to subnet B 
> and localhost so it's not as bad as 99.9% of the pop servers out there 
> (or am I wrong on that too?).

IMAP and POP are essentially the same as regards authentication. They both
have plain logins (LOGIN or USER/PASS), they both have SASL logins
(AUTHENTICATE or AUTH), SASL logins could also be plaintext (PLAIN or
LOGIN), and they can optionally run over SSL (either on a different port,
or using STARTTLS or STLS).

Regards,

Brian.
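
Added example, not part of Brian's message: a Python audit of client-to-server IMAP lines showing that the LOGIN command and the SASL PLAIN and LOGIN mechanisms all put the password on the wire, with base64 being only an encoding. The function names, the constructed sample lines, and the simplification that arguments are unquoted words are assumptions made for this example.

```python
import base64

def _b64(line):
    """Decode one base64 continuation line; None if it is not valid base64."""
    try:
        return base64.b64decode(line, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def audit_imap_client_lines(lines):
    """Return (method, user, password) per login; password is None if not on the wire."""
    findings, mech, user = [], None, None
    for raw in lines:
        line = raw.strip()
        if mech == "PLAIN":
            # RFC 4616 layout: [authzid] NUL authcid NUL passwd, then base64
            parts = (_b64(line) or b"").split(b"\0")
            if len(parts) == 3:
                findings.append(("AUTHENTICATE PLAIN",
                                 parts[1].decode("utf-8", "replace"),
                                 parts[2].decode("utf-8", "replace")))
            mech = None
        elif mech == "LOGIN":
            # LOGIN mechanism: username line, then password line, each base64
            data = _b64(line)
            if data is None:
                mech, user = None, None
            elif user is None:
                user = data.decode("utf-8", "replace")
            else:
                findings.append(("AUTHENTICATE LOGIN", user, data.decode("utf-8", "replace")))
                mech, user = None, None
        else:
            words = line.split()
            if len(words) >= 4 and words[1].upper() == "LOGIN":
                findings.append(("LOGIN", words[2], words[3]))
            elif len(words) >= 3 and words[1].upper() == "AUTHENTICATE":
                mech = words[2].upper()
                if mech not in ("PLAIN", "LOGIN"):  # e.g. CRAM-MD5: no password sent
                    findings.append(("AUTHENTICATE " + mech, None, None))
                    mech = None
    return findings

enc = lambda b: base64.b64encode(b).decode()
SAMPLE = [  # constructed client lines, not taken from a real capture
    "a1 login username secret",
    "a2 AUTHENTICATE PLAIN", enc(b"\0username\0secret"),
    "a3 authenticate LOGIN", enc(b"username"), enc(b"secret"),
    "a4 AUTHENTICATE CRAM-MD5", enc(b"username 0123456789abcdef"),
]
```

Every finding with a non-None password is a login that needs SSL (a separate port, STARTTLS or STLS) before it is safe on a shared network.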


