[Dovecot] Using pgsql with 'cram-md5 auth' and 'hmac-md5 scheme'

John Peacock jpeacock at rowman.com
Tue Sep 12 18:30:24 EEST 2006


Jonathan Ballet wrote:
>  - How can it work with nearly the same configuration, using passwd-like files
> instead of pgsql database?

Actual passwd files use crypt, which includes the seed before the hashed 
value.

> Auth mechanism is set to 'cram-md5', and passwords in the passdb file are
> HMAC-MD5 encrypted passwords (or, if I am wrong somewhere, they are generated by
> 'dovecotpw -s HMAC-MD5' and start with {HMAC-MD5})

I don't see how this can work.  I checked the source code and it seems 
to assume that you have the plaintext password.  I don't have the time 
to trace through the code path to be sure; I help write the AUTH support 
in an SMTP server, so AFAICT you must have both the plaintext password 
and the generated challenge in order to use CRAM-MD5.

> Is there any documentation referencing which password scheme could be used with
> an authentication mechanism? I thought it was in [1], but I might be wrong.
> 
> So, what are my options, to have encrypted authentication, and encrypted password?

AIUI, you need to use PLAIN (authentication) over SSL (encrypted) in 
order to have an encrypted password on the server.

John

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD  20706
301-459-3366 x.5010
fax 301-429-5748

