[Dovecot] Using pgsql with 'cram-md5 auth' and 'hmac-md5 scheme'

John Peacock jpeacock at rowman.com
Tue Sep 12 19:02:57 EEST 2006


John Peacock wrote:
> I don't see how this can work.  I checked the source code and it seems 
> to assume that you have the plaintext password.  I don't have the time 
> to trace through the code path to be sure; 

Actually, this bugged me, so I did trace it through.  It appears that 
dovecotpw generates the hash by hashing the password with itself.  What 
happens is that the client sends the password as plaintext, and then 
dovecot sees that the passdb file includes the {HMAC-MD5} in the 
password field, hashes the plaintext password with itself, and finally 
compares it with the stored value.

So, it looks like the way to set this up is:

# get your certificates in place
protocols = imaps
disable_plaintext_auth = no

auth default {
   mechanisms = plain
   passdb passwd-file {
     args = /etc/dovecot/userdb.deny
     deny = yes
   }
   passdb passwd-file {
     args = /etc/dovecot/userdb
   }
   userdb passwd-file {
     args = /etc/dovecot/userdb
   }
   user = root
}

and then add your database to the list of passdbs, with the value 
{HMAC-MD5}xxxxxxxxxxxxxxxxx as the contents of the password field.
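To make the mechanism above concrete, here is an added worked example (my own code, not part of John's post and not Dovecot's source). It models the HMAC-MD5 scheme as I understand it: the stored value is not one HMAC output but the pair of MD5 chaining states obtained after absorbing key^opad and key^ipad (the CRAM-MD5 context). Assumptions, labelled in the code: the 32-byte layout (outer state first, little-endian words), the constructed password and challenge, and that a pure-Python MD5 is used only because hashlib hides the intermediate state. The example shows both sides of the trade-off: the PLAIN path in the post (recompute the context from the offered plaintext and compare) and why the passdb entry must be protected like a plaintext password (the context alone is enough to finish a CRAM-MD5 exchange).

```python
import hashlib
import hmac
import math
import struct

# MD5 primitives (pure Python so the chaining state is visible; hashlib hides it).
# Constants are the standard RFC 1321 values.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
MASK = 0xFFFFFFFF
PREFIX = "{HMAC-MD5}"


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md5_compress(state, block):
    """One MD5 compression step: absorb a 64-byte block into the 4-word chaining state."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & MASK
        a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & MASK
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))


def md5_finish(state, tail, total_len):
    """Pad the unprocessed bytes `tail` of a `total_len`-byte message and finish from `state`."""
    msg = tail + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", total_len * 8)
    for off in range(0, len(msg), 64):
        state = md5_compress(state, msg[off:off + 64])
    return struct.pack("<4I", *state)


def md5_hex(data):
    return md5_finish(MD5_IV, data, len(data)).hex()


def hmac_md5_context(password):
    """CRAM-MD5 context: MD5 states after absorbing key^opad and key^ipad.
    Assumption: 32 bytes, outer state first, each word little-endian."""
    key = hashlib.md5(password).digest() if len(password) > 64 else password
    key = key.ljust(64, b"\x00")
    outer = md5_compress(MD5_IV, bytes(k ^ 0x5C for k in key))
    inner = md5_compress(MD5_IV, bytes(k ^ 0x36 for k in key))
    return struct.pack("<4I", *outer) + struct.pack("<4I", *inner)


def make_passdb_entry(password):
    """What a passdb password field would hold for this scheme (layout assumed as above)."""
    return PREFIX + hmac_md5_context(password).hex()


def verify_plaintext(stored, password):
    """The PLAIN-over-TLS path from the post: recompute the context from the offered
    plaintext and compare it in constant time with the stored value."""
    if not stored.startswith(PREFIX):
        return False
    return hmac.compare_digest(stored[len(PREFIX):], hmac_md5_context(password).hex())


def cram_md5_response_from_context(stored, challenge):
    """Finish HMAC-MD5(password, challenge) from the stored context alone, without the
    plaintext.  Defender's takeaway: the context is password-equivalent for CRAM-MD5,
    so the passdb file needs the same protection as a plaintext credential store."""
    raw = bytes.fromhex(stored[len(PREFIX):])
    outer = struct.unpack("<4I", raw[:16])
    inner = struct.unpack("<4I", raw[16:])
    inner_digest = md5_finish(inner, challenge, 64 + len(challenge))
    return md5_finish(outer, inner_digest, 64 + 16).hex()


def reference_response(password, challenge):
    """Cross-check: the normal HMAC-MD5 computed with the plaintext password."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


if __name__ == "__main__":
    password = b"correct horse"                       # constructed sample
    challenge = b"<1896.697170952@mail.example>"      # constructed CRAM-MD5 challenge
    entry = make_passdb_entry(password)
    print("passdb field:", entry)
    print("plaintext verify (good/bad):", verify_plaintext(entry, password),
          verify_plaintext(entry, b"wrong"))
    print("CRAM response from context == HMAC with plaintext:",
          cram_md5_response_from_context(entry, challenge) == reference_response(password, challenge))
```

The MD5 core is checked against known digests so the state-resumption trick is trustworthy; the interesting assertion is the last one, where a response derived purely from the stored context matches the HMAC computed with the real password.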

HTH

John

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD  20706
301-459-3366 x.5010
fax 301-429-5748

