[Dovecot] APOP and CRAM-MD5 in checkpassword module

Ben Schumacher me at benschumacher.com
Wed Jun 27 16:50:01 EEST 2007


On 6/25/07, John Peacock <jpeacock at rowman.com> wrote:
> Ben Schumacher wrote:
> > I would like to see this, too. After digging through the code some, it
> > seems that the major sticking point is that dovecot would prefer to do
> > the CRAM-MD5 internally and therefore expects to have access to the
> > password in plaintext and doesn't pass the timestamp on to
> > checkpassword...
>
> There is no way to use CRAM-MD5 without having the password stored in
> plaintext locally; it is a design "feature" since the hash is calculated
> using a different server key every time.

The problem is not that the passwords aren't stored locally in
plaintext, it's that the mechanism for providing that information to
dovecot is not there with checkpassword authentication. checkpassword
expects to receive the 3 pieces of information it needs to perform
this style of authentication -- username, hash and timestamp (or a
"challenge string" -- which is generally a timestamp). This somewhat
conflicts with dovecot's authentication system, which expects to have
all the necessary authentication information internally and is not
designed (not willing?) to trust a checkpassword-style authentication
mechanism to perform CRAM-MD5 authentication and therefore only offers
PLAIN as an option to clients.

Likely this change would require some tweaks to configuration as it
would mean that dovecot would need to be configured to know which
authentication mechanism the checkpassword system offered, but I still
think it'd be a better situation than to simply not be able to use
CRAM-MD5 if checkpassword is enabled.

Cheers,
Ben
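Worked example, added here and not part of Ben's post or of Dovecot's code: the CRAM-MD5 (RFC 2195) and APOP (RFC 1939) exchanges, with a verifier that takes exactly the three inputs the post says a checkpassword-style backend needs (username, the client's hash, the challenge). Both sides are shown, plus the reason the server needs the plaintext secret: a store of one-way hashes cannot reproduce the MAC. The user store, hostname and function names are constructed for the example; the test vectors are the ones published in the two RFCs.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

# Constructed user store with plaintext secrets. CRAM-MD5 and APOP need these
# on the server: each verification re-derives the MAC/digest from the original
# secret and the challenge that was issued for this session.
PLAINTEXT_DB = {"tim": "tanstaaftanstaaf", "mrose": "tanstaaf"}

# Constructed store of one-way hashes, as a PLAIN-only backend might keep.
# It has no way to answer a CRAM-MD5 or APOP challenge (shown in the tests).
HASHED_DB = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in PLAINTEXT_DB.items()}

Lookup = Callable[[str], Optional[str]]


def make_challenge(hostname: str = "mail.example.test") -> str:
    """Server side: an RFC 2195 style challenge <random.timestamp@host>.
    hostname is a placeholder; the timestamp is the 'challenge string' the
    thread refers to. The random part keeps two sessions from ever sharing it."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>"


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side (RFC 2195): 'username SP hex(HMAC-MD5(key=password, msg=challenge))'."""
    mac = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {mac}"


def apop_response(username: str, password: str, timestamp: str) -> str:
    """Client side (RFC 1939 APOP): 'username SP hex(MD5(timestamp || password))'."""
    digest = hashlib.md5((timestamp + password).encode()).hexdigest()
    return f"{username} {digest}"


def checkpassword_cram_md5(username: str, client_digest: str,
                           challenge: str, lookup: Lookup) -> bool:
    """Verifier with the three pieces a checkpassword-style backend would be
    handed: username, the hash the client sent, and the challenge the server
    issued. `lookup` returns the stored secret for the user, or None."""
    stored = lookup(username)
    # Always compute a MAC so unknown users take the same time as bad passwords.
    expected = hmac.new((stored or "").encode(), challenge.encode(), hashlib.md5).hexdigest()
    return stored is not None and hmac.compare_digest(expected, client_digest)


def checkpassword_apop(username: str, client_digest: str,
                       timestamp: str, lookup: Lookup) -> bool:
    """Same shape as above for APOP: MD5(timestamp || stored secret)."""
    stored = lookup(username)
    expected = hashlib.md5((timestamp + (stored or "")).encode()).hexdigest()
    return stored is not None and hmac.compare_digest(expected, client_digest)


def authenticate_cram(username: str, password: str, lookup: Lookup) -> bool:
    """Full exchange: server issues challenge, client answers, server verifies.
    The challenge never leaves this function, so a captured response from one
    session is useless against the next one (a different challenge is issued)."""
    challenge = make_challenge()                       # S -> C
    response = cram_md5_response(username, password, challenge)  # C -> S
    user, _, digest = response.partition(" ")
    return checkpassword_cram_md5(user, digest, challenge, lookup)


if __name__ == "__main__":
    print("plaintext store:", authenticate_cram("tim", "tanstaaftanstaaf", PLAINTEXT_DB.get))
    print("hashed store:   ", authenticate_cram("tim", "tanstaaftanstaaf", HASHED_DB.get))
```

The second line of the stand-alone run prints False: the backend holding only sha256(password) computes the HMAC with the wrong key, which is the "design feature" John refers to, and why a backend that can only answer PLAIN cannot be used to serve CRAM-MD5 without being handed the plaintext secret, or at least the username/hash/challenge triple to check for itself.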

