[Dovecot] dovecot.conf: mechanisms = plain login cram-md5 | Windows Live Mail: CRAM-MD5 authentication failed. This could (NOT) be due to a lack of memory on your system

Jerrale G jerrale at sheltoncomputers.com
Sun Aug 8 07:39:55 EEST 2010


On 8/7/2010 11:38 PM, Gary V wrote:
> On 8/7/10, Jerrale G wrote:
>    
>> /etc/dovecot.conf:
>>
>> auth default {
>> mechanisms=plain login cram-md5
>>         passdb {
>> #..............
>>
>> Windows Live Mail:
>> CRAM-MD5 authentication failed. This could be due to a lack of memory on
>> your system.
>> Your IMAP command could not be sent to the server, due to non-network
>> errors. This could, for example, indicate a lack of memory on your system.
>>
>> Configuration:
>>    Account: Sheltoncomputers (testuser)
>>    Server: mail.sheltoncomputers.com
>>    User name: testuser at sheltoncomputers.com
>>    Protocol: IMAP
>>    Port: 993
>>    Secure(SSL): 1
>>    Code: 800cccdf
>>
>> The console I'm using is 4 GB ram; so, this dumb error of windoze dead mail
>> is irrelevant. The other mechanisms of TLS/no tls plain login work fine. The
>> passwords are stored in mysql as md5(password) but this works on others not
>> using cram-md5 (secure login of the client). I'm trying to support a
>> plethora of mechanisms for the convenience of the customer and .
>>
>> Jerrale G.
>> Senior Admin
>>
>>      
> I'm no expert, but if I'm not mistaken, cram-md5 requires a plain text
> shared secret. I quote from
> http://www.sendmail.org/~ca/email/cyrus2/components.html:
>
> "Shared Secret Mechanisms - For these mechanisms, such as CRAM-MD5,
> DIGEST-MD5, and SRP, there is a shared secret between the server and
> client (e.g. a password). However, in this case the password itself
> does not travel on the wire. Instead, the client passes a server a
> token that proves that it knows the secret (without actually sending
> the secret across the wire). For these mechanisms, the server
> generally needs a plaintext equivalent of the secret to be in local
> storage (not true for SRP)."
>
> The auth default section of my dovecot.conf looks like:
>
> auth default {
>    mechanisms = plain login cram-md5
>    passdb sql {
>      args = /etc/dovecot/dovecot-sql.conf
>    }
>    passdb sql {
>      args = /etc/dovecot/dovecot-crammd5.conf
>    }
>    userdb sql {
>      args = /etc/dovecot/dovecot-sql.conf
>    }
>    user = root
>    socket listen {
>      master {
>        path = /var/run/dovecot/auth-master
>        mode = 0600
>        user = vmail
>      }
>      client {
>        path = /var/spool/postfix/private/auth
>        mode = 0660
>        user = postfix
>        group = postfix
>      }
>    }
> }
>
>
> With an /etc/dovecot/dovecot-crammd5.conf that might look something like this:
>
> driver = mysql
> connect = host=127.0.0.1 dbname=postfix user=postfix password=password
> default_pass_scheme = PLAIN
> password_query = SELECT clear AS password FROM mailbox WHERE username = '%u' AND active = '1'
>
> With an added field to store a plain text password (I called it "clear").
>
>    
I guess I was just wondering how I had the md5 in mysql working and I'm 
aware of the salt sometimes required for md5 but only digest-md5. I 
realized I had guessed correctly on initial setup to have, in 
mysql.conf, default_pass_scheme = MD5 ; I incorrectly thought cram-md5 
had to be as one of the auth default mechanisms to read md5 from mysql 
correctly.

I guess I need to create a new "auth crammd5 {}" and set up mysql to have 
the current password field be a function of the new clear field, 
automatically creating the md5 from the clear password field. I will use 
default_password_scheme=CLEAR, fetch from the clear, and set up 
dovecot.conf auth crammd5 with the settings you suggested.

Thanks,

J. G.
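
Added example (not part of the original thread, and not Dovecot's own code): the CRAM-MD5 exchange from RFC 2195 in Python, showing why a passdb that returns only md5(password) cannot verify the client's response while one that returns the plaintext can. The user name, password and challenge are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

def client_response(user: str, password: str, challenge: bytes) -> bytes:
    """Client: HMAC-MD5 keyed with the password over the server challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def server_verify(stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server: recompute the HMAC with whatever the passdb returned as the key."""
    _user, _, digest = base64.b64decode(response).decode().rpartition(" ")
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())

def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    user, password = "testuser@example.test", "correct horse"
    challenge = b"<1234.1281242395@mail.example.test>"
    response = client_response(user, password, challenge)
    # What a table holding md5(password) would hand to the auth process.
    md5_hex = hashlib.md5(password.encode()).hexdigest().encode()
    md5_raw = hashlib.md5(password.encode()).digest()
    return {
        "plaintext": server_verify(password.encode(), challenge, response),
        "md5_hex": server_verify(md5_hex, challenge, response),
        "md5_raw": server_verify(md5_raw, challenge, response),
        "wrong_password": server_verify(b"guess", challenge, response),
    }

if __name__ == "__main__":
    for stored, ok in demo().items():
        print(f"{stored:15} -> {'accepted' if ok else 'rejected'}")
```

Only the plaintext key reproduces the client's HMAC. Dovecot also has a CRAM-MD5 password scheme that stores the HMAC-MD5 intermediate state instead of the plaintext, which avoids keeping a clear-text column.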




