[Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

Yubao Liu yubao.liu at gmail.com
Fri Jan 6 19:29:14 EET 2012


On 01/07/2012 12:44 AM, Timo Sirainen wrote:
> On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:
>
>> I don't know why this function doesn't check auth->masterdbs, if I
>> insert these lines after line 128, that error goes away, and dovecot's
>> imap-login process happily does DIGEST-MD5 authentication [1].
>> In my configuration, "masterdbs" contains "passdb passwd-file",
>> "passdbs" contains " passdb pam".
> So .. you want DIGEST-MD5 authentication for the master users, but not
> for anyone else? I hadn't really thought anyone would want that..
>
I hope users use GSSAPI authentication from a native MUA, but RoundCube
webmail doesn't support that, so I have to use DIGEST-MD5/CRAM-MD5/
PLAIN/LOGIN for authentication between RoundCube and Dovecot, and
let RoundCube log in as a master user for the normal user.

I really don't like to transfer passwords as plain text, so I prefer DIGEST-MD5
and CRAM-MD5 for both auth mechanisms and password schemes. My
last email is partially wrong: DIGEST-MD5 can't be used for master users
because 'real_user*master_user' is used to calculate the digest in the IMAP client,
and this can't be consistent with the digest in the passdb because only 'master_user'
is used to calculate that digest.

But CRAM-MD5 doesn't use the user name to calculate the digest; I just tried it
successfully with my rude patch to src/auth/auth.c in my previous email :-)

# doveadm pw -s CRAM-MD5 -u webmail
(use 123456 as passwd)
# cat > /etc/dovecot/master-users
webmail:{CRAM-MD5}dd59f669267e9bb13d42a1ba57c972c5b13a4b2ae457c9ada8035dc7d8bae41b
^D

$ gsasl --imap imap.corp.example.com --verbose -m CRAM-MD5 -a 'dieken*webmail@corp.example.com' -p 123456
Trying `gold.corp.example.com'...
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
. OK Pre-login capabilities listed, post-login capabilities have more.
. STARTTLS
. OK Begin TLS negotiation now.
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
. OK Pre-login capabilities listed, post-login capabilities have more.
. AUTHENTICATE CRAM-MD5
+ PDM1OTIzODgxNjgyNzUxMjUuMTMyNTg3MDQwMkBnb2xkPg==
ZGlla2VuKndlYm1haWxAY29ycC5leGFtcGxlLmNvbSBkYjRlZWJlMTUwZGZjZjg5NTVkODZhNDBlMGJiZmQzNA==
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
Client authentication finished (server trusted)...
Enter application data (EOF to finish):

It's also OK to use "-a 'dieken*webmail'" instead of "-a 'dieken*webmail@corp.example.com'".

# doveconf -n
# 2.0.15: /etc/dovecot/dovecot.conf
# OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
auth_debug = yes
auth_debug_passwords = yes
auth_default_realm = corp.example.com
auth_krb5_keytab = /etc/dovecot.keytab
auth_master_user_separator = *
auth_mechanisms = gssapi digest-md5 cram-md5
auth_realms = corp.example.com
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
first_valid_gid = 1000
first_valid_uid = 1000
mail_debug = yes
mail_location = mdbox:/srv/mail/%u/Mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
passdb {
   args = /etc/dovecot/master-users
   driver = passwd-file
   master = yes
}
passdb {
   driver = pam
}
plugin {
   sieve = /srv/mail/%u/.dovecot.sieve
   sieve_dir = /srv/mail/%u/sieve
}
protocols = " imap lmtp sieve"
service auth {
   unix_listener auth-client {
     group = Debian-exim
     mode = 0660
   }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
   args = home=/srv/mail/%u
   driver = passwd
}
verbose_ssl = yes
protocol lmtp {
   mail_plugins = " sieve"
}
protocol lda {
   mail_plugins = " sieve"
}


Regards,
Yubao Liu
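As an added illustration of the point made in the message above (example code written for this page; it is not from the post, from Dovecot or from gsasl): the script decodes the challenge and reply captured in the gsasl session, recomputes a CRAM-MD5 response exactly as RFC 2195 defines it (HMAC-MD5 keyed with the password over the server challenge, with the user name sent alongside but not hashed), and contrasts it with the RFC 2831 DIGEST-MD5 value H(username:realm:password) that a {DIGEST-MD5} passdb entry stores, where the user name is part of the hash. The master-password table, the constructed challenge, the helper names and the `%n`-style domain stripping are assumptions; a real Dovecot {CRAM-MD5} entry stores the HMAC inner/outer MD5 context rather than the plaintext, which this stand-in does not model.

```python
"""CRAM-MD5 vs DIGEST-MD5 for 'real_user*master_user' logins (illustrative)."""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Copied from the gsasl session in the post: the server's "+" challenge and
# the client's base64 reply.
SERVER_CHALLENGE_B64 = "PDM1OTIzODgxNjgyNzUxMjUuMTMyNTg3MDQwMkBnb2xkPg=="
CLIENT_RESPONSE_B64 = (
    "ZGlla2VuKndlYm1haWxAY29ycC5leGFtcGxlLmNvbSBk"
    "YjRlZWJlMTUwZGZjZjg5NTVkODZhNDBlMGJiZmQzNA=="
)
MASTER_SEP = "*"  # auth_master_user_separator from the posted doveconf -n


def decode_b64(s: str) -> str:
    return base64.b64decode(s).decode("ascii")


def encode_b64(s: str) -> str:
    return base64.b64encode(s.encode("ascii")).decode("ascii")


def parse_cram_response(b64: str) -> Tuple[str, str]:
    """Split the decoded client reply into (authentication id, hex digest)."""
    parts = decode_b64(b64).rsplit(" ", 1)
    if len(parts) != 2:
        raise ValueError("malformed CRAM-MD5 response")
    return parts[0], parts[1]


def split_master_login(authid: str) -> Tuple[str, Optional[str]]:
    """'real*master' -> ('real', 'master'); a plain login has no master part.
    The domain is dropped from the master name to mimic auth_username_format=%n
    (assumed simplification, not Dovecot's actual code path)."""
    if MASTER_SEP not in authid:
        return authid, None
    real, master = authid.split(MASTER_SEP, 1)
    return real, master.split("@", 1)[0]


def cram_md5_digest(password: str, challenge: str) -> str:
    """RFC 2195: HMAC-MD5(key=password, msg=challenge). The user name is not an
    input, so the same stored secret answers for 'webmail' and 'x*webmail'."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def cram_md5_response(authid: str, password: str, challenge: str) -> str:
    """What the client sends (before base64): 'authid SP hexdigest'."""
    return f"{authid} {cram_md5_digest(password, challenge)}"


def cram_md5_verify(response_b64: str, challenge: str,
                    master_passwords: Dict[str, str]) -> bool:
    """Server side for master logins only. master_passwords is a constructed
    stand-in for the master passdb (plaintext here; Dovecot stores an HMAC
    context). Unknown master user, no master part, or a bad digest all fail."""
    try:
        authid, digest = parse_cram_response(response_b64)
    except ValueError:
        return False
    _, master = split_master_login(authid)
    if master is None or master not in master_passwords:
        return False
    expected = cram_md5_digest(master_passwords[master], challenge)
    return hmac.compare_digest(expected, digest)


def digest_md5_stored_hash(username: str, realm: str, password: str) -> str:
    """RFC 2831 H(username:realm:password), the value a {DIGEST-MD5} passdb
    entry holds. Because the user name is hashed in, an entry computed for
    'master' can never match what a client computes for 'real*master'."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def matches_captured(password: str) -> bool:
    """Recompute the captured reply with a candidate password (e.g. the 123456
    the post says it used) and compare; returns True only if the session's
    digest is reproduced."""
    authid, digest = parse_cram_response(CLIENT_RESPONSE_B64)
    challenge = decode_b64(SERVER_CHALLENGE_B64)
    return hmac.compare_digest(cram_md5_digest(password, challenge), digest)


if __name__ == "__main__":
    challenge = decode_b64(SERVER_CHALLENGE_B64)
    print("challenge :", challenge)
    print("captured  :", decode_b64(CLIENT_RESPONSE_B64))
    print("recomputed:", cram_md5_response("dieken*webmail@corp.example.com",
                                           "123456", challenge))
    print("captured digest reproduced with 123456:", matches_captured("123456"))
    realm = "corp.example.com"
    print("DIGEST-MD5 H(A1) for webmail       :",
          digest_md5_stored_hash("webmail", realm, "123456"))
    print("DIGEST-MD5 H(A1) for dieken*webmail:",
          digest_md5_stored_hash("dieken*webmail", realm, "123456"))
```

Running it shows the two CRAM-MD5 responses for `webmail` and `dieken*webmail` carrying the same 32-hex-digit digest, while the two DIGEST-MD5 stored hashes differ, which is exactly why the post finds CRAM-MD5 workable for master users and DIGEST-MD5 not.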
