[Dovecot] SSHA512 auth not working

Marcin Czupryniak martino87rm at gmail.com
Tue Apr 16 04:54:15 EEST 2013


I'm trying to configure SSHA512 passwords and when testing I discovered 
that they were not working as expected.
At first I was using CentOS 6.4, which doesn't have the newest glibc CRYPT 
functions ($6$salt$pass), so I had to roll back to the Dovecot format 
({SSHA512.HEX}saltedpassword+salt), but I'm unable to get Dovecot to 
authenticate properly.

Some logs and details:

Apr 16 02:55:37 auth: Debug: client in: AUTH    1       PLAIN 
service=imap    lip=xxx       rip=xxx      lport=143 rport=58171     
resp=AGRpbm9AYWJjLml0AGRpbm8=
Apr 16 02:55:37 auth: Debug: sql(dino at abc.it,xxxx): query: SELECT 
'{SSHA512.HEX}' || password as password FROM mailboxes WHERE 
fullusername='dino at abc.it'
Apr 16 02:55:37 auth: Info: sql(dino at abc.it,xxxx): Password mismatch 
(given password: dino)
Apr 16 02:55:37 auth: Error: md5_verify(dino at abc.it): Not a valid 
MD5-CRYPT or PLAIN-MD5 password
Apr 16 02:55:37 auth: Warning: Invalid OTP data in passdb
Apr 16 02:55:37 auth: Warning: Invalid OTP data in passdb
Apr 16 02:55:37 auth: Debug: sql(dino at abc.it,xxxx): SSHA512.HEX(dino) != 
'd449914d83c85a786bcde7114b3dfdb24a651c27956388ac641d46eaf40c86e7c95ce2534348730475c8893eab314af189b3a46bf6d76b82cfba119e920813a531e985acd35c47ca8d3cafe50b595b66'
Apr 16 02:55:39 auth: Debug: client out: FAIL   1 user=dino at abc.it


Full password as taken from database: 
{SSHA512.HEX}d449914d83c85a786bcde7114b3dfdb24a651c27956388ac641d46eaf40c86e7c95ce2534348730475c8893eab314af189b3a46bf6d76b82cfba119e920813a531e985acd35c47ca8d3cafe50b595b66

The first 128 chars are the salted password, the remaining 32 the salt (hex 
UUID representation).

I've checked twice that the generated passwords are correct. In fact, if 
you salt the password (dino) you get the exact 128 chars as in the stored 
password, but Dovecot compares the full password with the salt (160 
chars). Is this correct?

Any ideas?
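
How Dovecot checks an SSHA512 value, as an added example that is not part of the original post and not Dovecot's own code: the decoded bytes are split into a 64-byte digest and a trailing salt, and the digest is compared with SHA-512(password + raw salt bytes). The function names and the sample salt are constructed for illustration; `diagnose` tries other salting orders to show which one produced a given stored hash.

```python
import hashlib
import hmac

PREFIX = "{SSHA512.HEX}"
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes = 128 hex chars

def split_ssha512_hex(stored: str):
    """Split '{SSHA512.HEX}<digest><salt>' into raw (digest, salt) bytes."""
    if stored.startswith(PREFIX):
        stored = stored[len(PREFIX):]
    raw = bytes.fromhex(stored)  # raises ValueError on non-hex input
    if len(raw) < DIGEST_LEN:
        raise ValueError("value is shorter than a SHA-512 digest")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]

def make_ssha512_hex(password: str, salt: bytes) -> str:
    """Build a value in the layout Dovecot expects: SHA512(pw + salt) + salt."""
    digest = hashlib.sha512(password.encode() + salt).digest()
    return PREFIX + (digest + salt).hex()

def verify_ssha512_hex(password: str, stored: str) -> bool:
    """Check a password the way the SSHA512 scheme does (password first, then salt)."""
    digest, salt = split_ssha512_hex(stored)
    candidate = hashlib.sha512(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def diagnose(password: str, stored: str):
    """Name the construction that reproduces the stored digest, or None."""
    digest, salt = split_ssha512_hex(stored)
    pw, salt_text = password.encode(), salt.hex().encode()
    candidates = {
        "password + raw salt (Dovecot SSHA512)": pw + salt,
        "raw salt + password": salt + pw,
        "password + hex-text salt": pw + salt_text,
        "hex-text salt + password": salt_text + pw,
    }
    for name, data in candidates.items():
        if hmac.compare_digest(hashlib.sha512(data).digest(), digest):
            return name
    return None

if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 16-byte salt
    stored = make_ssha512_hex("dino", salt)
    print(len(stored) - len(PREFIX), "hex chars after the prefix")
    print(verify_ssha512_hex("dino", stored), diagnose("dino", stored))
```

A `None` from `diagnose` means the hash was built with some construction other than the four tried here.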

