HELP: wrinting dovecot-sql.conf to authenticate to an existing database

[Steffen Kaiser]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 7 Jul 2015, Filippo Zeus wrote:

> I have a database "egroupware" with table "egw_accounts". The field "account_lid" is the full email address and "account_pwd" is the password in Blowfish format.
>
> Here is my dovecot-sql.conf
>
> driver = mysql
> connect = host=localhost dbname=egroupware user=egroupware password=*********
> default_pass_scheme = BLF-CRYPT
> password_query = SELECT account_pwd AS password FROM egw_accounts WHERE account_lid = '%u'
>
> Error: sql(hidden at mydomain.com,::1): Invalid password in passdb: crypt() failed: Invalid argument
> auth: Debug: client passdb out: FAIL#0111#011user=hidden at mydomain.com
> dovecot: pop3-login: Debug: Ignoring unknown passdb extra field:
>
> I think I'm having trouble with the password value that is stored in the account_pwd as:
>
> {crypt}$2a$12$XTAolzXgwMC211MuZELQUedPv9tjZNs7Osh97PnZ50pAKuk3WPGmS
>
> Reading at http://wiki2.dovecot.org/Authentication/PasswordSchemes
>
> I suppose that the heading "{crypt}$2a$" instead of a simple "$2a$" (witch identifies a Blowfish password) is my problem.

Hmm, did you tried simple string replacement?

password_query = SELECT replace(account_pwd, '{crypt}', '{BLF-CRYPT}') AS 
password FROM egw_accounts WHERE account_lid = '%u'

Also, did you've read:

http://wiki2.dovecot.org/Authentication/PasswordSchemes

"BLF-CRYPT: This is the Blowfish crypt (bcrypt) scheme. It is generally 
considered to be very secure. The encrypted password will start with $2a$ 
(Note: bcrypt is not available on most Linux distributions)"

Did you've tried:

doveadm pw -s BLF-CRYPT

to verify if your system supports Blowfish at all?

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEVAwUBVZy4jHz1H7kL/d9rAQIuGAgApTmCyW2uU16+cDRCHjjqhcUQrPwCSELm
Bh9MFs9K5Lsx1JmMYZbwg9kVhnKTiJ1MjUB1oCYTQIN4cJvQv28jpfSseQWGWx7z
4H04Xn5hD6F2U7J69g3IQoaA5XiiJITKrihAfTkFy9QrGQcAc/Mjl2aGMeA6Aghq
0gHiFCmKtFyrp0n8GwDvzGuXdAeY1OeSlM/OSqNkemtaCBJBZ940lOwv7Ldw4xGC
rP3fDPnqbh1h5rfDS11XoSvlfXMimTU73s9wkw0Pr0cnSkdE5/95PDJ9SozD/0hu
AC2+0LxnV0Jzl2uB9sJ1OuH0/HOezz5U0ba0KuU/qYdg/wFCqD1liQ==
=52bK
-----END PGP SIGNATURE-----