having problems with Argon

Aki Tuomi aki.tuomi at open-xchange.com
Fri Sep 28 08:59:56 EEST 2018



On 28.09.2018 04:24, Adam Gold wrote:
> Hello everyone.  I'm close to completing my first build of a mail
> server - Postfix, Dovecot, Postgres (I know, sounds like overkill),
> Rspamd with Redis and Unbound (please infer a mega lack of experience
> disclaimer).  The model is standalone internet with remoted
> sasl-authenticated clients.
>
> Throughout the process I've been having consistent problems with user
> password authentication.  Both when I began when I was only using flat
> files and now with pgsql, more often than not my username (full email
> address) and password combo have been rejected.  The postfix logs
> started with fairly innocent 'failed login' messages and eventually
> reached the "you don't own this email address, you're a spammer"
> level.  Dovecot has been consistent with "auth: Debug: client passdb
> out: FAIL" messages.
>
> Before I looked at this issue specifically, my guess was it came from
> a Postfix restriction but having spent quite a while going through it
> today, I don't think that's where it lies.
>
> Finally I went back to basics and changed an account password to
> {PLAIN}12345 and what do you know - effortless success!  Previously
> I'd been using mainly argon, ssha512, sha512-crypt and a few others. 
> My passwords are strong (well in excess of 20 characters, 'randomly'
> generated).  I spent this afternoon narrowing down the hashes and
> while I haven't finished, the only one I couldn't get to work with
> 12345 was argon.
>
> I also noticed that the wiki says the 2I and 2ID versions of Argon are
> available, doveadm pw always returned a "does not exist" error when I
> tried to use 2ID.
>
> I'm using Dovecot version 2.3.2.1 (0719df592)
>

Hi!

ARGON2ID is present only if dovecot is compiled with an ARGON2ID-capable
libsodium.

Also, we recently found out that you need to increase the auth process vsz
limit if you are using the ARGON2 algorithm, otherwise it will segfault or
return failure due to memory constraints.

service auth {
   vsz_limit = 2G # or higher, or 0 for no limit.
}

Aki
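
Added example, not part of the original message or of Dovecot: a check that reads the memory cost (m, in KiB) out of a stored Argon2 hash and compares it with a candidate vsz_limit for the auth service. Assumptions: the hash uses the standard $argon2...$m=,t=,p=$ layout, size suffixes are parsed in a simplified way, and BASELINE_BYTES is an invented headroom figure for the auth process itself.

```python
import re

# PHC-style Argon2 string, optionally behind a Dovecot scheme prefix.
# The cost parameter m is expressed in KiB.
_ARGON2 = re.compile(
    r"^(?:\{ARGON2(?:I|ID)\})?\$argon2(?:i|d|id)\$(?:v=\d+\$)?"
    r"m=(\d+),t=(\d+),p=(\d+)\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$"
)
_UNITS = {"": 1, "B": 1, "K": 1024, "M": 1024**2, "G": 1024**3, "T": 1024**4}

# Assumption: headroom for the auth process itself, not a Dovecot figure.
BASELINE_BYTES = 64 * 1024**2

# Constructed sample (dummy salt and digest), m = 1 GiB.
SAMPLE = "{ARGON2ID}$argon2id$v=19$m=1048576,t=3,p=1$c29tZXNhbHQ$Y29uc3RydWN0ZWQ"


def parse_size(text):
    """Return a size setting such as '2G' in bytes; None means no limit (0)."""
    match = re.fullmatch(r"(\d+)\s*([BbKkMmGgTt]?)", text.strip())
    if not match:
        raise ValueError(f"unrecognised size: {text!r}")
    value = int(match.group(1)) * _UNITS[match.group(2).upper()]
    return None if value == 0 else value


def argon2_memory_bytes(stored_hash):
    """Extract the memory cost a verifier must allocate for this hash."""
    match = _ARGON2.match(stored_hash.strip())
    if not match:
        raise ValueError("not an Argon2 hash string")
    return int(match.group(1)) * 1024


def fits(stored_hash, vsz_limit, baseline=BASELINE_BYTES):
    """True if verifying this hash stays under the given vsz_limit."""
    limit = parse_size(vsz_limit)
    return limit is None or argon2_memory_bytes(stored_hash) + baseline <= limit


if __name__ == "__main__":
    for limit in ("1G", "2G", "0"):
        print(limit, "ok" if fits(SAMPLE, limit) else "too small")
```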

