I am using SHA512-CRYPT scheme for passwords.

In my dovecot-sql.conf.ext, I have: default_pass_scheme = CRYPT

In 10-auth.conf, I have:
auth_mechanisms = plain login digest-md5

M$ Outlook is refusing to authenticate, with error: Requested DIGEST-MD5
scheme, but we have only CRYPT

What am I missing??

I hate it that this has taken me round in circles :-)

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)

On 20 December 2018 at 11:20 Odhiambo Washington <odhiambo@gmail.com> wrote:

> I am using SHA512-CRYPT scheme for passwords.
>
> In my dovecot-sql.conf.ext, I have: default_pass_scheme = CRYPT
>
> In 10-auth.conf, I have:
> auth_mechanisms = plain login digest-md5
>
> M$ Outlook is refusing to authenticate, with error: Requested DIGEST-MD5
> scheme, but we have only CRYPT
>
> What am I missing??
>
> I hate it that this has taken me round in circles :-)
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft.", grep ^[^#] :-)

digest-md5 works only with plain text passwords or stored with output from doveadm pw -s digest-md5

---
Aki Tuomi
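
Why the server answers "Requested DIGEST-MD5 scheme, but we have only CRYPT", as an added example that is not part of the original thread: the DIGEST-MD5 response (RFC 2831) is built from MD5(user:realm:password), so the server must hold either the plaintext or that exact value, and a one-way SHA512-CRYPT hash provides neither. The function names are illustrative, the `{SCHEME}` prefixes follow Dovecot's convention, the exchange parameters are those of the RFC 2831 section 4 IMAP example, and the crypt value is a constructed placeholder.

```python
import hashlib

def digest_md5_secret(user: str, realm: str, password: str) -> str:
    """Hex MD5(user:realm:password), the value a DIGEST-MD5 password scheme stores."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def digest_response(secret_hex: str, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 response value, computed from the stored secret alone."""
    # A1 starts with the raw 16-byte MD5(user:realm:password), not its hex form.
    a1 = bytes.fromhex(secret_hex) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode()).hexdigest()

def usable_secret(stored: str, user: str, realm: str):
    """Return the DIGEST-MD5 secret derivable from a stored credential, or None."""
    scheme, _, value = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    if scheme == "PLAIN":
        return digest_md5_secret(user, realm, value)
    if scheme == "DIGEST-MD5":
        return value
    # Any one-way hash (SHA512-CRYPT, MD5-CRYPT, ...): the password cannot be
    # recovered, so MD5(user:realm:password) cannot be computed either.
    return None

# Parameters of the RFC 2831 section 4 example exchange.
USER, REALM, PASSWORD = "chris", "elwood.innosoft.com", "secret"
NONCE, CNONCE, NC = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001"
URI = "imap/elwood.innosoft.com"

# Constructed password-database values for the same user.
STORED = [
    "{PLAIN}secret",
    "{DIGEST-MD5}" + digest_md5_secret(USER, REALM, PASSWORD),
    "{SHA512-CRYPT}$6$constructedsalt$placeholder-not-a-real-hash",
]

if __name__ == "__main__":
    client = digest_response(digest_md5_secret(USER, REALM, PASSWORD),
                             NONCE, CNONCE, NC, URI)
    for row in STORED:
        secret = usable_secret(row, USER, REALM)
        ok = secret is not None and digest_response(
            secret, NONCE, CNONCE, NC, URI) == client
        print(f"{row.split('}')[0]}}}: server can verify = {ok}")
```
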

Greetings

On Thu, 2018-12-20 at 12:20 +0300, Odhiambo Washington wrote:
> I am using SHA512-CRYPT scheme for passwords.

Yeah, there is a reason MD5 has been preferred to crypt for a very long
time now, and the SHA512 isn't really any better.

> In my dovecot-sql.conf.ext, I have: default_pass_scheme = CRYPT
>
> In 10-auth.conf, I have:
> auth_mechanisms = plain login digest-md5
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

> M$ Outlook is refusing to authenticate, with error: Requested DIGEST-MD5
> scheme, but we have only CRYPT
> What am I missing??

You are not advertising 3 possible auth methods, I am assuming that plain
will use the SQL extension. Unless you are going to set up a digest-md5
method I would remove it from the advertised methods as most clients will
default to a digest method before selecting plain. Unless you control all
the clients and can configure them to only use the plain method of auth (I
would also be ensuring that you have TLS enforced in some way for this)
then removal of the digest method is probably the best fix.

If the plain and/or login methods are failing check your sql config
includes the passdb and userdb sections.

--
Nikolai Lusan <nikolai at lusan.id.au>

You've made this more difficult to understand, even :-)

So the answer is:

Set the following in 10-auth.conf
1. disable_plaintext_auth = no
2. auth_mechanisms = plain

And yes, the encrypted passwords are stored in MySQL.

On Thu, 20 Dec 2018 at 13:36, Nikolai Lusan <nikolai at lusan.id.au> wrote:

> Greetings
>
> On Thu, 2018-12-20 at 12:20 +0300, Odhiambo Washington wrote:
> > I am using SHA512-CRYPT scheme for passwords.
>
> Yeah, there is a reason MD5 has been preferred to crypt for a very long
> time now, and the SHA512 isn't really any better.
>
> > In my dovecot-sql.conf.ext, I have: default_pass_scheme = CRYPT
> >
> > In 10-auth.conf, I have:
> > auth_mechanisms = plain login digest-md5
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > M$ Outlook is refusing to authenticate, with error: Requested DIGEST-MD5
> > scheme, but we have only CRYPT
> > What am I missing??
>
> You are not advertising 3 possible auth methods, I am assuming that plain
> will use the SQL extension. Unless you are going to set up a digest-md5
> method I would remove it from the advertised methods as most clients will
> default to a digest method before selecting plain. Unless you control all
> the clients and can configure them to only use the plain method of auth (I
> would also be ensuring that you have TLS enforced in some way for this)
> then removal of the digest method is probably the best fix.
>
> If the plain and/or login methods are failing check your sql config
> includes the passdb and userdb sections.
>
> --
> Nikolai Lusan <nikolai at lusan.id.au>

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)