Matthew Reimer
2003-Nov-12 01:09 UTC
[Dovecot] Problem with DIGEST-MD5 authentication and plaintext passwords
I wasn't able to get DIGEST-MD5 authentication working with passwords stored as plaintext until I tweaked password_generate() to make it not use the domain portion of user@domain.com as the realm. Both evolution and kmail send the email address as the username with no realm; when dovecot tries to convert the username to user + realm, the hash is different and so DIGEST-MD5 authentication fails. Having password_generate() hash user@domain.com::password instead of user:domain.com:password fixes it. I need this to work because I need to support all of PLAIN, CRAM-MD5, and DIGEST-MD5 at the same time.

Timo, do you think this is a proper fix, or are kmail and evolution broken?

Matt
Timo Sirainen
2003-Nov-16 15:56 UTC
[Dovecot] Problem with DIGEST-MD5 authentication and plaintext passwords
On Wed, 2003-11-12 at 03:09, Matthew Reimer wrote:
> I wasn't able to get DIGEST-MD5 authentication working with passwords
> stored as plaintext until I tweaked password_generate() to make it not
> use the domain portion of user@domain.com as the realm. Both evolution
> and kmail send the email address as the username with no realm; when
> dovecot tries to convert the username to user + realm, the hash is
> different and so DIGEST-MD5 authentication fails. Having
> password_generate() hash user@domain.com::password instead of
> user:domain.com:password fixes it. I need this to work because I need to
> support all of PLAIN, CRAM-MD5, and DIGEST-MD5 at the same time.
>
> Timo, do you think this is a proper fix, or are kmail and evolution broken?

Well .. Looks like most clients don't actually use realms, but I rather wouldn't completely drop support for them which your change would do.

Correct fix would be to separate realm and "@domain" handling in code, that should work with both cases. I'll see if I can get that done.
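The HA1 mismatch Matt describes, Matt's tweak, and the "separate realm from @domain" direction Timo proposes, modelled as an added Python example (not Dovecot's code; the user store, nonces and digest-uri are constructed, and the server strategies are a model of the thread's description, not of Dovecot's actual implementation):

```python
import hashlib

# Constructed sample data for this illustration (not from the thread).
USERS = {("alice", "example.com"): "secret"}   # plaintext password store
NONCE, CNONCE, NC, QOP = "srvnonce", "clinonce", "00000001", "auth"
DIGEST_URI = "imap/mail.example.com"


def ha1(username: str, realm: str, password: str) -> bytes:
    """RFC 2831 H(username:realm:passwd). With an empty realm this is the
    'user@domain.com::password' form Matt describes."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def response(h_a1: bytes) -> str:
    """RFC 2831 response-value for qop=auth. The username enters only via
    HA1, so a realm mismatch surfaces purely as a different HA1."""
    hx = lambda b: hashlib.md5(b).hexdigest()
    a1 = h_a1 + f":{NONCE}:{CNONCE}".encode()
    a2 = f"AUTHENTICATE:{DIGEST_URI}".encode()
    return hx(f"{hx(a1)}:{NONCE}:{NC}:{CNONCE}:{QOP}:{hx(a2)}".encode())


def split(username: str, realm: str):
    """Account lookup: take the domain from user@domain if present,
    otherwise fall back to the realm the client sent."""
    user, _, domain = username.partition("@")
    return user, (domain or realm)


def server_domain_as_realm(username: str, realm: str) -> str:
    """Behaviour Matt hit: the @domain part is forced into the realm slot."""
    user, domain = split(username, realm)
    return response(ha1(user, domain, USERS[(user, domain)]))


def server_no_realm(username: str, realm: str) -> str:
    """Matt's tweak: always hash username::password, ignoring the realm."""
    user, domain = split(username, realm)
    return response(ha1(username, "", USERS[(user, domain)]))


def server_as_sent(username: str, realm: str) -> str:
    """Timo's direction: @domain only selects the account; the hash uses
    the username and realm exactly as the client sent them."""
    user, domain = split(username, realm)
    return response(ha1(username, realm, USERS[(user, domain)]))


def authenticates(server, username: str, realm: str) -> bool:
    """Client side: hash exactly what it sends, then compare responses."""
    return server(username, realm) == response(ha1(username, realm, "secret"))
```

A kmail/evolution-style client sends "alice@example.com" with an empty realm, a realm-aware client sends "alice" with realm "example.com"; only the as-sent strategy accepts both.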
Maikel Verheijen
2003-Nov-17 07:37 UTC
[Dovecot] Problem with DIGEST-MD5 authentication and plaintext passwords
For what it's worth: We use postgres user lookups, and use an older version of dovecot (an old cvs version of around 0.99.9.1), and we DO use digest-md5 password encryption in the database and realms. It seems to work flawlessly in our situation, I used kmail, evolution, apple-mail, entourage, outlook, outlook-express and mutt.

Have there been changes in the digest-md5 code since 0.99.9.1 ?

Kind regards,

Maikel Verheijen
Ladot Nederland BV.

On Nov 16, 2003, at 4:56 PM, Timo Sirainen wrote:
> On Wed, 2003-11-12 at 03:09, Matthew Reimer wrote:
>> I wasn't able to get DIGEST-MD5 authentication working with passwords
>> stored as plaintext until I tweaked password_generate() to make it not
>> use the domain portion of user@domain.com as the realm. Both evolution
>> and kmail send the email address as the username with no realm; when
>> dovecot tries to convert the username to user + realm, the hash is
>> different and so DIGEST-MD5 authentication fails. Having
>> password_generate() hash user@domain.com::password instead of
>> user:domain.com:password fixes it. I need this to work because I need to
>> support all of PLAIN, CRAM-MD5, and DIGEST-MD5 at the same time.
>>
>> Timo, do you think this is a proper fix, or are kmail and evolution broken?
>
> Well .. Looks like most clients don't actually use realms, but I rather
> wouldn't completely drop support for them which your change would do.
>
> Correct fix would be to separate realm and "@domain" handling in code,
> that should work with both cases. I'll see if I can get that done.
Matthew Reimer
2003-Nov-17 22:56 UTC
[Dovecot] Problem with DIGEST-MD5 authentication and plaintext passwords
Timo Sirainen wrote:
> On Wed, 2003-11-12 at 03:09, Matthew Reimer wrote:
>> I wasn't able to get DIGEST-MD5 authentication working with passwords
>> stored as plaintext until I tweaked password_generate() to make it not
>> use the domain portion of user@domain.com as the realm. Both evolution
>> and kmail send the email address as the username with no realm; when
>> dovecot tries to convert the username to user + realm, the hash is
>> different and so DIGEST-MD5 authentication fails. Having
>> password_generate() hash user@domain.com::password instead of
>> user:domain.com:password fixes it. I need this to work because I need to
>> support all of PLAIN, CRAM-MD5, and DIGEST-MD5 at the same time.
>>
>> Timo, do you think this is a proper fix, or are kmail and evolution broken?
>
> Well .. Looks like most clients don't actually use realms, but I rather
> wouldn't completely drop support for them which your change would do.
>
> Correct fix would be to separate realm and "@domain" handling in code,
> that should work with both cases. I'll see if I can get that done.

Thanks Timo. Send me a patch when you're done and I'll test it.

Matt