dovecot - Jun 2004 - auth failure

well, with some help I've made a fair amount of progress on my box.
It's working out much easier than I had anticipated and perhaps my notes 
will be useful some day.

I have two questions...

Here is where I am:

cling:~# egrep -v "^($|\#)" /etc/dovecot.conf
protocols =  imap imaps
login = imap
login_max_processes_count = 16
login = pop3
max_mail_processes = 512
verbose_proctitle = yes
default_mail_env = maildir:~/Maildir
mailbox_check_interval = 1
auth = default
auth_mechanisms = plain
auth_passdb = pgsql /etc/dovecot-pgsql.conf
auth_user = root
auth_verbose = yes

cling:~# egrep -v "^($|\#)" /etc/dovecot-pgsql.conf
connect = dbname=dbmail user=dbmail_reader password=SECRET
default_pass_scheme = PLAIN-MD5
password_query = SELECT passwd AS password FROM users WHERE userid =
'%u'

I've created working passwords using 'mkpasswd --hash=md5'
and plugged the results into my database.

I can login and everything looks pretty cool.

Except, as near as I can tell, I'm sending plaintext authentication over 
the wire.  My best guess is that my password gets munged into digest-md5 
format before it goes over the wire.

At this point I'm of the opinion that I'm reasonably secure.
True so far?


My guess is that the next step in security is to go for imaps and ssl 
configuration.  But my debian installation doesn't appear to have the 
dovecot-openssl.cnf file referenced in the configuration.txt file.

Is this missing from dovecot or am I looking at a debian problem?

> My guess is that the next step in security is to go for imaps and ssl
> configuration.  But my debian installation doesn't appear to have the
> dovecot-openssl.cnf file referenced in the configuration.txt file.
> Is this missing from dovecot or am I looking at a debian problem?
No debian neither dovecot problem.

protocols =  imap imaps
Be sure to have certificate for dovecot (Debian should create a default one)
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem

I prefer to split up the pem file into crt and key and to use one of my
own certificates created with my CA, but you can also buy one... if you
like (verisign, thawte)
ssl_cert_file = /etc/ssl/certs/my_own_cert.crt
ssl_key_file = /etc/ssl/private/my_own_private.key
Check if the port does accept connection and if you can see the certificate:
openssl s_client -connect localhost:993 (imaps port)
That should do it.
(you bitch! ;-))

On Thu, Jun 10, 2004 at 09:36:48PM -0400, Tom Allison
wrote:
> I've created working passwords using 'mkpasswd --hash=md5'
...
> I can login and everything looks pretty cool.
> 
> Except, as near as I can tell, I'm sending plaintext authentication
over
> the wire.  My best guess is that my password gets munged into digest-md5 
> format before it goes over the wire.
Those two sentences contradict.

I think you mean you're sending plaintext passwords over the wire; when
received at the server they are MD5-hashed, and compared with the hashed
passwords in your database.

You can check this with tcpdump, dsniff etc.
> At this point I'm of the opinion that I'm reasonably secure.
> True so far?
Depends on your definition of "secure".

Unless running over SSL, you are not secure against sniffers, who can easily
see and re-use your passwords. However someone who breaks into your server
will not have a full table of cleartext passwords, only the hashes. That
means they have to do some work (a dictionary attack) to recover the
passwords. Mind you, given most people's password habits, they'll
probably
recover 80% of the passwords within seconds anyway.

Brian.