dovecot - Aug 2006 - auth failure with digest-md5

Hi!

I'm using:
Dovecot 1.0.beta8
OpenBSD 3.9
KMail 1.9.3


My password file contains only one user now. I've changed its password 
to a dumb one: 'asd' (so this is not a wrong password failure :)

I've configured the PLAIN and DIGEST-MD5 mechanisms in dovecot.conf, and 
I'm only using pop3.
Also I've turned on the verbose auth logging, and I'm attaching the logs
inline. My password db contains the {DIGEST-MD5} prefixed password.
The problem is very simple but very weird.
I start the dovecot server and try to log in.
It succeeds, I'm happy.
But after one (the first) success, all further logins fails. Yes this a 
sometimes working/sometimes not problem, which is rare in this 
business...

Here is the log of the first success:

00:48:41 Info: auth(default): client in: AUTH 1 DIGEST-MD5 service=POP3 
secured lip=192.168.0.202 rip=192.168.0.3 resp<newline>
00:48:41 Info: auth(default): client out: CONT   1 
cmVhbG09IiIsbm9uY2U9ImJua2tUaHBDVURJblFENWRJZlgyb1E9PSIscW9wPSJhdXRoIixjaGFyc2V0PSJ1dGYtOCIsYWxnb3JpdGhtPSJtZDUtc2VzcyI<newline>
00:48:41 Info: auth(default): client in: CONT   1       
dXNlcm5hbWU9ImxldmEiLHJlYWxtPSIiLG5vbmNlPSJibmtrVGhwQ1VESW5RRDVkSWZYMm9RPT0iLGNub25jZT0iTy9MYndLMVo1dWc4ZURiT2wzaWlhN2ZsTUVTV3MvN1JSc05HL3JPbzhpND0iLG5jPTAwMDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InBvcC8xOTIuMTY4LjAuMjAyIixyZXNwb25zZT0wYTQ3ZmUyNmVlMDg0MWE4ZDgzNTM3NzI5MzUxZmE3YQ=<newline>
00:48:41 Info: auth(default): client out: CONT  1 
cnNwYXV0aD01MmQ1YTRlNTVhNWNiYzA0NDk2YTg5ODcyMDMwMGUxYw=<newline>
00:48:41 Info: auth(default): client in: CONT   1
<newline>
00:48:41 Info: auth(default): client out: OK    1       user=username
<newline>
00:48:41 Info: auth(default): master in: REQUEST 9 15718   1
<newline>
00:48:41 Info: auth(default): master out: USER  9 username uid=6000 
gid=6000 home=/var/mail/virtual/username/./
<newline>
00:48:41 Info: pop3-login: Login: user=<username>, method=DIGEST-MD5, 
rip=192.168.0.3, lip=192.168.0.202, TLS
<newline>
00:48:41 Info: POP3(username): Disconnected: Logged out top=0/0, 
retr=0/0, del=0/0, size=0


And after that, every login fails:

00:49:28 Info: auth(default): client in: AUTH 1 DIGEST-MD5 service=POP3 
secured lip=192.168.0.202 rip=192.168.0.3 
resp=dXNlcm5hbWU9ImxldmEiLHJlYWxtPSIiLG5vbmNlPSJibmtrVGhwQ1VESW5RRDVkSWZYMm9RPT0iLGNub25jZT0iTy9MYndLMVo1dWc4ZURiT2wzaWlhN2ZsTUVTV3MvN1JSc05HL3JPbzhpND0iLG5jPTAwMDAwMDAyLHFvcD1hdXRoLGRpZ2VzdC11cmk9InBvcC8xOTIuMTY4LjAuMjAyIixyZXNwb25zZT0wMWRkMDNjYTcyMzBmMzM5YjRiY2NlM2VmMTcwMGU4Yw=<newline>
00:49:28 Info: pop3-login: Aborted login: method=DIGEST-MD5, 
rip=192.168.0.3, lip=192.168.0.202, TLS
<newline>
00:49:28 Info: auth(default): passwd-file /etc/dovecot.passwd: Read 1 
users


I can notice that the second (the failure) log is shorter than the first 
(the success). Maybe something is missing from there.

The PLAIN auth mechanism is working, even after a failed DIGEST-MD5 
login. In fact the PLAIN login always works :)

Thanks!

Daniel

-- 
LeVA

On 18.8.2006, at 2.44, LeVA wrote:

..
> 00:49:28 Info: auth(default): client in: AUTH 1 DIGEST-MD5  
> service=POP3
> secured lip=192.168.0.202 rip=192.168.0.3
> resp=dXNlcm5hbWU9ImxldmEiLHJlYWxtPSIiLG5vbmNlPSJibmtrVGhwQ1VESW5RRDVkS 
> WZYMm9RPT0iLGNub25jZT0iTy9MYndLMVo1dWc4ZURiT2wzaWlhN2ZsTUVTV3MvN1JSc05 
> HL3JPbzhpND0iLG5jPTAwMDAwMDAyLHFvcD1hdXRoLGRpZ2VzdC11cmk9InBvcC8xOTIuM 
> TY4LjAuMjAyIixyZXNwb25zZT0wMWRkMDNjYTcyMzBmMzM5YjRiY2NlM2VmMTcwMGU4Yw= 
> > <newline>
> 00:49:28 Info: pop3-login: Aborted login: method=DIGEST-MD5,
> rip=192.168.0.3, lip=192.168.0.202, TLS
> <newline>
> 00:49:28 Info: auth(default): passwd-file /etc/dovecot.passwd: Read 1
> users
Does this contain only the "info" lines and no error lines? 1.0beta9  
fixed this problem:

         - DIGEST-MD5: Trying to use subsequent authentication crashed
           dovecot-auth.

I think that's your problem. The logs should have said that dovecot- 
auth crashed though.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20060818/06e0957f/attachment.bin>

Tere.


I'm using latest Dovecot with system (Debian Sarge) quota on /home, and
custom default_mail_env
maildir:%h/Maildir:INDEX=/var/spool/dovecot/index/%u:CONTROL=/var/spool/dovecot/control/%u

However as the Dovecot includes own Maildir quota, I'm curios to know is
this working fine now? If yes, then how should i migrate it from current
settings to the Dovecot -s own Maildir quota?

-- 
Mart

2006. August 18. 01:52, Timo Sirainen:
> On 18.8.2006, at 2.44, LeVA wrote:
>
> ..
>
> > 00:49:28 Info: auth(default): client in: AUTH 1 DIGEST-MD5
> > service=POP3
> > secured lip=192.168.0.202 rip=192.168.0.3
> > resp=dXNlcm5hbWU9ImxldmEiLHJlYWxtPSIiLG5vbmNlPSJibmtrVGhwQ1VESW5RRD
> >VkS
> > WZYMm9RPT0iLGNub25jZT0iTy9MYndLMVo1dWc4ZURiT2wzaWlhN2ZsTUVTV3MvN1JS
> >c05
> > HL3JPbzhpND0iLG5jPTAwMDAwMDAyLHFvcD1hdXRoLGRpZ2VzdC11cmk9InBvcC8xOT
> >IuM
> > TY4LjAuMjAyIixyZXNwb25zZT0wMWRkMDNjYTcyMzBmMzM5YjRiY2NlM2VmMTcwMGU4
> >Yw= > > <newline>
> > 00:49:28 Info: pop3-login: Aborted login: method=DIGEST-MD5,
> > rip=192.168.0.3, lip=192.168.0.202, TLS
> > <newline>
> > 00:49:28 Info: auth(default): passwd-file /etc/dovecot.passwd: Read
> > 1 users
>
> Does this contain only the "info" lines and no error lines?
1.0beta9
> fixed this problem:
>
>          - DIGEST-MD5: Trying to use subsequent authentication
> crashed dovecot-auth.
>
> I think that's your problem. The logs should have said that dovecot-
> auth crashed though.
This is the whole log, not only the info, no crashes in the log file 
(and nor in the real life :).

Thanks for the pointer, I'm looking forward to install a recent version, 
until then I just use TLS+Plain Text.

Daniel

-- 
LeVA

> ..
> > 00:49:28 Info: auth(default): client in: AUTH 1 DIGEST-MD5  
> > service=POP3
> > secured lip=192.168.0.202 rip=192.168.0.3
> >
> >[...] 
> > rip=192.168.0.3, lip=192.168.0.202, TLS 
> > <newline>
> >00:49:28 Info: auth(default): passwd-file /etc/dovecot.passwd: Read 1
> > users
> Does this contain only the "info" lines and no error lines?
1.0beta9
> fixed this problem:
> 
>          - DIGEST-MD5: Trying to use subsequent authentication crashed
>            dovecot-auth.
> 
> I think that's your problem. The logs should have said that dovecot- 
> auth crashed though.
The problem solved due to the upgrade, thanks!

Daniel

-- 
LeVA

On 3.12.2010, at 8.36, Mart Pirita wrote:
> RedHat 9 based distro, 2.6.24.2 kernel, OpenSSL 1.0.0a 1 Jun 2010
Hmm. v1.0.0a, really?..
>
/usr/src/redhat/BUILD/dovecot-1.2.16/src/login-common/ssl-proxy-openssl.c:950:
undefined reference to `OpenSSL_add_all_algorithms'
I just hate OpenSSL. You can comment out that line from the code until I figure
out what to do about this. That function was supposed to have existed since
forever in OpenSSL. Or did the compiling log any warnings?

Timo Sirainen kirjutas:
>> CPPFLAGS=-I/usr/local/ssl/include/openssl
> Try -I/usr/local/ssl/include
>
Well, Timo - You did it again, small thing, but nobody, except You noticed.

With:
export CPPFLAGS
export LDFLAGS

CPPFLAGS=-I/usr/local/ssl/include
LDFLAGS=-L/usr/local/ssl/lib

1.2.16 from original (ssl-proxy-openssl.c:950 line is active) compiled 
fine, and also runs fine with openssl-0.9.8p (previous good one was 
openssl-0.9.8l).

Again, thank You and Your patience.

P.S. Maybe some hint into wiki about it would be good?

-- 
Mart