I'm currently experiencing a problem which has already been described
by Jonathan in http://www.dovecot.org/list/dovecot/2006-August/015501.html

If I use CRAM-MD5 auth with passwd-file as a backend (Thunderbird
client) everything works fine (MD5-hashes have been shortened for
readability):

dovecot: auth(default): password(bob at foo.bar,10.0.0.123): Credentials: f12c884ba3cc82..
dovecot: imap-login: Login: user=<bob at foo.bar>, method=CRAM-MD5, rip=10.0.0.123, lip=10.0.0.234

My passwd file contains a line like this:

bob at foo.bar:{HMAC-MD5}f12c884ba3cc82..

If I change to postgresql-based passdb, PLAIN auth works (!) and
CRAM-MD5 does not work:

dovecot: auth(default): sql(bob at foo.bar,10.0.0.123): query: SELECT 'bob at foo.bar' AS user, '{HMAC-MD5}f12c884ba3cc82..' AS password
dovecot: auth(default): password(bob at foo.bar,10.0.0.123): Credentials:
dovecot: auth(default): cram-md5(bob at foo.bar,10.0.0.123): password mismatch

Please note the ultra-simple SELECT-statement (I've tried other
combinations as well - no success). sql.conf setting is
"default_pass_scheme = HMAC-MD5". Dovecot version 1.0.rc10.

In the postgresql-based example the "Credentials:" variable is empty.
I wonder if this is a bug in dovecot.

Please let me know if you need any further information to resolve this issue.

Thanks,
Chris

(As a side note I still do not understand how CRAM-MD5 auth is able to
work without a plain text password, but that's another story. If it
works with an HMAC-MD5 hash in a passwd-file backend it should work
with the postgresql-db backend as well.)
Muahh, I do not want to annoy anyone with my questions, but I'm still
stuck with this problem. After hours of reading code and mailing lists
I still do not understand why CRAM-MD5 does not work depending on the
storage you use for the passdb.

This has already been discussed in
http://dovecot.org/list/dovecot/2006-September/016051.html
http://www.dovecot.org/list/dovecot/2006-August/015501.html
but ... no solution :-(

It would be really great if someone (Timo?) can drop a few words if

a.) this is not possible by principle
b.) this is a bug in dovecot's code (and will be fixed soon :-) )

Unfortunately my coding skills are not good enough to completely
understand (fix?) the code. Let me know if I can help by other means.

Chris

On 10/24/06, Chris Laif <chris.laif at googlemail.com> wrote:
> I'm currently experiencing a problem which has already been described
> by Jonathan in http://www.dovecot.org/list/dovecot/2006-August/015501.html
>
> If I use CRAM-MD5 auth with passwd-file as a backend (Thunderbird
> client) everything works fine (MD5-hashes have been shortened for
> readability):
>
> dovecot: auth(default): password(bob at foo.bar,10.0.0.123): Credentials:
> f12c884ba3cc82..
> dovecot: imap-login: Login: user=<bob at foo.bar>, method=CRAM-MD5,
> rip=10.0.0.123, lip=10.0.0.234
>
> My passwd file contains a line like this:
>
> bob at foo.bar:{HMAC-MD5}f12c884ba3cc82..
>
> If I change to postgresql-based passdb, PLAIN auth works (!) and
> CRAM-MD5 does not work:
>
> dovecot: auth(default): sql(bob at foo.bar,10.0.0.123): query: SELECT
> 'bob at foo.bar' AS user, '{HMAC-MD5}f12c884ba3cc82..' AS password
> dovecot: auth(default): password(bob at foo.bar,10.0.0.123): Credentials:
> dovecot: auth(default): cram-md5(bob at foo.bar,10.0.0.123): password mismatch
>
> Please note the ultra-simple SELECT-statement (I've tried other
> combinations as well - no success). sql.conf setting is
> "default_pass_scheme = HMAC-MD5". Dovecot version 1.0.rc10.
>
> In the postgresql-based example the "Credentials:" variable is empty.
> I wonder if this is a bug in dovecot.
>
> Please let me know if you need any further information to resolve this issue.
>
> Thanks,
> Chris
>
> (As a side note I still do not understand how CRAM-MD5 auth is able to
> work without a plain text password, but that's another story. If it
> works with an HMAC-MD5 hash in a passwd-file backend it should work
> with the postgresql-db backend as well.)
Timo Sirainen
2006-Nov-02 21:19 UTC
[Dovecot] CRAM-MD5 auth broken with postgresql passdb?
On Mon, 2006-10-30 at 09:28 +0100, Chris Laif wrote:
> Muahh, I do not want to annoy anyone with my questions, but I'm still
> stuck with this problem. After hours of reading code and mailing lists
> I still do not understand why CRAM-MD5 does not work depending on the
> storage you use for the passdb.
>
> This has already been discussed in
> http://dovecot.org/list/dovecot/2006-September/016051.html
> http://www.dovecot.org/list/dovecot/2006-August/015501.html
> but ... no solution :-(
>
> It would be really great if someone (Timo?) can drop a few words if
>
> a.) this is not possible by principle
> b.) this is a bug in dovecot's code (and will be fixed soon :-) )

I thought this sounded a bit familiar. It was fixed for LDAP a while
ago. Fix here:
http://dovecot.org/list/dovecot-cvs/2006-November/006661.html
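On the side note in the first message (how CRAM-MD5 can work without a plain text password), here is an added example that is not part of the thread or of Dovecot's code: the server can keep only the two MD5 states left after hashing the HMAC key pads and finish the computation per challenge. The function names, the sample password and challenge, and the 32-byte storage layout are assumptions made for illustration, not Dovecot's on-disk encoding.

```python
import hashlib, hmac, math, struct

S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # RFC 1321 initial state

def compress(state, block):
    """Fold one 64-byte block into a 4-word MD5 state."""
    m, (a, b, c, d) = struct.unpack("<16I", block), state
    for i in range(64):
        if i < 16:   f, g = (b & c) | (~b & d), i
        elif i < 32: f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48: f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:        f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & 0xFFFFFFFF
        rot = ((f << S[i]) | (f >> (32 - S[i]))) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + rot) & 0xFFFFFFFF
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d)))

def finish(state, tail):
    """Finish MD5 from a saved state; exactly one 64-byte block was hashed before."""
    total = 64 + len(tail)
    tail += b"\x80" + b"\x00" * ((55 - total) % 64) + struct.pack("<Q", total * 8)
    for i in range(0, len(tail), 64):
        state = compress(state, tail[i:i + 64])
    return struct.pack("<4I", *state)

def store_credential(password):
    """Server, at password-set time: keep only the two padded-key MD5 states."""
    key = hashlib.md5(password).digest() if len(password) > 64 else password
    key = key.ljust(64, b"\0")
    inner = compress(INIT, bytes(k ^ 0x36 for k in key))  # state after key XOR ipad
    outer = compress(INIT, bytes(k ^ 0x5C for k in key))  # state after key XOR opad
    return struct.pack("<8I", *inner, *outer)  # illustrative layout, 32 bytes

def expected_response(stored, challenge):
    """Server, at login: resume both states to get HMAC-MD5(password, challenge)."""
    w = struct.unpack("<8I", stored)
    return finish(w[4:], finish(w[:4], challenge)).hex()

def verify(stored, challenge, client_hex):
    # An empty credentials lookup can never match: there is no state to resume.
    return len(stored) == 32 and hmac.compare_digest(
        expected_response(stored, challenge), client_hex)

def client_response(password, challenge):
    """Client: ordinary HMAC-MD5 over the challenge, keyed with the password."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()

PASSWORD, CHALLENGE = b"correct horse", b"<1234.5678@mail.example>"  # constructed
```

The stored state is enough to answer any challenge, so it is password-equivalent for CRAM-MD5 and the passdb column holding it needs the same protection as a plain text password.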