thr3ads.net - dovecot - [Dovecot] Dovecot CRAM-MD5 & DIGEST-MD5 [Jul 2008]

If this information is useful, please help other people find it:
Share via:

Proskurin Kirill

2008-Jul-08 15:39 UTC

[Dovecot] Dovecot CRAM-MD5 & DIGEST-MD5

Hello all.

Im try to make a SMTP Auth using Docecot SASL.
Im use swaks for tests.

Im store users in LDAP.
As im understand for CRAM & DIGEST MD5 we need to store pass in a clear 
text?... Ok.

mail: admin3 at domain.off
userPassword: 123 <- Clear text


What im do


%swaks -a CRAM-MD5 -au admin3 at domain.off -ap 123
To: admin3 at domain.off
=== Trying mx.domain.off:25...
=== Connected to mx.domain.off.
<-  220 mx.domain.off ESMTP Exim 4.69 Tue, 08 Jul 2008 19:14:24 +0000
  -> EHLO mx.domain.off
<-  250-mx.domain.off Hello mx.domain.off [172.16.1.19]
<-  250-SIZE 13631488
<-  250-PIPELINING
<-  250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
<-  250-STARTTLS
<-  250 HELP
  -> AUTH CRAM-MD5
<-  334 PDM4ODYwNTQ1MjEzMTA3NDEuMTIxNTU0NDQ2NEBteC5kb21haW4ub2ZmPg=  ->
YWRtaW4zQGRvbWFpbi5vZmYgMGJlYzIzOTA5Zjg4OTc3MDdkYTJmZmNmOTEzMDBhMmM<** 535
Incorrect authentication data
*** No authentication type succeeded
  -> QUIT
<-  221 mx.domain.off closing connection
=== Connection closed with remote host.


Exim says:

SMTP<< AUTH CRAM-MD5
  9657 dovecot authentication
  9657 AUTH      12      CRAM-MD5        service=smtp    secured 
rip=172.16.1.19 lip=172.16.1.19 resp  9657 received: CONT    12 
PDM0MTMzMjg1NTUyOTE0MjMuMTIxNTU0NDcwMUBteC5kb21haW4ub2ZmPg=  9657 SMTP>>
334
PDM0MTMzMjg1NTUyOTE0MjMuMTIxNTU0NDcwMUBteC5kb21haW4ub2ZmPg=  9657 received: FAIL
12      user=admin3 at domain.off
  9657 SMTP>> 535 Incorrect authentication data
  9657   auth_cram_md5 authenticator failed for mx.domain.off 
[172.16.1.19] I=[172.16.1.19]:26: 535 Incorrect authentication data 
(set_id=admin3 at domain.off)
  9657 SMTP<< QUIT


Dovecot logs:

Info: auth(default): new auth connection: pid=9713
Info: auth(default): client in: AUTH   11      CRAM-MD5 
service=smtp    secured rip=172.16.1.19 lip=172.16.1.19 resp=<hidden>
Info: auth(default): client out: CONT  11 
PDU5MjUzNjc0Mjg1NDAyNjUuMTIxNTU0NDkyN0BteC5kb21haW4ub2ZmPg=Info: auth(default):
client in: CONT<hidden>
Info: auth(default): ldap(admin3 at domain.off,172.16.1.19): pass search: 
base=dc=Virtual-Domains,dc=DOMAIN scope=subtree 
filter=(&(objectClass=mailUser)(mail=admin3 at domain.off)) 
fields=mail,userPassword
Info: auth(default): ldap(admin3 at domain.off,172.16.1.19): result: 
mail(user)=admin3 at domain.off userPassword(password)=<hidden>
Error: auth(default): password(admin3 at domain.off,172.16.1.19): Invalid 
password format for scheme CRAM-MD5
Info: auth(default): client out: FAIL  11      user=admin3 at domain.off

---
password(admin3 at domain.off,172.16.1.19): Invalid password format for 
scheme CRAM-MD5

Hm... as im see - something wrong in my dovecot-ldap.conf ?
Main idea of it is mail = user, userPassword = password.


dovecot-ldap.conf:

hosts = 127.0.0.1
dn = uid=Dovecot,ou=System-Users,dc=DOMAIN
dnpass = 123
debug_level = 0
ldap_version = 3
base = dc=Virtual-Domains,dc=DOMAIN
deref = never
scope = subtree
user_attrs user_filter = (&(objectClass=mailUser)(mail=%u))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=mailUser)(mail=%u))
default_pass_scheme = CRAM-MD5


Dovecot logs with debug_level=1 in attachment.


Help me please - I running out of ideas. :-(

-- 
Best regards,
Proskurin Kirill
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: debug.txt
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20080708/944ad1a1/attachment-0002.txt>

Chris Laif

2008-Jul-08 21:59 UTC

head link

[Dovecot] Dovecot CRAM-MD5 & DIGEST-MD5

On Tue, Jul 8, 2008 at 5:39 PM, Proskurin Kirill <k.proskurin at
fxclub.org> wrote:>
> Error: auth(default): password(admin3 at domain.off,172.16.1.19): Invalid
password format for scheme CRAM-MD5
>
> dovecot-ldap.conf:
> default_pass_scheme = CRAM-MD5
>
Set default_pass_scheme to PLAIN as you store passwords in plain text.

For improved security, store the passwords in HMAC-MD5-format.

For CRAM-MD5 auth you do not need to store the password in PLAIN
format. It is ok to store the password in HMAC-MD5 format.

For DIGEST-MD5 you need to store the pass in PLAIN format.

Chris

Proskurin Kirill

2008-Jul-09 06:47 UTC

head link

[Dovecot] Dovecot CRAM-MD5 & DIGEST-MD5 [SOLVED]

Chris Laif wrote:> On Tue, Jul 8, 2008 at 5:39 PM, Proskurin Kirill <k.proskurin at
fxclub.org> wrote:
>> Error: auth(default): password(admin3 at domain.off,172.16.1.19):
Invalid password format for scheme CRAM-MD5
>>
>> dovecot-ldap.conf:
>> default_pass_scheme = CRAM-MD5
>>
> 
> Set default_pass_scheme to PLAIN as you store passwords in plain text.
> 
> For improved security, store the passwords in HMAC-MD5-format.
> 
> For CRAM-MD5 auth you do not need to store the password in PLAIN
> format. It is ok to store the password in HMAC-MD5 format.
> 
> For DIGEST-MD5 you need to store the pass in PLAIN format.
> 
Thank you for reply.
It is works.

Sad but mostly im need DIGEST-MD5. :-(

-- 
Best regards,
Proskurin Kirill

Maybe Matching Threads

Search for more possibly parallel threads

dovecot - Jul 2008 - Dovecot CRAM-MD5 & DIGEST-MD5

[Dovecot] Dovecot CRAM-MD5 & DIGEST-MD5

[Dovecot] Dovecot CRAM-MD5 & DIGEST-MD5

[Dovecot] Dovecot CRAM-MD5 & DIGEST-MD5 [SOLVED]

Maybe Matching Threads