dovecot - Nov 2008 - Password authentication and character set

Hi,

I've searched in the wiki and in the mailinglist archives but haven't 
found anything about password character sets within the dovecot 
authentication deamon.

My problem is that we have users with passwords containing scandinavian 
characters (???, umlauts) and the debug log shows that different clients 
send the password in different charsets.  The passwords are stored in a 
Mysql table, if that makes any difference.

Outlook Express with LATIN 1 (ISO-8859-1):

Nov 18 16:56:39 resilar dovecot: auth-worker(default): 
sql(fgr-1,193.64.206.190): Password mismatch
Nov 18 16:56:39 resilar dovecot: auth-worker(default): 
sql(fgr-1,193.64.206.190): MD5(<E4><E4>kk<F6>si<E4>) != 
'$1$xMPPHRdL$I0mrlPi5FMtwauSf20vjz0'

MacMail UTF8:

Nov 18 17:23:37 resilar dovecot: auth-worker(default): 
sql(fgr-1,193.64.206.190): Password mismatch
Nov 18 17:23:37 resilar dovecot: auth-worker(default): 
sql(fgr-1,193.64.206.190): MD5(??kk?si?12) != 
'$1$xMPPHRdL$I0mrlPi5FMtwauSf20vjz0'

Is there a setting that "forces" the authentication daemon to convert 
the provided password to a specific charset before the comparison takes 
place, or how should one handle this?

dovecot -n

# 1.1.4: /etc/dovecot/dovecot.conf
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap imaps pop3 pop3s managesieve
ssl_cert_file: /etc/ssl/certs/mail.crt
ssl_key_file: /etc/ssl/private/mail.key
ssl_cipher_list: ALL:!LOW
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
login_executable(managesieve): /usr/lib/dovecot/managesieve-login
login_greeting: mail ready.
login_process_per_connection: no
mail_privileged_group: mail
mail_location: maildir:~/mail
mail_debug: yes
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_executable(managesieve): /usr/lib/dovecot/managesieve
mail_plugins(default): quota imap_quota
mail_plugins(imap): quota imap_quota
mail_plugins(pop3): quota
mail_plugins(managesieve):
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
imap_client_workarounds(default): delay-newmail outlook-idle
imap_client_workarounds(imap): delay-newmail outlook-idle
imap_client_workarounds(pop3):
imap_client_workarounds(managesieve):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_client_workarounds(managesieve):
sieve_storage(default):
sieve_storage(imap):
sieve_storage(pop3):
sieve_storage(managesieve): ~/
sieve(default):
sieve(imap):
sieve(pop3):
sieve(managesieve): ~/.dovecot.sieve
auth default:
  mechanisms: plain login
  username_chars: 
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_ at +
  verbose: yes
  debug: yes
  debug_passwords: yes
  worker_max_count: 50
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: prefetch
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
plugin:
  quota: maildir


Chears

Fredrik
-- 
------------------------------------------------------------------------
Fredrik Gr?nqvist
------------------------------------------------------------------------

On Nov 18, 2008, at 5:32 PM, Fredrik Gr?nqvist wrote:
> Is there a setting that "forces" the authentication daemon to  
> convert the provided password to a specific charset before the  
> comparison takes place, or how should one handle this?
Dovecot doesn't know the character set that the client is using, so it  
can't do charset conversion reliably. So the possibilities would be:

a) UTF-8 vs. another 8bit charset can be detected pretty well by  
checking if the input string is valid UTF-8 or not. So there could be  
a setting to specify the fallback charset.

b) Just brute force through all the configured charsets and test the  
password against all of them.

I don't really like either solution and I don't have much interest in  
coding those myself. Feel free to do it yourself though, I might even  
accept patches. :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20081118/3f713310/attachment-0002.bin>

On Tue, Nov 18, 2008 at 05:51:05PM +0200, Timo Sirainen
wrote:
> On Nov 18, 2008, at 5:32 PM, Fredrik Gr?nqvist wrote:
> 
> >Is there a setting that "forces" the authentication daemon to
> >convert the provided password to a specific charset before the  
> >comparison takes place, or how should one handle this?
> 
> Dovecot doesn't know the character set that the client is using, so it
> can't do charset conversion reliably. So the possibilities would be:
> 
> a) UTF-8 vs. another 8bit charset can be detected pretty well by  
> checking if the input string is valid UTF-8 or not. So there could be  
> a setting to specify the fallback charset.
> 
> b) Just brute force through all the configured charsets and test the  
> password against all of them.
> 
> I don't really like either solution and I don't have much interest
in
> coding those myself. Feel free to do it yourself though, I might even  
> accept patches. :)
> 

It seems like this is a limitation in the IMAP protocol.  From RFC 3501:

   Characters are 7-bit US-ASCII unless otherwise specified.  Other
   character sets are indicated using a "CHARSET", as described in
   [MIME-IMT] and defined in [CHARSET].  CHARSETs have important
   additional semantics in addition to defining character set; refer to
   these documents for more detail.

The SEARCH command has this optional CHARSET flag (to search in messages
in non-ascii charsets) but it seems like the LOGIN command should accept
only 7-bit ASCII arguments...


	Geert