Problem:

Using MySQL storage for the user and password db with MD5-CRYPT hashes, Dovecot fails to successfully authenticate when the MD5-CRYPT or MD5 settings are specified as default_pass_scheme in dovecot-mysql.conf.

Dovecot /does/ successfully authenticate against MD5-CRYPT hashes when default_pass_scheme is set to CRYPT, which according to the docs should be DES encryption. (I do not know whether or not CRYPT actually works with DES hashes.)

I am positive that I am using MD5-CRYPT hashes, as I have dropped in hashes from a Qmail/Vpopmail vpasswd file and they work with the CRYPT setting in Dovecot, as do hashes generated using htpasswd -nmb.

Test system:

Ubuntu Server 7.10, amd64
Dovecot 1.0.5 (from Ubuntu repositories)
Postfix 2.4.5 (from Ubuntu repositories)

Demonstration:

# cat /etc/dovecot/dovecot-mysql.conf
driver = mysql
connect = dbname=redacted user=redacted host=127.0.0.1 password=redacted
default_pass_scheme = MD5-CRYPT
password_query = SELECT password FROM mailbox WHERE username = '%u'
user_query = SELECT maildir, 105 AS uid, 114 AS gid FROM mailbox WHERE username = '%u'

# htpasswd -nmb user password
user:$apr1$bZQl//..$2IPoOibTBaqpG7pPFigOy/

# mysql -u postfix -p
mysql> use redacted;
Database changed
mysql> update userdb set password='$apr1$bZQl//..$2IPoOibTBaqpG7pPFigOy/' where username='user';
Query OK, 1 rows affected (0.00 sec)
mysql>quit
Bye

# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Dovecot ready.
a login user password
a NO Authentication failed.
a logout
* BYE Logging out
a OK Logout completed.
Connection closed by foreign host.

# replace MD5-CRYPT CRYPT -- /etc/dovecot/dovecot-mysql.conf
# /etc/init.d/dovecot restart
 * Restarting IMAP/POP3 mail server dovecot [ OK ]

# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Dovecot ready.
a login user password
a OK Logged in.
a logout
* BYE Logging out
a OK Logout completed.
Connection closed by foreign host.

Timo Sirainen
2008-Dec-30 23:37 UTC
[Dovecot] Bug in Dovecot 1.0.5 - CRYPT-MD5 not working
On Dec 28, 2008, at 4:48 AM, Jim Salter wrote:

> I am positive that I am using MD5-CRYPT hashes,
..
> # htpasswd -nmb user password
> user:$apr1$bZQl//..$2IPoOibTBaqpG7pPFigOy/

This isn't MD5-CRYPT, it's some Apache-specific MD5 thing. I'm surprised it works with crypt. MD5-CRYPT passwords begin with $1$.

Timo Sirainen
2008-Dec-31 00:15 UTC
[Dovecot] Bug in Dovecot 1.0.5 - CRYPT-MD5 not working
On Dec 31, 2008, at 1:50 AM, Jim Salter wrote:

> Hrm. OK, not arguing, just curious: where is the MD5-CRYPT standard
> defined?

I don't think it's a real standard. It's just something that libcs started implementing. I think OpenBSD did it first and then others started copying.

> Worth noting that the (Apache?) standard in question is also the one
> used in vpopmail vpasswd.cdb files (authdb vpopmail, userdb vpopmail).

Would it work if you simply changed $apr1$ to $1$? I can't really see why $apr1$ would otherwise work in glibc. I just checked its sources and also Ubuntu patches. There's no mention of apr1 in them.
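
Added example, not part of the thread and not Dovecot's, glibc's or Apache's code: a Python version of the MD5-based crypt routine with the prefix as a parameter. The prefix string is fed into the digest, so a $1$ hash and an $apr1$ hash of the same password and salt differ, and a relabelled $apr1$ hash does not verify as $1$. The function names are made up for this illustration.

```python
import hashlib
import hmac
# Illustrative names; only the hash string under __main__ comes from the thread.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGICS = {"$1$": "MD5-CRYPT (libc crypt)", "$apr1$": "Apache APR1 (htpasswd -m)"}

def md5_crypt(password: str, salt: str, magic: str = "$1$") -> str:
    """MD5-based crypt; `magic` selects the $1$ or the $apr1$ variant."""
    pw, sl, mg = password.encode(), salt[:8].encode(), magic.encode()
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + mg + sl)          # the prefix itself is hashed in
    ctx.update((alt * (len(pw) // 16 + 1))[:len(pw)])
    i = len(pw)
    while i:                                 # one byte per bit of the length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                    # fixed 1000-round stretch
        h = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            h.update(sl)
        if r % 7:
            h.update(pw)
        h.update(final if r & 1 else pw)
        final = h.digest()
    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c]
        out += [ITOA64[(v >> s) & 0x3F] for s in (0, 6, 12, 18)]
    out += [ITOA64[final[11] & 0x3F], ITOA64[final[11] >> 6]]
    return f"{magic}{salt[:8]}${''.join(out)}"

def scheme_of(stored: str) -> str:
    return next((n for m, n in MAGICS.items() if stored.startswith(m)), "unknown")

def verify(password: str, stored: str) -> bool:
    """Recompute with the prefix and salt taken from the stored hash."""
    magic = next((m for m in MAGICS if stored.startswith(m)), None)
    if magic is None:
        return False
    salt = stored[len(magic):].split("$", 1)[0]
    return hmac.compare_digest(md5_crypt(password, salt, magic).encode(), stored.encode())

if __name__ == "__main__":
    page_hash = "$apr1$bZQl//..$2IPoOibTBaqpG7pPFigOy/"   # hash quoted in the thread
    print(scheme_of(page_hash), verify("password", page_hash))
    relabelled = page_hash.replace("$apr1$", "$1$", 1)
    print(scheme_of(relabelled), verify("password", relabelled))
```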