Hi

I'm trying to get Dovecot to use Drupal users' passwords for authenticating IMAP users. But I just can't figure out how to make Dovecot understand the password hash type that Drupal 7 is using.

My example user with password Teacher1 looks like this in Drupal database:
$S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU

Dovecot retrieves this hash but complains that it's not a recognized hash type, or that the hash is wrong, depending on if I change the default hash type in Dovecot config.

Any help appreciated.


root@SSiS:/etc/postfix# dovecot --version
1.2.15
root@SSiS:/etc/postfix# dovecot -n
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-12-pve i686 Debian 6.0.7 simfs
log_timestamp: %Y-%m-%d %H:%M:%S
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_location: maildir:/home/vmail/
mbox_write_locks: fcntl dotlock
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: pam
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: passwd
root@SSiS:/etc/postfix#
root@SSiS:/etc/postfix# grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf
driver = mysql
connect = host=127.0.0.1 dbname=Drupal user=Dru_Adm password=localu
default_pass_scheme = CRYPT
password_query = SELECT name AS user, pass AS password FROM users WHERE name='%n'
user_query = SELECT CONCAT(SUBSTRING_INDEX(mail,'@',-1),'/',SUBSTRING_INDEX(mail,'@',1),'/') AS mail FROM users WHERE name='%n'
root@SSiS:/etc/postfix# tail /var/log/mail.log
Mar 11 16:17:42 SSiS dovecot: auth(default): new auth connection: pid=8593
Mar 11 16:17:51 SSiS dovecot: auth(default): client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=52316#011resp=AFRlYWNoZXIxAFRlYWNoZXIx
Mar 11 16:17:51 SSiS dovecot: auth-worker(default): pam(Teacher1,127.0.0.1): lookup service=dovecot
Mar 11 16:17:51 SSiS dovecot: auth-worker(default): pam(Teacher1,127.0.0.1): #1/1 style=1 msg=Password:
Mar 11 16:17:54 SSiS dovecot: auth-worker(default): pam(Teacher1,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: Teacher1)
Mar 11 16:17:54 SSiS dovecot: auth-worker(default): sql(Teacher1,127.0.0.1): query: SELECT name AS user, pass AS password FROM users WHERE name='Teacher1'
Mar 11 16:17:54 SSiS dovecot: auth-worker(default): sql(Teacher1,127.0.0.1): Password mismatch
Mar 11 16:17:54 SSiS dovecot: auth-worker(default): md5_verify(Teacher1): Not a valid MD5-CRYPT or PLAIN-MD5 password
Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in passdb
Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in passdb
Mar 11 16:17:54 SSiS dovecot: auth-worker(default): sql(Teacher1,127.0.0.1): CRYPT(Teacher1) != '$S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU'
Mar 11 16:17:56 SSiS dovecot: auth(default): client out: FAIL#0111#011user=Teacher1
Mar 11 16:18:01 SSiS dovecot: imap-login: Disconnected: Too many invalid commands (auth failed, 1 attempts): user=<Teacher1>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 11 16:32:36 SSiS dovecot: auth(default): new auth connection: pid=9075
Mar 11 16:32:41 SSiS dovecot: imap-login: Disconnected: Too many invalid commands (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
root@SSiS:/etc/postfix#

On 3/11/13 11:57 AM, info at stos.se wrote:

> Hi
>
> I'm trying to get Dovecot to use Drupal users' passwords for authenticating IMAP users. But I just can't figure out how to make Dovecot understand the password hash type that Drupal 7 is using.
>
> My example user with password Teacher1 looks like this in Drupal database:
> $S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU
>
> Dovecot retrieves this hash but complains that it's not a recognized hash type, or that the hash is wrong, depending on if I change the default hash type in Dovecot config.
>
> Any help appreciated.
>
>
> root@SSiS:/etc/postfix# dovecot --version
> 1.2.15
> root@SSiS:/etc/postfix# dovecot -n
> # 1.2.15: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-12-pve i686 Debian 6.0.7 simfs
> log_timestamp: %Y-%m-%d %H:%M:%S
> login_dir: /var/run/dovecot/login
> login_executable: /usr/lib/dovecot/imap-login
> mail_privileged_group: mail
> mail_location: maildir:/home/vmail/
> mbox_write_locks: fcntl dotlock
> auth default:
>   verbose: yes
>   debug: yes
>   debug_passwords: yes
>   passdb:
>     driver: pam
>   passdb:
>     driver: sql
>     args: /etc/dovecot/dovecot-sql.conf
>   userdb:
>     driver: passwd
> root@SSiS:/etc/postfix#
> root@SSiS:/etc/postfix# grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf
> driver = mysql
> connect = host=127.0.0.1 dbname=Drupal user=Dru_Adm password=localu
> default_pass_scheme = CRYPT
> password_query = SELECT name AS user, pass AS password FROM users WHERE name='%n'
> user_query = SELECT CONCAT(SUBSTRING_INDEX(mail,'@',-1),'/',SUBSTRING_INDEX(mail,'@',1),'/') AS mail FROM users WHERE name='%n'
> root@SSiS:/etc/postfix# tail /var/log/mail.log
> Mar 11 16:17:42 SSiS dovecot: auth(default): new auth connection: pid=8593
> Mar 11 16:17:51 SSiS dovecot: auth(default): client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=52316#011resp=AFRlYWNoZXIxAFRlYWNoZXIx
> Mar 11 16:17:51 SSiS dovecot: auth-worker(default): pam(Teacher1,127.0.0.1): lookup service=dovecot
> Mar 11 16:17:51 SSiS dovecot: auth-worker(default): pam(Teacher1,127.0.0.1): #1/1 style=1 msg=Password:
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): pam(Teacher1,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: Teacher1)
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): sql(Teacher1,127.0.0.1): query: SELECT name AS user, pass AS password FROM users WHERE name='Teacher1'
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): sql(Teacher1,127.0.0.1): Password mismatch
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): md5_verify(Teacher1): Not a valid MD5-CRYPT or PLAIN-MD5 password
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in passdb
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in passdb
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): sql(Teacher1,127.0.0.1): CRYPT(Teacher1) != '$S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU'
> Mar 11 16:17:56 SSiS dovecot: auth(default): client out: FAIL#0111#011user=Teacher1
> Mar 11 16:18:01 SSiS dovecot: imap-login: Disconnected: Too many invalid commands (auth failed, 1 attempts): user=<Teacher1>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
> Mar 11 16:32:36 SSiS dovecot: auth(default): new auth connection: pid=9075
> Mar 11 16:32:41 SSiS dovecot: imap-login: Disconnected: Too many invalid commands (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
> root@SSiS:/etc/postfix#

As far as I understand Drupal uses salted passwords, so you would need to return the password + salt in the sql query. I am not sure what position the salt is offset for a password with Drupal, but that should be simple to determine looking at the source.

<info at stos.se> wrote:

> Hi
>
> I'm trying to get Dovecot to use Drupal users' passwords for authenticating IMAP users. But I just can't figure out how to make Dovecot understand the password hash type that Drupal 7 is using.
>
> My example user with password Teacher1 looks like this in Drupal database:
> $S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU

This is not CRAM-MD5, is it?

> Dovecot retrieves this hash but complains that it's not a recognized hash type, or that the hash is wrong, depending on if I change the default hash type in Dovecot config.
>
> Any help appreciated.

This is what I get connecting to your server:
Connected to stos.se.
Escape character is '^]'.
* OK [CAPABILITY IMAP4REV1 NAMESPACE ID AUTH=PLAIN AUTH=LOGIN UIDPLUS STARTTLS ACL METADATA] Debian-60-squeeze-64-minimal IMAP4rev1 Citadel 7.83 ready

This is what I get connecting to mine:
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=CRAM-MD5] Dovecot ready.

I see no AUTH=CRAM-MD5 in capabilities of your server.

Andreas

Hello!

I took the thread back to the list.

Tobias R?denholt <tobias.radenholt at stos.se> wrote:

> I think it is ssha512 hashing. It's not stos.se that's affected. It's
> swedishschoolinsydney.org.au

Just found this: capabilities are 'IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS LOGINDISABLED' meaning you can log in via STARTTLS but not via plaintext authentication. Does it have something to do with your problem?

> Mar 11 16:18:01 SSiS dovecot: imap-login: Disconnected: Too many invalid commands (auth failed, 1 attempts): user=<Teacher1>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

> Thanks!
> /Tobias

Andreas

> <info at stos.se> wrote:
>
> > Hi
> >
> > I'm trying to get Dovecot to use Drupal users' passwords for authenticating IMAP users. But I just can't figure out how to make Dovecot understand the password hash type that Drupal 7 is using.
> >
> > My example user with password Teacher1 looks like this in Drupal database:
> > $S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU
>
> This is not CRAM-MD5, is it?
>
> > Dovecot retrieves this hash but complains that it's not a recognized hash type, or that the hash is wrong, depending on if I change the default hash type in Dovecot config.
> >
> > Any help appreciated.
>
> This is what I get connecting to your server:
> Connected to stos.se.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4REV1 NAMESPACE ID AUTH=PLAIN AUTH=LOGIN UIDPLUS STARTTLS ACL METADATA] Debian-60-squeeze-64-minimal IMAP4rev1 Citadel 7.83 ready
>
> This is what I get connecting to mine:
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=CRAM-MD5] Dovecot ready.
>
> I see no AUTH=CRAM-MD5 in capabilities of your server.
>
> Andreas

The issue is, Drupal uses a custom password format.

You could rewrite the password hashes that Drupal uses into a normal crypt ssha256 version that Dovecot will understand, but it will probably be much easier to just program it into Dovecot to support it.

http://joncave.co.uk/2011/01/password-storage-in-drupal-and-wordpress/

Quoting info at stos.se:

> Hi
>
> I'm trying to get Dovecot to use Drupal users' passwords for authenticating IMAP users. But I just can't figure out how to make Dovecot understand the password hash type that Drupal 7 is using.
>
> My example user with password Teacher1 looks like this in Drupal database:
> $S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU
>
> Dovecot retrieves this hash but complains that it's not a recognized hash type, or that the hash is wrong, depending on if I change the default hash type in Dovecot config.
>
> Any help appreciated.
>
>
> root@SSiS:/etc/postfix# dovecot --version
> 1.2.15
> root@SSiS:/etc/postfix# dovecot -n
> # 1.2.15: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-12-pve i686 Debian 6.0.7 simfs
> log_timestamp: %Y-%m-%d %H:%M:%S
> login_dir: /var/run/dovecot/login
> login_executable: /usr/lib/dovecot/imap-login
> mail_privileged_group: mail
> mail_location: maildir:/home/vmail/
> mbox_write_locks: fcntl dotlock
> auth default:
>   verbose: yes
>   debug: yes
>   debug_passwords: yes
>   passdb:
>     driver: pam
>   passdb:
>     driver: sql
>     args: /etc/dovecot/dovecot-sql.conf
>   userdb:
>     driver: passwd
> root@SSiS:/etc/postfix#
> root@SSiS:/etc/postfix# grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf
> driver = mysql
> connect = host=127.0.0.1 dbname=Drupal user=Dru_Adm password=localu
> default_pass_scheme = CRYPT
> password_query = SELECT name AS user, pass AS password FROM users WHERE name='%n'
> user_query = SELECT CONCAT(SUBSTRING_INDEX(mail,'@',-1),'/',SUBSTRING_INDEX(mail,'@',1),'/') AS mail FROM users WHERE name='%n'
> root@SSiS:/etc/postfix# tail /var/log/mail.log
> Mar 11 16:17:42 SSiS dovecot: auth(default): new auth connection: pid=8593
> Mar 11 16:17:51 SSiS dovecot: auth(default): client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=52316#011resp=AFRlYWNoZXIxAFRlYWNoZXIx
> Mar 11 16:17:51 SSiS dovecot: auth-worker(default): pam(Teacher1,127.0.0.1): lookup service=dovecot
> Mar 11 16:17:51 SSiS dovecot: auth-worker(default): pam(Teacher1,127.0.0.1): #1/1 style=1 msg=Password:
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): pam(Teacher1,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: Teacher1)
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): sql(Teacher1,127.0.0.1): query: SELECT name AS user, pass AS password FROM users WHERE name='Teacher1'
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): sql(Teacher1,127.0.0.1): Password mismatch
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): md5_verify(Teacher1): Not a valid MD5-CRYPT or PLAIN-MD5 password
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in passdb
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in passdb
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): sql(Teacher1,127.0.0.1): CRYPT(Teacher1) != '$S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU'
> Mar 11 16:17:56 SSiS dovecot: auth(default): client out: FAIL#0111#011user=Teacher1
> Mar 11 16:18:01 SSiS dovecot: imap-login: Disconnected: Too many invalid commands (auth failed, 1 attempts): user=<Teacher1>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
> Mar 11 16:32:36 SSiS dovecot: auth(default): new auth connection: pid=9075
> Mar 11 16:32:41 SSiS dovecot: imap-login: Disconnected: Too many invalid commands (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
> root@SSiS:/etc/postfix#

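
The custom format mentioned in the reply above can be checked outside Dovecot. The following is an added example, not code from this thread, from Drupal or from Dovecot: a Python re-implementation of the Drupal 7 `$S$` check (salted, iterated SHA-512 with phpass-style base64, stored string truncated to 55 characters). The function names are illustrative, and the algorithm details are an assumption taken from Drupal 7's password handling rather than from this page.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # Drupal 7 stores only the first 55 characters
MIN_LOG2, MAX_LOG2 = 7, 30  # iteration-count bounds Drupal 7 accepts

# Hash from the original post; the poster states the password is "Teacher1".
PAGE_HASH = "$S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU"


def b64(data: bytes) -> str:
    """phpass-style base64: little-endian 3-byte groups, 6 bits per char."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):   # n bytes -> n + 1 characters
            out.append(ITOA64[(value >> (6 * k)) & 0x3F])
    return "".join(out)


def parse_setting(stored: str):
    """Return (log2 of the iteration count, 8-char salt) or raise ValueError."""
    if len(stored) < 12 or not stored.startswith("$S$"):
        raise ValueError("not a Drupal 7 $S$ hash")
    log2 = ITOA64.find(stored[3])         # 4th character encodes the cost
    if not MIN_LOG2 <= log2 <= MAX_LOG2:
        raise ValueError("iteration count out of range")
    return log2, stored[4:12]


def drupal7_crypt(password: str, stored: str) -> str:
    """Recompute the stored string from a password and the stored setting."""
    log2, salt = parse_setting(stored)
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << log2):            # key stretching
        digest = hashlib.sha512(digest + pw).digest()
    return (stored[:12] + b64(digest))[:HASH_LENGTH]


def verify(password: str, stored: str) -> bool:
    try:
        computed = drupal7_crypt(password, stored)
    except ValueError:
        return False                      # unknown prefix or bad cost field
    return hmac.compare_digest(computed.encode(), stored.encode())


if __name__ == "__main__":
    print(parse_setting(PAGE_HASH))       # cost and salt of the posted hash
    print(verify("Teacher1", PAGE_HASH))  # check the posted pair
```

The salt and the cost are embedded in the first 12 characters of the stored string, so nothing beyond the `pass` column is needed to verify a login.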
Hi again

I have now solved this with a workaround.

In short, it involves a Drupal 7 module called HTPasswdSync that intercepts password creation and changes in Drupal, and writes the password in SHA-1 hash format to a file (/etc/apache2/dovecot). I then point Dovecot to use this file as userdb and passdb source.

I have written a more detailed explanation that is available at http://www.stos.se/?q=node/12 .

The question remains: will Dovecot ever be compatible with Drupal 7 password hashes?

Regards
Tobias R?denholt

info at stos.se wrote 2013-03-11 17:57:

> Hi
>
> I'm trying to get Dovecot to use Drupal users' passwords for authenticating IMAP users. But I just can't figure out how to make Dovecot understand the password hash type that Drupal 7 is using.
>
> My example user with password Teacher1 looks like this in Drupal database:
> $S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU
>
> Dovecot retrieves this hash but complains that it's not a recognized hash type, or that the hash is wrong, depending on if I change the default hash type in Dovecot config.
>
> Any help appreciated.
>
>
> root@SSiS:/etc/postfix# dovecot --version
> 1.2.15
> root@SSiS:/etc/postfix# dovecot -n
> # 1.2.15: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-12-pve i686 Debian 6.0.7 simfs
> log_timestamp: %Y-%m-%d %H:%M:%S
> login_dir: /var/run/dovecot/login
> login_executable: /usr/lib/dovecot/imap-login
> mail_privileged_group: mail
> mail_location: maildir:/home/vmail/
> mbox_write_locks: fcntl dotlock
> auth default:
>   verbose: yes
>   debug: yes
>   debug_passwords: yes
>   passdb:
>     driver: pam
>   passdb:
>     driver: sql
>     args: /etc/dovecot/dovecot-sql.conf
>   userdb:
>     driver: passwd
> root@SSiS:/etc/postfix#
> root@SSiS:/etc/postfix# grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf
> driver = mysql
> connect = host=127.0.0.1 dbname=Drupal user=Dru_Adm password=localu
> default_pass_scheme = CRYPT
> password_query = SELECT name AS user, pass AS password FROM users WHERE name='%n'
> user_query = SELECT CONCAT(SUBSTRING_INDEX(mail,'@',-1),'/',SUBSTRING_INDEX(mail,'@',1),'/') AS mail FROM users WHERE name='%n'
> root@SSiS:/etc/postfix# tail /var/log/mail.log
> Mar 11 16:17:42 SSiS dovecot: auth(default): new auth connection: pid=8593
> Mar 11 16:17:51 SSiS dovecot: auth(default): client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=52316#011resp=AFRlYWNoZXIxAFRlYWNoZXIx
> Mar 11 16:17:51 SSiS dovecot: auth-worker(default): pam(Teacher1,127.0.0.1): lookup service=dovecot
> Mar 11 16:17:51 SSiS dovecot: auth-worker(default): pam(Teacher1,127.0.0.1): #1/1 style=1 msg=Password:
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): pam(Teacher1,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: Teacher1)
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): sql(Teacher1,127.0.0.1): query: SELECT name AS user, pass AS password FROM users WHERE name='Teacher1'
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): sql(Teacher1,127.0.0.1): Password mismatch
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): md5_verify(Teacher1): Not a valid MD5-CRYPT or PLAIN-MD5 password
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in passdb
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in passdb
> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): sql(Teacher1,127.0.0.1): CRYPT(Teacher1) != '$S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU'
> Mar 11 16:17:56 SSiS dovecot: auth(default): client out: FAIL#0111#011user=Teacher1
> Mar 11 16:18:01 SSiS dovecot: imap-login: Disconnected: Too many invalid commands (auth failed, 1 attempts): user=<Teacher1>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
> Mar 11 16:32:36 SSiS dovecot: auth(default): new auth connection: pid=9075
> Mar 11 16:32:41 SSiS dovecot: imap-login: Disconnected: Too many invalid commands (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
> root@SSiS:/etc/postfix#