Hi guys,

we use dovecot 2.0.9 and authentication against a mysql database. Everything works fine, but we found some weird behavior: when the password is e.g. "testpass" you also authenticate successfully with "testpass123" or "testpassNOT". Whatever comes after the correct password doesn't matter, the authentication is still successful.

Here are the used configs:

// auth-sql.conf.ext
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/data/mail/%d/%n
}

// dovecot-sql.conf.ext
driver = mysql
connect = host=[IP] dbname=[DB] user=[USER] password=[PASS]
default_pass_scheme = CRYPT
password_query = SELECT `password`, `login` AS `user` FROM `v_email_accounts` WHERE `login`='%u'

// 10-auth.conf
disable_plaintext_auth = no
auth_mechanisms = plain
!include auth-sql.conf.ext

// 10-master.conf
default_process_limit = 1000
default_client_limit = 3003
default_vsz_limit = 1024M
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  service_count = 0
  vsz_limit = 1024M
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener lmtp {
  }
}
service imap {
  vsz_limit = 1024M
  process_limit = 2048
}
service pop3 {
  process_limit = 2048
}
service auth {
  unix_listener auth-userdb {
    user = vmail
    group = vmail
  }
  client_limit = 8096
}
service auth-worker {
}
service dict {
  unix_listener dict {
  }
}

Thanks in advance for your help!
On 03/24/2014 07:34 AM, Jürgen Ladstätter wrote:
> Hi guys,
>
> we use dovecot 2.0.9 and authentication against a mysql database. Everything
> works fine, but we found some weird behavior: when the password is e.g.
> "testpass" you also authenticate successfully with "testpass123" or
> "testpassNOT". Whatever comes after the correct password doesn't matter, the
> authentication is still successful.
...
> default_pass_scheme = CRYPT
>

http://wiki2.dovecot.org/Authentication/PasswordSchemes --

CRYPT: Traditional DES-crypted password in /etc/passwd (e.g. "pass" = vpvKh.SaNbR6s). Dovecot uses libc's crypt() function, which means that CRYPT is usually able to recognize MD5-CRYPT and possibly also other password schemes. See all of the *-CRYPT schemes at the top of this page.

>>>>>>> *The traditional DES-crypt scheme only uses the first 8 characters of the password, the rest are ignored.*

Other schemes may have other password length limitations (if they limit the password length at all).
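The reply above points to the root cause: with default_pass_scheme = CRYPT, Dovecot hands the stored value to libc crypt(), and a 13-character hash with no $id$ prefix is classic DES-crypt, which hashes only the first 8 characters. The practical follow-up for an admin is to find out which rows in the password column are still stored that way, so those accounts can be re-hashed with a scheme that hashes the whole password the next time the user logs in. The script below is an added example, not code from the thread or from Dovecot; it assumes the hash-format rules stated in its comments (DES-crypt output is 13 characters from the ./0-9A-Za-z alphabet, modular crypt() formats carry a $1$, $5$, $6$ or $2x$ prefix, and a leading {SCHEME} overrides default_pass_scheme, as Dovecot allows). The sample rows are constructed; only "vpvKh.SaNbR6s" is the wiki's own example hash for "pass".

```python
import re

# Hash-format rules (assumption for this example): traditional DES-crypt output is
# exactly 13 characters from the ./0-9A-Za-z alphabet with no '$' prefix, while the
# modular crypt() formats announce themselves with a $id$ prefix.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
MODULAR_CRYPT_PREFIXES = {
    "$1$": "MD5-CRYPT",
    "$5$": "SHA256-CRYPT",
    "$6$": "SHA512-CRYPT",
    "$2a$": "BLF-CRYPT",
    "$2b$": "BLF-CRYPT",
    "$2y$": "BLF-CRYPT",
}
# Dovecot lets a stored value name its own scheme, e.g. "{SHA512-CRYPT}$6$...".
SCHEME_PREFIX_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.DOTALL)


def classify_hash(stored, default_scheme="CRYPT"):
    """Return (scheme, truncates_at_8) for one stored password value.

    A leading {SCHEME} overrides default_scheme. Within the CRYPT scheme the
    concrete format is decided by the hash itself, the way libc crypt() decides
    it; only classic DES-crypt ignores everything after the 8th character.
    """
    m = SCHEME_PREFIX_RE.match(stored)
    if m:
        scheme, value = m.group(1).upper(), m.group(2)
    else:
        scheme, value = default_scheme.upper(), stored

    if scheme == "CRYPT":
        for prefix, name in MODULAR_CRYPT_PREFIXES.items():
            if value.startswith(prefix):
                return name, False
        if DES_CRYPT_RE.match(value):
            return "DES-CRYPT", True
        return "UNKNOWN", None

    # Any explicitly named non-CRYPT scheme (SHA512-CRYPT, PLAIN, ...) covers the
    # whole password; there is no 8-character cut-off.
    return scheme, False


def audit_accounts(rows, default_scheme="CRYPT"):
    """Return the logins whose stored hash truncates the password at 8 characters.

    rows is an iterable of (login, password) pairs, i.e. the two columns the
    password_query in the thread selects.
    """
    return [login for login, stored in rows
            if classify_hash(stored, default_scheme)[1]]


# Constructed sample rows standing in for the v_email_accounts table.
SAMPLE_ROWS = [
    ("alice@example.com", "vpvKh.SaNbR6s"),                    # DES-crypt of "pass"
    ("bob@example.com", "$6$Qz8n3vJ2$" + "x" * 86),             # SHA512-CRYPT shape
    ("carol@example.com", "{SHA512-CRYPT}$6$Qz8n3vJ2$" + "x" * 86),
    ("dave@example.com", "$1$abcdefgh$" + "y" * 22),            # MD5-CRYPT shape
]

if __name__ == "__main__":
    for login, stored in SAMPLE_ROWS:
        scheme, truncates = classify_hash(stored)
        flag = "  <- re-hash: only first 8 chars checked" if truncates else ""
        print(f"{login:20} {scheme:13}{flag}")
    print("accounts to migrate:", audit_accounts(SAMPLE_ROWS))
```

Run against a real dump of the login and password columns, the audit lists exactly the accounts that exhibit the "testpass" / "testpass123" behaviour. Fixing those rows means re-hashing with a full-password scheme (for example by setting default_pass_scheme = SHA512-CRYPT and storing new $6$ hashes), which can only happen when the cleartext is next available, i.e. at a successful login or a password reset.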