You've made this more difficult to understand, even :-)

So the answer is:
Set the following in 10-auth.conf

1. disable_plaintext_auth = no
2. auth_mechanisms = plain

And yes, the encrypted passwords are stored in MySQL.

On Thu, 20 Dec 2018 at 13:36, Nikolai Lusan <nikolai at lusan.id.au> wrote:

> Greetings
>
> On Thu, 2018-12-20 at 12:20 +0300, Odhiambo Washington wrote:
> > I am using SHA512-CRYPT scheme for passwords.
>
> Yeah, there is a reason MD5 has been preferred to crypt for a very long
> time now, and the SHA512 isn't really any better.
>
> > In my dovecot-sql.conf.ext, I have: default_pass_scheme = CRYPT
> >
> > In 10-auth.conf, I have:
> > auth_mechanisms = plain login digest-md5
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > M$ Outlook is refusing to authenticate, with error: Requested DIGEST-MD5
> > scheme, but we have only CRYPT
> > What am I missing??
>
> You are not advertising 3 possible auth methods, I am assuming that plain
> will use the SQL extension. Unless you are going to setup a digest-md5
> method I would remove it from the advertised methods as most clients will
> default to a digest method before selecting plain. Unless you control all
> the clients and can configure them to only use the plain method of auth (I
> would also be ensuring that you have TLS enforced in some way for this)
> then removal of the digest method is probably the best fix.
>
> If the plain and/or login methods are failing check your sql config
> includes the passdb and userdb sections.
>
> --
> Nikolai Lusan <nikolai at lusan.id.au>

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
<br>
</div>
<blockquote type="cite">
<div>
On 20 December 2018 at 14:10 Odhiambo Washington <
<a
href="mailto:odhiambo@gmail.com">odhiambo@gmail.com</a>>
wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
You've made this more difficult to understand, even :-)
</div>
<div>
<br>
</div>
<div>
So the answer is:
</div>
<div>
Set the following in 10-auth.conf
</div>
<div>
<br>
</div>
<div>
1. disable_plaintext_auth = no
</div>
<div>
2. auth_mechanisms = plain
</div>
<div>
<br>
</div>
<div>
And yes, the encrypted passwords are stored in MySQL.
</div>
<div>
<br>
</div>
<div></div>
</blockquote>
<div>
<br>
</div>
<div>
You cannot use hashed passwords with digest-md5 mechanism.
</div>
<div>
<br>
</div>
<div>
Aki
</div>
<blockquote type="cite">
<div></div>
<div>
On Thu, 20 Dec 2018 at 13:36, Nikolai Lusan <
<a
href="mailto:nikolai@lusan.id.au">nikolai@lusan.id.au</a>>
wrote:
</div>
<div>
<br>
</div>
<blockquote type="cite">
<div>
-----BEGIN PGP SIGNED MESSAGE-----
</div>
<div>
Hash: SHA512
</div>
</blockquote>
<blockquote type="cite">
<div>
Greetings
</div>
<div>
On Thu, 2018-12-20 at 12:20 +0300, Odhiambo Washington wrote:
</div>
<blockquote type="cite">
<div>
I am using SHA512-CRYPT scheme for passwords.
</div>
</blockquote>
</blockquote>
<blockquote type="cite">
<div>
Yeah, there is a reason MD5 has been preferred to crypt for a very long
</div>
<div>
time now, and the SHA512 isn't really any better.
</div>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<div>
In my dovecot-sql.conf.ext, I have: default_pass_scheme = CRYPT
</div>
</blockquote>
<blockquote type="cite">
<div>
In 10-auth.conf, I have:
</div>
<div>
auth_mechanisms = plain login digest-md5
</div>
</blockquote>
<div>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
</div>
<blockquote type="cite">
<div>
M$ Outlook is refusing to authenticate, with error: Requested DIGEST-MD5
</div>
<div>
scheme, but we have only CRYPT
</div>
<div>
What am I missing??
</div>
</blockquote>
</blockquote>
<blockquote type="cite">
<div>
You are not advertising 3 possible auth methods, I am assuming that plain
</div>
<div>
will use the SQL extension. Unless you are going to setup a digest-md5
</div>
<div>
method I would remove it from the advertised methods as most clients will
</div>
<div>
default to a digest method before selecting plain. Unless you control all
</div>
<div>
the clients and can configure them to only use the plain method of auth (I
</div>
<div>
would also be ensuring that you have TLS enforced in some way for this)
</div>
<div>
then removal of the digest method is probably the best fix.
</div>
</blockquote>
<blockquote type="cite">
<div>
If the plain and/or login methods are failing check your sql config
</div>
<div>
includes the passdb and userdb sections.
</div>
</blockquote>
<blockquote type="cite">
<div>
- --
</div>
<div>
Nikolai Lusan <
<a
href="mailto:nikolai@lusan.id.au">nikolai@lusan.id.au</a>>
</div>
</blockquote>
<div>
<br>
</div>
<div>
--
</div>
<div>
Best regards,
</div>
<div>
Odhiambo WASHINGTON,
</div>
<div>
Nairobi,KE
</div>
<div>
+254 7 3200 0004/+254 7 2274 3223
</div>
<div>
"Oh, the cruft.", grep ^[^#] :-)
</div>
</blockquote>
<div>
<br>
</div>
<div class="io-ox-signature">
---
<br>Aki Tuomi
</div>
</body>
</html>
On Thu, 20 Dec 2018 at 15:23, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:

> On 20 December 2018 at 14:10 Odhiambo Washington <odhiambo at gmail.com> wrote:
>
> > You've made this more difficult to understand, even :-)
> >
> > So the answer is:
> > Set the following in 10-auth.conf
> >
> > 1. disable_plaintext_auth = no
> > 2. auth_mechanisms = plain
> >
> > And yes, the encrypted passwords are stored in MySQL.
>
> You cannot use hashed passwords with digest-md5 mechanism.
>
> Aki

So, for the record, whenever passwords are hashed, digest-md5 should be
disabled/removed from auth_mechanisms.

My question though - for purposes of understanding - how does dovecot take
the sent password from a client and match it against the hashed one stored
in the DB (in my case)? What happens in between the process?

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
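
An added example, not part of the thread and not Dovecot's code, of why PLAIN works against a hashed password column while DIGEST-MD5 cannot: with PLAIN the server receives the password itself and re-hashes it with the stored salt, whereas DIGEST-MD5 needs MD5(user:realm:password), which cannot be derived from a one-way hash. It assumes a salted SHA-512 in the layout of Dovecot's SSHA512 scheme as a standard-library stand-in for the SHA512-CRYPT hashes in the thread; the function names and the sample account are constructed.

```python
import base64, hashlib, hmac, os

PREFIX = "{SSHA512}"  # stand-in for SHA512-CRYPT (assumption, see lead-in)

def ssha512_hash(password, salt=None):
    """Store side: the value kept in the SQL password column."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha512(password.encode() + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode()

def verify_plain(sasl_response, lookup):
    """PLAIN (RFC 4616): client sends authzid NUL authcid NUL password."""
    parts = sasl_response.split(b"\0")
    if len(parts) != 3:
        return False
    user, password = parts[1].decode("utf-8", "replace"), parts[2]
    stored = lookup(user)
    if not stored or not stored.startswith(PREFIX):
        return False
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:64], raw[64:]  # SHA-512 output is 64 bytes
    # Re-hash the received cleartext with the stored salt, then compare
    # in constant time. The stored hash is never reversed.
    candidate = hashlib.sha512(password + salt).digest()
    return hmac.compare_digest(candidate, digest)

def digest_md5_secret(user, realm, password):
    """DIGEST-MD5 (RFC 2831): the server must know MD5(user:realm:password)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def can_serve_digest_md5(stored):
    """Only cleartext or a precomputed DIGEST-MD5 secret can answer the challenge."""
    scheme = stored[1:].partition("}")[0] if stored.startswith("{") else ""
    return scheme in ("PLAIN", "DIGEST-MD5")

if __name__ == "__main__":
    db = {"alice": ssha512_hash("s3cret")}  # constructed sample account
    print(verify_plain(b"\0alice\0s3cret", db.get))  # password re-hashed, matches
    print(verify_plain(b"\0alice\0wrong", db.get))   # different hash, rejected
    print(can_serve_digest_md5(db["alice"]))         # salted hash cannot serve it
```

Because PLAIN puts the cleartext password on the wire, it is only as safe as the TLS session carrying it, which is the point made earlier in the thread about enforcing TLS.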