On Thu, 20 Dec 2018 at 15:23, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:

> On 20 December 2018 at 14:10 Odhiambo Washington <odhiambo at gmail.com>
> wrote:
>
> You've made this more difficult to understand, even :-)
>
> So the answer is:
> Set the following in 10-auth.conf
>
> 1. disable_plaintext_auth = no
> 2. auth_mechanisms = plain
>
> And yes, the encrypted passwords are stored in MySQL.
>
> You cannot use hashed passwords with digest-md5 mechanism.
>
> Aki

So, for the record, whenever passwords are hashed, digest-md5 should be
disabled/removed from auth_mechanisms.

My question though - for purposes of understanding - how does dovecot take
the sent password from a client and match it against the hashed one stored
in the DB (in my case)? What happens in between the process?

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)

On 20 December 2018 at 14:33 Odhiambo Washington <odhiambo@gmail.com> wrote:

> On Thu, 20 Dec 2018 at 15:23, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
>
>> On 20 December 2018 at 14:10 Odhiambo Washington <odhiambo@gmail.com>
>> wrote:
>>
>> You've made this more difficult to understand, even :-)
>>
>> So the answer is:
>> Set the following in 10-auth.conf
>>
>> 1. disable_plaintext_auth = no
>> 2. auth_mechanisms = plain
>>
>> And yes, the encrypted passwords are stored in MySQL.
>>
>> You cannot use hashed passwords with digest-md5 mechanism.
>>
>> Aki
>
> So, for the record, whenever passwords are hashed, digest-md5 should be
> disabled/removed from auth_mechanisms.
>
> My question though - for purposes of understanding - how does dovecot take
> the sent password from a client and match it against the hashed one stored
> in the DB (in my case)? What happens in between the process?
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft.", grep ^[^#] :-)

Dovecot hashes the client sent password using the same salt and compares the result.

---
Aki Tuomi

On Thu, 20 Dec 2018 at 15:54, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:

> On 20 December 2018 at 14:33 Odhiambo Washington <odhiambo at gmail.com>
> wrote:
>
> On Thu, 20 Dec 2018 at 15:23, Aki Tuomi <aki.tuomi at open-xchange.com>
> wrote:
>
> On 20 December 2018 at 14:10 Odhiambo Washington <odhiambo at gmail.com>
> wrote:
>
> You've made this more difficult to understand, even :-)
>
> So the answer is:
> Set the following in 10-auth.conf
>
> 1. disable_plaintext_auth = no
> 2. auth_mechanisms = plain
>
> And yes, the encrypted passwords are stored in MySQL.
>
> You cannot use hashed passwords with digest-md5 mechanism.
>
> Aki
>
> So, for the record, whenever passwords are hashed, digest-md5 should be
> disabled/removed from auth_mechanisms.
>
> My question though - for purposes of understanding - how does dovecot take
> the sent password from a client and match it against the hashed one stored
> in the DB (in my case)? What happens in between the process?
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft.", grep ^[^#] :-)
>
> Dovecot hashes the client sent password using the same salt and compares
> the result.
> ---
> Aki Tuomi

At the expense of sounding stupid, could you please expound on the sequence? :)

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
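
The sequence asked about above, as an added Python sketch that is not Dovecot's code and not part of any message in this thread. It assumes the database value uses an {SSHA256}-style layout (base64 of SHA-256(password + salt) followed by the salt), which the thread does not state, and every account value is constructed. It also shows why the same stored value cannot serve DIGEST-MD5 (RFC 2831), where the client never sends the password.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA256}"  # assumed scheme; the thread does not say which one is in use

def make_ssha256(password: str, salt: bytes) -> str:
    """Value written to the DB: base64(SHA256(password + salt) + salt)."""
    digest = hashlib.sha256(password.encode() + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode()

def verify_plain(sent_password: str, stored: str) -> bool:
    """PLAIN: the server receives the password itself, so it can re-hash it."""
    raw = base64.b64decode(stored[len(PREFIX):])
    stored_digest, salt = raw[:32], raw[32:]  # the salt is read back from the DB value
    candidate = hashlib.sha256(sent_password.encode() + salt).digest()
    return hmac.compare_digest(candidate, stored_digest)  # constant-time compare

def digest_md5_response(user, realm, secret, nonce, cnonce, nc, digest_uri) -> str:
    """RFC 2831 response for qop=auth; `secret` has to be the cleartext password."""
    md5 = lambda data: hashlib.md5(data).digest()
    a1 = md5(f"{user}:{realm}:{secret}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    tail = f":{nonce}:{nc}:{cnonce}:auth:{md5(a2).hex()}".encode()
    return hashlib.md5(md5(a1).hex().encode() + tail).hexdigest()

# Constructed sample data (not from the thread); 4-byte salt is an assumption.
STORED = make_ssha256("s3cret-example", os.urandom(4))
CHALLENGE = dict(user="alice", realm="example.org", nonce="srv-nonce",
                 cnonce="cli-nonce", nc="00000001", digest_uri="imap/example.org")

def demo():
    plain_ok = verify_plain("s3cret-example", STORED)
    plain_bad = verify_plain("wrong-password", STORED)
    # DIGEST-MD5: the client derives its response from the cleartext password.
    client = digest_md5_response(secret="s3cret-example", **CHALLENGE)
    # The server only holds STORED; using that as the secret gives another value,
    # and the salted hash cannot be turned back into the password.
    server_guess = digest_md5_response(secret=STORED, **CHALLENGE)
    return plain_ok, plain_bad, client == server_guess

if __name__ == "__main__":
    print(demo())
```

With PLAIN the password crosses the wire, which is why it belongs inside TLS once disable_plaintext_auth is set to no.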