Howdy,

I'm using dovecot and mysql users, and I'm creating the password with:

ENCRYPT('some-passwd',CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))

So far so good, everything's fine.
Today I saw that I didn't enable CRAM-MD5, but if I do, and the (at least) IMAP client (roundcube/thunderbird/etc) issues CRAM-MD5 it doesn't authenticate.
What am I doing wrong, or what can be done so that all types work (SASL PLAIN LOGIN + CRAM-MD5)?

Thanks in advance,
On 18 Jun 2019, at 16:04, Jorge Bastos via dovecot <dovecot at dovecot.org> wrote:
> I'm using dovecot and mysql users, and I'm creating the password with:
>
> ENCRYPT('some-passwd',CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))

Why not just use the builtin tool in dovecot?

doveadm pw -s SHA256-CRYPT -p 'password[goes]here!'

(or SHA512-CRYPT in your case, I guess).

> So far so good, everything's fine.
> Today I saw that I didn't enable CRAM-MD5

Why would you?

> , but if I do, and the (at least)
> IMAP client (roundcube/thunderbird/etc) issues CRAM-MD5 it doesn't
> authenticate.
> What am I doing wrong, or what can be done so that all types work (SASL
> PLAIN LOGIN + CRAM-MD5)?

What is the reason for wanting to enable CRAM-MD5? That was intended to be used on unsecured connections; you should not be allowing authentication on unsecured connections in 2019.

Establish a secure submission on port 587 or smtps on 465 and do not use CRAM-MD5 at all.

--
"Part of the inhumanity of the computer is that, once it is competently programmed and working smoothly, it is completely honest." - Isaac Asimov
On Tue, 18 Jun 2019 16:41:06 -0600 "@lbutlr via dovecot" <dovecot at dovecot.org> wrote:
> What is the reason for wanting to enable CRAM-MD5? That was intended
> to be used on unsecured connections; you should not be allowing
> authentication on unsecured connections in 2019.
>
> Establish a secure submission on port 587 or smtps on 465 and do not
> use CRAM-MD5 at all.
>

Possibly a backwards compatibility thing? (e.g. legacy mail settings migrating to a new dovecot server). It gets difficult to argue the need for changing settings en masse to a full customer base all at once ...

For a while iPhones wanted to default to CRAM-MD5 as well...
On 19.06.2019 at 00:04, Jorge Bastos via dovecot wrote:
> Howdy,
>
> I'm using dovecot and mysql users, and I'm creating the password with:
>
> ENCRYPT('some-passwd',CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))
>
> So far so good, everything's fine.
> Today I saw that I didn't enable CRAM-MD5, but if I do, and the (at least)
> IMAP client (roundcube/thunderbird/etc) issues CRAM-MD5 it doesn't
> authenticate.
> What am I doing wrong, or what can be done so that all types work (SASL
> PLAIN LOGIN + CRAM-MD5)?
>
> Thanks in advance,
>

For shared secret mechanisms like CRAM-MD5 to work the password must be stored in plaintext AFAIK. That's a good reason not to offer that.

Alexander
On 19.6.2019 7.48, Alexander Dalloz via dovecot wrote:
> On 19.06.2019 at 00:04, Jorge Bastos via dovecot wrote:
>> Howdy,
>>
>> I'm using dovecot and mysql users, and I'm creating the password with:
>>
>> ENCRYPT('some-passwd',CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))
>>
>> So far so good, everything's fine.
>> Today I saw that I didn't enable CRAM-MD5, but if I do, and the (at
>> least)
>> IMAP client (roundcube/thunderbird/etc) issues CRAM-MD5 it doesn't
>> authenticate.
>> What am I doing wrong, or what can be done so that all types work (SASL
>> PLAIN LOGIN + CRAM-MD5)?
>>
>> Thanks in advance,
>>
>
> For shared secret mechanisms like CRAM-MD5 to work the password must
> be stored in plaintext AFAIK. That's a good reason not to offer that.
>
> Alexander
>

CRAM-MD5 can also be stored as a stage 1 MD5 hashed blob. Only marginally better than plaintext. But as pointed out, CRAM-MD5 and DIGEST-MD5 cannot work with crypted passwords.

If you want to use "secure passwords", SCRAM-SHA1 is an option, but probably best is to disable mechanisms other than 'PLAIN' and 'LOGIN' unless you know what you are doing.

Aki
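Added example (not code from this thread or from Dovecot) illustrating the point Alexander and Aki make: a CRAM-MD5 response can be verified from the plaintext password or from the keyed MD5 states that a "stage 1" CRAM-MD5 blob holds, but not from a SHA512-CRYPT hash, and those stored states answer any challenge just as the password would. The (scheme, secret) tuple and the in-memory hash objects are simplifications assumed here; the test vector is the one from RFC 2195.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 block size in bytes (RFC 2104)


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side (RFC 2195): '<user> <hex(HMAC-MD5(password, challenge))>'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def keyed_md5_contexts(password: str):
    """Server-side 'stage 1' secret: the MD5 states after absorbing HMAC's ipad
    and opad blocks. Dovecot's CRAM-MD5 scheme stores these states instead of
    the password; hashlib cannot serialize them, so this constructed example
    keeps the live hash objects. This is the only step needing the plaintext."""
    key = password.encode()
    if len(key) > BLOCK:  # HMAC rule: keys longer than a block are hashed first
        key = hashlib.md5(key).digest()
    key = key.ljust(BLOCK, b"\0")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return inner, outer


def response_from_contexts(contexts, username: str, challenge: bytes) -> str:
    """Finish HMAC-MD5 from the stored states alone. The server needs this to
    compute the expected response, which is exactly why the stored blob is
    password-equivalent: whoever holds it can answer any challenge."""
    inner, outer = contexts
    i = inner.copy()
    i.update(challenge)
    o = outer.copy()
    o.update(i.digest())
    return f"{username} {o.hexdigest()}"


def verify_cram_md5(stored, username: str, challenge: bytes, response: str) -> bool:
    """Server-side check. `stored` is a constructed (scheme, secret) pair standing
    in for a Dovecot '{SCHEME}secret' passdb value."""
    scheme, secret = stored
    if scheme == "PLAIN":
        expected = cram_md5_response(username, secret, challenge)
    elif scheme == "CRAM-MD5":
        expected = response_from_contexts(secret, username, challenge)
    else:  # SHA512-CRYPT etc.: a one-way hash of the password cannot key HMAC-MD5
        raise ValueError(f"{scheme}: CRAM-MD5 needs the password or its keyed states")
    return hmac.compare_digest(expected, response)
```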