Warning: this ended up being a bit chatty.  If that bothers you, stop
now.  I thought that it might be useful information for other folks
experiencing the famous authentication problem.  I've seen other notes
on the list, but it doesn't appear to be a simple issue.

I've got courier-imap running on a secondary server (with the plan to
phase out UW).  One of the things that I need for this is secure
authentication.  The machines run Debian testing (kernel 2.4.17
custom), courier-imap 1.4.1, courier-authdaemon and -base 0.37.

Default installation (via apt-get) uses PAM for authentication.  This
works fine, but is a clear-text password.  My initial attempt to follow
all the instructions for enabling CRAM-MD5 failed.

On a second attempt, I decided first to verify that I could use the
userdb.  In this, I succeeded.

[change authdaemonrc to authmodulelist="authuserdb"]
pw2userdb >/etc/courier/userdb && chmod go-rwx /etc/courier/userdb
[edit, removing all accounts but one]
makeuserdb
userdb amyzing unset systempw
userdbpw -md5 | userdb amyzing set imappw
makeuserdb
/etc/init.d/courier-imap restart
/etc/init.d/courier-authdaemon restart

Using mutt, login worked.

[change authdaemonrc authmodulelist="authcram"]
[change imapd, adding AUTH=CRAM-MD5 to IMAP_CAPABILITY]
userdb amyzing unset imappw
userdbpw -hmac-md5 | userdb amyzing set hmac-md5pw
makeuserdb
[restart daemons as above]

No joy.  Very little in the log, either: imaplogin: LOGIN FAILED on one
line, DISCONNECTED on the next, with IP address (localhost).

userdbpw -hmac-md5 | userdb amyzing set imap-hmac-md5pw
userdbpw -hmac-md5 | userdb amyzing set imap-md5pw
userdbpw -hmac-md5 | userdb amyzing set cram-md5pw
userdbpw -hmac-md5 | userdb amyzing set system-md5pw
userdbpw -hmac-md5 | userdb amyzing set system-hmac-md5pw

All tried, with makeuserdb and daemon restarts.  Very boring activity. 
Nothing additional in the logs, no joy in Mudville.

So, can someone suggest what it is that I need to do to get the magic
of CRAM working?

Failing that, could someone possibly suggest how I can increase the log
level of authdaemon, imap, or imaplogin?

Also, could someone detail the names of the passwords?  It appears from
the website and such that the CRAM MD5 password should be something
like hmac-md5pw, but it isn't terribly clear (which is why I tried all
the others that I could think of, unsuccessfully).

UPDATE: so, I turned on tcpdump, to watch the packets go by.  Using
mutt and mozilla, I found that each requests CAPABILITY, but then
ignores AUTH=CRAM-MD5.  At least, I think so, because the next packet
along is LOGIN "amyzing" "password".  So ... despite the capability
string, both clients try to use clear text.  Setting mutt's
imap_authenticators string to cram-md5 results in "No authenticators
available" (cram-md5 in either case).

I went and watched tcpdump, connecting with both mutt and mozilla to
both the courier server and the old uw server (which is using
CRAM-MD5).  There are a few differences in the capabilities string
(including that UW has AUTH=LOGIN as well as AUTH=CRAM-MD5).  What was
most interesting is that mutt apparently can't use CRAM-MD5; it always
uses the LOGIN command.  This is odd, because it defeats the purpose of
the CRAM protocol, and yet UW allows the login to happen using the
cleartext secret found in its password file.  Major ugliness, there. 
Mozilla, on the other hand, apparently used "authenticate login"
against UW, triggering (somehow; I'm not sure how; the authenticate
command ought to be accompanied with the name of the method, CRAM-MD5)
relatively secure authentication.  But against courier, it said login
username password.

So, most of the foregoing is probably irrelevant, since it appears that
the major problem is getting the bloody clients to recognize the AUTH=
bit in the CAPABILITY string.  Neither does; mutt doesn't do right with
UW, either (UW allows this, which is a bug there, I think).  Mozilla
handles UW, but not Courier.

*sigh*  So now what?

Thanks for your time.

Amy!
-- 
Amelia A. Lewis          [EMAIL PROTECTED]          [EMAIL PROTECTED]
What makes me think I could start clean-slated?
        The hardest to learn was the least complicated.
                                                -- Emily Saliers

_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
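As an added example, not code from the post or from Courier, the RFC 2195 CRAM-MD5 exchange written out in Python (client response and server-side check) together with the CAPABILITY parsing a client should do before picking a mechanism, so that the difference between what CRAM-MD5 puts on the wire (an HMAC of a one-time challenge) and what the observed LOGIN command puts there (the password itself) is concrete. The capability lines, hostname and account name below are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time

def capabilities(line):
    """Tokens of an untagged IMAP CAPABILITY response, upper-cased."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {p.upper() for p in parts[2:]}

def pick_mechanism(line):
    """What a well-behaved client should do with the advertised capabilities:
    use CRAM-MD5 when offered, fall back to cleartext LOGIN only if it is not."""
    caps = capabilities(line)
    if "AUTH=CRAM-MD5" in caps:
        return "CRAM-MD5"
    return "LOGIN"  # cleartext; what mutt sent regardless, per the post

def make_challenge(host):
    """Server challenge: RFC 2195 only requires it to be unique per session."""
    return "<%d.%d@%s>" % (secrets.randbits(32), int(time.time()), host)

def cram_md5_response(username, password, challenge):
    """Client step: base64('user SP hex(HMAC-MD5(password, challenge))')."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (username, digest)).encode()).decode()

def verify_cram_md5(response_b64, challenge, lookup_secret):
    """Server step: recompute from the stored secret and compare in constant
    time.  Returns the authenticated username, or None on any failure."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
        username, digest = decoded.rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    secret = lookup_secret(username)
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest) else None

# Constructed sample lines, modelled on the two servers described in the post.
COURIER_CAPS = "* CAPABILITY IMAP4rev1 CHILDREN NAMESPACE AUTH=CRAM-MD5"
UW_CAPS = "* CAPABILITY IMAP4REV1 AUTH=LOGIN AUTH=CRAM-MD5"
PLAIN_CAPS = "* CAPABILITY IMAP4rev1"
```

The server never needs the cleartext password during verification, only something from which HMAC-MD5 over the challenge can be recomputed, which is why a stored hmac-md5 secret suffices while a replayed response fails against a fresh challenge.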