On Thu, Feb 23, 2017 at 04:08:21PM +0100,
   wilfried.es...@essignetz.de wrote:
> Your problem with cram-md5 is, that you have
> 
> "default_pass_scheme = CRYPT"
> 
> in /etc/dovecot/dovecot-sql.conf.
> 
> 
> As mentioned in this text from my last mail, you need to change
> the schema your passwords are stored in:
> >>> On http://wiki.dovecot.org/Authentication/PasswordSchemes 
> >>> you'll find under "Non-plaintext authentication mechanisms":
> >>> "The problem with non-plaintext auth mechanisms is that the 
> >>> password must be stored either in plaintext, or using a 
> >>> mechanism-specific scheme that's incompatible with all other 
> >>> non-plaintext mechanisms. In addition, the mechanism-specific 
> >>> schemes often offer very little protection. This isn't a 
> >>> limitation of Dovecot, it's a requirement for the algorithms
> >>> to even work.

The most common choice for mail is to require TLS for AUTH 
(smtpd_tls_auth_only) and then only offer PLAIN mechanism.  This 
works well with encrypted password storage.

> >>> For example if you're going to use CRAM-MD5 authentication, the 
> >>> password needs to be stored in either PLAIN or CRAM-MD5 scheme. 
> >>> If you want to allow both CRAM-MD5 and DIGEST-MD5, the password 
> >>> must be stored in plaintext. "
> 
> You'll have to set another default scheme in your
> /etc/dovecot/dovecot-sql.conf and recreate your passwords in the
> db. Read more in the above-mentioned URL.

Indeed, the Dovecot wiki has the answers to all the common Dovecot 
questions, and the Dovecot list is the more appropriate place to ask 
those questions.

On the Postfix side there really wasn't much going on; Dovecot was 
failing to present a list of SASL mechanisms to smtpd -- both smtps 
and port 25; apparently no submission service was configured.  
Submission (port 587) should be configured in favor of the now-
deprecated smtps, and ideally, there would be no SASL AUTH offered on 
port 25.

The advice to use verbose logging was wrong.  Verbose logging in most 
cases only serves to further confuse the issue.

> Or you can prefix every password with its scheme, but I don't
> remember details.

{PLAIN}thisIsMyPassword
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
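As an added example (not from this thread, nor from the Postfix or Dovecot projects), this is the split the reply describes: SASL AUTH offered only on the submission service and only after TLS, PLAIN/LOGIN mechanisms only, so the existing CRYPT-hashed passwords in the SQL passdb keep working. File paths assume a Debian-style layout and a Postfix-to-Dovecot SASL socket under the Postfix queue directory (both assumptions); the "before" block is the setting that produces the CRAM-MD5 failure discussed above.

```conf
# --- Dovecot, before (assumed /etc/dovecot/conf.d/10-auth.conf) ---
# cram-md5 cannot be verified against CRYPT-stored passwords,
# so the mechanism is advertised but every attempt fails.
auth_mechanisms = plain login cram-md5

# --- Dovecot, after ---
# Only plaintext mechanisms; these verify fine against CRYPT hashes
# because the cleartext password arrives (over TLS) and is hashed.
auth_mechanisms = plain login

# /etc/dovecot/dovecot-sql.conf : unchanged, hashed storage is fine now
default_pass_scheme = CRYPT

# Socket Postfix will use for SASL (assumed /etc/dovecot/conf.d/10-master.conf)
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# --- Postfix /etc/postfix/main.cf ---
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Never offer AUTH on a session that has not completed STARTTLS
smtpd_tls_auth_only = yes
# STARTTLS opportunistic for inbound MX traffic on port 25
smtpd_tls_security_level = may
# Global default: no SASL at all; enabled per-service below
smtpd_sasl_auth_enable = no

# --- Postfix /etc/postfix/master.cf ---
# Port 25: MX only, no AUTH advertised
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=no
# Port 587: submission, TLS mandatory, AUTH required; replaces legacy smtps
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After reloading both daemons, `openssl s_client -starttls smtp -connect host:587` followed by `EHLO test` should list `AUTH PLAIN LOGIN`, while the same EHLO on port 25 should show no AUTH line at all.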
