If you have no clear password then vuserinfo is unable to report the user 
It will only give you the encrypted password.

best wishes
  Tony White

On 04/10/18 14:22, Andrew Swartz wrote:

I ~may~ have just figured out why vpopmail stores cleartext passwords:

It is so it can support CRAM-MD5.

CRAM-MD5 is a challenge-response protocol used to provide privacy over
unencrypted connections.  The server challenges the client with a
pseudorandom challenge.  The client uses the password with HMAC-MD5 to
hash the challenge and send it back.  The server repeats the client
procedure to confirm that the client used (and thus has) the correct

But this means that the server MUST have access to the cleartext
password, otherwise it cannot repeat the client's actions and confirm
authentication.  This cannot be accomplished with a salted hashed password.

If you remove the use of CRAM-MD5 and use PLAIN or LOGIN, the server
does not need access to the cleartext password.

Back when vpopmail was written, cleartext password storage was already
out of favor.  But TLS was not widely used, and the only way to not send
passwords in the clear was CRAM-MD5 (or a similar scheme), and this
required storing cleartext passwords.  Though storing cleartext
passwords is unsafe, it is much safer than sending cleartext passwords
over an encrypted channel.

I suspect that this is the primary reason that vpopmail primarily uses
hashed passwords but supports cleartext passwords with the option to
disable them.
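
The CRAM-MD5 check described in the message above, as an added example that is not part of the original thread or of vpopmail/Dovecot code: it follows the RFC 2195 message format and shows the server-side check succeeding only when a cleartext password is stored, while a PLAIN/LOGIN style check works from a salted hash alone. The function names, the sample account and the PBKDF2 stand-in for the stored hash are assumptions made for illustration.

```python
import base64, hashlib, hmac, os

def make_challenge(host="mail.example.test"):
    # RFC 2195 style challenge: <random.timestamp@host>; values are constructed
    return f"<{os.urandom(8).hex()}.1538622731@{host}>".encode()

def client_response(user, password, challenge):
    # Client keys HMAC-MD5 with the password, sends base64("user hexdigest")
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def verify_cram_md5(stored_cleartext, challenge, response):
    # Server must repeat the client's HMAC, so it needs the cleartext password
    if stored_cleartext is None:
        return False  # no key available (e.g. pw_clear_passwd is null)
    _user, _, digest = base64.b64decode(response).decode().rpartition(" ")
    expected = hmac.new(stored_cleartext.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def hash_password(password, salt):
    # Stand-in salted hash (PBKDF2-SHA256); an assumption, not vpopmail's own scheme
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_plain(stored_salt, stored_hash, password_from_client):
    # PLAIN/LOGIN: client sends the password itself, server re-hashes and compares
    candidate = hash_password(password_from_client, stored_salt)
    return hmac.compare_digest(candidate, stored_hash)

def demo():
    user, password = "user@domain.tld", "0123456789"  # constructed sample account
    salt = os.urandom(16)
    stored_hash = hash_password(password, salt)
    challenge = make_challenge()
    resp = client_response(user, password, challenge)
    return {
        "cram_with_cleartext": verify_cram_md5(password, challenge, resp),
        "cram_with_null_cleartext": verify_cram_md5(None, challenge, resp),
        # Keying the HMAC with the stored hash does not reproduce the client digest
        "cram_with_hash_as_key": verify_cram_md5(stored_hash.hex(), challenge, resp),
        "plain_with_hash_only": verify_plain(salt, stored_hash, password),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```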


On 10/3/2018 7:51 PM, Eric Broch wrote:
Hi Andy,

I got it to work.

In '/etc/dovecot/toaster.conf' add 'mail_location = maildir:~/Maildir'

and make sure of 'auth_mechanisms = plain login'

In '/etc/squirrelmail/config_local.php' here are my imap settings:

$imapServerAddress  = 'localhost';
$imap_server_type   = 'dovecot';
$imap_auth_mech     = 'login';

worked for my squirrelmail setup, hope you get it working


On 10/3/2018 9:18 PM, Andrew Swartz wrote:
And I'll add that at the end, with pw_clear_passwd set to null, login
succeeds via IMAP but fails via Squirrelmail.


-------- Forwarded Message --------
Subject: Re: [qmailtoaster] dovecot
Date: Wed, 3 Oct 2018 19:12:11 -0800
From: Andrew Swartz <awswa...@acsalaska.net>
To: qmailtoaster-list@qmailtoaster.com


With pw_clear_passwd set to '0123456789' I successfully logged in via
this technique using password '0123456789'.

I used SQL to reset pw_clear_passwd to null.

Again I successfully logged in via this technique using password


On 10/3/2018 6:02 PM, Eric Broch wrote:
Try the CLI commands I sent. There can be issues with the configuration
of squirrelmail and roundcube.


# openssl s_client -crlf -connect localhost:993

imap> tag login u...@domain.tld  $userpassword


# cd /usr/local/bin
# wget http://www.jetmore.org/john/code/swaks/latest/swaks
# chown root.root swaks
# chmod +x swaks

# swaks --to some...@remotedomain.tld --from u...@domain.tld --server \
    $yourqmthost --port 587 --ehlo test -tls --auth login --auth-user \
    u...@domain.tld --auth-password $userpassword

On 10/3/2018 7:45 PM, Andrew Swartz wrote:

On Centos7 QMT:

I just created a new user account and set the password to '0123456789'.
Then I used your SQL command to set pw_clear_passwd to null.
Then I viewed the table to confirm it was empty (it was).
Then I tried to log in to Squirrelmail using password '0123456789':
Login failed.
Then I used your SQL command to reset pw_clear_passwd back to
Then I tried to log in to Squirrelmail using password '0123456789':

This seems different from your experience.

This sucks because it seems to mean no easy fix for this problem.


On 10/3/2018 4:24 PM, Eric Broch wrote:
I've been contacted by someone who removed the clear text password
an account and had issues logging into Dovecot even after a
restart. The
fix of course is to reset the password with
Does anyone else want to confirm/refute my findings that w/o the clear
text password Dovecot will work?

Eric Broch
White Horse Technical Consulting (WHTC)
