Yes

On 10/4/2018 2:16 AM, Tony White wrote:
Hi,
  If you have no clear password then vuserinfo is unable to report the user password.
It will only give you the encrypted password.

best wishes
   Tony White

On 04/10/18 14:22, Andrew Swartz wrote:
I ~may~ have just figured out why vpopmail stores cleartext passwords:

It is so it can support CRAM-MD5.

CRAM-MD5 is a challenge-response protocol used to provide privacy over
unencrypted connections.  The server challenges the client with a
pseudorandom challenge.  The client uses the password with HMAC-MD5 to
hash the challenge and send it back.  The server repeats the client
procedure to confirm that the client used (and thus has) the correct
password.

But this means that the server MUST have access to the cleartext
password, otherwise it cannot repeat the client's actions and confirm
authentication.  This cannot be accomplished with a salted hashed password.

If you remove the use of CRAM-MD5 and use PLAIN or LOGIN, the server
does not need access to the cleartext password.

Back when vpopmail was written, cleartext password storage was already
out of favor.  But TLS was not widely used, and the only way to not send
passwords in the clear was CRAM-MD5 (or a similar scheme), and this
required storing cleartext passwords.  Though storing cleartext
passwords is unsafe, it is much safer than sending cleartext passwords
over an encrypted channel.

I suspect that this is the primary reason that vpopmail primarily uses
hashed passwords but supports cleartext passwords with the option to
disable them.

-Andy
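The two verification paths described above, side by side, as an added example that is not part of the original thread and not vpopmail or Dovecot code. It models a user record with the thread's pw_clear_passwd column (set to None to stand in for "null") next to an assumed hashed-password column named pw_passwd; PBKDF2-SHA256 is used as a stand-in for whatever salted hash vpopmail actually stores, and the hostname, user name and sample challenge are constructed values. With the cleartext present both CRAM-MD5 and PLAIN/LOGIN succeed; with it removed, PLAIN/LOGIN still succeeds against the hash while CRAM-MD5 has nothing to key the HMAC with and must fail, which matches the IMAP-works-but-CRAM-fails behaviour discussed here.

```python
"""CRAM-MD5 versus PLAIN/LOGIN verification against a vpopmail-style record.

Added example (not vpopmail/Dovecot code). Assumptions: the column name
pw_passwd for the hashed password, PBKDF2-SHA256 standing in for the real
crypt()-style hash, and the constructed host/user/challenge values below.
"""
import base64
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 100_000


@dataclass
class UserRecord:
    """Minimal stand-in for one vpopmail user row (field names assumed)."""
    name: str
    salt: bytes
    pw_passwd: bytes                # salted hash of the password
    pw_clear_passwd: Optional[str]  # None models the column set to null


def salted_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 stands in for the crypt()-style hash vpopmail stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_user(name: str, password: str, keep_clear: bool) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(name, salt, salted_hash(password, salt),
                      password if keep_clear else None)


# ---- CRAM-MD5 (RFC 2195): challenge/response; server needs the cleartext ----

def cram_md5_challenge(hostname: str = "mail.example.com") -> bytes:
    """Server side: a fresh '<random.timestamp@hostname>' challenge."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: HMAC-MD5 the challenge keyed with the password, base64 it."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def cram_md5_verify(record: UserRecord, challenge: bytes, response_b64: str) -> bool:
    """Server side: redo the client's HMAC. Without the cleartext it cannot."""
    if record.pw_clear_passwd is None:
        return False  # no key material to recompute the HMAC: must fail
    username, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    if username != record.name:
        return False
    expected = hmac.new(record.pw_clear_passwd.encode(), challenge,
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


# ---- PLAIN / LOGIN: client sends the password itself; the hash suffices ----

def plain_verify(record: UserRecord, password: str) -> bool:
    """Server side: hash what the client sent and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, record.salt), record.pw_passwd)


def authenticate(record: UserRecord, mechanism: str, client_msg: str,
                 challenge: bytes = b"") -> bool:
    """Dispatch like a server offering both mechanism families."""
    if mechanism in ("PLAIN", "LOGIN"):
        return plain_verify(record, client_msg)
    if mechanism == "CRAM-MD5":
        return cram_md5_verify(record, challenge, client_msg)
    raise ValueError(f"unsupported mechanism {mechanism}")


def hash_keyed_hmac_matches(record: UserRecord, challenge: bytes,
                            response_b64: str) -> bool:
    """Keying the HMAC with the stored hash (all the server has once
    pw_clear_passwd is null) does not reproduce the client's digest."""
    _, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    guess = hmac.new(record.pw_passwd, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, guess)


if __name__ == "__main__":
    # Constructed sample: same password as the thread's test account.
    rec = create_user("user@domain.tld", "0123456789", keep_clear=True)
    ch = cram_md5_challenge()
    resp = cram_md5_response(rec.name, "0123456789", ch)
    print("with cleartext:    CRAM-MD5", authenticate(rec, "CRAM-MD5", resp, ch),
          "LOGIN", authenticate(rec, "LOGIN", "0123456789"))
    rec.pw_clear_passwd = None  # the SQL "set pw_clear_passwd to null" step
    print("cleartext removed: CRAM-MD5", authenticate(rec, "CRAM-MD5", resp, ch),
          "LOGIN", authenticate(rec, "LOGIN", "0123456789"))
```

The RFC 2195 worked example (user "tim", secret "tanstaaftanstaaf", challenge "<1896.697170952@postoffice.reston.mci.net>") is reproduced by cram_md5_response, so the client side interoperates with real servers; the point of the block is the server side, where the only difference between the two paths is whether the stored secret can be used as an HMAC key.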


On 10/3/2018 7:51 PM, Eric Broch wrote:
Hi Andy,

I got it to work.

In '/etc/dovecot/toaster.conf' add 'mail_location = maildir:~/Maildir'

and make sure of 'auth_mechanisms = plain login'

In '/etc/squirrelmail/config_local.php' here are my imap settings:

$imapServerAddress  = 'localhost';
$imap_server_type   = 'dovecot';
$imap_auth_mech     = 'login';

worked for my squirrelmail setup, hope you get it working

-Eric


On 10/3/2018 9:18 PM, Andrew Swartz wrote:
And I'll add that at the end, with pw_clear_passwd set to null, login
succeeds via IMAP but fails via Squirrelmail.

-Andy



-------- Forwarded Message --------
Subject: Re: [qmailtoaster] dovecot
Date: Wed, 3 Oct 2018 19:12:11 -0800
From: Andrew Swartz <awswa...@acsalaska.net>
To: qmailtoaster-list@qmailtoaster.com

Eric,

With pw_clear_passwd set to '0123456789' I successfully logged in via
this technique using password '0123456789'.

I used SQL to reset pw_clear_passwd to null.

Again I successfully logged in via this technique using password
'0123456789'.


-Andy



On 10/3/2018 6:02 PM, Eric Broch wrote:
Try the CLI commands I sent. There can be issues with the configuration
of squirrelmail and roundcube.

IMAP:

# openssl s_client -crlf -connect localhost:993

imap> tag login u...@domain.tld $userpassword


Submission:

# cd /usr/local/bin
# wget http://www.jetmore.org/john/code/swaks/latest/swaks
# chown root.root swaks
# chmod +x swaks

# swaks --to some...@remotedomain.tld --from u...@domain.tld --server \
    $yourqmthost --port 587 --ehlo test -tls --auth login --auth-user \
    u...@domain.tld --auth-password $userpassword


On 10/3/2018 7:45 PM, Andrew Swartz wrote:
Eric,

On Centos7 QMT:

I just created a new user account and set the password to '0123456789'.
Then I used your SQL command to set pw_clear_passwd to null.
Then I viewed the table to confirm it was empty (it was).
Then I tried to log in to Squirrelmail using password '0123456789':
Login failed.
Then I used your SQL command to reset pw_clear_passwd back to
'0123456789'.
Then I tried to log in to Squirrelmail using password '0123456789':
success.

This seems different from your experience.

This sucks because it seems to mean no easy fix for this problem.


-Andy




On 10/3/2018 4:24 PM, Eric Broch wrote:
I've been contacted by someone who removed the clear text password from
an account and had issues logging into Dovecot even after a restart. The
fix of course is to reset the password with /home/vpopmail/bin/vpasswd.
Does anyone else want to confirm/refute my findings that w/o the clear
text password Dovecot will work?

--
Eric Broch
White Horse Technical Consulting (WHTC)



--
Eric Broch
White Horse Technical Consulting (WHTC)