Re: [qmailtoaster] Re: Authentication methods

2012-02-17 Thread Peter Peltonen
Hi,

On Fri, Feb 17, 2012 at 2:14 AM, Eric Shubert e...@shubes.net wrote:
 Have you restarted apache since changing the SM config file?

I had not but tried it now. I also read from SM docs:


Digest-MD5 authentication needs PHP XML extension.
If you have the mhash extension to PHP, it will automatically be used,
which may help performance on heavily loaded servers.
IMAP server support for these methods.


I did not have php-xml nor php-mhash installed, so I installed them
with yum and restarted Apache.

[root@ol ~]# service httpd restart
Stopping httpd: [  OK  ]
Starting httpd: [  OK  ]

[root@ol ~]# grep md5 /etc/squirrelmail/config.php
$imap_auth_mech = 'digest-md5';

But still cram-md5 is used as login fails and in the dovecot log I see:

Feb 17 09:56:04 imap-login: Info: Disconnected (tried to use
unsupported auth mechanism): method=CRAM-MD5, rip=127.0.0.1,
lip=127.0.0.1, secured

I would be interested in hearing about other people's configs /
software versions, if they are using successfully digest-md5 with
SquirrelMail?

Best,
Peter

-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
  If you need professional help with your setup, contact them today!
-
 Please visit qmailtoaster.com for the latest news, updates, and packages.
 
  To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
 For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] Re: Authentication methods

2012-02-17 Thread Bharath Chari

On Friday 17 February 2012 01:33 PM, Peter Peltonen wrote:

Hi,

On Fri, Feb 17, 2012 at 2:14 AM, Eric Shubert e...@shubes.net wrote:

Have you restarted apache since changing the SM config file?

I had not but tried it now. I also read from SM docs:


Digest-MD5 authentication needs PHP XML extension.
If you have the mhash extension to PHP, it will automatically be used,
which may help performance on heavily loaded servers.
IMAP server support for these methods.


I did not have php-xml nor php-mhash installed, so I installed them
with yum and restarted Apache.

[root@ol ~]# service httpd restart
Stopping httpd: [  OK  ]
Starting httpd: [  OK  ]

[root@ol ~]# grep md5 /etc/squirrelmail/config.php
$imap_auth_mech = 'digest-md5';

But still cram-md5 is used as login fails and in the dovecot log I see:

Feb 17 09:56:04 imap-login: Info: Disconnected (tried to use
unsupported auth mechanism): method=CRAM-MD5, rip=127.0.0.1,
lip=127.0.0.1, secured

I would be interested in hearing about other people's configs /
software versions, if they are using successfully digest-md5 with
SquirrelMail?

I don't use Squirrelmail a lot, but just tested it out with 
$imap_auth_mech = 'digest-md5';
It authenticates just fine. Are you sure config_local.php is not 
overriding it in any way? Can you share both files with us please?


Feb 17 15:51:58 imap-login: Info: Login: user=x...@example.com, 
method=DIGEST-MD5, rip=127.0.0.1, lip=127.0.0.1, mpid=14232, secured
Feb 17 15:51:58 imap(x...@example.com): Info: Disconnected: Logged out 
bytes=311/3852


Bharath





Re: [qmailtoaster] Re: Authentication methods

2012-02-17 Thread Peter Peltonen
Hi!

On Fri, Feb 17, 2012 at 12:28 PM, Bharath Chari
qmailtoas...@arachnis.com wrote:
 I don't use Squirrelmail a lot, but just tested it out with $imap_auth_mech
 = 'digest-md5';
 It authenticates just fine. Are you sure config_local.php is not overriding
 it in any way? Can you share both files with us please?

Stupid me!

It's been such a long time since I've touched SquirrelMail
configuration that I wasn't even aware that there was a
/etc/squirrelmail/config_local.php file

And yes, that was overriding the config.php

Setting digest-md5 as auth method there works just fine.

Good, now I feel confident enough to update my prod server.

Thanks,
Peter
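The check that resolved this thread, written out as an added example (not code from any poster or from SquirrelMail): find which file sets the effective `$imap_auth_mech` when `config_local.php` overrides `config.php`, then compare it with the `AUTH=` capabilities in the Dovecot greeting and the rejected method in the log. The function names and sample strings are constructed for illustration, and treating SquirrelMail's `login` value as the IMAP LOGIN command is an assumption.

```python
import re

# Uncommented PHP assignment, e.g.  $imap_auth_mech = 'digest-md5';
# Lines starting with # or // do not match; /* */ blocks are not handled.
ASSIGN = re.compile(r"^[ \t]*\$imap_auth_mech\s*=\s*['\"]([^'\"]+)['\"]\s*;", re.M)
AUTH_CAP = re.compile(r"\bAUTH=([A-Za-z0-9_-]+)")
REJECTED = re.compile(
    r"tried to use unsupported auth mechanism\): method=([A-Za-z0-9_-]+)")


def effective_mech(files):
    """files: (name, text) pairs in load order. The last assignment wins,
    which is how config_local.php overrode config.php in the thread."""
    mech, origin = None, None
    for name, text in files:
        for m in ASSIGN.finditer(text):
            mech, origin = m.group(1).lower(), name
    return mech, origin


def advertised(greeting):
    """SASL mechanisms offered in an IMAP CAPABILITY greeting, lower-cased."""
    return {m.lower() for m in AUTH_CAP.findall(greeting)}


def diagnose(files, greeting, log_line=""):
    """Return a list of findings; an empty list means everything agrees."""
    mech, origin = effective_mech(files)
    offered = advertised(greeting)
    findings = []
    if mech is None:
        findings.append("no $imap_auth_mech assignment found")
    elif mech == "login":
        # Assumption: 'login' means the IMAP LOGIN command, not a SASL mechanism.
        if "LOGINDISABLED" in greeting.upper():
            findings.append(f"{origin} selects login but server sets LOGINDISABLED")
    elif mech not in offered:
        findings.append(f"{origin} selects {mech}; server offers {sorted(offered)}")
    hit = REJECTED.search(log_line)
    if hit and hit.group(1).lower() != mech:
        findings.append(f"log shows {hit.group(1)} but effective config is {mech}")
    return findings


# Constructed sample input modelled on the thread (wrapped lines joined).
CONFIG_PHP = "$imap_auth_mech = 'digest-md5';\n$use_imap_tls = false;\n"
CONFIG_LOCAL_PHP = "# constructed local override\n$imap_auth_mech = 'cram-md5';\n"
GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
            "IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5] Dovecot toaster ready.")
LOG = ("Feb 17 09:56:04 imap-login: Info: Disconnected (tried to use unsupported "
       "auth mechanism): method=CRAM-MD5, rip=127.0.0.1, lip=127.0.0.1, secured")

if __name__ == "__main__":
    files = [("config.php", CONFIG_PHP), ("config_local.php", CONFIG_LOCAL_PHP)]
    print("effective:", effective_mech(files))
    for finding in diagnose(files, GREETING, LOG):
        print("FINDING:", finding)
```

Passing only `config.php` reproduces the original puzzle: the file says digest-md5 while the log shows CRAM-MD5, which is the signal that another file sets the value later.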





Re: [qmailtoaster] Re: Authentication methods

2012-02-17 Thread Bharath Chari

On Friday 17 February 2012 04:50 PM, Peter Peltonen wrote:

Hi!

On Fri, Feb 17, 2012 at 12:28 PM, Bharath Chari
qmailtoas...@arachnis.com  wrote:

I don't use Squirrelmail a lot, but just tested it out with $imap_auth_mech
= 'digest-md5';
It authenticates just fine. Are you sure config_local.php is not overriding
it in any way? Can you share both files with us please?

Stupid me!

It's been such a long time since I've touched SquirrelMail
configuration that I wasn't even aware that there was a
/etc/squirrelmail/config_local.php file

And yes, that was overriding the config.php

Setting digest-md5 as auth method there works just fine.

Good, now I feel confident enough to update my prod server.

Good for you. I personally use roundcube for webmail. One of these days, 
I'll try to find the strength of character to roll out an RPM for QMT. 
Don't hold me to that though :)


Bharath





[qmailtoaster] Re: Authentication methods

2012-02-17 Thread Eric Shubert

On 02/17/2012 04:37 AM, Bharath Chari wrote:

Good for you. I personally use roundcube for webmail. One of these days,
I'll try to find the strength of character to roll out an RPM for QMT.
Don't hold me to that though :)


I've been wanting for some time now to get a team of people together to 
address webmail for QMT. The horde toaster project stalled because of me 
(sorry for that). I'd like to get the infrastructure transition closer 
to completion before doing much with this, but perhaps it's not too soon 
to discuss some ideas. Let's take this up on the devel list. I'll try to 
get a thread started today.


--
-Eric 'shubes'






Re: [qmailtoaster] Re: Authentication methods

2012-02-17 Thread Angus McIntyre
Eric Shubert wrote:
 I've been wanting for some time now to get a team of people together to
 address webmail for QMT. The horde toaster project stalled because of me
 (sorry for that).

My recollection of horde is that it's a horror to install and administer,
but I may be behind the times.

Atmail and Roundcube are pretty, but last time I looked at them (which
admittedly was a while ago) they both had some odd glitches. Maybe I
should take another look.

Squirrelmail has at least the virtue of simplicity.

Just my 2c.

Angus






[qmailtoaster] Re: Authentication methods

2012-02-17 Thread Eric Shubert

On 02/17/2012 10:01 AM, Angus McIntyre wrote:

Eric Shubert wrote:

I've been wanting for some time now to get a team of people together to
address webmail for QMT. The horde toaster project stalled because of me
(sorry for that).


My recollection of horde is that it's a horror to install and administer,
but I may be behind the times.

Atmail and Roundcube are pretty, but last time I looked at them (which
admittedly was a while ago) they both had some odd glitches. Maybe I
should take another look.

Squirrelmail has at least the virtue of simplicity.

Just my 2c.

Angus



Angus,

If you're not already on the devel list, please join us there. We'd love 
to have your participation with future developments.


--
-Eric 'shubes'






Re: [qmailtoaster] Re: Authentication methods

2012-02-17 Thread Cecil Yother, Jr.



On 02/17/2012 08:46 AM, Eric Shubert wrote:

On 02/17/2012 04:37 AM, Bharath Chari wrote:

Good for you. I personally use roundcube for webmail. One of these days,
I'll try to find the strength of character to roll out an RPM for QMT.
Don't hold me to that though :)


I've been wanting for some time now to get a team of people together 
to address webmail for QMT. The horde toaster project stalled because 
of me (sorry for that). I'd like to get the infrastructure transition 
closer to completion before doing much with this, but perhaps it's not 
too soon to discuss some ideas. Let's take this up on the devel list. 
I'll try to get a thread started today.


I'll second the difficulty level with Horde. While feature rich, it's a 
PITA to set up and keep working. I currently use RoundCube. It's 
pretty simple and straightforward to set up and install. Has some 
limitations, but nothing too serious. While SM works well, its 
interface is outdated, although Nutsmail is an option.


--
Cecil Yother, Jr. cj
cj's
2318 Clement Ave
Alameda, CA  94501

tel 510.865.2787 | http://yother.com
Check out the new Volvo classified resource http://www.volvoclassified.com






[qmailtoaster] Re: Authentication methods

2012-02-17 Thread Eric Shubert

On 02/16/2012 09:48 PM, Pak Ogah wrote:

On 02/16/12 0:26, Eric Shubert wrote:

As part of the upgrade to vpopmail, we're considering removing clear
text passwords from the database. This will improve security, but at
the same time remove some (somewhat insecure) capability.

The biggest impact I think this will have is that admins will no
longer be able to look up someone's password. In the event that a user
loses their password, the administrator would reset the password to
something temporary, and the user would subsequently change it to
whatever they like. This is the practice followed in many (if not
most) other environments.


I use clear text password for:
- if my manager asked by his superior/co-manager to peek his
sub-ordinate email-account


This can be done more securely by using taps 
(http://wiki.qmailtoaster.com/index.php/Taps).


If taps has not been activated yet, the system admin could grep through 
a user's email. That would be up to the system admin's discretion.


Companies should have a policy regarding email that does not include the 
compromising of passwords.



- jabberd authentication by creating a view on vpopmail's table



Which jabberd implementation/version are you using?
If you use ejabberd, you might try this:
http://www.ejabberd.im/check_vpopmail
Or, this appears to use hashed passwords:
http://www.ejabberd.im/check_mysql_python
Or, you might have ejabberd validate via dovecot:
http://www.ejabberd.im/files/contributions/check_dovecot.pl.txt

I think that there is most likely a way to use vpopmail's database for 
your jabberd authentication without needing clear text passwords. We may 
be of more help if you tell us your specific jabberd setup.


--
-Eric 'shubes'






[qmailtoaster] Re: Authentication methods

2012-02-16 Thread Eric Shubert

On 02/16/2012 02:43 PM, Peter Peltonen wrote:

Hi,

On Wed, Feb 15, 2012 at 7:26 PM, Eric Shubert e...@shubes.net wrote:

The other impact will be the elimination of cram-md5 as an authentication
option. While this doesn't really make QMT any less secure, it might mean
that some clients that were formerly configured to use cram-md5 would fail
to work until their configuration options were changed.


Related to this:

On another recently new qmailtoaster server of mine I noticed the following
after updating packages with yum:

Feb 11 12:52:02 Updated: 1:dovecot-2.0.17-1.qtp.i386
Feb 11 12:52:30 Updated: qmail-toaster-1.03-1.3.21.i686
Feb 11 12:53:07 Updated: qmailtoaster-plus-0.3.2-1.4.17.noarch

I had disabled cram-md5 from the server (as I had had issues with it
on my other toaster running Horde). In /etc/dovecot/toaster.conf:

auth_mechanisms = plain login digest-md5

But after the update logins to Squirrelmail no longer worked, this was
the error given by Squirrelmail:

ERROR:
Bad request: IMAP server does not appear to support the authentication
method selected. Please contact your system administrator.

And in dovecot.log I saw:

Feb 16 23:31:04 imap-login: Info: Disconnected (tried to use
unsupported auth mechanism): method=CRAM-MD5, rip=127.0.0.1,
lip=127.0.0.1, secured

What I have in /etc/squirrelmail/config.php is:

$imap_auth_mech = 'login';
$use_imap_tls = false;

Now I am puzzled as I had the same config in dovecot/squirrelmail
before the update and things worked ok.

Here is what I see in the dovecot.log with the old version when
logging in via Squirrelmail:

Feb 16 23:40:33 imap-login: Info: Aborted login (auth failed, 1
attempts): user=pe...@mydomain.tld, method=PLAIN, rip=127.0.0.1,
lip=127.0.0.1, secured

So no cram-md5 there. So the situation seems to be:

* with dovecot-2.0.11-2.qtp + qmail-toaster-1.03-1.3.20 Squirrelmail
works ok without cram-md5, Horde does not work without cram-md5

* with dovecot-2.0.17-1.qtp.i386 + qmail-toaster-1.03-1.3.21.i686
Squirrelmail does not work without cram-md5, situation of Horde with
this combo is unknown to me

Has anyone any ideas why Squirrelmail started using cram-md5 after the update?

Best,
Peter



Look closely at your config_local.php file for SM, just to be sure 
there's not another line with cram-md5 in there.


I just had a problem today testing dovecot w/out cram-md5. I needed to 
change SM's config_local.php from:

$imap_auth_mech = 'cram-md5';
to
$imap_auth_mech = 'digest-md5';

I noticed this comment I had put in there:
# 2011/09/30 - cram-md5 had intermittent failures
Just squirrelly I guess. ;)

BL, digest-md5 is working ok for me, and doesn't send passwords in the 
clear. FWIW, SM v1.5.1 supports STARTTLS. This is usually not a concern 
though, as SM and QMT are usually on a trusted network (if not the same 
host).


--
-Eric 'shubes'
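Why removing clear-text passwords from the database also removes cram-md5, as quoted in the message above, shown as an added example (not code from the thread, vpopmail or Dovecot). It uses the RFC 2195 sample exchange; the PBKDF2 storage format and all function names are assumptions standing in for whatever one-way scheme the server actually uses.

```python
import hashlib
import hmac
import os

# Sample exchange from RFC 2195 (user "tim", shared secret below).
RFC_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"
RFC_SECRET = "tanstaaftanstaaf"


def cram_md5_response(user, secret, challenge):
    """Client side: '<user> <hex HMAC-MD5(key=secret, msg=challenge)>'."""
    digest = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{user} {digest}"


def verify_cram_md5(response, challenge, server_key):
    """Server side: recompute the HMAC. The password never crosses the wire,
    so the server needs the shared secret (or key material equivalent to it)."""
    _user, _, digest = response.rpartition(" ")
    expected = hmac.new(server_key.encode(), challenge.encode(),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def hash_password(password, salt=None):
    """One-way storage. PBKDF2-SHA256 is a stand-in, not vpopmail's scheme."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_plain(submitted, salt, stored_hash):
    """PLAIN/LOGIN: the client sends the password, so re-hashing it suffices."""
    _, candidate = hash_password(submitted, salt)
    return hmac.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    response = cram_md5_response("tim", RFC_SECRET, RFC_CHALLENGE)
    print("client response:", response)

    # Server that still stores the clear-text secret: CRAM-MD5 verifies.
    print("clear-text store, CRAM-MD5:",
          verify_cram_md5(response, RFC_CHALLENGE, RFC_SECRET))

    # Server that stores only a salted one-way hash.
    salt, stored = hash_password(RFC_SECRET)
    print("hashed store, PLAIN:", verify_plain(RFC_SECRET, salt, stored))
    # The hash is the only key material left, and it is not the HMAC key.
    print("hashed store, CRAM-MD5:",
          verify_cram_md5(response, RFC_CHALLENGE, stored.hex()))
```

With hashed storage the remaining PLAIN and LOGIN mechanisms carry the password itself, so they depend on TLS or on the trusted local path between webmail and IMAP that the message mentions.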






Re: [qmailtoaster] Re: Authentication methods

2012-02-16 Thread Peter Peltonen
Hi,

On Fri, Feb 17, 2012 at 12:07 AM, Eric Shubert e...@shubes.net wrote:
 Look closely at your config_local.php file for SM, just to be sure there's
 not another line with cram-md5 in there.

No there is not. This is the default qmailtoaster configuration, I
don't remember ever touching it:

[root@ol ~]# grep md5 /etc/squirrelmail/config.php
outputs nothing

Same output (nothing) on my other server running the previous version.

On the updated server I changed SM's auth to digest-md5, removed
cram-md5 from dovecot's conf:

[root@ol ~]# grep md5 /etc/squirrelmail/config.php
$imap_auth_mech = 'digest-md5';

[root@ol ~]# grep md5 /etc/dovecot/toaster.conf
#auth_mechanisms = plain login digest-md5 cram-md5
auth_mechanisms = plain login digest-md5

restarted Dovecot and made sure cram-md5 was disabled:

[root@ol ~]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5] Dovecot toaster
ready.

and tried logging in from SM, which resulted again in:

Feb 17 00:18:02 imap-login: Info: Disconnected (tried to use
unsupported auth mechanism): method=CRAM-MD5, rip=127.0.0.1,
lip=127.0.0.1, secured

Why is SM trying to use cram-md5 even if it's configured to use digest-md5?

This is the SM I have installed:

[root@ol ~]# rpm -qa |grep squirrel
squirrelmail-toaster-1.4.20-1.3.17

Can someone else reproduce this behaviour?

Regards,
Peter





[qmailtoaster] Re: Authentication methods

2012-02-16 Thread Eric Shubert

On 02/16/2012 03:26 PM, Peter Peltonen wrote:

Hi,

On Fri, Feb 17, 2012 at 12:07 AM, Eric Shubert e...@shubes.net wrote:

Look closely at your config_local.php file for SM, just to be sure there's
not another line with cram-md5 in there.


No there is not. This is the default qmailtoaster configuration, I
don't remember ever touching it:

[root@ol ~]# grep md5 /etc/squirrelmail/config.php
outputs nothing

Same output (nothing) on my other server running the previous version.

On the updated server I changed SM's auth to digest-md5, removed
cram-md5 from dovecot's conf:

[root@ol ~]# grep md5 /etc/squirrelmail/config.php
$imap_auth_mech = 'digest-md5';

[root@ol ~]# grep md5 /etc/dovecot/toaster.conf
#auth_mechanisms = plain login digest-md5 cram-md5
auth_mechanisms = plain login digest-md5

restarted Dovecot and made sure cram-md5 was disabled:

[root@ol ~]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5] Dovecot toaster
ready.

and tried logging in from SM, which resulted again in:

Feb 17 00:18:02 imap-login: Info: Disconnected (tried to use
unsupported auth mechanism): method=CRAM-MD5, rip=127.0.0.1,
lip=127.0.0.1, secured

Why is SM trying to use cram-md5 even if it's configured to use digest-md5?

This is the SM I have installed:

[root@ol ~]# rpm -qa |grep squirrel
squirrelmail-toaster-1.4.20-1.3.17

Can someone else reproduce this behaviour?

Regards,
Peter



Have you restarted apache since changing the SM config file?

--
-Eric 'shubes'

