Re: [SOGo] Authentication using ldap-md5 password fails

2023-12-12 Thread * Neustradamus *
Hello all,

At this time, there is no real security for passwords.
There is an old problem: support for SCRAM salted hashed passwords is
missing, with or without OpenLDAP.
I think it is time to add this support in SOGo for users' security!

SCRAM exists since 2011.

Some information:
- https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism

State of Play:
- https://github.com/scram-sasl/info/issues/1

Linked to:
- https://bugs.sogo.nu/view.php?id=4869


From: users-requ...@sogo.nu on behalf of Владимир Вишняков
Sent: Tuesday, December 12, 2023 07:21
To: users@sogo.nu
Subject: [SOGo] Authentication using ldap-md5 password fails

Good afternoon,
I use a mailcow: dockerized mail server with an integrated SOGo container.
After the update, SOGo stopped allowing users whose password hash was generated
using the {MD5} algorithm. Users whose password is generated by {BLF-CRYPT} are
authenticated normally. I turned on the logs; in the logs I can see access to
the database and retrieval of the password hash, but the password is not
accepted.

Dec 12 10:26:01 260deb884b40 2023-12-12 10:26:01.627 sogod[69:69] SQL: SELECT c_password FROM _sogo_static_view WHERE c_uid = 'pp_pet...@xx.xx';
Dec 12 10:26:01 260deb884b40 2023-12-12 10:26:01.627 sogod[69:69] query has results, entering fetch-mode.
...
SOGoRootPage Login from 'MY.IP.AD.DR' for user 'pp_pet...@xx.xx' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0

The "c_password" field on _sogo_static_view contains a hash like:
 {MD5}ZVN1hovmmV34NCxjRKIDVw==
(Base64-encoded MD5 hash)

userPasswordAlg setting:
userPasswordAlgoritm
ldap-md5
I also tried md5.

What could be the problem? Please help me fix it.
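As an added illustration (not code from SOGo, mailcow or this thread), the following Python checks a password against the unsalted `{MD5}` scheme shown in the question, and, for contrast with the SCRAM support requested in the reply, derives the salted SCRAM-SHA-256 verifier a server stores and runs the client proof / server verification steps of RFC 5802 and RFC 7677. The `{MD5}` sample value used with it is constructed; the SCRAM salt, nonces and expected values are the RFC 7677 section 3 example exchange (password "pencil").

```python
import base64
import hashlib
import hmac

def verify_ldap_md5(stored: str, password: str) -> bool:
    """Check a password against an RFC 2307-style '{MD5}<base64 digest>' value (unsalted)."""
    if not stored.startswith("{MD5}"):
        return False
    digest = base64.b64decode(stored[len("{MD5}"):])
    return hmac.compare_digest(digest, hashlib.md5(password.encode()).digest())

def scram_sha256_keys(password: str, salt: bytes, iterations: int) -> tuple:
    """What a SCRAM server stores instead of the password: (StoredKey, ServerKey)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)  # RFC 5802 Hi()
    client_key = hmac.new(salted, b"Client Key", "sha256").digest()
    server_key = hmac.new(salted, b"Server Key", "sha256").digest()
    return hashlib.sha256(client_key).digest(), server_key

def scram_client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", "sha256").digest()
    stored_key = hashlib.sha256(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, "sha256").digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))

def scram_server_verify(stored_key: bytes, server_key: bytes, auth_message: bytes, proof: bytes):
    """Server side: recover ClientKey from the proof, check H(ClientKey) == StoredKey;
    returns the ServerSignature on success (for the client to check) or None on failure."""
    client_sig = hmac.new(stored_key, auth_message, "sha256").digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    if not hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key):
        return None
    return hmac.new(server_key, auth_message, "sha256").digest()

# RFC 7677 section 3 example exchange (password "pencil", i=4096) as an interop check.
RFC7677_SALT = base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ==")
RFC7677_AUTH_MESSAGE = (  # client-first-bare , server-first , client-final-without-proof
    b"n=user,r=rOprNGfwEbeRWgbNEkqO,"
    b"r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096,"
    b"c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
)

def rfc7677_example() -> tuple:
    """Run the RFC 7677 exchange end to end; returns (ClientProof, ServerSignature) base64."""
    stored_key, server_key = scram_sha256_keys("pencil", RFC7677_SALT, 4096)
    proof = scram_client_proof("pencil", RFC7677_SALT, 4096, RFC7677_AUTH_MESSAGE)
    server_sig = scram_server_verify(stored_key, server_key, RFC7677_AUTH_MESSAGE, proof)
    return base64.b64encode(proof).decode(), base64.b64encode(server_sig).decode()
```

Note that the server in the SCRAM case never sees the password and stores only StoredKey and ServerKey, whereas the `{MD5}` value is the bare digest of the password.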


[SOGo] SOGo and SCRAM mechanisms for security

2023-08-06 Thread * Neustradamus *
Hello the SOGo team,

Have you progressed on SCRAM?
- https://bugs.sogo.nu//view.php?id=4869

We are in August 2023.

Thanks in advance.

Regards.

Neustradamus

[SOGo] SOGo Debian 12 Bookworm compatibility

2023-07-28 Thread * Neustradamus *
Hello the SOGo team,

Is it possible to have Debian 12 "Bookworm" compatibility?
- https://www.sogo.nu/support/faq/how-to-install-sogo-on-debian.html
- https://www.sogo.nu/support/faq/how-to-install-nightly-sogo-versions-on-debian.html

Also, Debian 11 "Bullseye" is not here:
- https://www.sogo.nu/support/faq/how-to-install-nightly-sogo-versions-on-debian.html

Thanks in advance.

Regards.

Neustradamus

[SOGo] SCRAM-SHA-1(-PLUS) to SCRAM-SHA-512(-PLUS) support

2022-08-18 Thread * Neustradamus *
Dear all,

After several years, can you add SCRAM-SHA-* support, because secure servers do
not work with SOGo?

Do not forget to update the documentation after it:
- https://github.com/Alinto/sogo/blob/master/Documentation/SOGoInstallationGuide.asciidoc

Base:
- SCRAM-SHA-1
- SCRAM-SHA-256
- SCRAM-SHA-512

Same with TLS Channel Binding:
- SCRAM-SHA-1-PLUS
- SCRAM-SHA-256-PLUS
- SCRAM-SHA-512-PLUS

History:

20 November 2008: CRAM-MD5 to Historic:
- https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00

29 June 2017: CRAM-MD5 to Historic:
- https://tools.ietf.org/html/draft-zeilenga-luis140219-crammd5-to-historic-00

July 2011: RFC6331: Moving DIGEST-MD5 to Historic:
- https://tools.ietf.org/html/rfc6331

August 2021: RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2:
"Replaced DIGEST-MD5 SASL mechanism with SCRAM-SHA-256. DIGEST-MD5 was 
deprecated."
- https://tools.ietf.org/html/rfc9051

SCRAM-SHA-1(-PLUS):
- https://tools.ietf.org/html/rfc5802
- https://tools.ietf.org/html/rfc6120

SCRAM-SHA-256(-PLUS):
- https://tools.ietf.org/html/rfc7677 since 2015-11-02

SCRAM-SHA-512(-PLUS):
- https://tools.ietf.org/html/draft-melnikov-scram-sha-512

SCRAM-SHA3-512(-PLUS):
- https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

Channel Binding:
- RFC5056: On the Use of Channel Bindings to Secure Channels: 
https://tools.ietf.org/html/rfc5056
- RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
- RFC9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266
- https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml

IMAP:
- RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: 
https://tools.ietf.org/html/rfc9051

LDAP:
- RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing 
Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: 
https://tools.ietf.org/html/rfc5803

HTTP:
- RFC7804: Salted Challenge Response HTTP Authentication Mechanism: 
https://tools.ietf.org/html/rfc7804

2FA:
- Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: 
https://datatracker.ietf.org/doc/html/draft-ietf-kitten-scram-2fa

IANA:
- Simple Authentication and Security Layer (SASL) Mechanisms: 
https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

Linked to:
- https://github.com/scram-xmpp/info/issues/1
- https://bugs.sogo.nu/view.php?id=4869

Thanks in advance.

Regards,

Neustradamus