Re: [SOGo] Authentication using ldap-md5 password fails
Hello all,

At this time, there is no real security for passwords. There is an old problem: support for SCRAM salted hashed passwords is missing, with or without OpenLDAP.

I think it is time to add this support in SOGo for users' security! SCRAM has existed since 2011.

Some information:
- https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism

State of play:
- https://github.com/scram-sasl/info/issues/1

Linked to:
- https://bugs.sogo.nu/view.php?id=4869

From: users-requ...@sogo.nu on behalf of Владимир Вишняков
Sent: Tuesday, December 12, 2023 07:21
To: users@sogo.nu
Subject: [SOGo] Authentication using ldap-md5 password fails

Good afternoon,

I use mailcow, a dockerized mail server with an integrated SOGo container. After the update, SOGo stopped allowing users whose password hash was generated using the {MD5} algorithm. Users whose password is generated by {BLF-CRYPT} are authenticated normally.

I turned on the logs; in the logs I can see access to the database and retrieval of the password hash, but the password is not accepted.

Dec 12 10:26:01 260deb884b40 2023-12-12 10:26:01.627 sogod[69:69] SQL: SELECT c_password FROM _sogo_static_view WHERE c_uid = 'pp_pet...@xx.xx';
Dec 12 10:26:01 260deb884b40 2023-12-12 10:26:01.627 sogod[69:69] query has results, entering fetch-mode.
...
SOGoRootPage Login from 'MY.IP.AD.DR' for user 'pp_pet...@xx.xx' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0

The "c_password" field on _sogo_static_view contains a hash like:
{MD5}ZVN1hovmmV34NCxjRKIDVw==
(Base64 encoded MD5 hash)

userPasswordAlg setting:
userPasswordAlgoritm ldap-md5

I also tried md5.

What could be the problem? Please help me fix it.
[SOGo] SOGo and SCRAM mechanisms for security
Hello the SOGo team,

Have you progressed on SCRAM?
- https://bugs.sogo.nu//view.php?id=4869

We are in August 2023.

Thanks in advance.

Regards.
Neustradamus
[SOGo] SOGo Debian 12 Bookworm compatibility
Hello the SOGo team,

Is it possible to have Debian 12 "Bookworm" compatibility?
- https://www.sogo.nu/support/faq/how-to-install-sogo-on-debian.html
- https://www.sogo.nu/support/faq/how-to-install-nightly-sogo-versions-on-debian.html

Moreover, Debian 11 "Bullseye" is not there:
- https://www.sogo.nu/support/faq/how-to-install-nightly-sogo-versions-on-debian.html

Thanks in advance.

Regards.
Neustradamus
[SOGo] SCRAM-SHA-1(-PLUS) to SCRAM-SHA-512(-PLUS) supports
Dear all,

After several years, can you add SCRAM-SHA-* support, because secure servers do not work with SOGo?

Do not forget to update the documentation after it:
- https://github.com/Alinto/sogo/blob/master/Documentation/SOGoInstallationGuide.asciidoc

Base:
- SCRAM-SHA-1
- SCRAM-SHA-256
- SCRAM-SHA-512

Same with TLS Channel Binding:
- SCRAM-SHA-1-PLUS
- SCRAM-SHA-256-PLUS
- SCRAM-SHA-512-PLUS

History:

20 November 2008: CRAM-MD5 to Historic:
- https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00

29 June 2017: CRAM-MD5 to Historic:
- https://tools.ietf.org/html/draft-zeilenga-luis140219-crammd5-to-historic-00

July 2011: RFC6331: Moving DIGEST-MD5 to Historic:
- https://tools.ietf.org/html/rfc6331

August 2021: RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: "Replaced DIGEST-MD5 SASL mechanism with SCRAM-SHA-256. DIGEST-MD5 was deprecated."
- https://tools.ietf.org/html/rfc9051

SCRAM-SHA-1(-PLUS):
- https://tools.ietf.org/html/rfc5802
- https://tools.ietf.org/html/rfc6120

SCRAM-SHA-256(-PLUS):
- https://tools.ietf.org/html/rfc7677 since 2015-11-02

SCRAM-SHA-512(-PLUS):
- https://tools.ietf.org/html/draft-melnikov-scram-sha-512

SCRAM-SHA3-512(-PLUS):
- https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

Channel Binding:
- RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
- RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
- RFC9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266
- https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml

IMAP:
- RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051

LDAP:
- RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:
- RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804

2FA:
- Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://datatracker.ietf.org/doc/html/draft-ietf-kitten-scram-2fa

IANA:
- Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

Linked to:
- https://github.com/scram-xmpp/info/issues/1
- https://bugs.sogo.nu/view.php?id=4869

Thanks in advance.

Regards,
Neustradamus
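As an added example (not SOGo, mailcow or OpenLDAP code), the following contrasts the unsalted `{MD5}<base64>` value from the ldap-md5 thread above with the salted SCRAM credential storage and proof verification of RFC 5802 / RFC 7677 that the SCRAM request asks for. The salt, iteration count and AuthMessage used with it are constructed for illustration; the RFC key derivation itself is as specified (Hi = PBKDF2-HMAC, "Client Key" / "Server Key" labels).

```python
import base64
import hashlib
import hmac

# Added example, not SOGo or OpenLDAP code. Salt, iterations and
# AuthMessage values passed in by callers are constructed for illustration.

def verify_ldap_md5(stored: str, password: str) -> bool:
    """Check an unsalted LDAP '{MD5}<base64 digest>' value (the scheme from the thread)."""
    if not stored.startswith("{MD5}"):
        return False
    digest = base64.b64decode(stored[len("{MD5}"):])
    return hmac.compare_digest(digest, hashlib.md5(password.encode("utf-8")).digest())

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def scram_store(password: str, salt: bytes, iterations: int, hash_name: str = "sha256") -> dict:
    """RFC 5802 server credential: only StoredKey and ServerKey are kept, never the password."""
    salted = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)  # Hi()
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    return {
        "hash": hash_name, "salt": salt, "iterations": iterations,
        "stored_key": hashlib.new(hash_name, client_key).digest(),  # H(ClientKey)
        "server_key": hmac.new(salted, b"Server Key", hash_name).digest(),
    }

def scram_client_proof(password: str, cred: dict, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac(cred["hash"], password.encode("utf-8"),
                                 cred["salt"], cred["iterations"])
    client_key = hmac.new(salted, b"Client Key", cred["hash"]).digest()
    stored_key = hashlib.new(cred["hash"], client_key).digest()
    return _xor(client_key, hmac.new(stored_key, auth_message, cred["hash"]).digest())

def scram_verify(cred: dict, auth_message: bytes, client_proof: bytes):
    """Server side: recover ClientKey from the proof and compare H(ClientKey) with StoredKey.
    Returns the ServerSignature on success (proves the server holds ServerKey), else None.
    The stored credential never reveals the password and the proof is bound to AuthMessage."""
    client_sig = hmac.new(cred["stored_key"], auth_message, cred["hash"]).digest()
    client_key = _xor(client_proof, client_sig)
    if not hmac.compare_digest(hashlib.new(cred["hash"], client_key).digest(), cred["stored_key"]):
        return None
    return hmac.new(cred["server_key"], auth_message, cred["hash"]).digest()
```

Replaying a captured proof against a different AuthMessage (different nonces) fails verification, which is the property the unsalted `{MD5}` value cannot offer.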