Re: Requested CRAM-MD5 scheme, but we have only CRYPT

2021-12-02 Thread Alexander Dalloz

On 02.12.2021 at 10:11, Christian Mack wrote:

You only can use CRAM-MD5 when your authentication source provides plain
passwords.


And that's the biggest issue with these shared secret authentication 
mechanisms: that you have to store the passwords unencrypted/unsalted. 
Never a good idea to store passwords in plain text.


Alexander



Re: Requested CRAM-MD5 scheme, but we have only CRYPT

2021-12-02 Thread Christian Mack
Hello

auth_mechanisms are only for encrypting passwords while authenticating.
They have nothing to do with transport encryption aka TLS and STARTTLS.

You only can use CRAM-MD5 when your authentication source provides plain
passwords.
As you use password hashes in your authentication source, you have to
disable it.
Else a client will try to send you the CRAM-MD5 encrypted password, which
you can not check for validity.

Hope this clears it a bit.


Kind regards,
Christian Mack

On 01.12.21 23:26, absolutely_f...@libero.it wrote:
> Hi,
> I'm wondering if I can simply disable CRAM-MD5 and/or DIGEST-MD5.
> Are they useful in case of SSL or TLS connections?
> Thank you
> 
>> On 01/12/2021 18:42 Aki Tuomi wrote:
>>
>>  
>> auth_mechanisms = plain login digest-md5 cram-md5
>>
>> You still advertise them though.
>>
>> Aki


-- 
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung IT-Dienste Forschung und Lehre
78457 Konstanz
+49 7531 88-4416
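To make the point of the two replies above concrete, here is an added example (not code from the thread or from Dovecot) of what a server can and cannot verify with a one-way hash in its passdb. It models Dovecot's {SSHA512} storage format and the CRAM-MD5 exchange of RFC 2195; the user name, password, salt and challenge are constructed values.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample credentials; not taken from the thread.
USER = "alice@example.net"
PASSWORD = b"correct horse battery staple"


def ssha512(password: bytes, salt: bytes = None) -> str:
    """Dovecot's {SSHA512} scheme: base64(sha512(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha512(password + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()


def verify_ssha512(stored: str, candidate: bytes) -> bool:
    """Recompute the salted hash; possible only because the password itself arrived."""
    raw = base64.b64decode(stored[len("{SSHA512}"):])
    digest, salt = raw[:64], raw[64:]
    return hmac.compare_digest(hashlib.sha512(candidate + salt).digest(), digest)


def cram_md5_client(user: str, password: bytes, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): 'user hex(HMAC-MD5(password, challenge))'."""
    return f"{user} {hmac.new(password, challenge, hashlib.md5).hexdigest()}"


def server_auth(mechanism: str, stored: str, client_data: str, challenge: bytes = b"") -> bool:
    """Server side: what the passdb can check depends on the scheme it stores."""
    scheme = stored[1:stored.index("}")]  # "{SSHA512}..." -> "SSHA512"
    if mechanism == "PLAIN":
        # PLAIN delivers the password itself (so it must ride inside TLS);
        # any one-way scheme such as SSHA512 or CRYPT can then be verified.
        _authzid, _user, password = client_data.split("\0")
        if scheme == "SSHA512":
            return verify_ssha512(stored, password.encode())
        return hmac.compare_digest(stored[len("{PLAIN}"):].encode(), password.encode())
    if mechanism == "CRAM-MD5":
        # The server must recompute HMAC-MD5(password, challenge). From a one-way
        # hash it cannot, which is the error Dovecot logs in this thread.
        # (Dovecot's own CRAM-MD5 scheme stores a precomputed HMAC state, which
        # is password-equivalent, so it gains nothing over plaintext storage.)
        if scheme != "PLAIN":
            raise LookupError(f"Requested CRAM-MD5 scheme, but we have only {scheme}")
        _user, _, digest = client_data.partition(" ")
        expected = hmac.new(stored[len("{PLAIN}"):].encode(), challenge, hashlib.md5).hexdigest()
        return hmac.compare_digest(expected, digest)
    raise ValueError(f"unsupported mechanism {mechanism}")
```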





Re: Requested CRAM-MD5 scheme, but we have only CRYPT

2021-12-01 Thread absolutely_free
Hi,
I'm wondering if I can simply disable CRAM-MD5 and/or DIGEST-MD5.
Are they useful in case of SSL or TLS connections?
Thank you

> On 01/12/2021 18:42 Aki Tuomi wrote:
> 
>  
> auth_mechanisms = plain login digest-md5 cram-md5
> 
> You still advertise them though.
> 
> Aki


Re: Requested CRAM-MD5 scheme, but we have only CRYPT

2021-12-01 Thread Aki Tuomi
auth_mechanisms = plain login digest-md5 cram-md5

You still advertise them though.

Aki

> On 01/12/2021 18:09 absolutely_f...@libero.it wrote:
> 
> 
> Hi,
> I use dovecot-2.3.15 with MySQL backend for authentication.
> I just converted cleartext credentials to SSHA512. Authentication 
> (POP3/IMAP/Roundcube webmail) is working fine.
> I got a few users complaining about login issues with Thunderbird.
> Logs show this:
> Dec 1 16:34:52 mailserver dovecot[72554] auth-worker(72559): conn 
> unix:auth-worker (uid=143): auth-worker<5294>: 
> sql(u...@domain.net,xx.yy.ww.zz,): Requested CRAM-MD5 
> scheme, but we have only CRYPT
> I don't understand this error. It seems I still support CRAM-MD5:
> telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ 
> STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
> 
> This is my conf:
> 
> doveconf -n
> # 2.3.15 (0503334ab1): /usr/local/etc/dovecot/dovecot.conf
> # OS: FreeBSD 13.0-RELEASE-p4 amd64 zfs
> # Hostname: server.domain.net
> doveconf: Warning: please set ssl_dh=</usr/local/etc/dovecot/dh.pem
> doveconf: Warning: You can generate it with: dd if=/var/db/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /usr/local/etc/dovecot/dh.pem
> auth_debug = yes
> auth_mechanisms = plain login digest-md5 cram-md5
> auth_verbose = yes
> default_client_limit = 2000
> default_process_limit = 500
> default_vsz_limit = 512 M
> disable_plaintext_auth = no
> first_valid_gid = 125
> first_valid_uid = 125
> imap_id_log = *
> mail_gid = 1003
> mail_location = maildir:/mail/domains
> mail_privileged_group = postfix
> mail_uid = 1003
> namespace inbox {
> inbox = yes
> location =
> mailbox Drafts {
> special_use = \Drafts
> }
> mailbox Junk {
> special_use = \Junk
> }
> mailbox Sent {
> special_use = \Sent
> }
> mailbox "Sent Messages" {
> special_use = \Sent
> }
> mailbox Trash {
> special_use = \Trash
> }
> prefix =
> }
> passdb {
> args = /usr/local/etc/dovecot/dovecot-sql-crypt.conf.ext
> driver = sql
> }
> service auth {
> unix_listener /var/spool/postfix/private/auth {
> group = postfix
> mode = 0666
> user = postfix
> }
> unix_listener auth-userdb {
> group = postfix
> mode = 0600
> user = postfix
> }
> }
> service imap {
> process_limit = 1024
> }
> service lmtp {
> unix_listener /var/spool/postfix/private/dovecot-lmtp {
> group = postfix
> mode = 0600
> user = postfix
> }
> }
> ssl_cert =
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> userdb {
> args = /usr/local/etc/dovecot/dovecot-sql-crypt.conf.ext
> driver = sql
> }
> protocol imap {
> mail_max_userip_connections = 100
> }
> 
> this is my dovecot-sql-crypt.conf.ext:
> 
> # cat /usr/local/etc/dovecot/dovecot-sql-crypt.conf.ext
> driver=mysql
> default_pass_scheme=CRYPT
> connect= host=db.domain.net port=3306 dbname=mail user=user 
> password=
> #password_query = SELECT case when crypt is not null then crypt else password 
> end as password FROM `mailbox` WHERE username='%u' AND suspended='N'
> password_query = SELECT case when crypt is not null then crypt else 
> password_crypt end as password FROM `mailbox` WHERE username='%u' AND 
> suspended='N'
> user_query = SELECT concat('maildir:',home) as mail, 125 AS uid, 125 AS gid 
> FROM mailbox WHERE username='%u' AND suspended='N'
> Thank you


Requested CRAM-MD5 scheme, but we have only CRYPT

2021-12-01 Thread absolutely_free
Hi,

I use dovecot-2.3.15 with MySQL backend for authentication.

I just converted cleartext credentials to SSHA512. Authentication 
(POP3/IMAP/Roundcube webmail) is working fine.

I got a few users complaining about login issues with Thunderbird.

Logs show this:

Dec 1 16:34:52 mailserver dovecot[72554] auth-worker(72559): conn 
unix:auth-worker (uid=143): auth-worker<5294>: 
sql(u...@domain.net,xx.yy.ww.zz,): Requested CRAM-MD5 scheme, 
but we have only CRYPT

I don't understand this error. It seems I still support CRAM-MD5:

telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ 
STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.


This is my conf:


doveconf -n
# 2.3.15 (0503334ab1): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 13.0-RELEASE-p4 amd64 zfs
# Hostname: server.domain.net
doveconf: Warning: please set ssl_dh=</usr/local/etc/dovecot/dh.pem
doveconf: Warning: You can generate it with: dd if=/var/db/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /usr/local/etc/dovecot/dh.pem
auth_debug = yes
auth_mechanisms = plain login digest-md5 cram-md5
auth_verbose = yes
default_client_limit = 2000
default_process_limit = 500
default_vsz_limit = 512 M
disable_plaintext_auth = no
first_valid_gid = 125
first_valid_uid = 125
imap_id_log = *
mail_gid = 1003
mail_location = maildir:/mail/domains
mail_privileged_group = postfix
mail_uid = 1003
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = /usr/local/etc/dovecot/dovecot-sql-crypt.conf.ext
driver = sql
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-userdb {
group = postfix
mode = 0600
user = postfix
}
}
service imap {
process_limit = 1024
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
ssl_cert =