Re: Fwd: [qmailtoaster] dovecot

2018-10-03 Thread Andrew Swartz
I ~may~ have just figured out why vpopmail stores cleartext passwords: It is so it can support CRAM-MD5. CRAM-MD5 is a challenge-response protocol used to provide privacy over unencrypted connections. The server challenges the client with a pseudorandom challenge. The client uses the password w

Re: [qmailtoaster] dovecot

2018-10-03 Thread Remo Mattei
how do we address the new users? Clear passwords still be set.. Eric, are you going to patch it to disable clear password on vpopmail? Ciao, Remo -- > On Wednesday, Oct 03, 2018 at 20:51, Eric Broch (mailto:ebr...@whitehorsetc.com)> wrote: > Hi Andy, > > I got it to work. > > In '/etc/dovecot

Re: Fwd: [qmailtoaster] dovecot

2018-10-03 Thread Eric Broch
Awesome! We're golden, now we can migrate with abandon. Now to more secure passwords. On 10/3/2018 9:59 PM, Andrew Swartz wrote: Great minds think alike! I also just got Squirrelmail working with the same change to /etc/squirrelmail/config_local.php I had already done the change to toaster.c

Re: Fwd: [qmailtoaster] dovecot

2018-10-03 Thread Andrew Swartz
Great minds think alike! I also just got Squirrelmail working with the same change to /etc/squirrelmail/config_local.php I had already done the change to toaster.conf based on a thread about 4 weeks ago. -Andy On 10/3/2018 7:51 PM, Eric Broch wrote: > Hi Andy, > > I got it to work. > > In '/

Re: Fwd: [qmailtoaster] dovecot

2018-10-03 Thread Eric Broch
Hi Andy, I got it to work. In '/etc/dovecot/toaster.conf' add 'mail_location = maildir:~/Maildir' and make sure of 'auth_mechanisms = plain login' In '/etc/squirrelmail/config_local.php' here are my imap settings: $imapServerAddress  = 'localhost'; $imap_server_type   = 'dovecot'; $imap_auth_

Re: [qmailtoaster] dovecot

2018-10-03 Thread Andrew Swartz
Eric, With pw_clear_passwd set to '0123456789' I successfully logged in via this technique using password '0123456789'. I used SQL to reset pw_clear_passwd to null. Again I successfully logged in via this technique using password '0123456789'. -Andy On 10/3/2018 6:02 PM, Eric Broch wrote: >

Fwd: [qmailtoaster] dovecot

2018-10-03 Thread Andrew Swartz
And I'll add that at the end, with pw_clear_passwd set to null, login succeeds via IMAP but fails via Squirrelmail. -Andy Forwarded Message Subject: Re: [qmailtoaster] dovecot Date: Wed, 3 Oct 2018 19:12:11 -0800 From: Andrew Swartz To: qmailtoaster-list@qmailtoaster.com Eri

Re: [qmailtoaster] dovecot

2018-10-03 Thread Eric Broch
Or all one command (will close connection): bash -c 'echo "tag login t...@test.test.test.com 012345678"; while read x; do echo "$x"; done' |  openssl s_client -crlf -connect localhost:993 On 10/3/2018 7:45 PM, Andrew Swartz wrote: Eric, On Centos7 QMT: I just created a new user account and

Re: [qmailtoaster] dovecot

2018-10-03 Thread Eric Broch
Make sure your dovecot toaster.conf file has auth_mech = login plain, remove digest-md5 and cram-md5, I'm VERY sure these are settings in each. Make sure that Squirrelmail and Roundcube use login. On 10/3/2018 8:03 PM, Eric Broch wrote: I'd REALLY be surprised if there were a problem. On 1

Re: [qmailtoaster] dovecot

2018-10-03 Thread Remo Mattei
I have tested on my side, and the only thing is make sure that roundcube does not use the default auth which is set to null, I changed it to LOGIN, the new version is using the defaults.inc.php the older version is using the config.inc.php. (I am using 1.3.7 now). Other than that looks like the u

Re: [qmailtoaster] dovecot

2018-10-03 Thread Eric Broch
I'd REALLY be surprised if there were a problem. On 10/3/2018 8:02 PM, Eric Broch wrote: Try the CLI commands I sent. There can be issues with the configuration of squirrelmail and roundcube. IMAP: # openssl s_client -crlf -connect localhost:993 imap> tag login u...@domain.tld $userpasswo

Re: [qmailtoaster] dovecot

2018-10-03 Thread Eric Broch
Try the CLI commands I sent. There can be issues with the configuration of squirrelmail and roundcube. IMAP: # openssl s_client -crlf -connect localhost:993 imap> tag login u...@domain.tld  $userpassword Submission: # cd /usr/local/bin # wget http://www.jetmore.org/john/code/swaks/latest/sw

Re: [qmailtoaster] dovecot

2018-10-03 Thread Andrew Swartz
Eric, On Centos7 QMT: I just created a new user account and set the password to '0123456789'. Then I used your SQL command to set pw_clear_passwd to null. Then I viewed the table to confirm it was empty (it was). Then I tried to log in to Squirrelmail using password '0123456789': Login failed. Th

Re: [qmailtoaster] dovecot

2018-10-03 Thread Eric Broch
Everything seems to be okay...just some roundcube settings. But, you can test IMAP and Submission from the command line as follows: IMAP: # openssl s_client -crlf -connect localhost:993 imap> tag login u...@domain.tld  $userpassword Submission: # cd /usr/local/bin # wget http://www.jetmore.o

[qmailtoaster] dovecot

2018-10-03 Thread Eric Broch
I've been contacted by someone who removed the clear text password from an account and had issues logging into Dovecot even after a restart. The fix of course is to reset the password with /home/vpopmail/bin/vpasswd. Does anyone else want to confirm/refute my findings that w/o the clear text pa

Re: [qmailtoaster] Passwords after backup/restore

2018-10-03 Thread Eric Broch
It's not something I would do, but I thought others would cringe at removing them all. On 10/3/2018 5:36 PM, Andrew Swartz wrote: Eric, I am missing something: what is the utility of keeping the plaintext passwords for any of the accounts if QMT is 100% functional without them? I cringe whe

Re: [qmailtoaster] Passwords after backup/restore

2018-10-03 Thread Andrew Swartz
Eric, I am missing something: what is the utility of keeping the plaintext passwords for any of the accounts if QMT is 100% functional without them? I cringe when I use WebMin to click to view the vpopmail database and literally scroll through cleartext passwords. -Andy On 10/3/2018 2:36 PM

Re: [qmailtoaster] Passwords after backup/restore

2018-10-03 Thread Eric Broch
I guess that a couple of lines could be added to the script below to test if the clear text password with the extracted salt match the hashed password (see below). If so skip the user/domain entry. If not set clear text password to 'null' if [ $hashedpasswd != `openssl passwd -1 -salt $usersalt

Re: [qmailtoaster] Passwords after backup/restore

2018-10-03 Thread Eric Broch
Vpopmail used MD5 by default, and DES the former is disabled. On 10/3/2018 4:15 PM, Andrew Swartz wrote: Dan, Good explanations of how the crypted password contains the hash specification and the salt. Thank you. I looked through the dovecot documentation, and they describe the $1$ through $

Re: [qmailtoaster] Passwords after backup/restore

2018-10-03 Thread Andrew Swartz
Dan, Good explanations of how the crypted password contains the hash specification and the salt. Thank you. I looked through the dovecot documentation, and they describe the $1$ through $6$ just as you did. Therefore this seems a generally accepted password storage format. However, I just searc

Re: [qmailtoaster] Passwords after backup/restore

2018-10-03 Thread Eric Broch
If the clear text field is empty, Dovecot will use the Hash. Always backup first, though. On 10/3/2018 4:07 PM, Dan McAllister - QMT DNS wrote: CAUTION: If we've already determined that Dovecot uses the cleartext field, wouldn't clearing those fields remove users' Dovecot passwords? Dan --

Re: [qmailtoaster] Passwords after backup/restore

2018-10-03 Thread Eric Broch
In the meantime, I've written a script to null the clear text pwd field, look at it, TEST IT, add suggestions, and use at your own risk: IFS=$'\n' pass=`cat pfile` for domain in `echo "show tables" | mysql -u root -p$pass vpopmail | grep -v dir_control | grep -v Tables_in_vpopmail | grep -v

Re: [qmailtoaster] Passwords after backup/restore

2018-10-03 Thread Eric Broch
The newer DoveCot IMAP server "appears" to be authenticating against the cleartext password It does. I checked the code. I've submitted a question to the Dovecot mailing list concerning this, that is, whether there is a configuration option to authorize against the hash, or whether there is a

Re: [qmailtoaster] Passwords after backup/restore

2018-10-03 Thread Remo Mattei
+1 > On Oct 3, 2018, at 12:35, Dan McAllister - QMT DNS wrote: > > I have read this thread somewhat thoroughly, but not particularly carefully. > But, that being said... unless I missed something, here's my take: > - QMail "proper" (that is, the SMTP servers) already "properly" authenticates