Re: Fwd: [qmailtoaster] dovecot

2018-10-04 Thread Eric Broch

Yes


On 10/4/2018 2:16 AM, Tony White wrote:

Hi,
  If you have no clear password then vuserinfo is unable to report the 
user password.

It will only give you the encrypted password.

best wishes
   Tony White

On 04/10/18 14:22, Andrew Swartz wrote:

I ~may~ have just figured out why vpopmail stores cleartext passwords:

It is so it can support CRAM-MD5.

CRAM-MD5 is a challenge-response protocol used to provide privacy over
unencrypted connections.  The server challenges the client with a
pseudorandom challenge.  The client uses the password with HMAC-MD5 to
hash the challenge and send it back.  The server repeats the client
procedure to confirm that the client used (and thus has) the correct
password.

But this means that the server MUST have access to the cleartext
password, otherwise it cannot repeat the client's actions and confirm
authentication.  This cannot be accomplished with a salted hashed password.

If you remove the use of CRAM-MD5 and use PLAIN or LOGIN, the server
does not need access to the cleartext password.

Back when vpopmail was written, cleartext password storage was already
out of favor.  But TLS was not widely used, and the only way to not send
passwords in the clear was CRAM-MD5 (or a similar scheme), and this
required storing cleartext passwords.  Though storing cleartext
passwords is unsafe, it is much safer than sending cleartext passwords
over an encrypted channel.

I suspect that this is the primary reason that vpopmail primarily uses
hashed passwords but supports cleartext passwords with the option to
disable them.

-Andy


On 10/3/2018 7:51 PM, Eric Broch wrote:

Hi Andy,

I got it to work.

In '/etc/dovecot/toaster.conf' add 'mail_location = maildir:~/Maildir'

and make sure of 'auth_mechanisms = plain login'

In '/etc/squirrelmail/config_local.php' here are my imap settings:

$imapServerAddress  = 'localhost';
$imap_server_type   = 'dovecot';
$imap_auth_mech = 'login';

worked for my squirrelmail setup, hope you get it working

-Eric


On 10/3/2018 9:18 PM, Andrew Swartz wrote:

And I'll add that at the end, with pw_clear_passwd set to null, login
succeeds via IMAP but fails via Squirrelmail.

-Andy



 Forwarded Message 
Subject: Re: [qmailtoaster] dovecot
Date: Wed, 3 Oct 2018 19:12:11 -0800
From: Andrew Swartz
To: qmailtoaster-list@qmailtoaster.com

Eric,

With pw_clear_passwd set to '0123456789' I successfully logged in via
this technique using password '0123456789'.

I used SQL to reset pw_clear_passwd to null.

Again I successfully logged in via this technique using password
'0123456789'.


-Andy



On 10/3/2018 6:02 PM, Eric Broch wrote:

Try the CLI commands I sent. There can be issues with the configuration
of squirrelmail and roundcube.

IMAP:

# openssl s_client -crlf -connect localhost:993

imap> tag login u...@domain.tld  $userpassword


Submission:

# cd /usr/local/bin
# wget http://www.jetmore.org/john/code/swaks/latest/swaks
# chown root.root swaks
# chmod +x swaks

# swaks --to some...@remotedomain.tld --from u...@domain.tld --server
$yourqmthost --port 587 --ehlo test -tls --auth login --auth-user
u...@domain.tld --auth-password $userpassword


On 10/3/2018 7:45 PM, Andrew Swartz wrote:

Eric,

On Centos7 QMT:

I just created a new user account and set the password to '0123456789'.
Then I used your SQL command to set pw_clear_passwd to null.
Then I viewed the table to confirm it was empty (it was).
Then I tried to log in to Squirrelmail using password '0123456789':
Login failed.
Then I used your SQL command to reset pw_clear_passwd back to
'0123456789'.
Then I tried to log in to Squirrelmail using password '0123456789':
success.

This seems different from your experience.

This sucks because it seems to mean no easy fix for this problem.


-Andy




On 10/3/2018 4:24 PM, Eric Broch wrote:

I've been contacted by someone who removed the clear text password from
an account and had issues logging into Dovecot even after a restart. The
fix of course is to reset the password with /home/vpopmail/bin/vpasswd.
Does anyone else want to confirm/refute my findings that w/o the clear
text password Dovecot will work?


--
Eric Broch
White Horse Technical Consulting (WHTC)





--
Eric Broch
White Horse Technical Consulting (WHTC)



Re: Fwd: [qmailtoaster] dovecot

2018-10-04 Thread Tony White

Hi,
  If you have no clear password then vuserinfo is unable to report the user 
password.
It will only give you the encrypted password.

best wishes
  Tony White

On 04/10/18 14:22, Andrew Swartz wrote:


I ~may~ have just figured out why vpopmail stores cleartext passwords:

It is so it can support CRAM-MD5.

CRAM-MD5 is a challenge-response protocol used to provide privacy over
unencrypted connections.  The server challenges the client with a
pseudorandom challenge.  The client uses the password with HMAC-MD5 to
hash the challenge and send it back.  The server repeats the client
procedure to confirm that the client used (and thus has) the correct
password.

But this means that the server MUST have access to the cleartext
password, otherwise it cannot repeat the client's actions and confirm
authentication.  This cannot be accomplished with a salted hashed password.

If you remove the use of CRAM-MD5 and use PLAIN or LOGIN, the server
does not need access to the cleartext password.

Back when vpopmail was written, cleartext password storage was already
out of favor.  But TLS was not widely used, and the only way to not send
passwords in the clear was CRAM-MD5 (or a similar scheme), and this
required storing cleartext passwords.  Though storing cleartext
passwords is unsafe, it is much safer than sending cleartext passwords
over an encrypted channel.

I suspect that this is the primary reason that vpopmail primarily uses
hashed passwords but supports cleartext passwords with the option to
disable them.

-Andy


On 10/3/2018 7:51 PM, Eric Broch wrote:

Hi Andy,

I got it to work.

In '/etc/dovecot/toaster.conf' add 'mail_location = maildir:~/Maildir'

and make sure of 'auth_mechanisms = plain login'

In '/etc/squirrelmail/config_local.php' here are my imap settings:

$imapServerAddress  = 'localhost';
$imap_server_type   = 'dovecot';
$imap_auth_mech = 'login';

worked for my squirrelmail setup, hope you get it working

-Eric


On 10/3/2018 9:18 PM, Andrew Swartz wrote:

And I'll add that at the end, with pw_clear_passwd set to null, login
succeeds via IMAP but fails via Squirrelmail.

-Andy



 Forwarded Message 
Subject: Re: [qmailtoaster] dovecot
Date: Wed, 3 Oct 2018 19:12:11 -0800
From: Andrew Swartz 
To: qmailtoaster-list@qmailtoaster.com

Eric,

With pw_clear_passwd set to '0123456789' I successfully logged in via
this technique using password '0123456789'.

I used SQL to reset pw_clear_passwd to null.

Again I successfully logged in via this technique using password
'0123456789'.


-Andy



On 10/3/2018 6:02 PM, Eric Broch wrote:

Try the CLI commands I sent. There can be issues with the configuration
of squirrelmail and roundcube.

IMAP:

# openssl s_client -crlf -connect localhost:993

imap> tag login u...@domain.tld  $userpassword


Submission:

# cd /usr/local/bin
# wget http://www.jetmore.org/john/code/swaks/latest/swaks
# chown root.root swaks
# chmod +x swaks

# swaks --to some...@remotedomain.tld --from u...@domain.tld --server
$yourqmthost --port 587 --ehlo test -tls --auth login --auth-user
u...@domain.tld --auth-password $userpassword


On 10/3/2018 7:45 PM, Andrew Swartz wrote:

Eric,

On Centos7 QMT:

I just created a new user account and set the password to '0123456789'.
Then I used your SQL command to set pw_clear_passwd to null.
Then I viewed the table to confirm it was empty (it was).
Then I tried to log in to Squirrelmail using password '0123456789':
Login failed.
Then I used your SQL command to reset pw_clear_passwd back to
'0123456789'.
Then I tried to log in to Squirrelmail using password '0123456789':
success.

This seems different from your experience.

This sucks because it seems to mean no easy fix for this problem.


-Andy




On 10/3/2018 4:24 PM, Eric Broch wrote:

I've been contacted by someone who removed the clear text password from
an account and had issues logging into Dovecot even after a restart. The
fix of course is to reset the password with /home/vpopmail/bin/vpasswd.
Does anyone else want to confirm/refute my findings that w/o the clear
text password Dovecot will work?


--
Eric Broch
White Horse Technical Consulting (WHTC)





Re: Fwd: [qmailtoaster] dovecot

2018-10-03 Thread Andrew Swartz
I ~may~ have just figured out why vpopmail stores cleartext passwords:

It is so it can support CRAM-MD5.

CRAM-MD5 is a challenge-response protocol used to provide privacy over
unencrypted connections.  The server challenges the client with a
pseudorandom challenge.  The client uses the password with HMAC-MD5 to
hash the challenge and send it back.  The server repeats the client
procedure to confirm that the client used (and thus has) the correct
password.

But this means that the server MUST have access to the cleartext
password, otherwise it cannot repeat the client's actions and confirm
authentication.  This cannot be accomplished with a salted hashed password.

If you remove the use of CRAM-MD5 and use PLAIN or LOGIN, the server
does not need access to the cleartext password.

Back when vpopmail was written, cleartext password storage was already
out of favor.  But TLS was not widely used, and the only way to not send
passwords in the clear was CRAM-MD5 (or a similar scheme), and this
required storing cleartext passwords.  Though storing cleartext
passwords is unsafe, it is much safer than sending cleartext passwords
over an encrypted channel.

I suspect that this is the primary reason that vpopmail primarily uses
hashed passwords but supports cleartext passwords with the option to
disable them.

-Andy


On 10/3/2018 7:51 PM, Eric Broch wrote:
> Hi Andy,
> 
> I got it to work.
> 
> In '/etc/dovecot/toaster.conf' add 'mail_location = maildir:~/Maildir'
> 
> and make sure of 'auth_mechanisms = plain login'
> 
> In '/etc/squirrelmail/config_local.php' here are my imap settings:
> 
> $imapServerAddress  = 'localhost';
> $imap_server_type   = 'dovecot';
> $imap_auth_mech = 'login';
> 
> worked for my squirrelmail setup, hope you get it working
> 
> -Eric
> 
> 
> On 10/3/2018 9:18 PM, Andrew Swartz wrote:
>> And I'll add that at the end, with pw_clear_passwd set to null, login
>> succeeds via IMAP but fails via Squirrelmail.
>>
>> -Andy
>>
>>
>>
>>  Forwarded Message 
>> Subject: Re: [qmailtoaster] dovecot
>> Date: Wed, 3 Oct 2018 19:12:11 -0800
>> From: Andrew Swartz 
>> To: qmailtoaster-list@qmailtoaster.com
>>
>> Eric,
>>
>> With pw_clear_passwd set to '0123456789' I successfully logged in via
>> this technique using password '0123456789'.
>>
>> I used SQL to reset pw_clear_passwd to null.
>>
>> Again I successfully logged in via this technique using password
>> '0123456789'.
>>
>>
>> -Andy
>>
>>
>>
>> On 10/3/2018 6:02 PM, Eric Broch wrote:
>>> Try the CLI commands I sent. There can be issues with the configuration
>>> of squirrelmail and roundcube.
>>>
>>> IMAP:
>>>
>>> # openssl s_client -crlf -connect localhost:993
>>>
>>> imap> tag login u...@domain.tld  $userpassword
>>>
>>>
>>> Submission:
>>>
>>> # cd /usr/local/bin
>>> # wget http://www.jetmore.org/john/code/swaks/latest/swaks
>>> # chown root.root swaks
>>> # chmod +x swaks
>>>
>>> # swaks --to some...@remotedomain.tld --from u...@domain.tld --server
>>> $yourqmthost --port 587 --ehlo test -tls --auth login --auth-user
>>> u...@domain.tld --auth-password $userpassword
>>>
>>>
>>> On 10/3/2018 7:45 PM, Andrew Swartz wrote:
>>>> Eric,
>>>>
>>>> On Centos7 QMT:
>>>>
>>>> I just created a new user account and set the password to '0123456789'.
>>>> Then I used your SQL command to set pw_clear_passwd to null.
>>>> Then I viewed the table to confirm it was empty (it was).
>>>> Then I tried to log in to Squirrelmail using password '0123456789':
>>>> Login failed.
>>>> Then I used your SQL command to reset pw_clear_passwd back to
>>>> '0123456789'.
>>>> Then I tried to log in to Squirrelmail using password '0123456789':
>>>> success.
>>>>
>>>> This seems different from your experience.
>>>>
>>>> This sucks because it seems to mean no easy fix for this problem.
>>>>
>>>>
>>>> -Andy
>>>>
>>>>
>>>> On 10/3/2018 4:24 PM, Eric Broch wrote:
>>>>> I've been contacted by someone who removed the clear text password from
>>>>> an account and had issues logging into Dovecot even after a restart. The
>>>>> fix of course is to reset the password with /home/vpopmail/bin/vpasswd.
>>>>> Does anyone else want to confirm/refute my findings that w/o the clear
>>>>> text password Dovecot will work?
>>>>>
>>> -- 
>>> Eric Broch
>>> White Horse Technical Consulting (WHTC)
>>>
>>
> 



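
The CRAM-MD5 exchange described in the message above, next to a PLAIN/LOGIN
check against a salted hash, as an added example that is not part of the
original thread. The user name, host name and the PBKDF2 stand-in for the
stored hash are assumptions; '0123456789' is the test password used in the
thread.

```python
import base64
import hashlib
import hmac
import os
import time


def make_challenge(host="mail.example.test"):
    """Server: fresh pseudorandom challenge, base64-encoded as on the wire."""
    raw = f"<{os.urandom(8).hex()}.{int(time.time())}@{host}>"
    return base64.b64encode(raw.encode())


def cram_md5_response(user, password, challenge_b64):
    """Client: HMAC-MD5 keyed with the password over the decoded challenge."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def verify_cram_md5(secret, challenge_b64, response_b64):
    """Server: repeat the client's computation with the secret it has stored."""
    _user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def salted_hash(password, salt):
    """Stand-in for the stored password hash (PBKDF2 is an assumption here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_plain(stored_salt, stored_hash, presented_password):
    """Server: PLAIN/LOGIN deliver the password itself, so rehash and compare."""
    candidate = salted_hash(presented_password, stored_salt)
    return hmac.compare_digest(stored_hash, candidate)


def run_demo():
    # Constructed account; the password is the test value from the thread.
    user, password = "user@example.test", "0123456789"
    salt = os.urandom(16)
    stored_hash = salted_hash(password, salt)
    challenge = make_challenge()
    response = cram_md5_response(user, password, challenge)
    return {
        # Server holds the cleartext password: the response can be recomputed.
        "cram_with_cleartext": verify_cram_md5(password.encode(), challenge, response),
        # Server holds only the salted hash: it cannot rebuild the HMAC key.
        "cram_with_hash_only": verify_cram_md5(stored_hash, challenge, response),
        # PLAIN/LOGIN: the salted hash alone is enough to check the password.
        "plain_with_hash_only": verify_plain(salt, stored_hash, password),
        "plain_wrong_password": verify_plain(salt, stored_hash, "9876543210"),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Only the first and third checks succeed: the CRAM-MD5 response can be
recomputed only from the password itself, while PLAIN and LOGIN hand the
server a password it can rehash.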


Re: Fwd: [qmailtoaster] dovecot

2018-10-03 Thread Eric Broch
Awesome! We're golden, now we can migrate with abandon. Now to more 
secure passwords.



On 10/3/2018 9:59 PM, Andrew Swartz wrote:

Great minds think alike!

I also just got Squirrelmail working with the same change to
/etc/squirrelmail/config_local.php

I had already done the change to toaster.conf based on a thread about 4
weeks ago.

-Andy


On 10/3/2018 7:51 PM, Eric Broch wrote:

Hi Andy,

I got it to work.

In '/etc/dovecot/toaster.conf' add 'mail_location = maildir:~/Maildir'

and make sure of 'auth_mechanisms = plain login'

In '/etc/squirrelmail/config_local.php' here are my imap settings:

$imapServerAddress  = 'localhost';
$imap_server_type   = 'dovecot';
$imap_auth_mech = 'login';

worked for my squirrelmail setup, hope you get it working

-Eric


On 10/3/2018 9:18 PM, Andrew Swartz wrote:

And I'll add that at the end, with pw_clear_passwd set to null, login
succeeds via IMAP but fails via Squirrelmail.

-Andy



 Forwarded Message 
Subject: Re: [qmailtoaster] dovecot
Date: Wed, 3 Oct 2018 19:12:11 -0800
From: Andrew Swartz 
To: qmailtoaster-list@qmailtoaster.com

Eric,

With pw_clear_passwd set to '0123456789' I successfully logged in via
this technique using password '0123456789'.

I used SQL to reset pw_clear_passwd to null.

Again I successfully logged in via this technique using password
'0123456789'.


-Andy



On 10/3/2018 6:02 PM, Eric Broch wrote:

Try the CLI commands I sent. There can be issues with the configuration
of squirrelmail and roundcube.

IMAP:

# openssl s_client -crlf -connect localhost:993

imap> tag login u...@domain.tld  $userpassword


Submission:

# cd /usr/local/bin
# wget http://www.jetmore.org/john/code/swaks/latest/swaks
# chown root.root swaks
# chmod +x swaks

# swaks --to some...@remotedomain.tld --from u...@domain.tld --server
$yourqmthost --port 587 --ehlo test -tls --auth login --auth-user
u...@domain.tld --auth-password $userpassword


On 10/3/2018 7:45 PM, Andrew Swartz wrote:

Eric,

On Centos7 QMT:

I just created a new user account and set the password to '0123456789'.
Then I used your SQL command to set pw_clear_passwd to null.
Then I viewed the table to confirm it was empty (it was).
Then I tried to log in to Squirrelmail using password '0123456789':
Login failed.
Then I used your SQL command to reset pw_clear_passwd back to
'0123456789'.
Then I tried to log in to Squirrelmail using password '0123456789':
success.

This seems different from your experience.

This sucks because it seems to mean no easy fix for this problem.


-Andy




On 10/3/2018 4:24 PM, Eric Broch wrote:

I've been contacted by someone who removed the clear text password from
an account and had issues logging into Dovecot even after a restart. The
fix of course is to reset the password with /home/vpopmail/bin/vpasswd.
Does anyone else want to confirm/refute my findings that w/o the clear
text password Dovecot will work?


--
Eric Broch
White Horse Technical Consulting (WHTC)



--
Eric Broch
White Horse Technical Consulting (WHTC)


-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com



Re: Fwd: [qmailtoaster] dovecot

2018-10-03 Thread Andrew Swartz
Great minds think alike!

I also just got Squirrelmail working with the same change to
/etc/squirrelmail/config_local.php

I had already done the change to toaster.conf based on a thread about 4
weeks ago.

-Andy


On 10/3/2018 7:51 PM, Eric Broch wrote:
> Hi Andy,
> 
> I got it to work.
> 
> In '/etc/dovecot/toaster.conf' add 'mail_location = maildir:~/Maildir'
> 
> and make sure of 'auth_mechanisms = plain login'
> 
> In '/etc/squirrelmail/config_local.php' here are my imap settings:
> 
> $imapServerAddress  = 'localhost';
> $imap_server_type   = 'dovecot';
> $imap_auth_mech = 'login';
> 
> worked for my squirrelmail setup, hope you get it working
> 
> -Eric
> 
> 
> On 10/3/2018 9:18 PM, Andrew Swartz wrote:
>> And I'll add that at the end, with pw_clear_passwd set to null, login
>> succeeds via IMAP but fails via Squirrelmail.
>>
>> -Andy
>>
>>
>>
>>  Forwarded Message 
>> Subject: Re: [qmailtoaster] dovecot
>> Date: Wed, 3 Oct 2018 19:12:11 -0800
>> From: Andrew Swartz 
>> To: qmailtoaster-list@qmailtoaster.com
>>
>> Eric,
>>
>> With pw_clear_passwd set to '0123456789' I successfully logged in via
>> this technique using password '0123456789'.
>>
>> I used SQL to reset pw_clear_passwd to null.
>>
>> Again I successfully logged in via this technique using password
>> '0123456789'.
>>
>>
>> -Andy
>>
>>
>>
>> On 10/3/2018 6:02 PM, Eric Broch wrote:
>>> Try the CLI commands I sent. There can be issues with the configuration
>>> of squirrelmail and roundcube.
>>>
>>> IMAP:
>>>
>>> # openssl s_client -crlf -connect localhost:993
>>>
>>> imap> tag login u...@domain.tld  $userpassword
>>>
>>>
>>> Submission:
>>>
>>> # cd /usr/local/bin
>>> # wget http://www.jetmore.org/john/code/swaks/latest/swaks
>>> # chown root.root swaks
>>> # chmod +x swaks
>>>
>>> # swaks --to some...@remotedomain.tld --from u...@domain.tld --server
>>> $yourqmthost --port 587 --ehlo test -tls --auth login --auth-user
>>> u...@domain.tld --auth-password $userpassword
>>>
>>>
>>> On 10/3/2018 7:45 PM, Andrew Swartz wrote:
>>>> Eric,
>>>>
>>>> On Centos7 QMT:
>>>>
>>>> I just created a new user account and set the password to '0123456789'.
>>>> Then I used your SQL command to set pw_clear_passwd to null.
>>>> Then I viewed the table to confirm it was empty (it was).
>>>> Then I tried to log in to Squirrelmail using password '0123456789':
>>>> Login failed.
>>>> Then I used your SQL command to reset pw_clear_passwd back to
>>>> '0123456789'.
>>>> Then I tried to log in to Squirrelmail using password '0123456789':
>>>> success.
>>>>
>>>> This seems different from your experience.
>>>>
>>>> This sucks because it seems to mean no easy fix for this problem.
>>>>
>>>>
>>>> -Andy
>>>>
>>>>
>>>> On 10/3/2018 4:24 PM, Eric Broch wrote:
>>>>> I've been contacted by someone who removed the clear text password from
>>>>> an account and had issues logging into Dovecot even after a restart. The
>>>>> fix of course is to reset the password with /home/vpopmail/bin/vpasswd.
>>>>> Does anyone else want to confirm/refute my findings that w/o the clear
>>>>> text password Dovecot will work?
>>>>>
>>> -- 
>>> Eric Broch
>>> White Horse Technical Consulting (WHTC)
>>>
>>
> 





Re: Fwd: [qmailtoaster] dovecot

2018-10-03 Thread Eric Broch

Hi Andy,

I got it to work.

In '/etc/dovecot/toaster.conf' add 'mail_location = maildir:~/Maildir'

and make sure of 'auth_mechanisms = plain login'

In '/etc/squirrelmail/config_local.php' here are my imap settings:

$imapServerAddress  = 'localhost';
$imap_server_type   = 'dovecot';
$imap_auth_mech = 'login';

worked for my squirrelmail setup, hope you get it working

-Eric


On 10/3/2018 9:18 PM, Andrew Swartz wrote:

And I'll add that at the end, with pw_clear_passwd set to null, login
succeeds via IMAP but fails via Squirrelmail.

-Andy



 Forwarded Message 
Subject: Re: [qmailtoaster] dovecot
Date: Wed, 3 Oct 2018 19:12:11 -0800
From: Andrew Swartz 
To: qmailtoaster-list@qmailtoaster.com

Eric,

With pw_clear_passwd set to '0123456789' I successfully logged in via
this technique using password '0123456789'.

I used SQL to reset pw_clear_passwd to null.

Again I successfully logged in via this technique using password
'0123456789'.


-Andy



On 10/3/2018 6:02 PM, Eric Broch wrote:

Try the CLI commands I sent. There can be issues with the configuration
of squirrelmail and roundcube.

IMAP:

# openssl s_client -crlf -connect localhost:993

imap> tag login u...@domain.tld  $userpassword


Submission:

# cd /usr/local/bin
# wget http://www.jetmore.org/john/code/swaks/latest/swaks
# chown root.root swaks
# chmod +x swaks

# swaks --to some...@remotedomain.tld --from u...@domain.tld --server
$yourqmthost --port 587 --ehlo test -tls --auth login --auth-user
u...@domain.tld --auth-password $userpassword


On 10/3/2018 7:45 PM, Andrew Swartz wrote:

Eric,

On Centos7 QMT:

I just created a new user account and set the password to '0123456789'.
Then I used your SQL command to set pw_clear_passwd to null.
Then I viewed the table to confirm it was empty (it was).
Then I tried to log in to Squirrelmail using password '0123456789':
Login failed.
Then I used your SQL command to reset pw_clear_passwd back to '0123456789'.
Then I tried to log in to Squirrelmail using password '0123456789':
success.

This seems different from your experience.

This sucks because it seems to mean no easy fix for this problem.


-Andy




On 10/3/2018 4:24 PM, Eric Broch wrote:

I've been contacted by someone who removed the clear text password from
an account and had issues logging into Dovecot even after a restart. The
fix of course is to reset the password with /home/vpopmail/bin/vpasswd.
Does anyone else want to confirm/refute my findings that w/o the clear
text password Dovecot will work?


--
Eric Broch
White Horse Technical Consulting (WHTC)





--
Eric Broch
White Horse Technical Consulting (WHTC)

