[vchkpw] vpopmail + Dovecot + CRAM-MD5 problem

2009-12-11 Thread Ro Achterberg

Hi all,

I'm currently fine-tuning my qmail + vpopmail + Dovecot + MySQL 
installation and I believe I've run into a problem. Dovecot is 
servicing both IMAP and POP3, using MySQL as the authentication 
middle-man. It seems however that vpopmail is storing its passwords 
as MD5-CRYPT in the MySQL tables, while I want Dovecot to use 
CRAM-MD5. This seems to be the most used authentication scheme by 
far, and I'd like to avoid using PLAIN or LOGIN authentications as 
they're not up to my security standards.


When I try setting default_pass_scheme = CRAM-MD5 in 
dovecot-sql.conf, Dovecot's auth worker complains with the following line:


Dec 11 12:31:52 onion dovecot: auth-worker(default): 
sql(r...@greyhat.nl,127.0.0.1): Password in passdb is not in expected 
scheme CRAM-MD5


Which makes sense, because the passwords are stored as MD5-CRYPT by 
vpopmail. I assume that my setup is not unique in its kind, which 
makes me wonder what I'm doing wrong here! Any insights on how to 
make this work using CRAM-MD5 passwords throughout the whole system 
would be greatly appreciated.


Bye, Ro





Re: [vchkpw] vpopmail + Dovecot + CRAM-MD5 problem

2009-12-11 Thread Shane Chrisp

Ro Achterberg wrote:

> Hi all,
>
> I'm currently fine-tuning my qmail + vpopmail + Dovecot + MySQL
> installation and I believe I've run into a problem. Dovecot is
> servicing both IMAP and POP3, using MySQL as the authentication
> middle-man. It seems however that vpopmail is storing its passwords as
> MD5-CRYPT in the MySQL tables, while I want Dovecot to use CRAM-MD5.
> This seems to be the most used authentication scheme by far, and I'd
> like to avoid using PLAIN or LOGIN authentications as they're not up
> to my security standards.
>
> When I try setting default_pass_scheme = CRAM-MD5 in dovecot-sql.conf,
> Dovecot's auth worker complains with the following line:
>
> Dec 11 12:31:52 onion dovecot: auth-worker(default):
> sql(r...@greyhat.nl,127.0.0.1): Password in passdb is not in expected
> scheme CRAM-MD5
>
> Which makes sense, because the passwords are stored as MD5-CRYPT by
> vpopmail. I assume that my setup is not unique in its kind, which
> makes me wonder what I'm doing wrong here! Any insights on how to make
> this work using CRAM-MD5 passwords throughout the whole system would
> be greatly appreciated.
>
> Bye, Ro


You will need to enable plain text passwords in the database to be able 
to use cram-md5.





Re: [vchkpw] vpopmail + Dovecot + CRAM-MD5 problem

2009-12-11 Thread Ro Achterberg

At 15:36 11-12-2009, Shane Chrisp wrote:

> Ro Achterberg wrote:
>
>> Hi all,
>>
>> I'm currently fine-tuning my qmail + vpopmail + Dovecot + MySQL
>> installation and I believe I've run into a problem. Dovecot is
>> servicing both IMAP and POP3, using MySQL as the authentication
>> middle-man. It seems however that vpopmail is storing its passwords
>> as MD5-CRYPT in the MySQL tables, while I want Dovecot to use
>> CRAM-MD5. This seems to be the most used authentication scheme by
>> far, and I'd like to avoid using PLAIN or LOGIN authentications as
>> they're not up to my security standards.
>>
>> When I try setting default_pass_scheme = CRAM-MD5 in
>> dovecot-sql.conf, Dovecot's auth worker complains with the following line:
>>
>> Dec 11 12:31:52 onion dovecot: auth-worker(default):
>> sql(r...@greyhat.nl,127.0.0.1): Password in passdb is not in expected
>> scheme CRAM-MD5
>>
>> Which makes sense, because the passwords are stored as MD5-CRYPT by
>> vpopmail. I assume that my setup is not unique in its kind, which
>> makes me wonder what I'm doing wrong here! Any insights on how to
>> make this work using CRAM-MD5 passwords throughout the whole system
>> would be greatly appreciated.
>>
>> Bye, Ro
>
> You will need to enable plain text passwords in the database to be
> able to use cram-md5.


In dovecot-sql.conf, I tried setting default_pass_scheme to both 
PLAIN and PLAIN-MD5, neither of which seemed to work. I'm probably 
missing the point.


Did you perhaps mean to have vpopmail store the user passwords in 
plain text? I'm just checking, because to me it seems to lower 
security and it seems to defeat the purpose of working with hashed 
passwords. Could you please confirm this?


Bye, Ro 






Re: [vchkpw] vpopmail + Dovecot + CRAM-MD5 problem

2009-12-11 Thread Shane Chrisp

Ro Achterberg wrote:

>> You will need to enable plain text passwords in the database to be
>> able to use cram-md5.
>
> In dovecot-sql.conf, I tried setting default_pass_scheme to both PLAIN
> and PLAIN-MD5, neither of which seemed to work. I'm probably missing
> the point.
>
> Did you perhaps mean to have vpopmail store the user passwords in
> plain text? I'm just checking, because to me it seems to lower
> security and it seems to defeat the purpose of working with hashed
> passwords. Could you please confirm this?


Yes, that's what I meant by my comment. You need the plain text passwords 
in the vpopmail database. Having plain text passwords in the database 
doesn't necessarily lower the security as your database can be on a host 
which is not accessible to anything but the authenticating machine.


Shane




Re: [vchkpw] vpopmail + Dovecot + CRAM-MD5 problem

2009-12-11 Thread Ro Achterberg

At 16:07 11-12-2009, Shane Chrisp wrote:

> Ro Achterberg wrote:
>
>>> You will need to enable plain text passwords in the database to be
>>> able to use cram-md5.
>>
>> In dovecot-sql.conf, I tried setting default_pass_scheme to both
>> PLAIN and PLAIN-MD5, neither of which seemed to work. I'm probably
>> missing the point.
>>
>> Did you perhaps mean to have vpopmail store the user passwords in
>> plain text? I'm just checking, because to me it seems to lower
>> security and it seems to defeat the purpose of working with hashed
>> passwords. Could you please confirm this?
>
> Yes, that's what I meant by my comment. You need the plain text
> passwords in the vpopmail database. Having plain text passwords in
> the database doesn't necessarily lower the security as your database
> can be on a host which is not accessible to anything but the
> authenticating machine.
>
> Shane


Thanks, I'll be trying that now. I agree with you on the security 
impact if you in fact had the luxury of building a setup like that. 
Unfortunately though, my colo box provides for a lot more than just an 
e-mail authentication backend.


I do however have it tightly locked down in a rather complex chrooted 
setup on top of a grsec hardened kernel, so I won't be worrying about 
it too much.


Thanks for your help!

Bye, Ro 






Re: [vchkpw] vpopmail + Dovecot + CRAM-MD5 problem

2009-12-11 Thread Joshua Megerman

>> Did you perhaps mean to have vpopmail store the user passwords in
>> plain text? I'm just checking, because to me it seems to lower
>> security and it seems to defeat the purpose of working with hashed
>> passwords. Could you please confirm this?
>
> Yes, that's what I meant by my comment. You need the plain text passwords
> in the vpopmail database. Having plain text passwords in the database
> doesn't necessarily lower the security as your database can be on a host
> which is not accessible to anything but the authenticating machine.

Just to elaborate on the point, CRAM-MD5 authentication REQUIRES that the
passwords be stored as plaintext, as that's the only way to verify the MD5
hash provided by the client. The server sends the seed string, the client
concatenates the seed and password (and maybe username, don't remember),
and sends the MD5 hash of that.  The server then concatenates the seed it
sent with the known plaintext password and compares the MD5 hash it comes
up with to that which the client sends.

It's a tradeoff - keeping plaintext passwords on a (hopefully) secure
server vs allowing the client to send the password in plaintext over the
network (though possibly over an encrypted channel).  I like it, but YMMV.

Josh

Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
  - Layman's translation of the Laws of Thermodynamics
vpopm...@honorablemenschen.com


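The exchange Josh describes, together with the reason behind Shane's answer that the database has to hold the clear-text password, as an added example; this is not code from the thread, from Dovecot or from vpopmail. It follows RFC 2195 literally: the client's digest is HMAC-MD5 keyed with the password over the server's challenge (the username is sent alongside but is not part of the digest), so the server can only check it if it can reconstruct that key, which a salted one-way hash such as vpopmail's MD5-CRYPT does not allow. Dovecot's own CRAM-MD5 password scheme, which stores precomputed HMAC-MD5 contexts instead of the password, would also work but is not modelled here. The passdb rows, user names, passwords and the hostname in the challenge are constructed for the example.

```python
"""CRAM-MD5 challenge/response (RFC 2195) against a small Dovecot-style passdb.

Added example, not code from the thread or from Dovecot/vpopmail. The user
names, passwords, passdb rows and hostname are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time


def make_challenge(hostname: str = "onion") -> str:
    """Server side: a fresh challenge of the '<random.timestamp@host>' shape
    RFC 2195 uses. The base64 framing of the IMAP/POP3 wire format is omitted."""
    return f"<{secrets.randbits(63)}.{int(time.time())}@{hostname}>"


def cram_md5_digest(password: str, challenge: str) -> str:
    """The keyed digest both sides compute: HMAC-MD5 keyed with the password
    over the challenge (not MD5 of the challenge and password concatenated)."""
    return hmac.new(password.encode("utf-8"), challenge.encode("utf-8"),
                    hashlib.md5).hexdigest()


def client_response(username: str, password: str, challenge: str) -> str:
    """Client side: 'username SP hexdigest'. Only the digest crosses the wire,
    never the password itself."""
    return f"{username} {cram_md5_digest(password, challenge)}"


# Constructed passdb rows in the '{SCHEME}value' form a Dovecot password_query
# can return. 'bob' is stored the way vpopmail stores passwords by default
# (MD5-CRYPT, a salted one-way hash; the value is a placeholder and not the
# hash of any particular password). 'alice' is stored in the clear-text
# column Shane's reply refers to.
PASSDB = {
    "alice@example.test": "{PLAIN}correct horse battery staple",
    "bob@example.test": "{MD5-CRYPT}$1$saltsalt$placeholderplaceholder0",
}


def split_scheme(stored: str) -> tuple[str, str]:
    """'{PLAIN}secret' -> ('PLAIN', 'secret'); an unprefixed value is PLAIN."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, value = stored[1:].partition("}")
        return scheme.upper(), value
    return "PLAIN", stored


def verify_cram_md5(passdb: dict[str, str], response: str,
                    challenge: str) -> tuple[bool, str]:
    """Server side. Returns (accepted, reason).

    The server must recompute HMAC-MD5 keyed with the password, so the passdb
    has to hold the password itself (or, in Dovecot's own CRAM-MD5 scheme,
    which is not modelled here, the precomputed HMAC-MD5 contexts). A salted
    one-way hash such as MD5-CRYPT gives the server no key to use, which is
    what the 'not in expected scheme' error quoted in the thread reports.
    """
    username, sep, client_digest = response.partition(" ")
    if not sep or not username:
        return False, "malformed response"
    stored = passdb.get(username)
    if stored is None:
        return False, "unknown user"
    scheme, value = split_scheme(stored)
    if scheme != "PLAIN":
        return False, (f"Password in passdb is not in expected scheme CRAM-MD5 "
                       f"(stored as {scheme})")
    expected = cram_md5_digest(value, challenge)
    if hmac.compare_digest(expected, client_digest):  # constant-time compare
        return True, "ok"
    return False, "digest mismatch"


def demo_exchange(username: str, password: str) -> tuple[bool, str]:
    """One full exchange: server challenges, client answers, server checks."""
    challenge = make_challenge()
    response = client_response(username, password, challenge)
    return verify_cram_md5(PASSDB, response, challenge)


if __name__ == "__main__":
    for user, pw in [("alice@example.test", "correct horse battery staple"),
                     ("alice@example.test", "wrong password"),
                     ("bob@example.test", "whatever bob's password is")]:
        print(user, demo_exchange(user, pw))
```

Running it shows alice (clear-text row) authenticating, a wrong password for alice failing on the digest, and bob (MD5-CRYPT row) failing before any digest is computed, which is the situation the log line at the top of the thread reports. The trade-off Josh names is visible in the code: with CRAM-MD5 the password never crosses the wire, but the server-side store is password-equivalent, whereas PLAIN over a TLS session keeps a one-way hash in the database and relies on the channel instead.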