On 02/16/2012 02:43 PM, Peter Peltonen wrote:
Hi,

On Wed, Feb 15, 2012 at 7:26 PM, Eric Shubert <e...@shubes.net> wrote:
The other impact will be the elimination of cram-md5 as an authentication
option. While this doesn't really make QMT any less secure, it might mean
that some clients that were formerly configured to use cram-md5 would fail
to work until their configuration options were changed.

Related to this:

On another, recently new qmailtoaster server of mine I noticed the
following after updating packages with yum:

Feb 11 12:52:02 Updated: 1:dovecot-2.0.17-1.qtp.i386
Feb 11 12:52:30 Updated: qmail-toaster-1.03-1.3.21.i686
Feb 11 12:53:07 Updated: qmailtoaster-plus-0.3.2-1.4.17.noarch

I had disabled cram-md5 from the server (as I had had issues with it
on my other toaster running Horde). In /etc/dovecot/toaster.conf:

auth_mechanisms = plain login digest-md5

But after the update, logins to Squirrelmail no longer worked. This was
the error given by Squirrelmail:

ERROR:
Bad request: IMAP server does not appear to support the authentication
method selected. Please contact your system administrator.

And in dovecot.log I saw:

Feb 16 23:31:04 imap-login: Info: Disconnected (tried to use
unsupported auth mechanism): method=CRAM-MD5, rip=127.0.0.1,
lip=127.0.0.1, secured

What I have in /etc/squirrelmail/config.php is:

$imap_auth_mech = 'login';
$use_imap_tls = false;

Now I am puzzled as I had the same config in dovecot/squirrelmail
before the update and things worked ok.

Here is what I see in the dovecot.log with the old version when
logging in via Squirrelmail:

Feb 16 23:40:33 imap-login: Info: Aborted login (auth failed, 1
attempts): user=<pe...@mydomain.tld>, method=PLAIN, rip=127.0.0.1,
lip=127.0.0.1, secured

So no cram-md5 there.... So the situation seems to be:

* with dovecot-2.0.11-2.qtp + qmail-toaster-1.03-1.3.20 Squirrelmail
works ok without cram-md5, Horde does not work without cram-md5

* with dovecot-2.0.17-1.qtp.i386 + qmail-toaster-1.03-1.3.21.i686
Squirrelmail does not work without cram-md5, situation of Horde with
this combo is unknown to me

Has anyone any ideas why Squirrelmail started using cram-md5 after the update?

Best,
Peter

---------------------------------------------------------------------------------

Look closely at your config_local.php file for SM, just to be sure there's not another line with cram-md5 in there.

I just had a problem today testing dovecot w/out cram-md5. I needed to change SM's config_local.php from:
$imap_auth_mech     = 'cram-md5';
to
$imap_auth_mech     = 'digest-md5';

I noticed this comment I had put in there:
# 2011/09/30 - cram-md5 had intermittent failures
Just squirrelly I guess. ;)

BL, digest-md5 is working ok for me, and doesn't send passwords in the clear. FWIW, SM v1.5.1 supports STARTTLS. This is usually not a concern though, as SM and QMT are usually on a trusted network (if not the same host).

--
-Eric 'shubes'
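
An added example, not part of the original thread: a small check that works out which $imap_auth_mech SquirrelMail ends up using and compares it with Dovecot's auth_mechanisms line. It assumes config_local.php is read after config.php (so its assignment wins) and that SquirrelMail's 'login' shows up in Dovecot as method=PLAIN, as in the log quoted above; the sample file contents are constructed from the settings quoted in the thread.

```python
import re

# Constructed sample inputs modelled on the settings quoted in this thread.
DOVECOT_CONF = "auth_mechanisms = plain login digest-md5\n"
SM_CONFIG = "$imap_auth_mech = 'login';\n$use_imap_tls = false;\n"
SM_CONFIG_LOCAL = ("# 2011/09/30 - cram-md5 had intermittent failures\n"
                   "$imap_auth_mech     = 'cram-md5';\n")

# Assumption: SquirrelMail's 'login' uses the IMAP LOGIN command, which
# Dovecot reports as method=PLAIN (as in the log line quoted in the thread).
SM_TO_DOVECOT = {"login": "plain", "plain": "plain",
                 "cram-md5": "cram-md5", "digest-md5": "digest-md5"}
CLEARTEXT = {"plain"}  # mapped names whose exchange carries the password itself

def dovecot_mechanisms(conf):
    """Mechanisms from the last auth_mechanisms line (assumed to win)."""
    mechs = set()
    for line in conf.splitlines():
        m = re.match(r"\s*auth_mechanisms\s*=\s*(.*)", line)
        if m:
            mechs = set(m.group(1).lower().split())
    return mechs

def php_setting(name, *files):
    """Last uncommented `$name = value;` across files, in include order."""
    pat = re.compile(r"^\s*\$" + re.escape(name) + r"\s*=\s*'?([^';]*)'?\s*;")
    value = None
    for text in files:
        for line in text.splitlines():
            m = pat.match(line)
            if m:
                value = m.group(1).strip().lower()
    return value

def check(dovecot_conf, *sm_files):
    """Return (effective SquirrelMail mechanism, list of findings)."""
    mech = php_setting("imap_auth_mech", *sm_files)
    tls = php_setting("use_imap_tls", *sm_files)
    needed = SM_TO_DOVECOT.get(mech)
    findings = []
    if needed is None:
        findings.append(f"unrecognised $imap_auth_mech: {mech!r}")
    elif needed not in dovecot_mechanisms(dovecot_conf):
        findings.append(f"mismatch: client uses {mech}, server does not offer it")
    elif needed in CLEARTEXT and tls in (None, "false", "0"):
        findings.append(f"{mech} sends the password in cleartext without TLS")
    return mech, findings

if __name__ == "__main__":
    print(check(DOVECOT_CONF, SM_CONFIG))
    print(check(DOVECOT_CONF, SM_CONFIG, SM_CONFIG_LOCAL))
```

With only config.php the effective mechanism is 'login' and the one finding is the cleartext note; adding the config_local.php sample flips the result to a cram-md5 mismatch, which is the symptom in the dovecot.log line above.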

