I ~may~ have just figured out why vpopmail stores cleartext passwords:

It is so it can support CRAM-MD5.

CRAM-MD5 is a challenge-response protocol used to provide privacy over
unencrypted connections.  The server challenges the client with a
pseudorandom challenge.  The client uses the password with HMAC-MD5 to
hash the challenge and send it back.  The server repeats the client
procedure to confirm that the client used (and thus has) the correct
password.

But this means that the server MUST have access to the cleartext
password, otherwise it cannot repeat the client's actions and confirm
authentication.  This cannot be accomplished with a salted hashed password.

If you remove the use of CRAM-MD5 and use PLAIN or LOGIN, the server
does not need access to the cleartext password.

Back when vpopmail was written, cleartext password storage was already
out of favor.  But TLS was not widely used, and the only way to not send
passwords in the clear was CRAM-MD5 (or a similar scheme), and this
required storing cleartext passwords.  Though storing cleartext
passwords is unsafe, it is much safer than sending cleartext passwords
over an encrypted channel.

I suspect that this is the primary reason that vpopmail primarily uses
hashed passwords but supports cleartext passwords with the option to
disable them.

-Andy
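
Added example (editor's illustration, not code from vpopmail, Dovecot or anyone on this thread): both sides of the CRAM-MD5 exchange described above, next to a PLAIN/LOGIN-style check, run against a constructed user record. The record mimics the pw_clear_passwd column the thread talks about; the hashed-column name pw_passwd, the PBKDF2 storage format, the hostname and the two user names are assumptions made for the example. Wire-level base64 framing is omitted.

```python
"""CRAM-MD5 versus PLAIN verification against a vpopmail-style record.
Added example; field names other than pw_clear_passwd are assumptions."""
import hashlib
import hmac
import os
import time


def make_challenge(hostname="mail.example.net"):
    """Server side: an RFC 2195 challenge of the form <random.timestamp@host>."""
    return f"<{os.urandom(4).hex()}.{int(time.time())}@{hostname}>"


def cram_md5_response(username, password, challenge):
    """Client side: HMAC-MD5 keyed with the password over the challenge,
    returned as 'username hexdigest' (base64-wrapped on the wire; omitted)."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def hash_password(password, salt=None):
    """Salted, iterated hash for storage (PBKDF2-HMAC-SHA256; a constructed
    choice, not vpopmail's format).  Stored as 'salthex$dkhex'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()


def make_record(password, keep_cleartext):
    """Constructed stand-in for one vpopmail user row.  pw_clear_passwd is the
    column discussed in the thread; pw_passwd (assumed name) holds the hash."""
    return {
        "pw_passwd": hash_password(password),
        "pw_clear_passwd": password if keep_cleartext else None,
    }


def build_store():
    """Two constructed users sharing the thread's test password; bob has had
    pw_clear_passwd set to null, as in the experiment described above."""
    return {
        "alice": make_record("0123456789", keep_cleartext=True),
        "bob": make_record("0123456789", keep_cleartext=False),
    }


def cram_md5_verify(response, challenge, store):
    """Server side: recompute the client's HMAC from the stored cleartext.
    Returns True/False when the record can be checked, and None when there is
    no record or pw_clear_passwd is null: a salted hash cannot rebuild the HMAC."""
    username, _, digest = response.partition(" ")
    record = store.get(username)
    if record is None or record["pw_clear_passwd"] is None:
        return None
    expected = hmac.new(record["pw_clear_passwd"].encode(),
                        challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def plain_verify(username, password, store):
    """Server side for PLAIN/LOGIN: the client sent the password itself, so the
    server re-hashes it with the stored salt and compares; no cleartext needed."""
    record = store.get(username)
    if record is None:
        return False
    salt_hex, _, _ = record["pw_passwd"].partition("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record["pw_passwd"])


if __name__ == "__main__":
    store = build_store()
    chal = make_challenge()
    print(cram_md5_verify(cram_md5_response("alice", "0123456789", chal), chal, store))  # True
    print(cram_md5_verify(cram_md5_response("bob", "0123456789", chal), chal, store))    # None
    print(plain_verify("bob", "0123456789", store))                                       # True
```

The None result for bob is the shape of the failure the thread reports once pw_clear_passwd is nulled and a client negotiates CRAM-MD5, while the PLAIN/LOGIN path still succeeds against the salted hash alone, which is consistent with the 'auth_mechanisms = plain login' and 'login' settings that resolved the Squirrelmail case.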


On 10/3/2018 7:51 PM, Eric Broch wrote:
> Hi Andy,
> 
> I got it to work.
> 
> In '/etc/dovecot/toaster.conf' add 'mail_location = maildir:~/Maildir'
> 
> and make sure of 'auth_mechanisms = plain login'
> 
> In '/etc/squirrelmail/config_local.php' here are my imap settings:
> 
> $imapServerAddress  = 'localhost';
> $imap_server_type   = 'dovecot';
> $imap_auth_mech     = 'login';
> 
> worked for my squirrelmail setup, hope you get it working
> 
> -Eric
> 
> 
> On 10/3/2018 9:18 PM, Andrew Swartz wrote:
>> And I'll add that at the end, with pw_clear_passwd set to null, login
>> succeeds via IMAP but fails via Squirrelmail.
>>
>> -Andy
>>
>>
>>
>> -------- Forwarded Message --------
>> Subject: Re: [qmailtoaster] dovecot
>> Date: Wed, 3 Oct 2018 19:12:11 -0800
>> From: Andrew Swartz <awswa...@acsalaska.net>
>> To: qmailtoaster-list@qmailtoaster.com
>>
>> Eric,
>>
>> With pw_clear_passwd set to '0123456789' I successfully logged in via
>> this technique using password '0123456789'.
>>
>> I used SQL to reset pw_clear_passwd to null.
>>
>> Again I successfully logged in via this technique using password
>> '0123456789'.
>>
>>
>> -Andy
>>
>>
>>
>> On 10/3/2018 6:02 PM, Eric Broch wrote:
>>> Try the CLI commands I sent. There can be issues with the configuration
>>> of squirrelmail and roundcube.
>>>
>>> IMAP:
>>>
>>> # openssl s_client -crlf -connect localhost:993
>>>
>>> imap> tag login u...@domain.tld  $userpassword
>>>
>>>
>>> Submission:
>>>
>>> # cd /usr/local/bin
>>> # wget http://www.jetmore.org/john/code/swaks/latest/swaks
>>> # chown root.root swaks
>>> # chmod +x swaks
>>>
>>> # swaks --to some...@remotedomain.tld --from u...@domain.tld --server
>>> $yourqmthost --port 587 --ehlo test -tls --auth login --auth-user
>>> u...@domain.tld --auth-password $userpassword
>>>
>>>
>>> On 10/3/2018 7:45 PM, Andrew Swartz wrote:
>>>> Eric,
>>>>
>>>> On Centos7 QMT:
>>>>
>>>> I just created a new user account and set the password to '0123456789'.
>>>> Then I used your SQL command to set pw_clear_passwd to null.
>>>> Then I viewed the table to confirm it was empty (it was).
>>>> Then I tried to log in to Squirrelmail using password '0123456789':
>>>> Login failed.
>>>> Then I used your SQL command to reset pw_clear_passwd back to
>>>> '0123456789'.
>>>> Then I tried to log in to Squirrelmail using password '0123456789':
>>>> success.
>>>>
>>>> This seems different from your experience.
>>>>
>>>> This sucks because it seems to mean no easy fix for this problem.
>>>>
>>>>
>>>> -Andy
>>>>
>>>>
>>>>
>>>>
>>>> On 10/3/2018 4:24 PM, Eric Broch wrote:
>>>>> I've been contacted by someone who removed the clear text password
>>>>> from
>>>>> an account and had issues logging into Dovecot even after a
>>>>> restart. The
>>>>> fix of course is to reset the password with
>>>>> /home/vpopmail/bin/vpasswd.
>>>>> Does anyone else want to confirm/refute my findings that w/o the clear
>>>>> text password Dovecot will work?
>>>>>
>>> -- 
>>> Eric Broch
>>> White Horse Technical Consulting (WHTC)
>>>
>>
> 
