Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-09 Thread Liu Yubao
On Tue, Jan 10, 2012 at 2:59 AM, Timo Sirainen  wrote:
> On 7.1.2012, at 5.36, Yubao Liu wrote:
>
>> In the old version, "auth->passdbs" contains all passdbs; this revision
>> changes "auth->passdbs" to only contain non-master passdbs.
>>
>> I'm not sure which fix is better, or even whether my proposal is correct or complete:
>>  a) in src/auth/auth.c:auth_passdb_preinit(), insert master passdb to
>>      auth->passdbs too,  and remove duplicate code for masterdbs
>>      in auth_init() and auth_deinit().
>
> Not a good idea. The master passdb needs to be treated specially, otherwise 
> you might accidentally allow regular users logging in as other users.
>

Sorry, I don't understand well.  This scheme adds all master dbs to
auth->passdbs; auth->masterdbs is not changed and still contains only master
users.  I guess Dovecot looks up auth->masterdbs for master users and
auth->passdbs for regular users; regular users don't know master users'
passwords, so they can't log in as other users.

http://wiki2.dovecot.org/Authentication/MasterUsers
The "Example configuration" already shows that the master user account can be
added to auth->passdbs too.

This scheme does bring an unexpected issue: the master users can't have
separate passwords for regular login as themselves (because masterdbs are also
added to passdbs), so the risk of password leak increases much, but I don't
think it's good practice to do regular login with a master user account.

Quoted from the same wiki page (I really enjoy the wonderful Dovecot wiki,
it's the most well organized and documented wiki in open source projects,
thank you very much!):
  "If you want master users to be able to log in as themselves, you'll need
  to either add the user to the normal passdb or add the passdb to
  dovecot.conf twice, with and without master=yes. Note that if the passdbs
  point to different locations, the user can have a different password when
  logging in as other users than when logging in as himself. This is a good
  idea since it can avoid accidentally logging in as someone else."

Anyway, scheme B is much less risky and much simpler, just a little
annoying code duplication :-)

>>  b) add similar code for masterdbs in auth_passdb_list_have_verify_plain(),
>>      auth_passdb_list_have_lookup_credentials(), 
>> auth_passdb_list_have_set_credentials().
>
> Kind of annoying code duplication, but .. I guess it can't really be helped. 
> Added:
> http://hg.dovecot.org/dovecot-2.0/rev/bed15faedfd4
>

Thank you very much, I don't have to maintain my private package :-)

>> Another related question is "pass" option in master passdb, if I set it to 
>> "yes",
>> the authentication fails:
> ..
>> My normal passdb is a PAM passdb,  it doesn't support credential lookups, 
>> that's
>> reasonable,
>
> Right.
>
>> but I feel the comment for "pass" option is confusing:
>>
>>  # Unless you're using PAM, you probably still want the destination user to
>>  # be looked up from passdb that it really exists. pass=yes does that.
>>  pass = yes
>> }
>>
>> According to the comment, it's to check whether the real user exists, so why not
>> check userdb instead of another passdb?
>
> Well.. It is going to check userdb eventually anyway, so it would still fail, 
> just a bit later and maybe with different error message.

If Dovecot doesn't check the password for the real user against passdb
(actually it doesn't have the password of the real user because it's doing
master user proxy authorization), it won't fail on the userdb lookup because
the userdb does contain the real user; in my case the real user is a system
user and absolutely exists.

>
>> Even if it must check against passdb,
>> in this case it's obviously not necessary to look up credentials; it's enough
>> to look up the user name only.
>
> There's currently no passdb that supports "does user exist?" lookup, but 
> doesn't support credentials lookup, so this is more of a theoretical issue. 
> (I guess maybe PAM could be abused in some configurations to do the check, 
> but that's rather ugly..)

I don't understand why master user proxy authorization in Dovecot has to
check the real user against his credentials.  Does that mean "user*master"
has to authenticate twice, once for master and once for user?  But often the
client can't provide two passwords in a single login, and the regular passdb
such as the PAM passdb doesn't support credential lookups.  So I feel it's
better for Dovecot to check only destination user names in passdbs or userdbs
after the master user authentication part succeeds, to decide whether the
destination user exists, just as the comment for "pass=yes" describes.

This may not be a bug; IMHO it's just a confusing feature.

Regards,
Yubao Liu


Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-09 Thread Timo Sirainen
On 7.1.2012, at 5.36, Yubao Liu wrote:

> In the old version, "auth->passdbs" contains all passdbs; this revision
> changes "auth->passdbs" to only contain non-master passdbs.
> 
> I'm not sure which fix is better, or even whether my proposal is correct or complete:
>  a) in src/auth/auth.c:auth_passdb_preinit(), insert master passdb to
>  auth->passdbs too,  and remove duplicate code for masterdbs
>  in auth_init() and auth_deinit().

Not a good idea. The master passdb needs to be treated specially, otherwise you 
might accidentally allow regular users logging in as other users.

>  b) add similar code for masterdbs in auth_passdb_list_have_verify_plain(),
>  auth_passdb_list_have_lookup_credentials(), 
> auth_passdb_list_have_set_credentials().

Kind of annoying code duplication, but .. I guess it can't really be helped. 
Added:
http://hg.dovecot.org/dovecot-2.0/rev/bed15faedfd4

> Another related question is "pass" option in master passdb, if I set it to 
> "yes",
> the authentication fails:
..
> My normal passdb is a PAM passdb,  it doesn't support credential lookups, 
> that's
> reasonable,

Right.

> but I feel the comment for "pass" option is confusing:
> 
>  # Unless you're using PAM, you probably still want the destination user to
>  # be looked up from passdb that it really exists. pass=yes does that.
>  pass = yes
> }
> 
> According to the comment, it's to check whether the real user exists, so why not
> check userdb instead of another passdb?

Well.. It is going to check userdb eventually anyway, so it would still fail, 
just a bit later and maybe with different error message.

> Even if it must check against passdb,
> in this case it's obviously not necessary to look up credentials; it's enough
> to look up the user name only.

There's currently no passdb that supports "does user exist?" lookup, but 
doesn't support credentials lookup, so this is more of a theoretical issue. (I 
guess maybe PAM could be abused in some configurations to do the check, but 
that's rather ugly..)

Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-07 Thread Yubao Liu

Hi Timo,

Did you review the patches in my previous email? I tested the two patches against
my configuration (pasted in this thread too), and they both work well.  I prefer
the first patch, but I'm not sure whether it breaks something else.

Regards,
Yubao Liu

On 01/07/2012 11:36 AM, Yubao Liu wrote:

On 01/07/2012 01:51 AM, Timo Sirainen wrote:

On 6.1.2012, at 19.45, Yubao Liu wrote:

On 01/07/2012 12:44 AM, Timo Sirainen wrote:

On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:

I don't know why this function doesn't check auth->masterdbs, if I
insert these lines after line 128, that error goes away, and 
dovecot's

imap-login process happily does DIGEST-MD5 authentication [1].
In my configuration, "masterdbs" contains "passdb passwd-file",
"passdbs" contains " passdb pam".

So .. you want DIGEST-MD5 authentication for the master users, but not
for anyone else? I hadn't really thought anyone would want that..

Is there any special reason that master passdb isn't taken into
account in src/auth/auth.c:auth_passdb_list_have_lookup_credentials() ?
I feel master passdb is also a kind of passdb.

I guess it could be changed. It wasn't done intentionally that way.


I guess this change broke the old way:
http://hg.dovecot.org/dovecot-2.0/rev/b05793c609ac

In the old version, "auth->passdbs" contains all passdbs; this revision
changes "auth->passdbs" to only contain non-master passdbs.

I'm not sure which fix is better, or even whether my proposal is correct or complete:
  a) in src/auth/auth.c:auth_passdb_preinit(), insert master passdb to
  auth->passdbs too,  and remove duplicate code for masterdbs
  in auth_init() and auth_deinit().

  b) add similar code for masterdbs in 
auth_passdb_list_have_verify_plain(),
  auth_passdb_list_have_lookup_credentials(), 
auth_passdb_list_have_set_credentials().

This is exactly my use case: I use Kerberos for system users.
I'm curious why the master passdb isn't used to check the
"have_lookup_credentials" ability.

http://wiki2.dovecot.org/Authentication/MultipleDatabases
Currently the fallback works only with the PLAIN authentication mechanism.

I hope this limitation can be relaxed.
It might already be .. I don't remember. In any case you have only 
PAM passdb, so it shouldn't matter. GSSAPI isn't a passdb.
If the fix above is added, then I can use CRAM-MD5 with the master
passwd-file passdb and the normal pam passdb; otherwise the imap-login process
can't start up due to the check in auth_mech_list_verify_passdb().

Attached are two patches against the dovecot-2.0 branch for the two schemes;
the first is cleaner but may affect other logic in other source files.


Another related question is the "pass" option in the master passdb; if I set
it to "yes", the authentication fails:
Jan  7 11:26:00 gold dovecot: auth: Debug: client in: AUTH#0111#011CRAM-MD5#011service=imap#011secured#011lip=127.0.1.1#011rip=127.0.0.1#011lport=143#011rport=51771
Jan  7 11:26:00 gold dovecot: auth: Debug: client out: CONT#0111#011PDk4NjcwMDY1MTU3NzI3MjguMTMyNTkwNjc2MEBnb2xkPg==
Jan  7 11:26:00 gold dovecot: auth: Debug: client in: CONT#0111#011ZGlla2VuKndlYm1haWwgYmNkMzFiMWE1YjQ1OWQ0OGRkZWQ4ZmIzZDhmMjVhZTc=
Jan  7 11:26:00 gold dovecot: auth: Debug: auth(webmail,127.0.0.1,master): Master user lookup for login: dieken
Jan  7 11:26:00 gold dovecot: auth: Debug: passwd-file(webmail,127.0.0.1,master): lookup: user=webmail file=/etc/dovecot/master-users
Jan  7 11:26:00 gold dovecot: auth: passdb(webmail,127.0.0.1,master): Master user logging in as dieken
Jan  7 11:26:00 gold dovecot: auth: Error: passdb(dieken,127.0.0.1): No passdbs support skipping password verification - pass=yes can't be used in master passdb
Jan  7 11:26:00 gold dovecot: auth: Debug: password(dieken,127.0.0.1): passdb doesn't support credential lookups


My normal passdb is a PAM passdb; it doesn't support credential lookups,
which is reasonable, but I feel the comment for the "pass" option is confusing:

$ less /etc/dovecot/conf.d/auth-master.conf.ext

# Example master user passdb using passwd-file. You can use any passdb though.
passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/master-users

  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  pass = yes
}

According to the comment, it's to check whether the real user exists, so why
not check userdb instead of another passdb? Even if it must check against
passdb, in this case it's obviously not necessary to look up credentials; it's
enough to look up the user name only.

Regards,
Yubao Liu





Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-06 Thread Yubao Liu

On 01/07/2012 01:51 AM, Timo Sirainen wrote:

On 6.1.2012, at 19.45, Yubao Liu wrote:

On 01/07/2012 12:44 AM, Timo Sirainen wrote:

On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:

I don't know why this function doesn't check auth->masterdbs, if I
insert these lines after line 128, that error goes away, and dovecot's
imap-login process happily does DIGEST-MD5 authentication [1].
In my configuration, "masterdbs" contains "passdb passwd-file",
"passdbs" contains " passdb pam".

So .. you want DIGEST-MD5 authentication for the master users, but not
for anyone else? I hadn't really thought anyone would want that..

Is there any special reason that master passdb isn't taken into
account in src/auth/auth.c:auth_passdb_list_have_lookup_credentials() ?
I feel master passdb is also a kind of passdb.

I guess it could be changed. It wasn't done intentionally that way.


I guess this change broke the old way:
http://hg.dovecot.org/dovecot-2.0/rev/b05793c609ac

In the old version, "auth->passdbs" contains all passdbs; this revision
changes "auth->passdbs" to only contain non-master passdbs.

I'm not sure which fix is better, or even whether my proposal is correct or complete:
  a) in src/auth/auth.c:auth_passdb_preinit(), insert master passdb to
  auth->passdbs too,  and remove duplicate code for masterdbs
  in auth_init() and auth_deinit().

  b) add similar code for masterdbs in 
auth_passdb_list_have_verify_plain(),
  auth_passdb_list_have_lookup_credentials(), 
auth_passdb_list_have_set_credentials().

This is exactly my use case: I use Kerberos for system users.
I'm curious why the master passdb isn't used to check the "have_lookup_credentials"
ability.
http://wiki2.dovecot.org/Authentication/MultipleDatabases

Currently the fallback works only with the PLAIN authentication mechanism.

I hope this limitation can be relaxed.

It might already be .. I don't remember. In any case you have only PAM passdb, 
so it shouldn't matter. GSSAPI isn't a passdb.
If the fix above is added, then I can use CRAM-MD5 with the master
passwd-file passdb and the normal pam passdb; otherwise the imap-login process
can't start up due to the check in auth_mech_list_verify_passdb().

Attached are two patches against the dovecot-2.0 branch for the two schemes;
the first is cleaner but may affect other logic in other source files.


Another related question is the "pass" option in the master passdb; if I set
it to "yes", the authentication fails:
Jan  7 11:26:00 gold dovecot: auth: Debug: client in: AUTH#0111#011CRAM-MD5#011service=imap#011secured#011lip=127.0.1.1#011rip=127.0.0.1#011lport=143#011rport=51771
Jan  7 11:26:00 gold dovecot: auth: Debug: client out: CONT#0111#011PDk4NjcwMDY1MTU3NzI3MjguMTMyNTkwNjc2MEBnb2xkPg==
Jan  7 11:26:00 gold dovecot: auth: Debug: client in: CONT#0111#011ZGlla2VuKndlYm1haWwgYmNkMzFiMWE1YjQ1OWQ0OGRkZWQ4ZmIzZDhmMjVhZTc=
Jan  7 11:26:00 gold dovecot: auth: Debug: auth(webmail,127.0.0.1,master): Master user lookup for login: dieken
Jan  7 11:26:00 gold dovecot: auth: Debug: passwd-file(webmail,127.0.0.1,master): lookup: user=webmail file=/etc/dovecot/master-users
Jan  7 11:26:00 gold dovecot: auth: passdb(webmail,127.0.0.1,master): Master user logging in as dieken
Jan  7 11:26:00 gold dovecot: auth: Error: passdb(dieken,127.0.0.1): No passdbs support skipping password verification - pass=yes can't be used in master passdb
Jan  7 11:26:00 gold dovecot: auth: Debug: password(dieken,127.0.0.1): passdb doesn't support credential lookups


My normal passdb is a PAM passdb; it doesn't support credential lookups,
which is reasonable, but I feel the comment for the "pass" option is confusing:

$ less /etc/dovecot/conf.d/auth-master.conf.ext

# Example master user passdb using passwd-file. You can use any passdb though.
passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/master-users

  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  pass = yes
}

According to the comment, it's to check whether the real user exists, so why
not check userdb instead of another passdb? Even if it must check against
passdb, in this case it's obviously not necessary to look up credentials; it's
enough to look up the user name only.

Regards,
Yubao Liu

diff -r 38972af8bd29 src/auth/auth.c
--- a/src/auth/auth.c	Fri Jan 06 16:04:20 2012 +0200
+++ b/src/auth/auth.c	Sat Jan 07 10:24:12 2012 +0800
@@ -69,12 +69,10 @@
 		db_count = 0;
 	}
 
-	/* initialize passdbs first and count them */
 	for (passdb_count = 0, i = 0; i < db_count; i++) {
 		if (passdbs[i]->master)
 			continue;
 
-		auth_passdb_preinit(auth, passdbs[i], &auth->passdbs);
 		passdb_count++;
 		last_passdb = i;
 	}
@@ -82,6 +80,8 @@
 		i_fatal("Last passdb can't have pass=yes");
 
 	for (i = 0; i < db_count; i++) {
+		auth_passdb_preinit(auth, passdbs[i], &auth->passdbs);
+
 		if (!passdbs[i]->master)
 			continue;
 
@@ -190,8 +190,6 @@
 	struct auth_passdb *passdb;
 	struct auth_userdb *userdb;
 
-	for (
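Review bot: the hunk at `@@ -190,8 +190,6 @@` is cut off after `-	for (`, so the loop being removed cannot be reviewed from what is posted; going by the proposal it is one of the masterdbs loops in auth_init()/auth_deinit(), and dropping it is only correct if every master passdb now also sits in `auth->passdbs` so the remaining passdbs loop covers it. Please post the complete hunk.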

Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-06 Thread Timo Sirainen
On 6.1.2012, at 19.45, Yubao Liu wrote:

> On 01/07/2012 12:44 AM, Timo Sirainen wrote:
>> On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:
>> 
>>> I don't know why this function doesn't check auth->masterdbs, if I
>>> insert these lines after line 128, that error goes away, and dovecot's
>>> imap-login process happily does DIGEST-MD5 authentication [1].
>>> In my configuration, "masterdbs" contains "passdb passwd-file",
>>> "passdbs" contains " passdb pam".
>> So .. you want DIGEST-MD5 authentication for the master users, but not
>> for anyone else? I hadn't really thought anyone would want that..
>> 
> Is there any special reason that master passdb isn't taken into
> account in src/auth/auth.c:auth_passdb_list_have_lookup_credentials() ?
> I feel master passdb is also a kind of passdb.

I guess it could be changed. It wasn't done intentionally that way.

> This is exactly my use case: I use Kerberos for system users.
> I'm curious why the master passdb isn't used to check the "have_lookup_credentials" 
> ability

> http://wiki2.dovecot.org/Authentication/MultipleDatabases
> > Currently the fallback works only with the PLAIN authentication mechanism.
> 
> I hope this limitation can be relaxed.

It might already be .. I don't remember. In any case you have only PAM passdb, 
so it shouldn't matter. GSSAPI isn't a passdb.

Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-06 Thread Yubao Liu

On 01/07/2012 12:44 AM, Timo Sirainen wrote:

On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:


I don't know why this function doesn't check auth->masterdbs, if I
insert these lines after line 128, that error goes away, and dovecot's
imap-login process happily does DIGEST-MD5 authentication [1].
In my configuration, "masterdbs" contains "passdb passwd-file",
"passdbs" contains " passdb pam".

So .. you want DIGEST-MD5 authentication for the master users, but not
for anyone else? I hadn't really thought anyone would want that..


Is there any special reason that master passdb isn't taken into
account in src/auth/auth.c:auth_passdb_list_have_lookup_credentials() ?
I feel master passdb is also a kind of passdb.

http://wiki2.dovecot.org/PasswordDatabase

> You can use multiple databases, so if the password doesn't match
> in the first database, Dovecot checks the next one. This can be useful
> if you want to easily support having both virtual users and also local
> system users (see Authentication/MultipleDatabases).


This is exactly my use case: I use Kerberos for system users.
I'm curious why the master passdb isn't used to check the
"have_lookup_credentials" ability.


http://wiki2.dovecot.org/Authentication/MultipleDatabases
> Currently the fallback works only with the PLAIN authentication mechanism.


I hope this limitation can be relaxed.

Regards,
Yubao Liu



Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-06 Thread Yubao Liu

On 01/07/2012 12:44 AM, Timo Sirainen wrote:

On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:


I don't know why this function doesn't check auth->masterdbs, if I
insert these lines after line 128, that error goes away, and dovecot's
imap-login process happily does DIGEST-MD5 authentication [1].
In my configuration, "masterdbs" contains "passdb passwd-file",
"passdbs" contains " passdb pam".

So .. you want DIGEST-MD5 authentication for the master users, but not
for anyone else? I hadn't really thought anyone would want that..


I hope users use GSSAPI authentication from a native MUA, but RoundCube
webmail doesn't support that, so I have to use DIGEST-MD5/CRAM-MD5/
PLAIN/LOGIN for authentication between RoundCube and Dovecot, and
let RoundCube log in as a master user for the normal user.

I really don't like to transfer the password as plain text, so I prefer
DIGEST-MD5 and CRAM-MD5 for both auth mechanisms and password schemes.  My
last email is partially wrong: DIGEST-MD5 can't be used for master users
because 'real_user*master_user' is used to calculate the digest in the IMAP
client, which can't be consistent with the digest in passdb because only
'master_user' is used to calculate the digest there.

But CRAM-MD5 doesn't use the user name to calculate the digest; I just tried
it successfully with my rude patch to src/auth/auth.c in my previous email :-)

# doveadm pw -s CRAM-MD5 -u webmail
(use 123456 as passwd)
# cat > /etc/dovecot/master-users
webmail:{CRAM-MD5}dd59f669267e9bb13d42a1ba57c972c5b13a4b2ae457c9ada8035dc7d8bae41b
^D

$ gsasl --imap imap.corp.example.com --verbose -m CRAM-MD5 -a 'dieken*webm...@corp.example.com' -p 123456

Trying `gold.corp.example.com'...
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
. OK Pre-login capabilities listed, post-login capabilities have more.
. STARTTLS
. OK Begin TLS negotiation now.
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
. OK Pre-login capabilities listed, post-login capabilities have more.
. AUTHENTICATE CRAM-MD5
+ PDM1OTIzODgxNjgyNzUxMjUuMTMyNTg3MDQwMkBnb2xkPg==
ZGlla2VuKndlYm1haWxAY29ycC5leGFtcGxlLmNvbSBkYjRlZWJlMTUwZGZjZjg5NTVkODZhNDBlMGJiZmQzNA==
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
Client authentication finished (server trusted)...
Enter application data (EOF to finish):

It's also OK to use "-a 'dieken*webmail'" instead of "-a
'dieken*webm...@corp.example.com'".


# doveconf -n
# 2.0.15: /etc/dovecot/dovecot.conf
# OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
auth_debug = yes
auth_debug_passwords = yes
auth_default_realm = corp.example.com
auth_krb5_keytab = /etc/dovecot.keytab
auth_master_user_separator = *
auth_mechanisms = gssapi digest-md5 cram-md5
auth_realms = corp.example.com
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
first_valid_gid = 1000
first_valid_uid = 1000
mail_debug = yes
mail_location = mdbox:/srv/mail/%u/Mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave

passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  driver = pam
}
plugin {
  sieve = /srv/mail/%u/.dovecot.sieve
  sieve_dir = /srv/mail/%u/sieve
}
protocols = " imap lmtp sieve"
service auth {
  unix_listener auth-client {
group = Debian-exim
mode = 0660
  }
}
ssl_cert = 
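The observation in the message above, that CRAM-MD5 survives the 'real_user*master_user' login syntax while DIGEST-MD5 cannot, comes down to which mechanism feeds the user name into the hash. The block below is an added example, not code from the thread or from Dovecot: it re-derives both computations with Python's hashlib/hmac, parses the CRAM-MD5 challenge/response pasted in the gsasl session above, recomputes the digest from the master password 123456 given there, and shows that the DIGEST-MD5 secret a client derives for "dieken*webmail" differs from the MD5(user:realm:password) value Dovecot's DIGEST-MD5 scheme stores for "webmail" alone. The "*" separator and the realm corp.example.com are taken from the posted doveconf -n output; the function names are the example's own.

```python
"""Why CRAM-MD5 works with Dovecot's "user*master" login but DIGEST-MD5 does not.

Added example for this thread, not code from the thread or from Dovecot.
The CRAM-MD5 exchange is copied from the gsasl transcript above; the password,
realm and master-user separator are the values from the posted configuration.
"""
from __future__ import annotations

import base64
import hashlib
import hmac

MASTER_SEPARATOR = "*"  # auth_master_user_separator = * in the posted doveconf -n

# CRAM-MD5 exchange copied from the gsasl transcript above: the server's
# "+ <challenge>" line and the client's base64 answer.
SAMPLE_CHALLENGE_B64 = "PDM1OTIzODgxNjgyNzUxMjUuMTMyNTg3MDQwMkBnb2xkPg=="
SAMPLE_RESPONSE_B64 = "ZGlla2VuKndlYm1haWxAY29ycC5leGFtcGxlLmNvbSBkYjRlZWJlMTUwZGZjZjg5NTVkODZhNDBlMGJiZmQzNA=="
SAMPLE_PASSWORD = "123456"          # password given to doveadm pw and gsasl above
SAMPLE_REALM = "corp.example.com"   # auth_realms from the posted configuration


def cram_md5_response(password: str, challenge: bytes) -> str:
    """RFC 2195 digest: HMAC-MD5 keyed with the password over the server's
    challenge.  The user name is sent beside the digest but is never hashed,
    so "dieken*webmail" can be verified with webmail's secret alone."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def digest_md5_secret(username: str, realm: str, password: str) -> str:
    """MD5(username:realm:password), the value DIGEST-MD5 (RFC 2831) builds
    HA1 from and what Dovecot's DIGEST-MD5 password scheme stores.  The user
    name is inside the hash, so any decoration of it changes the result."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def split_master_login(authid: str) -> tuple[str, str | None]:
    """Split "real_user*master_user" the way the thread describes Dovecot
    doing it: the part after the separator is the master user who proves a
    password, the part before it is the user being logged in as."""
    if MASTER_SEPARATOR not in authid:
        return authid, None
    real_user, master_user = authid.split(MASTER_SEPARATOR, 1)
    return real_user, master_user


def verify_cram_md5(response_b64: str, challenge_b64: str, master_password: str) -> dict:
    """Parse a CRAM-MD5 client response, split the master login and recompute
    the digest with the master user's password only.  Returns the parsed
    fields plus whether the recomputed digest equals the one the client sent."""
    challenge = base64.b64decode(challenge_b64)
    authid, sent_digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    real_user, master_user = split_master_login(authid)
    expected = cram_md5_response(master_password, challenge)
    return {
        "authid": authid,
        "real_user": real_user,
        "master_user": master_user,
        "digest_ok": hmac.compare_digest(expected, sent_digest),
    }


def digest_md5_master_login_matches(real_user: str, master_user: str,
                                    realm: str, password: str) -> bool:
    """DIGEST-MD5 side of the same login: the client hashes the full
    authentication id "real*master", while the passdb holds the hash for
    "master" alone.  True only if the two agree, which they do not."""
    client = digest_md5_secret(f"{real_user}{MASTER_SEPARATOR}{master_user}", realm, password)
    stored = digest_md5_secret(master_user, realm, password)
    return client == stored


if __name__ == "__main__":
    print("CRAM-MD5:", verify_cram_md5(SAMPLE_RESPONSE_B64, SAMPLE_CHALLENGE_B64, SAMPLE_PASSWORD))
    print("DIGEST-MD5 master login verifiable:",
          digest_md5_master_login_matches("dieken", "webmail", SAMPLE_REALM, SAMPLE_PASSWORD))
```

The same split also explains why the passwd-file entry for webmail can be stored in the CRAM-MD5 scheme: the server only needs webmail's HMAC key material, never the string "dieken*webmail". A DIGEST-MD5 entry, by contrast, is bound to one exact user name at hashing time, so no server-side change can make it verify a differently named login.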

Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-06 Thread Timo Sirainen
On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:

> I don't know why this function doesn't check auth->masterdbs, if I
> insert these lines after line 128, that error goes away, and dovecot's
> imap-login process happily does DIGEST-MD5 authentication [1].
> In my configuration, "masterdbs" contains "passdb passwd-file",
> "passdbs" contains " passdb pam".

So .. you want DIGEST-MD5 authentication for the master users, but not
for anyone else? I hadn't really thought anyone would want that..




Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-06 Thread Yubao Liu

On 01/06/2012 06:52 PM, Nick Rosier wrote:

Yubao Liu wrote:

Hi all,

I have no idea about that message, here is my configuration, what's wrong?

You have 2 passdb entries; 1 with a file and 1 with pam. I'm pretty sure
PAM doesn't support DIGEST-MD5 authentication. Could be the cause of the
problem.


Thanks, that is indeed the cause.

http://hg.dovecot.org/dovecot-2.0/file/684381041dc4/src/auth/auth.c
   121 static bool auth_passdb_list_have_lookup_credentials(struct auth *auth)
   122 {
   123     struct auth_passdb *passdb;
   124
   125     for (passdb = auth->passdbs; passdb != NULL; passdb = passdb->next) {
   126         if (passdb->passdb->iface.lookup_credentials != NULL)
   127             return TRUE;
   128     }
   129     return FALSE;
   130 }

I don't know why this function doesn't check auth->masterdbs, if I
insert these lines after line 128, that error goes away, and dovecot's
imap-login process happily does DIGEST-MD5 authentication [1].
In my configuration, "masterdbs" contains "passdb passwd-file",
"passdbs" contains " passdb pam".

    for (passdb = auth->masterdbs; passdb != NULL; passdb = passdb->next) {
        if (passdb->passdb->iface.lookup_credentials != NULL)
            return TRUE;
    }


[1] But the authentication for "user*master" always fails; I realized master users
can't log in as other users by the DIGEST-MD5 or CRAM-MD5 auth mechanisms
because these authentication mechanisms use "user*master" as the username
in the hash algorithm, not just "master".

Regards,
Yubao Liu


Debian testing, Dovecot 2.0.15

$ doveconf -n
# 2.0.15: /etc/dovecot/dovecot.conf
# OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
auth_default_realm = corp.example.com
auth_krb5_keytab = /etc/dovecot.keytab
auth_master_user_separator = *
auth_mechanisms = gssapi digest-md5
auth_realms = corp.example.com
auth_username_format = %n
first_valid_gid = 1000
first_valid_uid = 1000
mail_location = mdbox:/srv/mail/%u/Mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
passdb {
   args = /etc/dovecot/master-users
   driver = passwd-file
   master = yes
   pass = yes
}
passdb {
   driver = pam
}
plugin {
   sieve = /srv/mail/%u/.dovecot.sieve
   sieve_dir = /srv/mail/%u/sieve
}
protocols = " imap lmtp sieve"
service auth {
   unix_listener auth-client {
 group = Debian-exim
 mode = 0660
   }
}
ssl_cert =
Rgds,
N.




Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-06 Thread Nick Rosier
Yubao Liu wrote:
> Hi all,
> 
> I have no idea about that message, here is my configuration, what's wrong?

You have 2 passdb entries; 1 with a file and 1 with pam. I'm pretty sure
PAM doesn't support DIGEST-MD5 authentication. Could be the cause of the
problem.

> Debian testing, Dovecot 2.0.15
> 
> $ doveconf -n
> # 2.0.15: /etc/dovecot/dovecot.conf
> # OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
> auth_default_realm = corp.example.com
> auth_krb5_keytab = /etc/dovecot.keytab
> auth_master_user_separator = *
> auth_mechanisms = gssapi digest-md5
> auth_realms = corp.example.com
> auth_username_format = %n
> first_valid_gid = 1000
> first_valid_uid = 1000
> mail_location = mdbox:/srv/mail/%u/Mail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
> passdb {
>   args = /etc/dovecot/master-users
>   driver = passwd-file
>   master = yes
>   pass = yes
> }
> passdb {
>   driver = pam
> }
> plugin {
>   sieve = /srv/mail/%u/.dovecot.sieve
>   sieve_dir = /srv/mail/%u/sieve
> }
> protocols = " imap lmtp sieve"
> service auth {
>   unix_listener auth-client {
> group = Debian-exim
> mode = 0660
>   }
> }
> ssl_cert = 
> ssl_key = 
> userdb {
>   args = home=/srv/mail/%u
>   driver = passwd
> }
> protocol lmtp {
>   mail_plugins = " sieve"
> }
> protocol lda {
>   mail_plugins = " sieve"
> }
> 
> # cat /etc/dovecot/master-users
> x...@corp.example.com:
> 
> The z is obtained by "doveadm pw -s digest-md5 -u x...@corp.example.com";
> I tried to add the prefix "{DIGEST-MD5}" before the generated hash and/or add
> "scheme=DIGEST-MD5" to the passwd-file passdb's "args" option, but neither
> helps.
> 
> The error message:
> dovecot: master: Dovecot v2.0.15 starting up (core dumps disabled)
> dovecot: auth: Fatal: DIGEST-MD5 mechanism can't be supported with given
> passdbs
> gold dovecot: master: Error: service(auth): command startup failed,
> throttling
> 
> I opened the debug auth log; it showed Dovecot read /etc/dovecot/master-users
> and parsed one line, then the error occurred.  Doesn't the passwd-file passdb
> support the digest-md5 password scheme?  If it doesn't, how do I configure the
> digest-md5 auth mechanism with the digest-md5 password scheme for virtual users?
> 
> Regards,
> Yubao Liu
> 

Rgds,
N.


[Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-05 Thread Yubao Liu

Hi all,

I have no idea about that message, here is my configuration, what's wrong?

Debian testing, Dovecot 2.0.15

$ doveconf -n
# 2.0.15: /etc/dovecot/dovecot.conf
# OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
auth_default_realm = corp.example.com
auth_krb5_keytab = /etc/dovecot.keytab
auth_master_user_separator = *
auth_mechanisms = gssapi digest-md5
auth_realms = corp.example.com
auth_username_format = %n
first_valid_gid = 1000
first_valid_uid = 1000
mail_location = mdbox:/srv/mail/%u/Mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave

passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  driver = pam
}
plugin {
  sieve = /srv/mail/%u/.dovecot.sieve
  sieve_dir = /srv/mail/%u/sieve
}
protocols = " imap lmtp sieve"
service auth {
  unix_listener auth-client {
group = Debian-exim
mode = 0660
  }
}
ssl_cert = 
ssl_key = 
userdb {
  args = home=/srv/mail/%u
  driver = passwd
}
protocol lmtp {
  mail_plugins = " sieve"
}
protocol lda {
  mail_plugins = " sieve"
}

# cat /etc/dovecot/master-users
x...@corp.example.com:

The z is obtained by "doveadm pw -s digest-md5 -u x...@corp.example.com";
I tried to add the prefix "{DIGEST-MD5}" before the generated hash and/or add
"scheme=DIGEST-MD5" to the passwd-file passdb's "args" option, but neither
helps.


The error message:
dovecot: master: Dovecot v2.0.15 starting up (core dumps disabled)
dovecot: auth: Fatal: DIGEST-MD5 mechanism can't be supported with given 
passdbs
gold dovecot: master: Error: service(auth): command startup failed, 
throttling


I opened the debug auth log; it showed Dovecot read /etc/dovecot/master-users
and parsed one line, then the error occurred.  Doesn't the passwd-file passdb
support the digest-md5 password scheme?  If it doesn't, how do I configure the
digest-md5 auth mechanism with the digest-md5 password scheme for virtual users?

Regards,
Yubao Liu