Frautoincnam Apprentice
Joined: 19 May 2017 Posts: 294
|
Posted: Fri May 21, 2021 5:30 pm Post subject: CRAM-MD5 login error |
|
|
Hello,
Suddenly, certainly following an update, the roundcube identification no longer works.
I checked, nothing has been modified in the configuration of roundcube, nor of dovecot.
On the other hand, I know that /etc/login.defs has recently changed, but I don't know if that affects.
Code: | # diff -u /tmp/bacula-restores/etc/login.defs /etc/login.defs
--- /tmp/bacula-restores/etc/login.defs 2020-11-06 11:41:20.000000000 -0400
+++ /etc/login.defs 2021-05-21 13:13:49.059515553 -0400
@@ -209,12 +209,17 @@
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
-# home directories.
+# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+#HOME_MODE 0700
+
#
# Password aging controls:
#
@@ -348,7 +353,6 @@
# the PAM modules configuration.
#
#ENCRYPT_METHOD DES
-ENCRYPT_METHOD SHA512
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. |
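Review bot: the second hunk removes the only active `ENCRYPT_METHOD` line, leaving just the commented-out `#ENCRYPT_METHOD DES` in the visible context, so no method is set explicitly any more, while the comment that follows still describes an option that "Only works if ENCRYPT_METHOD is set to SHA256 or SHA512". If the removal came from merging the packaged file rather than from a deliberate choice, keep `ENCRYPT_METHOD SHA512` when merging so the file does not fall back to a built-in default.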
But even with ENCRYPT_METHOD SHA512 it is the same.
Do I have to restart something to take into account the modifications ?
The error I got is related to CRAM-MD5.
roundcube error :
Code: | [21-May-2021 10:57:31 -0400]: <47hctpjq> IMAP Error: Login failed for chris against localhost from 192.168.5.3. AUTHENTICATE CRAM-MD5: A0002 NO [AUTHENTICATIONFAILED] Authentication failed. in /var/www/localhost/htdocs/roundcube/program/lib/Roundcube/rcube_imap.php on line 200 (POST /webmail/?_task=login&_action=login) |
roundcube imap log :
Code: | [21-May-2021 10:57:29 -0400]: <47hctpjq> [2B62] Connecting to localhost:143...
[21-May-2021 10:57:29 -0400]: <47hctpjq> [2B62] S: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=CRAM-MD5 AUTH=LOGIN] Dovecot ready.
[21-May-2021 10:57:29 -0400]: <47hctpjq> [2B62] C: A0001 ID ("name" "Roundcube" "version" "1.4.11" "php" "7.4.19" "os" "Linux" "command" "/webmail/?_task=login")
[21-May-2021 10:57:29 -0400]: <47hctpjq> [2B62] S: * ID ("name" "Dovecot")
[21-May-2021 10:57:29 -0400]: <47hctpjq> [2B62] S: A0001 OK ID completed.
[21-May-2021 10:57:29 -0400]: <47hctpjq> [2B62] C: A0002 AUTHENTICATE CRAM-MD5
[21-May-2021 10:57:29 -0400]: <47hctpjq> [2B62] S: + PDM2MTA1ODI4NjcxMTY5NTkuMTYyMTYwOTA0OUB2bXNlcnZldXI+
[21-May-2021 10:57:29 -0400]: <47hctpjq> [2B62] C: ****** [50]
[21-May-2021 10:57:31 -0400]: <47hctpjq> [2B62] S: A0002 NO [AUTHENTICATIONFAILED] Authentication failed. |
dovecot corresponding error :
Code: | May 21 10:57:31 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<chris>, method=CRAM-MD5, rip=127.0.0.1, lip=127.0.0.1, secured, session=<XMJaR9jCvJF/AAAB> |
My dovecot conf if needed :
Code: | # dovecot -n
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# OS: Linux 5.10.27-gentoo x86_64 Gentoo Base System release 2.7 ext4
# Hostname: vmserveur.novazur.fr
auth_mechanisms = plain cram-md5 login
auth_username_format = %n
auth_verbose_passwords = sha1:12
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info.log
listen = *
log_path = /var/log/dovecot.log
mail_location = maildir:/var/spool/mail/%n
mail_privileged_group = mail
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = *
driver = pam
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
protocols = imap pop3
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
}
ssl_cert = </etc/ssl/dovecot/server.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
driver = passwd
}
userdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
} |
If I modify roundcube config $config['imap_auth_type'] from null (default) to 'PLAIN', it works.
But I'd like to know what changed, and why it doesn't work anymore without modifying default roundcube option.
I tried to use gnome-evolution with imap and CRAM-MD5 and it failed too. So that's NOT a roundcube problem. There is an issue somewhere else. PAM issue ?
[Edit]
possible that
Code: | service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
} |
were added recently to dovecot. Can this have a connection?
However with default config :
Code: | #unix_listener /var/spool/postfix/private/auth {
# mode = 0666
#} |
It's not better. |
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
|
Posted: Fri May 21, 2021 5:49 pm Post subject: |
|
|
Hi can you plz post the output of
Code: |
grep -ir cram /etc/dovecot
|
Where do you store the passwords?
My guess is that dispatch-conf overwrote your modified config
Either
Code: |
/etc/dovecot/conf.d/10-auth.conf ####OR
/etc/dovecot/conf.d/auth-passwdfile.conf.ext
|
Let's see....
Last edited by alamahant on Fri May 21, 2021 5:55 pm; edited 1 time in total |
Frautoincnam Apprentice
Joined: 19 May 2017 Posts: 294
|
Posted: Fri May 21, 2021 5:55 pm Post subject: |
|
|
alamahant wrote: | Hi can you plz post the output of
Code: |
grep -ir cram /etc/dovecot
|
|
Code: | # grep -ir cram /etc/dovecot
/etc/dovecot/conf.d/10-auth.conf:# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
/etc/dovecot/conf.d/10-auth.conf:auth_mechanisms = plain cram-md5 login |
Quote: | My guess is that dispatch-conf overwrote your modified config |
I don't think so, but I could be wrong
Quote: | Either
Code: |
/etc/dovecot/conf.d/10-auth.conf ####OR
/etc/dovecot/conf.d/auth-passwdfile.conf.ext
|
Lets see.... |
If you want, but I already gave my dovecot conf
Code: | 10-auth.conf
disable_plaintext_auth = no
auth_username_format = %n
auth_mechanisms = plain cram-md5 login
!include auth-system.conf.ext
!include auth-sql.conf.ext
!include auth-ldap.conf.ext |
Code: | auth-passwdfile.conf.ext
passdb {
driver = passwd-file
args = scheme=CRYPT username_format=%u /etc/dovecot/users
}
userdb {
driver = passwd-file
args = username_format=%u /etc/dovecot/users
} |
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
|
Posted: Fri May 21, 2021 5:57 pm Post subject: |
|
|
Quote: |
etc/dovecot/conf.d/10-auth.conf:# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
/etc/dovecot/conf.d/10-auth.conf:auth_mechanisms = plain cram-md5 login
|
Please put cram-md5 in the BEGINNING of the lists...
Also in dovecot.conf
Where do you store the passwords?
Frautoincnam Apprentice
Joined: 19 May 2017 Posts: 294
|
Posted: Fri May 21, 2021 6:04 pm Post subject: |
|
|
As indicated in my dovecot conf (original post), files and ldap
Code: | # grep "^passwd" /etc/nsswitch.conf
passwd: files ldap |
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
|
Posted: Fri May 21, 2021 6:12 pm Post subject: |
|
|
ldap does not understand cram-md5 easily
best use a user file for dovecot
If needed regenerate passwords with
doveadm pw -s cram-md5
Frautoincnam Apprentice
Joined: 19 May 2017 Posts: 294
|
Posted: Fri May 21, 2021 6:21 pm Post subject: |
|
|
But I WANT/NEED to use ldap. I don't want to replace it with a simple file.
It works like that for 20 years !
I admit that I have to not use CRAM-MD5 with LDAP.
But, what I'd like to understand is :
what changed recently to not working anymore without changing anything in my dovecot conf ?
sys-apps/shadow-4.8.1-r3 update on Sun May 16 ? |
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
|
Posted: Fri May 21, 2021 7:02 pm Post subject: |
|
|
Somewhere you have to store the cram-md5 passwords for email accounts
Do the email accounts belong to linux users, ldap users or they are external?
This is what i am asking you.
In my case i have a file with this format
Code: |
user@domain:{CRAM-MD5}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
Dovecot needs this.
Also please insert cram-md5 first in the auth mechanisms list
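The point made in this reply, as an added example that is not part of the original thread: in CRAM-MD5 the password never crosses the wire, so the server has to recompute the HMAC from the password itself (Dovecot also accepts its derived {CRAM-MD5} form), while a one-way hash, as a PAM or hashed LDAP backend holds, can only be checked when the client sends the password (PLAIN/LOGIN). The challenge is the one from the Roundcube log; the password and the PBKDF2 stand-in for the backend hash are constructed assumptions.

```python
import base64, hashlib, hmac, os

# Challenge copied from the Roundcube IMAP log in the first post.
CHALLENGE_B64 = "PDM2MTA1ODI4NjcxMTY5NTkuMTYyMTYwOTA0OUB2bXNlcnZldXI+"

def decode_challenge(challenge_b64):
    """The server's nonce: <random.timestamp@hostname>."""
    return base64.b64decode(challenge_b64).decode("ascii")

def client_response(user, password, challenge_b64):
    """RFC 2195: base64("<user> <hex HMAC-MD5(key=password, msg=challenge)>")."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def verify_cram(secret, challenge_b64, response_b64):
    """Server side: recompute the HMAC; this needs the password itself as key."""
    _user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def hash_password(password, salt):
    """Stand-in for a one-way crypt(3)/LDAP hash (PBKDF2 here, an assumption)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 10_000)

def verify_plain(stored_hash, salt, presented_password):
    """PLAIN/LOGIN: the server receives the password, so it can hash and compare."""
    return hmac.compare_digest(stored_hash, hash_password(presented_password, salt))

if __name__ == "__main__":
    password = "example-password"           # constructed, not from the thread
    salt = os.urandom(16)
    stored = hash_password(password, salt)  # all that a hash-only backend keeps
    resp = client_response("chris", password, CHALLENGE_B64)
    print("challenge                 :", decode_challenge(CHALLENGE_B64))
    print("CRAM with plaintext secret:", verify_cram(password.encode(), CHALLENGE_B64, resp))
    print("CRAM with only the hash   :", verify_cram(stored, CHALLENGE_B64, resp))
    print("PLAIN against the hash    :", verify_plain(stored, salt, password))
```
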
Frautoincnam Apprentice
Joined: 19 May 2017 Posts: 294
|
Posted: Fri May 21, 2021 7:11 pm Post subject: |
|
|
alamahant wrote: | Somewhere you have to store the cram-md5 passwords for email accounts
This is what i am asking you. |
But I don't want identifiers twice.
I WANT to use LDAP.
I prefer to use roundcube option 'PLAIN' than not to use LDAP.
Quote: | Also please insert cram-md5 first in the auth mechanisms list |
Tried unsuccessful
But all this doesn't answer my questions.
It does not matter. Drop it.
thank you for your help |