Need help in understanding auth digest-md5 and realm

Admin Beckspaced
Hello dovecot community,

I've set up dovecot and need a bit of help in understanding the auth
mechanism digest-md5 and realm.

in 10-auth.conf I got

auth_mechanisms = plain login digest-md5 cram-md5 apop
#auth_realms =
#auth_default_realm =

So I got empty realms.

Auth normally works fine and clients can auth with mechanism digest-md5
and I see the following log entries:

dovecot: auth: Debug:
sql([hidden email],46.85.229.153,<klUjO3FcTy8uVeWZ>): Generating
DIGEST-MD5 from user '[hidden email]', password 'xxxx'
dovecot: auth: Debug:
sql([hidden email],87.168.26.5,<ISVLQXFcT/xXqBoF>):
Generating DIGEST-MD5 from user '[hidden email]@', password
'xxxxxxxxxx'
dovecot: auth: Debug:
sql([hidden email],81.209.203.170,<tzxyT3FcT9RR0cuq>):
Generating DIGEST-MD5 from user '[hidden email]', password
'xxxxxxxxxxx'

But sometimes clients get a password mismatch and I then see the
following log entries:

dovecot: auth: Debug:
sql([hidden email],80.187.103.15,<adzhAnVclmxQu2cP>): Generating
DIGEST-MD5 from user '[hidden email]@mail.beckspaced.com', password 'xxxx'
dovecot: auth: Debug:
sql([hidden email],87.218.86.165,<LWItYHVc6r1X2lal>): Generating
DIGEST-MD5 from user '[hidden email]@mail.beckspaced.com', password
'xxxxxxxxxx'
dovecot: auth: Debug:
sql([hidden email],110.164.127.146,<aGhcvHBcStJupH+S>):
Generating DIGEST-MD5 from user
'[hidden email]@imap.beckspaced.com', password 'xxxxxxxxxx'

When there's a password mismatch I see a different user string for
generating the digest-md5 hash.
I suppose users use a different mail client and the mail client does
things differently?

How can I fix this password mismatch thing?

Do I just need to set auth_realms to some random string in
10-auth.conf?
Or does auth_realms need to be a host name? Domain name of some sort?

For the moment I just removed the digest-md5 mechanism ...
Or could I just simply not offer that mechanism?

If someone could shed some light on this I would be more than grateful ;)

Thanks & greetings
Becki
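The hashing that makes the username string matter, as an added example (my code, not Dovecot's and not from this thread). It implements the RFC 2831 DIGEST-MD5 response and rspauth computation plus a toy server-side check, and runs four constructed client scenarios through it. I read the 'user@realm' strings in the debug lines above as the username and realm pair that goes into the hash; that reading, the account table, the nonces, the digest-uri and the scenarios are all assumptions made for illustration.

```python
import hashlib
import hmac
import re


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _ha1(username, realm, password, nonce, cnonce):
    # A1 = { H(username:realm:password) } : nonce : cnonce   (RFC 2831, md5-sess)
    inner = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    return _md5hex(inner + f":{nonce}:{cnonce}".encode("utf-8"))


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """Client 'response' value for qop=auth. username and realm are hashed
    together with the password, so both sides must use exactly the same pair."""
    ha1 = _ha1(username, realm, password, nonce, cnonce)
    ha2 = _md5hex(f"AUTHENTICATE:{digest_uri}".encode("utf-8"))
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8"))


def digest_md5_rspauth(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """Server's final 'rspauth' (same formula, A2 without the AUTHENTICATE
    prefix). A client that checks it gets mutual authentication."""
    ha1 = _ha1(username, realm, password, nonce, cnonce)
    ha2 = _md5hex(f":{digest_uri}".encode("utf-8"))
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8"))


def parse_digest_fields(msg: str) -> dict:
    """Parse 'k=v,k="v",...' (enough for the fields used here)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'([\w-]+)=(?:"([^"]*)"|([^,]*))', msg)}


def client_response_message(username, realm, password, nonce, cnonce, digest_uri,
                            hashed_username=None, hashed_realm=None):
    """Build the client message. hashed_username/hashed_realm model a client
    that hashes one username/realm pair but puts a different one on the wire
    (a constructed failure mode, not a claim about any particular client)."""
    resp = digest_md5_response(
        hashed_username if hashed_username is not None else username,
        hashed_realm if hashed_realm is not None else realm,
        password, nonce, cnonce, "00000001", "auth", digest_uri)
    return (f'charset=utf-8,username="{username}",realm="{realm}",nonce="{nonce}",'
            f'nc=00000001,cnonce="{cnonce}",digest-uri="{digest_uri}",'
            f'response={resp},qop=auth')


def server_verify(client_msg, lookup_cleartext):
    """Server side: fetch the account's cleartext password (DIGEST-MD5 cannot
    work from a salted hash), rebuild the response from the username and
    realm the client sent, and compare in constant time."""
    f = parse_digest_fields(client_msg)
    password = lookup_cleartext(f.get("username", ""))
    if password is None:
        return False
    expected = digest_md5_response(f["username"], f.get("realm", ""), password,
                                   f["nonce"], f["cnonce"], f["nc"], f["qop"], f["digest-uri"])
    return hmac.compare_digest(expected, f["response"])


def rfc2831_vector():
    """Test vector from RFC 2831 section 4 (user chris, password secret)."""
    args = ("chris", "elwood.innosoft.com", "secret", "OA6MG9tEQGm2hh",
            "OA6MHXh6VqTrRk", "00000001", "auth", "imap/elwood.innosoft.com")
    return digest_md5_response(*args), digest_md5_rspauth(*args)


# Constructed account table: DIGEST-MD5 forces the server to hold cleartext.
PASSWORDS = {"becki@beckspaced.com": "xxxx"}


def run_scenarios(nonce="n0nce", cnonce="cn0nce", uri="imap/mail.beckspaced.com"):
    user, pw = "becki@beckspaced.com", PASSWORDS["becki@beckspaced.com"]
    msgs = {
        # Server advertised no realm (auth_realms empty); client sends realm="".
        "no realm, consistent": client_response_message(user, "", pw, nonce, cnonce, uri),
        # Client picked the server hostname as realm on its own and hashed with it:
        # this is the 'user@mail.beckspaced.com' shape, and it still verifies.
        "hostname realm, consistent": client_response_message(user, "mail.beckspaced.com", pw, nonce, cnonce, uri),
        # Client hashed only the local part but sent the full address: mismatch.
        "username differs from hashed": client_response_message(user, "", pw, nonce, cnonce, uri, hashed_username="becki"),
        # Client hashed with a realm it did not send: mismatch.
        "realm differs from hashed": client_response_message(user, "", pw, nonce, cnonce, uri, hashed_realm="imap.beckspaced.com"),
    }
    return {name: server_verify(m, PASSWORDS.get) for name, m in msgs.items()}


if __name__ == "__main__":
    print("RFC 2831 vector:", rfc2831_vector())
    for name, ok in run_scenarios().items():
        print(f"{name:32s} {'OK' if ok else 'password mismatch'}")
```

The two "consistent" cases show that a realm the client chooses by itself is not a problem as long as it hashes the same strings it sends; the server recomputes from the sent fields. A mismatch only appears when the hashed pair and the transmitted pair differ, and the server sees nothing but a wrong final hash. Setting auth_realms only changes what the server advertises in its challenge for well-behaved clients to echo back; it does not repair a client that hashes the wrong string.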
Re: Need help in understanding auth digest-md5 and realm

Aki Tuomi-2

> On October 27, 2017 at 6:00 PM Admin Beckspaced <[hidden email]> wrote:
>
> ...

We actually discovered that Android has a bug with DIGEST-MD5, which Google refuses to fix. Also DIGEST-MD5/CRAM-MD5 etc. are not really a good idea with SSL anyway.

Aki
Re: Need help in understanding auth digest-md5 and realm

Admin Beckspaced


On 27.10.2017 20:35, Aki Tuomi wrote:

>> On October 27, 2017 at 6:00 PM Admin Beckspaced <[hidden email]> wrote:
>>
>>
>> Hello dovecot community,
>> ...
>>
>> If someone could shed some light on this I would be more than grateful ;)
>>
>> Thanks & greetings
>> Becki
> We actually discovered that Android has a bug with DIGEST-MD5, which Google refuses to fix. Also DIGEST-MD5/CRAM-MD5 etc. are not really a good idea with SSL anyway.
>
> Aki
>
>
Hello Aki,
Thanks for your reply ... so if there's a bug which Google won't fix,
it's perhaps best not to offer digest-md5?
What do you mean by it not being a good idea to use DIGEST-MD5/CRAM-MD5 with
SSL?

Thanks & Greetings
Becki
Re: Need help in understanding auth digest-md5 and realm

Jerry-146
On Fri, 27 Oct 2017 21:35:16 +0300 (EEST), Aki Tuomi stated:

>We actually discovered that Android has a bug with DIGEST-MD5, which Google
>refuses to fix. Also DIGEST-MD5/CRAM-MD5 etc. are not really a good idea with
>SSL anyway

Could you actually describe what that bug is? I actually know someone at
Google and they might be able to get it investigated and perhaps corrected.
The more info you could supply, the better.

Thanks :)

--
Jerry
Re: Need help in understanding auth digest-md5 and realm

Aki Tuomi-2

> On October 28, 2017 at 11:37 AM Jerry <[hidden email]> wrote:
>
> ...

The issue is https://issuetracker.google.com/issues/36996387, and exactly what happens is a bit unknown. From our point of view, Android sends all other values correctly except the final hash when using digest-md5.

Aki
Re: Need help in understanding auth digest-md5 and realm

Alex JOST
On 28.10.2017 at 08:30, Admin Beckspaced wrote:

>
>
> On 27.10.2017 20:35, Aki Tuomi wrote:
>>> On October 27, 2017 at 6:00 PM Admin Beckspaced
>>> <[hidden email]> wrote:
>>>
>>>
>>> Hello dovecot community,
>>> ...
>>>
>>> If someone could shed some light on this I would be more than
>>> grateful ;)
>>>
>>> Thanks & greetings
>>> Becki
>> We actually discovered that Android has a bug with DIGEST-MD5, which
>> Google refuses to fix. Also DIGEST-MD5/CRAM-MD5 etc. are not really
>> a good idea with SSL anyway.
>>
>> Aki
>>
>>
> Hello Aki,
> thanks for your reply ... so if there's a bug which Google won't fix
> it's perhaps best to not offer digest-md5?
> what do you mean by it's not a good idea to use DIGEST-MD5/CRAM-MD5 with
> SSL?

Those methods encrypt the password itself which was a good thing back in
the days when most connections were unencrypted. The disadvantage is
that they require the password to be saved in cleartext.

If you can enforce an encrypted connection it is better to use
PLAIN/LOGIN and save the passwords as hashes (preferably with salts).

--
Alex JOST
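Alex's point in code, as an added example (not from this thread and not Dovecot's code): PLAIN over an encrypted connection, verified against a salted and stretched hash, with the server refusing PLAIN when TLS is off. The `{PBKDF2}$1$salt$rounds$hex` entry layout is what I recall Dovecot's PBKDF2 scheme using (PBKDF2-HMAC-SHA1, 20-byte key); treat that layout as an assumption and confirm it against `doveadm pw -s PBKDF2` output before copying it. The user table, the salt and the sample SASL message are constructed.

```python
import base64
import hashlib
import hmac
import os

# Assumed entry layout for Dovecot's PBKDF2 scheme: {PBKDF2}$1$<salt>$<rounds>$<hex>,
# PBKDF2-HMAC-SHA1, 20-byte output. Check against `doveadm pw -s PBKDF2 -p ...`.
PBKDF2_ROUNDS = 100_000


def make_pbkdf2_entry(password: str, rounds: int = PBKDF2_ROUNDS, salt: str = "") -> str:
    """Produce a salted, stretched entry. Nothing in it can be turned back into
    the password, so a leaked user table does not hand out mailbox logins."""
    salt = salt or base64.b64encode(os.urandom(12)).decode("ascii")
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt.encode("ascii"), rounds, 20)
    return f"{{PBKDF2}}$1${salt}${rounds}${key.hex()}"


def verify_pbkdf2_entry(entry: str, password: str) -> bool:
    """Recompute the key from the stored salt and rounds and compare in constant time."""
    try:
        scheme, version, salt, rounds, key_hex = entry.split("$", 4)
        if scheme != "{PBKDF2}" or version != "1":
            return False
        rounds = int(rounds)
    except ValueError:
        return False
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt.encode("ascii"),
                              rounds, len(key_hex) // 2)
    return hmac.compare_digest(key.hex(), key_hex)


def encode_sasl_plain(authzid: str, authcid: str, password: str) -> str:
    """SASL PLAIN (RFC 4616): base64(authzid NUL authcid NUL password)."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode("utf-8")).decode("ascii")


def decode_sasl_plain(b64: str):
    parts = base64.b64decode(b64).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message")
    return tuple(p.decode("utf-8") for p in parts)


def authenticate_plain(b64_msg: str, tls_active: bool, lookup_entry) -> bool:
    """Server side. Refusing PLAIN on an unencrypted connection is the effect of
    disable_plaintext_auth = yes (with ssl = required) in Dovecot; the check
    itself needs only the salted hash, never the cleartext password."""
    if not tls_active:
        return False
    try:
        _authzid, user, password = decode_sasl_plain(b64_msg)
    except ValueError:
        return False
    entry = lookup_entry(user)
    if entry is None:
        # Spend the same work as a real check so unknown users are not faster.
        hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), b"nouser", PBKDF2_ROUNDS, 20)
        return False
    return verify_pbkdf2_entry(entry, password)


# Constructed user table with a fixed salt so the entry is reproducible.
USERS = {"becki@beckspaced.com": make_pbkdf2_entry("correct horse", salt="c29tZXNhbHQ")}
SAMPLE_MSG = encode_sasl_plain("", "becki@beckspaced.com", "correct horse")

if __name__ == "__main__":
    print(USERS["becki@beckspaced.com"])
    print("over TLS: ", authenticate_plain(SAMPLE_MSG, True, USERS.get))
    print("no TLS:   ", authenticate_plain(SAMPLE_MSG, False, USERS.get))
    print("wrong pw: ", authenticate_plain(encode_sasl_plain("", "becki@beckspaced.com", "guess"), True, USERS.get))
```

The contrast with DIGEST-MD5 and CRAM-MD5 is in the user table: a challenge-response mechanism needs the password itself, or a password-equivalent intermediate, on the server to rebuild the client's hash, and this entry contains neither. Once every client is forced onto TLS, the channel does the work those mechanisms were invented for and the table can hold only salted hashes.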
Re: Need help in understanding auth digest-md5 and realm

Admin Beckspaced

On 28.10.2017 12:24, Alex JOST wrote:

> On 28.10.2017 at 08:30, Admin Beckspaced wrote:
>>
>>
>> On 27.10.2017 20:35, Aki Tuomi wrote:
>>>> On October 27, 2017 at 6:00 PM Admin Beckspaced
>>>> <[hidden email]> wrote:
>>>>
>>>>
>>>> Hello dovecot community,
>>>> ...
>>>>
>>>> If someone could shed some light on this I would be more than
>>>> grateful ;)
>>>>
>>>> Thanks & greetings
>>>> Becki
>>> We actually discovered that Android has a bug with DIGEST-MD5, which
>>> Google refuses to fix. Also DIGEST-MD5/CRAM-MD5 etc. are not really
>>> a good idea with SSL anyway.
>>>
>>> Aki
>>>
>>>
>> Hello Aki,
>> thanks for your reply ... so if there's a bug which Google won't fix
>> it's perhaps best to not offer digest-md5?
>> what do you mean by it's not a good idea to use DIGEST-MD5/CRAM-MD5
>> with SSL?
>
> Those methods encrypt the password itself which was a good thing back
> in the days when most connections were unencrypted. The disadvantage
> is that they require the password to be saved in cleartext.
>
> If you can enforce an encrypted connection it is better to use
> PLAIN/LOGIN and save the passwords as hashes (preferably with salts).
>
Thanks for your explanation ;)