HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)

- HOWTO-Related Questions (http://www.howtoforge.com/forums/forumdisplay.php?f=2)

- - Courier and encrypted passwords (http://www.howtoforge.com/forums/showthread.php?t=53596)

Courier and encrypted passwords

My mail server is built largely using "how to" information here, and it is providing POP3 mail serving via Courier. User data is in MySQL and I'm using ViMbAdmin to manage the MySQL data. This works fine for plain text passwords.

But if I change the passwords to being encrypted (ViMbAdmin uses MD5) then the password is rejected. With diagnostics turned up, there is a message in the log, which simply quotes the plain text password submitted by the mail client, and says it does not match the encrypted password (which it quotes) extracted from the database.

The Courier configuration file giving the MySQL information is being modified to contain a reference to encrypted passwords at the same time as the field in the database was changed to encrypted.

Is the wrong encryption being used? Or does Courier need some further configuration?

Can you post your /etc/postfix/main.cf and your Courier configuration?

Code:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version





# Debian specific:  Specifying a file name will cause the first

# line of that file to be used as the name.  The Debian default

# is /etc/mailname.

#myorigin = /etc/mailname



smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

biff = no



# appending .domain is the MUA's job.

append_dot_mydomain = no



# Uncomment the next line to generate "delayed mail" warnings

#delay_warning_time = 4h



readme_directory = no



# TLS parameters

smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt

smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key

smtpd_use_tls = yes

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtp_tls_loglevel = 2



# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for

# information on enabling SSL in the smtp client.



myhostname = mail.webhosting-ace.net

alias_maps = hash:/etc/aliases

alias_database = hash:/etc/aliases

myorigin = /etc/mailname

mydestination = localhost.webhosting-ace.net, localhost

relayhost = 

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

maildrop_destination_recipient_limit = 1

virtual_mailbox_base = /var/vmail

virtual_uid_maps = static:1003

virtual_gid_maps = static:1003

virtual_mailbox_domains = mysql:/etc/postfix/virtual_domains.cf

virtual_mailbox_maps = mysql:/etc/postfix/virtual_mailboxes.cf

virtual_alias_maps = mysql:/etc/postfix/virtual_forwardings.cf

mailbox_command = 

mailbox_size_limit = 0

recipient_delimiter = +

inet_interfaces = all

inet_protocols = all

smtpd_sasl_local_domain = 

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

broken_sasl_auth_clients = yes

smtpd_sasl_authenticated_header = yes

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

smtpd_tls_auth_only = no

smtp_use_tls = yes

smtp_tls_note_starttls_offer = yes

smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

home_mailbox = Maildir/

Wasn't sure which file you meant by "Courier config". The pop3d.cnf file is:

Code:

RANDFILE = /usr/lib/courier/pop3d.rand



[ req ]

default_bits = 1024

encrypt_key = yes

distinguished_name = req_dn

x509_extensions = cert_type

prompt = no



[ req_dn ]

C=US

ST=NY

L=New York

O=Courier Mail Server

OU=Automatically-generated POP3 SSL key

CN=webhosting-ace.net

emailAddress=postmaster@example.com





[ cert_type ]

nsCertType = server

And the authmysqlrc file is:

Code:

MYSQL_SERVER           127.0.0.1

MYSQL_USERNAME         vimbadmin

MYSQL_PASSWORD         ??????????

MYSQL_SOCKET           /var/run/mysqld/mysqld.sock

MYSQL_OPT              0

MYSQL_DATABASE         vimbadmin

MYSQL_USER_TABLE       mailbox

MYSQL_CLEAR_PWFIELD    password

# if you use cleartext passwords - or -

# MYSQL_CRYPT_PWFIELD  password   

# if you use encrypted passwords

MYSQL_UID_FIELD        '1003'

MYSQL_GID_FIELD        '1003'

MYSQL_LOGIN_FIELD      username

MYSQL_HOME_FIELD       '/var/vmail/' as home

MYSQL_NAME_FIELD       name

MYSQL_MAILDIR_FIELD    maildir

MYSQL_QUOTA_FIELD      concat(quota,'S')

MYSQL_WHERE_CLAUSE     active=1

Try to comment out the:

MYSQL_CLEAR_PWFIELD password

line and remove the # in front of the line:

MYSQL_CRYPT_PWFIELD password

then restart courier authdaemon.

Thanks for your suggestion.

I understand that is required to use encrypted passwords. But that is exactly what I did do, at the same time as changing the database table to make the passwords encrypted.

The result was that connection attempts were refused, with the mail log showing an error message quoting the plain text password submitted through the mail client, and showing the encrypted password from the database, along with text telling me that they did not match.

So what I'm trying to find out is whether Courier is expecting the same encryption as used by ViMbAdmin (i.e. MD5) or whether there is a need to specify the encryption used to Courier, or what.

The default encryption on Linux system is "crypt" and as far as I know, courier expects that passwords are encrypted with crypt. For example ISPConfig is storing the passwords in crypt format in the mysql database and that works fine with courier.

Thanks. The code in ViMbAdmin only supports MD5:

PHP Code:


		
			
    public function hashPassword( $scheme, $password )

    {

        switch( $scheme )

        {

            case 'md5':

                $this['password'] = md5( $password );

                break;



            case 'plain':

                $this['password'] = $password;

                break;



            default:

                die( 'Invalid password hash scheme in models/Mailbox.php hashPassword()' );

        }



        return $this['password'];

    }

I can easily modify it, except that the PHP crypt function has a great many variations, and I'm not clear how it should be called to get the desired result. (See http://php.net/crypt).

Code example to create a encrypted password:

Code:

$salt="$1$";

$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

for ($n=0;$n<8;$n++) {

        $salt.=$base64_alphabet[mt_rand(0,63)];

}

$salt.="$";

$encrypted_password = crypt($unencrypted_password,$salt);

Thanks.

I understand the code ok, but not how Courier would be able to use the password. Courier receives the password as plain text, and unless I've missed something, the only thing that is stored in the database table is the encrypted password. If the encryption is done using a random salt, I don't see how Courier would be able to process the plain text password in order to do a comparison with the encrypted password, since Courier does not know the salt.

Courier knows the salt, as the salt is the first part of the encrypted password string.