Courier and encrypted passwords

[counterpoint]

My mail server is built largely using "how to" information here, and it is providing POP3 mail serving via Courier. User data is in MySQL and I'm using ViMbAdmin to manage the MySQL data. This works fine for plain text passwords.

But if I change the passwords to being encrypted (ViMbAdmin uses MD5) then the password is rejected. With diagnostics turned up, there is a message in the log, which simply quotes the plain text password submitted by the mail client, and says it does not match the encrypted password (which it quotes) extracted from the database.

The Courier configuration file giving the MySQL information is being modified to contain a reference to encrypted passwords at the same time as the field in the database was changed to encrypted.

Is the wrong encryption being used? Or does Courier need some further configuration?

[falko]

Can you post your /etc/postfix/main.cf and your Courier configuration?

[counterpoint]

Code:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_loglevel = 2

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mail.webhosting-ace.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.webhosting-ace.net, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
maildrop_destination_recipient_limit = 1
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:1003
virtual_gid_maps = static:1003
virtual_mailbox_domains = mysql:/etc/postfix/virtual_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/virtual_mailboxes.cf
virtual_alias_maps = mysql:/etc/postfix/virtual_forwardings.cf
mailbox_command = 
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain = 
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
home_mailbox = Maildir/

Wasn't sure which file you meant by "Courier config". The pop3d.cnf file is:

Code:

RANDFILE = /usr/lib/courier/pop3d.rand

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=US
ST=NY
L=New York
O=Courier Mail Server
OU=Automatically-generated POP3 SSL key
CN=webhosting-ace.net
emailAddress=postmaster@example.com


[ cert_type ]
nsCertType = server

And the authmysqlrc file is:

Code:

MYSQL_SERVER           127.0.0.1
MYSQL_USERNAME         vimbadmin
MYSQL_PASSWORD         ??????????
MYSQL_SOCKET           /var/run/mysqld/mysqld.sock
MYSQL_OPT              0
MYSQL_DATABASE         vimbadmin
MYSQL_USER_TABLE       mailbox
MYSQL_CLEAR_PWFIELD    password
# if you use cleartext passwords - or -
# MYSQL_CRYPT_PWFIELD  password   
# if you use encrypted passwords
MYSQL_UID_FIELD        '1003'
MYSQL_GID_FIELD        '1003'
MYSQL_LOGIN_FIELD      username
MYSQL_HOME_FIELD       '/var/vmail/' as home
MYSQL_NAME_FIELD       name
MYSQL_MAILDIR_FIELD    maildir
MYSQL_QUOTA_FIELD      concat(quota,'S')
MYSQL_WHERE_CLAUSE     active=1

[till]

Try to comment out the:

MYSQL_CLEAR_PWFIELD password

line and remove the # in front of the line:

MYSQL_CRYPT_PWFIELD password

then restart courier authdaemon.

[counterpoint]

Thanks for your suggestion.

I understand that is required to use encrypted passwords. But that is exactly what I did do, at the same time as changing the database table to make the passwords encrypted.

The result was that connection attempts were refused, with the mail log showing an error message quoting the plain text password submitted through the mail client, and showing the encrypted password from the database, along with text telling me that they did not match.

So what I'm trying to find out is whether Courier is expecting the same encryption as used by ViMbAdmin (i.e. MD5) or whether there is a need to specify the encryption used to Courier, or what.

[till]

The default encryption on Linux system is "crypt" and as far as I know, courier expects that passwords are encrypted with crypt. For example ISPConfig is storing the passwords in crypt format in the mysql database and that works fine with courier.

[counterpoint]

Thanks. The code in ViMbAdmin only supports MD5:

PHP Code:

    public function hashPassword( $scheme, $password )
    {
        switch( $scheme )
        {
            case 'md5':
                $this['password'] = md5( $password );
                break;

            case 'plain':
                $this['password'] = $password;
                break;

            default:
                die( 'Invalid password hash scheme in models/Mailbox.php hashPassword()' );
        }

        return $this['password'];
    } 


I can easily modify it, except that the PHP crypt function has a great many variations, and I'm not clear how it should be called to get the desired result. (See http://php.net/crypt).

[till]

Code example to create a encrypted password:

Code:

$salt="$1$";
$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
for ($n=0;$n<8;$n++) {
	$salt.=$base64_alphabet[mt_rand(0,63)];
}
$salt.="$";
$encrypted_password = crypt($unencrypted_password,$salt);

[counterpoint]

Thanks.

I understand the code ok, but not how Courier would be able to use the password. Courier receives the password as plain text, and unless I've missed something, the only thing that is stored in the database table is the encrypted password. If the encryption is done using a random salt, I don't see how Courier would be able to process the plain text password in order to do a comparison with the encrypted password, since Courier does not know the salt.

[till]

Courier knows the salt, as the salt is the first part of the encrypted password string.