Courier and encrypted passwords

Discussion in 'HOWTO-Related Questions' started by counterpoint, Jul 31, 2011.

  1. counterpoint

    counterpoint New Member

    My mail server is built largely using "how to" information here, and it is providing POP3 mail serving via Courier. User data is in MySQL and I'm using ViMbAdmin to manage the MySQL data. This works fine for plain text passwords.

    But if I change the passwords to being encrypted (ViMbAdmin uses MD5) then the password is rejected. With diagnostics turned up, there is a message in the log, which simply quotes the plain text password submitted by the mail client, and says it does not match the encrypted password (which it quotes) extracted from the database.

    The Courier configuration file giving the MySQL information is being modified to contain a reference to encrypted passwords at the same time as the field in the database was changed to encrypted.

    Is the wrong encryption being used? Or does Courier need some further configuration?
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Can you post your /etc/postfix/main.cf and your Courier configuration?
     
  3. counterpoint

    counterpoint New Member

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = no
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_tls_loglevel = 2
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = mail.webhosting-ace.net
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = localhost.webhosting-ace.net, localhost
    relayhost = 
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    maildrop_destination_recipient_limit = 1
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:1003
    virtual_gid_maps = static:1003
    virtual_mailbox_domains = mysql:/etc/postfix/virtual_domains.cf
    virtual_mailbox_maps = mysql:/etc/postfix/virtual_mailboxes.cf
    virtual_alias_maps = mysql:/etc/postfix/virtual_forwardings.cf
    mailbox_command = 
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    smtpd_sasl_local_domain = 
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    home_mailbox = Maildir/
    
    Wasn't sure which file you meant by "Courier config". The pop3d.cnf file is:

    Code:
    RANDFILE = /usr/lib/courier/pop3d.rand
    
    [ req ]
    default_bits = 1024
    encrypt_key = yes
    distinguished_name = req_dn
    x509_extensions = cert_type
    prompt = no
    
    [ req_dn ]
    C=US
    ST=NY
    L=New York
    O=Courier Mail Server
    OU=Automatically-generated POP3 SSL key
    CN=webhosting-ace.net
    emailAddress=[email protected]
    
    
    [ cert_type ]
    nsCertType = server
    
    And the authmysqlrc file is:

    Code:
    MYSQL_SERVER           127.0.0.1
    MYSQL_USERNAME         vimbadmin
    MYSQL_PASSWORD         ??????????
    MYSQL_SOCKET           /var/run/mysqld/mysqld.sock
    MYSQL_OPT              0
    MYSQL_DATABASE         vimbadmin
    MYSQL_USER_TABLE       mailbox
    MYSQL_CLEAR_PWFIELD    password
    # if you use cleartext passwords - or -
    # MYSQL_CRYPT_PWFIELD  password   
    # if you use encrypted passwords
    MYSQL_UID_FIELD        '1003'
    MYSQL_GID_FIELD        '1003'
    MYSQL_LOGIN_FIELD      username
    MYSQL_HOME_FIELD       '/var/vmail/' as home
    MYSQL_NAME_FIELD       name
    MYSQL_MAILDIR_FIELD    maildir
    MYSQL_QUOTA_FIELD      concat(quota,'S')
    MYSQL_WHERE_CLAUSE     active=1
    
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to comment out the:

    MYSQL_CLEAR_PWFIELD password

    line and remove the # in front of the line:

    MYSQL_CRYPT_PWFIELD password

    then restart courier authdaemon.
     
  5. counterpoint

    counterpoint New Member

    Thanks for your suggestion.

    I understand that is required to use encrypted passwords. But that is exactly what I did do, at the same time as changing the database table to make the passwords encrypted.

    The result was that connection attempts were refused, with the mail log showing an error message quoting the plain text password submitted through the mail client, and showing the encrypted password from the database, along with text telling me that they did not match.

    So what I'm trying to find out is whether Courier is expecting the same encryption as used by ViMbAdmin (i.e. MD5) or whether there is a need to specify the encryption used to Courier, or what.
     
    Last edited: Aug 1, 2011
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The default encryption on Linux system is "crypt" and as far as I know, courier expects that passwords are encrypted with crypt. For example ISPConfig is storing the passwords in crypt format in the mysql database and that works fine with courier.
     
  7. counterpoint

    counterpoint New Member

    Thanks. The code in ViMbAdmin only supports MD5:

    PHP:
        public function hashPassword$scheme$password )
        {
            switch( 
    $scheme )
            {
                case 
    'md5':
                    
    $this['password'] = md5$password );
                    break;

                case 
    'plain':
                    
    $this['password'] = $password;
                    break;

                default:
                    die( 
    'Invalid password hash scheme in models/Mailbox.php hashPassword()' );
            }

            return 
    $this['password'];
        }
    I can easily modify it, except that the PHP crypt function has a great many variations, and I'm not clear how it should be called to get the desired result. (See http://php.net/crypt).
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Code example to create a encrypted password:

    Code:
    $salt="$1$";
    $base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
    for ($n=0;$n<8;$n++) {
    	$salt.=$base64_alphabet[mt_rand(0,63)];
    }
    $salt.="$";
    $encrypted_password = crypt($unencrypted_password,$salt);
     
  9. counterpoint

    counterpoint New Member

    Thanks.

    I understand the code ok, but not how Courier would be able to use the password. Courier receives the password as plain text, and unless I've missed something, the only thing that is stored in the database table is the encrypted password. If the encryption is done using a random salt, I don't see how Courier would be able to process the plain text password in order to do a comparison with the encrypted password, since Courier does not know the salt.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Courier knows the salt, as the salt is the first part of the encrypted password string.
     
  11. counterpoint

    counterpoint New Member

Share This Page