1 (edited by simonlange 2014-02-17 09:37:58)

Topic: plain encryption_type for users

Hi,

Im using dbmailadmin latest version and i went in some trouble with dbmailadmin's way it does store user passwords into dbmail_users.

What i need is encryption_type "" (which means plain passwords)
what i get is encryption_type "md5"

The problem with md5 is that it cant be used for postfix/mysql/auth mechanism.

So now im lookin for a way (a setting?) within dbmailadmin which tells dbmailadmin to use a specific encryption_type (or plain) and not only md5 by default.

anyone?

Simon

2

Re: plain encryption_type for users

SOLVED (myself):

The Solution:

File: libs/dbmail_mysql/user.py
Diff:
226,229c226,227
<                 if settings.SQL_DEFAULT_PASSWD_SCHEME == 'PLAIN':
<                     columns['encryption_type'] = ''
<                 else:
<                     columns['encryption_type'] = settings.SQL_DEFAULT_PASSWD_SCHEME.lower()
---
>                 columns['encryption_type'] = settings.SQL_DEFAULT_PASSWD_SCHEME.lower()
>

File: libs/settings.py
Diff:
112c112
< SQL_DEFAULT_PASSWD_SCHEME = 'PLAIN'
---
> SQL_DEFAULT_PASSWD_SCHEME = 'MD5'


And how it works:
libs/settings.py and its setting SQL_DEFAULT_PASSWD_SCHEME does set the encryption of dbmailadmin which is used for setting passwords for created users.

However, dbmailadmin has a lil bug because dbmail3.x does not know encryption_type "plain" anymore. if you want plain password that field in sql table dbmail_users MUST be "".

thats why i had to fix the directive in libs/dbmail_mysql/user.py
The problam was that dbmailadmin wrote into encryption_type "plain" because it did simply use the SQL_DEFAULT_PASSWD_SCHEME-value without recognizing that dbmail3 has changed its behavour to dbmail2.



Why this was so important:
If you use sasl authentication for postfix with dbmail via mysql the stored password in dbmail_users MUST be plaintext!!! otherwise authentication via smtp WONT work.


Anyhow, problem solved.

Suggestion:
please fix this in the community version and maybe put in into the documentation or better create a setting into settings.ini so ppl with less skills dont run into frustration by trying to solve that issue. wink

best regards

Simon

3

Re: plain encryption_type for users

simonlange wrote:

The problem with md5 is that it cant be used for postfix/mysql/auth mechanism.

Which SASL type do you use in Postfix for authentication?
MD5 is the normal one, should be supported by most SASL authentication server.

4

Re: plain encryption_type for users

You are right if u use sasl authentication daemon.
BUT
If u use DBMail and Postfix it just makes no real sense to make things complicated by using a poor documentated sasldaemon especialy if you want to use it in combination with dbmail3 and dbmailadmin and you dont need sasls usually. the comon dbmail-way is to use a sql statement (see exim, see postfix, ...) for smtp-authentication. the problem with postfix that itself want to compare the stored password with the one told by the client, but cant if the stored one is a crypted password.

however, the bug in dbmailadmin has been fixed, and proper authentication for smtp works now like a charme... again. smile
and thats just without any sasl daemon running - as it should be. big_smile only by comparing directly to db stored pwds.

btw: if u find a way to force postfix (without any external daemons) to hash transmitted pwd for comparing them to encrypted passwords, i may give it a try. for now, there is no way postfix could do that (without a seperate sasl daemon).

regards

Simon

5

Re: plain encryption_type for users

Cyrus-SASL does support MD5.
As our wiki tutorial shows, did you install package 'cyrus-sasl-md5'? Maybe other package name on different Linux/BSD distribution.

6

Re: plain encryption_type for users

maybe. but, im not using cyrus and why should i? wink that package btw does no even exist on ubuntu. wink
however, im using strictly dbmail and postfix. avoiding unneccessary daemons is a must.

what wiki u talkin about? link? i have not seen one tutorial in the wild which describes how to use md5 encrypted password in dbmail with postfix without external processing (e.g. sasl daemon). well, gimme that link please and i gonna look into it. although i got to admit that i dont expect much, since i would be pretty wondering if it has something i havent read yet. wink but how knows. big_smile

anyhow. working now. dbmailadmin's bug has been fixed. there is still a minor bug in the dashboard (messages 0) but that one has to wait. first i have to complete the mta. big_smile

best regards

Simon

7

Re: plain encryption_type for users

I'm afraid that you did it wrong.

*) First of all, plain password is dangerous.
*) I don't know how your mail server was setup, but it's unbelievable a mail server doesn't support password hashes like MD5.
*) The wiki tutorial i mentioned is the one i wrote for iRedMail users, used to integrate DBMail after you got a working iRedMail server:
http://www.iredmail.org/wiki/index.php? … QL.backend

Currently, only MySQL backend is available. it uses Cyrus-SASL as SASL authentication server, and it supports MD5 hashes.

8 (edited by simonlange 2014-02-17 23:04:48)

Re: plain encryption_type for users

ZhangHuangbin wrote:

I'm afraid that you did it wrong.

Im afraid u got no clue what u talking about. Dont take found bugs in ur software so personally. wink

ZhangHuangbin wrote:

*) First of all, plain password is dangerous.

"can be dangerous" - right. On the other hand. if the databases is compromised, the password is the smallest problem, since an attacker would have direct access to the mails itself. big_smile
the communication between server n client is not compromised.

ZhangHuangbin wrote:

*) I don't know how your mail server was setup, but it's unbelievable a mail server doesn't support password hashes like MD5.

Just read. i wrote it. Btw: MD5 ist pretty weak, so i wouldnt act like saying its the ultimate protection. a simple bruteforce against md5 ist pretty promising attempt to get the plain password back. yes, even salted ones.
anyhow, since this is ONLY affecting the stored password IN the users table of the database and NOT the communication between server n client this is not a problem so far.

ZhangHuangbin wrote:

*) The wiki tutorial i mentioned is the one i wrote for iRedMail users, used to integrate DBMail after you got a working iRedMail server:
http://www.iredmail.org/wiki/index.php? … QL.backend

Im not using a "iRedMail server". As written before im using ur "dbmailadmin" together with dbmail/postfix. Thats why ur wiki page is pretty pointless. Sorry. wink (btw: as forseen: i already knew that article and it has NOTHING usefull for dbmail/postfix/auth setup)

ZhangHuangbin wrote:

Currently, only MySQL backend is available. it uses Cyrus-SASL as SASL authentication server, and it supports MD5 hashes.

Well as said im not using iRedmailServer, AND as said im not interested in setting a dedicated authentication server up. If i want such i would use IPA which includes kerberos and ldap and would serve far more than ONE authentication attempt for smtp-auth. wink
Anyhow, its not wanted. The solution must work with dbmail/mysql/postfix ALONE. and it does.

Again: Fix the bug i mentioned (i did already provide a fix) and please consider adding a working setting-value in settings.ini allowing to choose which encryption type to use for dbmail users in the backend. btw: a feature which is provided by the really old dbmailadministrator for more than a decade now. just think about it.
i really like your piece of software so far and its a good start. that i did install apache2 ONLY for ur dbmailadmin proves that i like ur softwate so far. wink i hope it does develop. maybe some time to a language which is not bound to apache in the first place. wink

For me the thread is closed. im gonne unsubscribe it for now.

bb