Courier and encrypted passwords

Discussion in 'HOWTO-Related Questions' started by counterpoint, Jul 31, 2011.

  1. counterpoint

    counterpoint New Member

    My mail server is built largely using "how to" information here, and it is providing POP3 mail serving via Courier. User data is in MySQL and I'm using ViMbAdmin to manage the MySQL data. This works fine for plain text passwords.

    But if I change the passwords to being encrypted (ViMbAdmin uses MD5) then the password is rejected. With diagnostics turned up, there is a message in the log, which simply quotes the plain text password submitted by the mail client, and says it does not match the encrypted password (which it quotes) extracted from the database.

    The Courier configuration file giving the MySQL information was modified to contain a reference to encrypted passwords at the same time as the field in the database was changed to encrypted.

    Is the wrong encryption being used? Or does Courier need some further configuration?
     
  2. falko

    falko Super Moderator Howtoforge Staff

    Can you post your /etc/postfix/main.cf and your Courier configuration?
     
  3. counterpoint

    counterpoint New Member

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = no
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_tls_loglevel = 2
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = mail.webhosting-ace.net
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = localhost.webhosting-ace.net, localhost
    relayhost = 
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    maildrop_destination_recipient_limit = 1
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:1003
    virtual_gid_maps = static:1003
    virtual_mailbox_domains = mysql:/etc/postfix/virtual_domains.cf
    virtual_mailbox_maps = mysql:/etc/postfix/virtual_mailboxes.cf
    virtual_alias_maps = mysql:/etc/postfix/virtual_forwardings.cf
    mailbox_command = 
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    smtpd_sasl_local_domain = 
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    home_mailbox = Maildir/
    
    Wasn't sure which file you meant by "Courier config". The pop3d.cnf file is:

    Code:
    RANDFILE = /usr/lib/courier/pop3d.rand
    
    [ req ]
    default_bits = 1024
    encrypt_key = yes
    distinguished_name = req_dn
    x509_extensions = cert_type
    prompt = no
    
    [ req_dn ]
    C=US
    ST=NY
    L=New York
    O=Courier Mail Server
    OU=Automatically-generated POP3 SSL key
    CN=webhosting-ace.net
    [email protected]
    
    
    [ cert_type ]
    nsCertType = server
    
    And the authmysqlrc file is:

    Code:
    MYSQL_SERVER           127.0.0.1
    MYSQL_USERNAME         vimbadmin
    MYSQL_PASSWORD         ??????????
    MYSQL_SOCKET           /var/run/mysqld/mysqld.sock
    MYSQL_OPT              0
    MYSQL_DATABASE         vimbadmin
    MYSQL_USER_TABLE       mailbox
    MYSQL_CLEAR_PWFIELD    password
    # if you use cleartext passwords - or -
    # MYSQL_CRYPT_PWFIELD  password   
    # if you use encrypted passwords
    MYSQL_UID_FIELD        '1003'
    MYSQL_GID_FIELD        '1003'
    MYSQL_LOGIN_FIELD      username
    MYSQL_HOME_FIELD       '/var/vmail/' as home
    MYSQL_NAME_FIELD       name
    MYSQL_MAILDIR_FIELD    maildir
    MYSQL_QUOTA_FIELD      concat(quota,'S')
    MYSQL_WHERE_CLAUSE     active=1
    
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to comment out the:

    MYSQL_CLEAR_PWFIELD password

    line and remove the # in front of the line:

    MYSQL_CRYPT_PWFIELD password

    then restart courier authdaemon.
     
  5. counterpoint

    counterpoint New Member

    Thanks for your suggestion.

    I understand that is required to use encrypted passwords. But that is exactly what I did do, at the same time as changing the database table to make the passwords encrypted.

    The result was that connection attempts were refused, with the mail log showing an error message quoting the plain text password submitted through the mail client, and showing the encrypted password from the database, along with text telling me that they did not match.

    So what I'm trying to find out is whether Courier is expecting the same encryption as used by ViMbAdmin (i.e. MD5) or whether there is a need to specify the encryption used to Courier, or what.
     
    Last edited: Aug 1, 2011
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The default encryption on Linux systems is "crypt" and, as far as I know, Courier expects that passwords are encrypted with crypt. For example, ISPConfig is storing the passwords in crypt format in the MySQL database and that works fine with Courier.
     
  7. counterpoint

    counterpoint New Member

    Thanks. The code in ViMbAdmin only supports MD5:

    PHP:
        public function hashPassword( $scheme, $password )
        {
            switch( $scheme )
            {
                case 'md5':
                    $this['password'] = md5( $password );
                    break;

                case 'plain':
                    $this['password'] = $password;
                    break;

                default:
                    die( 'Invalid password hash scheme in models/Mailbox.php hashPassword()' );
            }

            return $this['password'];
        }
    I can easily modify it, except that the PHP crypt function has a great many variations, and I'm not clear how it should be called to get the desired result. (See http://php.net/crypt).
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Code example to create an encrypted password:

    Code:
    $salt="$1$";
    $base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
    for ($n=0;$n<8;$n++) {
    	$salt.=$base64_alphabet[mt_rand(0,63)];
    }
    $salt.="$";
    $encrypted_password = crypt($unencrypted_password,$salt);
     
  9. counterpoint

    counterpoint New Member

    Thanks.

    I understand the code ok, but not how Courier would be able to use the password. Courier receives the password as plain text, and unless I've missed something, the only thing that is stored in the database table is the encrypted password. If the encryption is done using a random salt, I don't see how Courier would be able to process the plain text password in order to do a comparison with the encrypted password, since Courier does not know the salt.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Courier knows the salt, as the salt is the first part of the encrypted password string.
     
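    The following is an added example, not code from the thread, ViMbAdmin or Courier. It reimplements the MD5-crypt scheme (`$1$salt$hash`) that till's PHP snippet produces via `crypt()` so the whole round trip can be run offline: generating a salted hash for the `password` column (post 8) and then verifying a submitted plaintext the way authdaemon does once `MYSQL_CRYPT_PWFIELD` is in use, by reading the salt back out of the stored string (post 10). The function names, the sample password and the use of the `secrets` module for the salt are this example's own choices.

```python
"""Salted crypt(3)-style hashing as Courier's authmysql verifies it.

Constructed example (not ViMbAdmin or Courier code): a pure-Python
MD5-crypt ("$1$salt$hash"), so no system crypt library is needed.
"""
import hashlib
import secrets

# crypt(3)'s own 64-character alphabet (not the RFC base64 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """crypt(3)'s little-endian base64 variant, 6 bits per character."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return "$1$<salt>$<22 chars>" as the FreeBSD/glibc MD5-crypt does."""
    pw = password.encode()
    sl = salt[:8].encode()  # MD5-crypt uses at most 8 salt characters

    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:  # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    for i in range(1000):  # stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$1${sl.decode()}${encoded}"


def new_salt() -> str:
    """Eight salt characters, like the PHP loop in the thread but from a CSPRNG."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def hash_password(password: str) -> str:
    """The value to store in mailbox.password when using MYSQL_CRYPT_PWFIELD."""
    return md5_crypt(password, new_salt())


def split_crypt(stored: str):
    """Return (scheme, salt, hash) from a "$1$salt$hash" string."""
    _, scheme, salt, digest = stored.split("$", 3)
    return scheme, salt, digest


def verify_password(plaintext: str, stored: str) -> bool:
    """What authdaemon does: rehash the submitted plaintext with the salt
    read from the stored string, then compare in constant time."""
    scheme, salt, _ = split_crypt(stored)
    if scheme != "1":
        return False  # only MD5-crypt is implemented in this example
    return secrets.compare_digest(md5_crypt(plaintext, salt), stored)


if __name__ == "__main__":
    stored = hash_password("correct horse")  # constructed sample password
    print(stored)
    print(split_crypt(stored))
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
```

    The stored string carries its own salt, so the verifier never needs a separate salt column; that is the piece the thread was missing. Note that the thread's PHP draws the salt from `mt_rand`, which is not a cryptographic generator; this example uses `secrets` instead.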
  11. counterpoint

    counterpoint New Member
