German Umlauts in Mail-Passwords

Discussion in 'General' started by renky, Nov 10, 2015.

  1. renky

    renky New Member

    Hi

    I figured out that German umlauts seem not to work in mailbox passwords. Is this correct? A customer of mine told me that he couldn't log into his mail account with Thunderbird and with the Roundcube installation on our server. After several tests I found out that umlauts in passwords are the reason. If I use umlauts, ISPConfig (3.0.5.4p8) accepts it, saves it, but afterwards I cannot log into the mailbox...

    Maybe this has something to do with the backend... I'm using Dovecot (Debian Jessie), mbox mailbox format (but I think the mailbox format doesn't matter in this case).

    Best regards
    dm
     
  2. renky

    renky New Member

    Does nobody have experience with whether special characters and umlauts are allowed and working in mailbox passwords?
     
  3. matthias

    matthias New Member Moderator

    I remember having a similar problem once. I don't know why it happens, I can only assume the password hashed by ISPConfig is encoded in one character set, the password hashed by Postfix/Dovecot to check for a correct login is hashed in a different character set. Then, the umlauts are two different binary representations resulting in two different hashes and thus, the login fails.

    If in doubt, it's best to only use the chars the password generation function of ISPConfig offers, which would be upper- and lowercase letters, numbers and the special chars !, #, @ and _, all of which are part of the ASCII charset and have the same binary encoding in ANSI, Windows-1252, UTF-8 etc.
     
  4. renky

    renky New Member

    Hi

    I now found the reason through ubuntuusers-Forum (German):
    https://forum.ubuntuusers.de/topic/passwoerter-mit-umlauten-in-dovecot-erlauben/

    The problem is that clients send passwords as ISO-8859-1 and the passwords are hashed as UTF-8. The problem is: not all clients seem to send passwords as ISO - so both possibilities must be checked. The solution, as in this article, would be changing /etc/dovecot/dovecot-sql.conf and adding the following to the sql-password-query:
    password_query = SELECT NULL AS password, 'Y' as nopassword, username AS user FROM mailbox WHERE username = '%u' AND ( password = MD5('%w') OR password = MD5(CONVERT('%w' USING latin1)) OR password = MD5(CONVERT(_latin1'%w' USING utf8)))

    The question is: will that work? I tried, but I did not get a working dovecot-login (even without umlauts!!) - so maybe this "nopassword" setting does not work in every environment, or must be set up?!

    But in the end: wouldn't it be the right way to permit everything except ascii 1-127?? Even in ispconfig UI?

    best regards
    dm
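
Added example, not part of the thread and not ISPConfig or Dovecot code: a Python illustration of the mismatch described above, where one password gives different bytes (and so different hashes) in UTF-8 and ISO-8859-1, with a verifier that tries both conversions in the spirit of the query's alternatives. The password, salt, function names and the PBKDF2 stand-in hash are assumptions made for illustration.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed sample value, not from the thread


def hash_password(raw: bytes, salt: bytes = SALT) -> bytes:
    """Stand-in password hash (assumption): salted PBKDF2 over the raw bytes."""
    return hashlib.pbkdf2_hmac("sha256", raw, salt, 10_000)


def candidate_byte_forms(received: bytes) -> list:
    """Byte strings to test for a password exactly as the client sent it."""
    forms = [received]  # the bytes as sent, unchanged
    # Client sent ISO-8859-1, hash was stored over UTF-8 bytes.
    forms.append(received.decode("latin-1").encode("utf-8"))
    # Client sent UTF-8, hash was stored over ISO-8859-1 bytes.
    try:
        forms.append(received.decode("utf-8").encode("latin-1"))
    except (UnicodeDecodeError, UnicodeEncodeError):
        pass  # not valid UTF-8, or not representable in ISO-8859-1
    return list(dict.fromkeys(forms))  # drop duplicates, keep order


def verify(received: bytes, stored_hash: bytes) -> bool:
    """Accept the login if any candidate byte form matches the stored hash."""
    ok = False
    for form in candidate_byte_forms(received):
        ok |= hmac.compare_digest(hash_password(form), stored_hash)
    return ok


if __name__ == "__main__":
    password = "Grüße2015"  # constructed sample password with umlauts
    as_utf8 = password.encode("utf-8")
    as_latin1 = password.encode("latin-1")
    print(as_utf8.hex(), as_latin1.hex())      # different byte sequences
    stored = hash_password(as_utf8)            # hash saved over UTF-8 bytes
    print(hash_password(as_latin1) == stored)  # naive comparison of the two
    print(verify(as_latin1, stored))           # comparison with both encodings tried
```

For an ASCII-only password all three byte forms are identical, which is why the characters suggested earlier in the thread are unaffected.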
     
  5. matthias

    matthias New Member Moderator

    Encoding problems, just as I expected.

    One solution would certainly be to alter the password query akin to what you supplied. I don't know if it works exactly like this, I haven't looked into the Dovecot config files for too long. Also, this would have to be altered for Postfix as well. And, most importantly, it may break during ISPConfig updates.

    Enforcing only ASCII characters is the other solution. If you enforce them via the password validity check, this would probably require changes to some JavaScript files, which, again, may break during ISPConfig updates.
    Otherwise, enforce them by telling your users you'll hit them if they don't comply ;)
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Changing something in ispconfig is not an issue as long as the changes were added upstream in the git server when we found a solution.

    The password encryption function used in ISPConfig is crypt, not md5. So it might work but you have to use a different hashing algorithm in your query.
     
