Daivil n00b
Joined: 10 Oct 2004 Posts: 51
Posted: Mon Oct 18, 2010 8:29 am Post subject: Courier-imap: authentication works with similar password
Hi everybody,
I'm having a very strange behaviour with courier-imap/authlib authentication process.
I'm using a MySQL database for storing account credentials. In the database, passwords are encrypted using the embedded ENCRYPT() function.
The problem is that the same account logs in successfully with many "similar" passwords.
Example: if the password in the database is example2010, login works with example, example2, example9999 but does NOT work with exampl.
Here is my authmysqlrc:
Quote:
MYSQL_SERVER localhost
MYSQL_USERNAME postfix
MYSQL_PASSWORD password
MYSQL_PORT 0
MYSQL_OPT 0
MYSQL_DATABASE postfix
MYSQL_USER_TABLE mailbox
MYSQL_CRYPT_PWFIELD password
MYSQL_UID_FIELD '999'
MYSQL_GID_FIELD '999'
MYSQL_LOGIN_FIELD username
MYSQL_HOME_FIELD '/var/spool/mail/'
MYSQL_NAME_FIELD username
MYSQL_MAILDIR_FIELD maildir
And my authdaemonrc:
Quote:
authmodulelist="authmysql "
authmodulelistorig="authuserdb authpam authshadow authmysql authcustom authpipe"
daemons=25
authdaemonvar=/var/lib/courier/authdaemon
DEBUG_LOGIN=2
DEFAULTOPTIONS=""
LOGGEROPTS=""
Login logs with the real password:
Quote:
Oct 18 10:24:46 nx3115 imapd: Connection, ip=[127.0.0.1]
Oct 18 10:24:46 nx3115 authdaemond: received auth request, service=imap, authtype=login
Oct 18 10:24:46 nx3115 authdaemond: authmysql: trying this module
Oct 18 10:24:46 nx3115 authdaemond: authmysqllib: connected. Versions: header 50090, client 50090, server 50090
Oct 18 10:24:46 nx3115 authdaemond: SQL query: SELECT username, password, "", '999', '999', '/var/spool/mail/', maildir, "", username, "" FROM mailbox WHERE username = 'email@mydomain.com'
Oct 18 10:24:46 nx3115 authdaemond: password matches successfully
Oct 18 10:24:46 nx3115 authdaemond: authmysql: sysusername=<null>, sysuserid=999, sysgroupid=999, homedir=/var/spool/mail/, address=email@mydomain.com, fullname=email@mydomain.com, maildir=path/to/dir, quota=<null>, options=<null>
Oct 18 10:24:46 nx3115 authdaemond: authmysql: clearpasswd=<null>, passwd=encryptedpassword.
Oct 18 10:24:46 nx3115 authdaemond: Authenticated: sysusername=<null>, sysuserid=999, sysgroupid=999, homedir=/var/spool/mail/, address=email@mydomain.com, fullname=email@mydomain.com, maildir=path/to/dur/, quota=<null>, options=<null>
Oct 18 10:24:46 nx3115 authdaemond: Authenticated: clearpasswd=example2010, passwd=encryptedpassword.
Oct 18 10:24:46 nx3115 imapd: LOGIN, user=email@mydomain.com, ip=[127.0.0.1], port=[38877], protocol=IMAP
Oct 18 10:24:46 nx3115 imapd: LOGOUT, user=email@mydomain.com ip=[127.0.0.1], headers=0, body=0, rcvd=25, sent=180, time=0
Login logs with a similar password:
Quote:
Oct 18 10:32:24 nx3115 imapd: Connection, ip=[127.0.0.1]
Oct 18 10:32:24 nx3115 authdaemond: received auth request, service=imap, authtype=login
Oct 18 10:32:24 nx3115 authdaemond: authmysql: trying this module
Oct 18 10:32:24 nx3115 authdaemond: SQL query: SELECT username, password, "", '999', '999', '/var/spool/mail/', maildir, "", username, "" FROM mailbox WHERE username = 'email@mydomain.com'
Oct 18 10:32:24 nx3115 authdaemond: password matches successfully
Oct 18 10:32:24 nx3115 authdaemond: authmysql: sysusername=<null>, sysuserid=999, sysgroupid=999, homedir=/var/spool/mail/, address=email@mydomain.com, fullname=email@mydomain.com, maildir=path/to/dir/, quota=<null>, options=<null>
Oct 18 10:32:24 nx3115 authdaemond: authmysql: clearpasswd=<null>, passwd=sameencryptedpassword.
Oct 18 10:32:24 nx3115 authdaemond: Authenticated: sysusername=<null>, sysuserid=999, sysgroupid=999, homedir=/var/spool/mail/, address=email@mydomain.com, fullname=email@mydomain.com, maildir=path/to/dir/, quota=<null>, options=<null>
Oct 18 10:32:24 nx3115 authdaemond: Authenticated: clearpasswd=example, passwd=sameencryptedpassword.
Oct 18 10:32:24 nx3115 imapd: LOGIN, user=email@mydomain.com, ip=[127.0.0.1], port=[47918], protocol=IMAP
Oct 18 10:32:24 nx3115 imapd: LOGOUT, user=email@mydomain.com, ip=[127.0.0.1], headers=0, body=0, rcvd=25, sent=180, time=0
Any idea?
Thanks for your help!
Anarcho Advocate
Joined: 06 Jun 2004 Posts: 2970 Location: Germany
Daivil n00b
Joined: 10 Oct 2004 Posts: 51
Posted: Mon Oct 18, 2010 11:42 am Post subject:
Omg...
What do you suggest then? Using anything else but ENCRYPT for passwords?
Anarcho Advocate
Joined: 06 Jun 2004 Posts: 2970 Location: Germany
Posted: Mon Oct 18, 2010 11:47 am Post subject:
I use SHA1 hashes in the crypted field; the value looks like "{SHA}....." where the ..... is the base64 string of the SHA1 hash of the password.
I've written a little web interface for my mysql tables which are in use by postfix, courier and pure-ftpd (and a small patch for pure-ftpd to work with SHA1).
_________________
...it's only Rock'n'Roll, but I like it!
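Added example, not code from either poster or from courier-authlib: it builds the "{SHA}" crypt-field value the reply above describes, verifies candidates against it, and, where the Python build still ships the stdlib crypt module, shows why a two-character-salt ENCRYPT() value only keys on the first 8 bytes of the password (the symptom the first post describes). The function names and the "ab" salt are this example's own choices.

```python
# Added example, not from the thread: builds the "{SHA}" crypt-field value the
# reply describes and shows the 8-byte limit of traditional DES crypt, which is
# what ENCRYPT() with a two-character salt produces. The function names and
# the "ab" salt are this example's own choices.
import base64
import hashlib
import hmac

try:
    import crypt  # stdlib crypt(3) wrapper; deprecated in 3.11, removed in 3.13
except ImportError:
    crypt = None


def make_sha_field(password: str) -> str:
    """Value for MYSQL_CRYPT_PWFIELD in the {SHA}<base64(sha1)> form."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_field(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored crypt-field value: {SHA} values are
    compared as full SHA1 digests, anything else is treated as crypt(3)
    output and the candidate is re-hashed with the stored value as salt."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(make_sha_field(candidate), stored)
    if crypt is None:
        raise RuntimeError("crypt(3) is not available in this Python build")
    try:
        result = crypt.crypt(candidate, stored)
    except (OSError, ValueError):  # libc rejected the salt or algorithm
        return False
    return bool(result) and hmac.compare_digest(result, stored)


def des_crypt_accepts(password: str, similar: str):
    """True if the DES crypt value of `password` also verifies `similar`.
    DES keys on the first 8 bytes only, so passwords sharing them collide.
    Returns None if this libc has no DES crypt (some libxcrypt builds)."""
    if crypt is None:
        return None
    try:
        stored = crypt.crypt(password, "ab")  # two-character salt selects DES
    except (OSError, ValueError):
        return None
    if not stored or len(stored) != 13 or not stored.startswith("ab"):
        return None  # a failure token such as "*0", not a DES value
    return verify_field(stored, similar)
```

With a {SHA} field, verify_field rejects every candidate that is not the full password, whereas des_crypt_accepts("example2010", "example2XYZ") returns True on a libc that still provides DES crypt.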