engine/ispcp-mbox-mngr changes to make Dovecot accept CRAM-MD5 and Digest-MD5

engine/ispcp-mbox-mngr changes to make Dovecot accept CRAM-MD5 and Digest-MD5 - Printable Version

+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Contributions Area (/forum-40.html)
+--- Forum: Enhancements (/forum-43.html)
+--- Thread: engine/ispcp-mbox-mngr changes to make Dovecot accept CRAM-MD5 and Digest-MD5 (/thread-10682.html)

engine/ispcp-mbox-mngr changes to make Dovecot accept CRAM-MD5 and Digest-MD5 - christian. - 05-14-2010 02:06 AM

I am running ispcp Omega 1.0.5 on Gentoo with Dovecot 1.2.11 as my PO, set up with the how-to provided by the wiki and forum. Since I prefer to submit passwords encrypted over the line, I patched the ispcp-mbox-mngr to create password files for CRAM-MD5 and Digest-MD5 authentication. I have attached my changes to ispcp-mbox-mngr which remove the courier-sasl support and provide the password files. Use at your own risk.

There is one litte detail to the Digest-MD5 authentication: In order for it to work with KMail (my mail client of choice), I had to limit the use of authentication realms to one: "default". That way it works out of the box with KMail -- meaning you do not need to change the source code of KMail or Dovecot.

The digest-md5 credentials should be:
username: "user@domain.tld"
realm: "default" (KMail won't let you define that and just takes the one announced by Dovecot)
password: "..."

You will need the following in /etc/dovecot/dovecot.conf:

Code:

auth_realms = default

auth default {

  mechanisms = plain login cram-md5 digest-md5

  passdb checkpassword {

    args = /usr/lib/ispcp/engine/ispcp-dovecot-mngr

  }

  passdb passwd-file {

    args = scheme=cram-md5 /etc/dovecot/cram-md5.db

  }

  passdb passwd-file {

    args = scheme=digest-md5 /etc/dovecot/digest-md5.db

  }

  [...]

}

I kept the checkpassword via ispcp-dovecot-mngr option from the how-to in my configuration to allow plain-text logins.

The beautiful thing about this enhancement is that Postfix -- assuming it uses dovecot-sasl -- implicitly can authenticate via CRAM-MD5 Digest-MD5, too.

You will need the Tie::File::AsHash Perl module.

I am aware of the fact, that my changes are not configurable at the moment; meaning: The locations of the password files are hardcoded into ispcp-mbox-mngr.

And as an additional security measure you should set the owner of the password files to root:root and restrict group and other from any access.

If I have forgotten any information necessary to replicate my changes successfully, let me know. Improvements are very welcome, since this is more or less a working draft and I don't know perl very well.

PS: Your forum won't accept *.diff, but does *.txt as attachments?