Current time: 12-23-2024, 02:27 AM Hello There, Guest! (LoginRegister)


Post Reply 
engine/ispcp-mbox-mngr changes to make Dovecot accept CRAM-MD5 and Digest-MD5
Author Message
christian. Offline


Posts: 1
Joined: Mar 2009
Reputation: 0
Post: #1
engine/ispcp-mbox-mngr changes to make Dovecot accept CRAM-MD5 and Digest-MD5
I am running ispcp Omega 1.0.5 on Gentoo with Dovecot 1.2.11 as my PO, set up with the how-to provided by the wiki and forum. Since I prefer to submit passwords encrypted over the line, I patched the ispcp-mbox-mngr to create password files for CRAM-MD5 and Digest-MD5 authentication. I have attached my changes to ispcp-mbox-mngr which remove the courier-sasl support and provide the password files. Use at your own risk.

There is one litte detail to the Digest-MD5 authentication: In order for it to work with KMail (my mail client of choice), I had to limit the use of authentication realms to one: "default". That way it works out of the box with KMail -- meaning you do not need to change the source code of KMail or Dovecot.

The digest-md5 credentials should be:
username: "user@domain.tld"
realm: "default" (KMail won't let you define that and just takes the one announced by Dovecot)
password: "..."

You will need the following in /etc/dovecot/dovecot.conf:

Code:
auth_realms = default

auth default {
  mechanisms = plain login cram-md5 digest-md5

  passdb checkpassword {
    args = /usr/lib/ispcp/engine/ispcp-dovecot-mngr
  }

  passdb passwd-file {
    args = scheme=cram-md5 /etc/dovecot/cram-md5.db
  }

  passdb passwd-file {
    args = scheme=digest-md5 /etc/dovecot/digest-md5.db
  }
  
  [...]
}
I kept the checkpassword via ispcp-dovecot-mngr option from the how-to in my configuration to allow plain-text logins.

The beautiful thing about this enhancement is that Postfix -- assuming it uses dovecot-sasl -- implicitly can authenticate via CRAM-MD5 Digest-MD5, too.

You will need the Tie::File::AsHash Perl module.

I am aware of the fact, that my changes are not configurable at the moment; meaning: The locations of the password files are hardcoded into ispcp-mbox-mngr.

And as an additional security measure you should set the owner of the password files to root:root and restrict group and other from any access.

If I have forgotten any information necessary to replicate my changes successfully, let me know. Improvements are very welcome, since this is more or less a working draft and I don't know perl very well.

PS: Your forum won't accept *.diff, but does *.txt as attachments?


Attached File(s)
.txt  ispcp-mbox-mngr.txt (Size: 7.05 KB / Downloads: 41)
05-14-2010 02:06 AM
Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)