1

Topic: imap auth method CRAM-MD5 with LDAP

Hi, I purchased a license earlier this year, and am about to migrate a lot of accounts to iRedMail-Pro with LDAP.

Many existing clients are set up with CRAM-MD5 authentication, which i need to be able to support when migrating to iRedMail.
We have written our own migration script based on your create_mail_user_OpenLDAP.py, but adding domains, aliases, groups and catch-alls. So far so good. We migrated the userPassword attribute in plain text.

- I can log in through iredadmin and through roundcube with all imported accounts
- I can log in via imap via "Login" (Plain) with MUAs
- I cannot log in via CRAM-MD5.

What I tried:
- Changed in dovecot.conf:

auth_mechanisms = PLAIN LOGIN CRAM-MD5 SCRAM-SHA-1
auth_debug = yes

The output of the log is:

Sep 30 00:39:20 auth: Debug: ldap(user.name@example.com,xx.xx.xx.xx,<xxxxxxx>): passdb doesn't support credential lookups

From what I can see, your LDAP schema is already set up in a way so that dovecot can read the userPassword.
The userPassword in the LDIFs was imported without any {} prefix, like this:
userPassword: blabla

Any help would be greatly appreciated. We are planning an even bigger migration after the current one (with a new license), if all succeeds well.

Thank You in advance for any hints on how to resolve this issue.

Lorenzo

==== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: FreeBSD 10
- Related log if you're reporting an issue:
====

2

Re: imap auth method CRAM-MD5 with LDAP

OK, here's what i did for testing, and it works for me:

1: Use only 'CRAM-MD5' as auth mech for testing in Dovecot. Restart Dovecot service.

auth_mechanisms = CRAM-MD5

2: Generate CRAM-MD5 password with command 'doveadm pw', then reset my mail user password to this newly generated one. For example:

{CRAM-MD5}b239b858b2e0174497bb99adfd6b81c01b40b289d09f49d3d67c721c9fb88b12

3: In Thunderbird, I use 'Encrypted password' for "Authentication method" for both IMAP/SMTP. Sending email via SMTP over TLS and receiving email via IMAP over TLS are working as expected.

3

Re: imap auth method CRAM-MD5 with LDAP

Maybe you should prefix password scheme in 'userPassword:', and it should work.

4 (edited by lopez-iredmail 2014-10-01 16:26:01)

Re: imap auth method CRAM-MD5 with LDAP

ZhangHuangbin wrote:

2: Generate CRAM-MD5 password with command 'doveadm pw', then reset my mail user password to this newly generated one. For example:

{CRAM-MD5}b239b858b2e0174497bb99adfd6b81c01b40b289d09f49d3d67c721c9fb88b12

Hi - thanks a lot for your quick answer, first of all!

I tried to do what you wrote, but no success. It still states the same in the logs and the MUAs can't log in. Just for curiosity, how did you replace your password with that string? Using ldapmodify? or phpldapadmin, or iredadmin?

Also, even if I succeed in creating the correct password for CRAM-MD5 (and manage to replace the passwords in my exported LDIFs with ones created by 'doveadm pw') - will iRedAdminPro do the same when creating passwords for new users?

Thanks a lot in advance,

5

Re: imap auth method CRAM-MD5 with LDAP

You can try ldapmodify or phpLDAPadmin.

When you reset password with phpLDAPadmin, please choose 'clear' in the drop-down list, then paste CRAM-MD5 hash as password. After stored in LDAP, it will be recognized (by Dovecot) as CRAM-MD5 due to the prefix '{CRAM-MD5}'.

Unfortunately, the latest stable release of iRedAdmin-Pro cannot generate CRAM-MD5 hash. Let me see how to generate it first, come back to you later.

6

Re: imap auth method CRAM-MD5 with LDAP

I updated the development edition of iRedAdmin-Pro a moment ago, it's now able to generate and verify 'CRAM-MD5' password hash with command `doveadm pw`.

Would you like to give it a try? I can mail you a patch for the latest iRedAdmin-Pro-LDAP-2.1.2.

7

Re: imap auth method CRAM-MD5 with LDAP

Did a quick test, CRAM-MD5 works with MySQL/PostgreSQL backends, but not LDAP.
The test i mentioned in my previous post was done with MySQL backend, didn't realize Dovecot doesn't support it with LDAP. Sorry.

8 (edited by lopez-iredmail 2014-10-02 02:45:14)

Re: imap auth method CRAM-MD5 with LDAP

ZhangHuangbin wrote:

Did a quick test, CRAM-MD5 works with MySQL/PostgreSQL backends, but not LDAP.
The test i mentioned in my previous post was done with MySQL backend, didn't realize Dovecot doesn't support it with LDAP. Sorry.

OK - I got it working with both PLAIN and CRAM-MD5 with the following modification: letting Dovecot handle the auth itself instead of delegating the authentication to an LDAP bind as the user.

The most important change was:
In dovecot-ldap.conf:

auth_bind       = no

which causes the dovecot-ldap plugin to do the auth itself, instead of delegating it to an LDAP-bind request.

Also, in addition to that, in dovecot.conf (as I want to support both LOGIN/PLAIN and CRAM-MD5):

auth_mechanisms = PLAIN LOGIN CRAM-MD5

Now the most interesting part:

  • What can we use in userPassword

  • Are multiple values of userPassword usable in this construct?

  • Which values of userPassword work?

  • How does postfix behave?

  • How does iredadmin behave?

  • How does roundcube behave?

  • Which combinations work with which settings in the MUAs?

There are several combinations possible, as I found out. As you can imagine, they are a lot, and I tried a few.

To put the summary first:

Using the above "no" modification in dovecot-ldap.conf, and using a PLAIN password ONLY in userPassword (without the {PLAIN} before!) works fine with both the LOGIN/PLAIN and CRAM-MD5 MUA settings and with all services (Dovecot, Postfix, iRedAdmin, Roundcube).

Of course it is much nicer to have just hashed/crypted passwords stored in the database. Nicely enough, just putting the {CRAM-MD5} version generated by doveadm pw in the userPassword works fine with both LOGIN/PLAIN, CRAM-MD5 MUA settings (I used Apple Mail to test), but does not auth with iredadmin.

This is probably due to the fact that you use LDAP bind to authenticate to the interface, which does not understand/support the {CRAM-MD5} method. Also, it defeats any other LDAP binding should it be needed. So, bad idea, LDAP-wise.

So, to support LOGIN, PLAIN, CRAM-MD5 and some crypted LDAP bind method, we have to store two userPassword values. The CRAM-MD5 one generated by doveadm pw, and then a hashed one supported by LDAP.

I tried several combinations, and the one which ended up working with all (maybe there are others), is:

# password used for this test is "test"
doveadm pw -s CRAM-MD5 -> {CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
doveadm pw -s SSHA.b64 -> {SSHA.B64}Hs42O+jsTwzn97RMAUqqRW563Jqy4OGt

I took those two and put them into my LDIF file. Caution:
- The order is relevant for dovecot, postfix and co: CRAM-MD5 MUST be the first, because dovecot only uses the first when it finds more than one, from what I can see.
- The SSHA version must be generated with -s SSHA.b64, but only SSHA (without .b64) has to be put in the braces:

userPassword: {CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
userPassword: {SSHA}Hs42O+jsTwzn97RMAUqqRW563Jqy4OGt

This variation seems to work with all items (the mail daemons, ldap and iredadmin).

So, after this research, it would be nice...:

if you, after testing/confirming that what I wrote works for you too (I might have missed something in all the tries...) could modify the code of iredadmin pro to be able to put those two correctly generated values in userPassword when saving.

Or at least, to be able to store the plain text (for some reason, STORE_PASSWORD_IN_PLAIN_TEXT = True did not seem to work in my settings.py? Which daemon do I have to restart to make it work?)

Thanks in advance - Your great support is a very good reason to stick to iRedMail! smile

Greetings,

9

Re: imap auth method CRAM-MD5 with LDAP

Nice finding.

lopez-iredmail wrote:
auth_bind       = no

which causes the dovecot-ldap plugin to do the auth itself, instead of delegating it to an LDAP-bind request.

Great hint, it helps me understand why it doesn't work. smile

lopez-iredmail wrote:
  • What can we use in userPassword

  • Are multiple values of userPassword usable in this construct?

  • Which values of userPassword work?

I guess 'SSHA' password hash works (with 'auth_bind = no' in dovecot-ldap.conf), and no multiple userPassword is required. Did you try it? If it doesn't work, the simplest way to make 'CRAM-MD5' password work is improving iRedAdmin-Pro to make it support authentication with 'CRAM-MD5'. Please do let me know whether or not SSHA works.

And, personally, i don't think it's a good idea/solution to use duplicate userPassword. Storing password in plain text should never be a choice.

lopez-iredmail wrote:

How does postfix behave?

Postfix is configured to use Dovecot as SASL server, so all user authentication work is done by Dovecot. That means, if Dovecot can verify the password hash, user authentication via SMTP is ok.

lopez-iredmail wrote:

How does iredadmin behave?

Currently, iRedAdmin behaves like "auth_bind = yes" in dovecot-ldap.conf, it simply performs LDAP bind with submitted username (email) and password for login authentication. So if LDAP server itself cannot verify password hash, you cannot login to iRedAdmin.

I will try to improve this behaviour in a future release, make it work like "auth_bind = no" in dovecot-ldap.conf, or as an additional method.

lopez-iredmail wrote:

How does roundcube behave?

Roundcube doesn't authenticate user, it's done in IMAP protocol. That means, it's done by Dovecot.

lopez-iredmail wrote:

Or at least, to be able to store the plain text (for some reason, STORE_PASSWORD_IN_PLAIN_TEXT = True did not seem to work in my settings.py? Which daemon do I have to restart to make it work?)

You have to restart Apache/Nginx web service if you changed any file of iRedAdmin.
Again, please don't even think about storing password in plain text.

lopez-iredmail wrote:

Thanx in advance - Your great support is a very good reason to stick to iRedMail! smile

Glad to hear that. smile

10

Re: imap auth method CRAM-MD5 with LDAP

Hi ZhangHuangbin,

Thanks for Your Feedback!

First, I apologize for the formatting of my post - all the questions in the list were not meant for you, they were actually a summary of the questions I posed to myself (and think I solved) with my tries - so sorry for the time it took you to go through them hmm

As for the answers:

ZhangHuangbin wrote:

I guess 'SSHA' password hash works (with 'auth_bind = no' in dovecot-ldap.conf), and no multiple userPassword is required. Did you try it?

It doesn't work because it can't work: You can't derive one hash for a string from another hash. In this case, Dovecot can't derive the needed values for the CRAM-MD5 auth starting from an SSHA sum. With only a plain userPassword, of course it works because it can, but if you store only the SSHA userPassword and then choose CRAM-MD5 in the mail client, the client will fail to connect and Dovecot will write in dovecot.log: "Requested CRAM-MD5 scheme, but we have only SSHA".

(See http://en.wikipedia.org/wiki/CRAM-MD5#Weaknesses - where Dovecot is mentioned. Helped me understand it, and also to understand how the heck they could store something hashed in the first place for a procedure that would otherwise need the plain password to proceed.).

ZhangHuangbin wrote:

If it doesn't work, the simplest way to make 'CRAM-MD5' password work is improving iRedAdmin-Pro to make it supports authentication with 'CRAM-MD5'. Please do let me know whether or not SSHA works.

I disagree: I think that you're doing well using the LDAP binding in iRedAdminPro! smile I really think that two userPassword values {CRAM-MD5} and {SSHA} are the best solution: Because it is the only way to support CRAM-MD5 and have only crypted passwords in the database and keep the compatibility with all authentications that use LDAP bind (including iRedAdminPro). The latter is a very important aspect for me (and I think also for others who chose LDAP), because it means that other integrations based on LDAP binding remain possible.

ZhangHuangbin wrote:

Storing password in plain text should never be a choice.

I completely agree smile Please help me be able to do it by adding multiple values to userPassword (I can also try to walk through the code of iRedAdminPro and find out how to do it myself, but it would be great to keep upwards compatibility with your updates and not stay stuck with my modifications...)

Thanks a lot in Advance,

Lorenzo
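
The point made in post 2 (store a {CRAM-MD5} value generated by `doveadm pw`) and in post 10 (why an {SSHA} value can never answer a CRAM-MD5 challenge, and why the {CRAM-MD5} value must come first in a multi-valued userPassword) can be shown end to end. The following is an added, runnable illustration written for this page; it is not code from the thread, from Dovecot or from iRedMail. It carries its own minimal MD5 so that it can resume hashing from a saved state, which is exactly what the {CRAM-MD5} scheme stores: the two HMAC-MD5 states after the key block, not a digest of the password. Assumptions, labelled in the code: the word order and little-endian packing of the 32-byte context (so the hex will not necessarily match doveadm's byte for byte), an unprefixed userPassword being treated as plaintext, the constructed challenge string, the 4-byte SSHA salt, and the simplification that the server consults only the first userPassword value, as post 8 observed.

```python
"""CRAM-MD5 against an LDAP-style userPassword store (added illustration, not project code)."""
import base64
import hashlib
import hmac
import math
import os
import struct

# --- minimal resumable MD5 (RFC 1321), only so HMAC states can be saved and resumed ---
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]


def _md5_block(state, block):
    """One MD5 compression: absorb a 64-byte block into the 4-word state."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & 0xFFFFFFFF
        a, d, c = d, c, b
        b = (b + ((f << _S[i]) | (f >> (32 - _S[i])))) & 0xFFFFFFFF
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d)))


def md5(data: bytes, state=_IV, absorbed: int = 0) -> bytes:
    """MD5 of data, optionally resuming from `state` after `absorbed` (multiple of 64) bytes."""
    full = len(data) - len(data) % 64
    for i in range(0, full, 64):
        state = _md5_block(state, data[i:i + 64])
    total = absorbed + len(data)
    tail = data[full:] + b"\x80" + b"\x00" * ((55 - total) % 64) + struct.pack("<Q", total * 8)
    for i in range(0, len(tail), 64):
        state = _md5_block(state, tail[i:i + 64])
    return struct.pack("<4I", *state)


# --- the {CRAM-MD5} scheme: saved HMAC-MD5 states instead of a password digest ---
def cram_md5_contexts(password: bytes) -> bytes:
    """32 bytes: MD5 state after (key^opad) then after (key^ipad).
    ASSUMPTION: this word order / little-endian packing; doveadm's exact layout is not claimed."""
    if len(password) > 64:                       # HMAC rule: long keys are hashed first
        password = hashlib.md5(password).digest()
    key = password.ljust(64, b"\x00")
    outer = _md5_block(_IV, bytes(k ^ 0x5C for k in key))
    inner = _md5_block(_IV, bytes(k ^ 0x36 for k in key))
    return struct.pack("<4I", *outer) + struct.pack("<4I", *inner)


def cram_md5_from_contexts(ctx: bytes, challenge: bytes) -> str:
    """Finish HMAC-MD5(password, challenge) from the saved states: no plaintext needed."""
    outer, inner = struct.unpack("<4I", ctx[:16]), struct.unpack("<4I", ctx[16:])
    return md5(md5(challenge, inner, 64), outer, 64).hex()


def client_response(user: str, password: bytes, challenge: bytes) -> str:
    """What the MUA sends (base64-decoded): 'user hex(HMAC-MD5(password, challenge))'."""
    return user + " " + hmac.new(password, challenge, hashlib.md5).hexdigest()


def server_verify(user_passwords, user: str, response: str, challenge: bytes) -> bool:
    """Emulates a passdb with auth_bind = no. ASSUMPTION: only the first value is consulted
    and an unprefixed value is plaintext. {SSHA} cannot be turned into an HMAC-MD5 key."""
    first = user_passwords[0]
    scheme, data = ("PLAIN", first) if not first.startswith("{") else first[1:].split("}", 1)
    if scheme.upper() == "CRAM-MD5":
        expected = cram_md5_from_contexts(bytes.fromhex(data), challenge)
    elif scheme.upper() in ("PLAIN", "CLEARTEXT"):
        expected = hmac.new(data.encode(), challenge, hashlib.md5).hexdigest()
    else:
        raise ValueError(f"Requested CRAM-MD5 scheme, but we have only {scheme}")
    name, _, digest = response.partition(" ")
    return name == user and hmac.compare_digest(expected, digest)


# --- the {SSHA} value: what slapd (and so iRedAdmin's simple bind) can verify ---
def make_ssha(password: bytes, salt: bytes = None) -> str:
    """{SSHA} = base64(sha1(password || salt) || salt), 4-byte salt as doveadm uses."""
    salt = os.urandom(4) if salt is None else salt
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()


def verify_ssha(value: str, password: bytes) -> bool:
    raw = base64.b64decode(value[len("{SSHA}"):])
    return hmac.compare_digest(hashlib.sha1(password + raw[20:]).digest(), raw[:20])


def self_check(challenge=b"<1896.697170952@postoffice.example.com>") -> bool:
    """Cross-check the local MD5 and the resumed-state HMAC against the standard library."""
    ok = all(md5(m) == hashlib.md5(m).digest() for m in (b"", b"abc", b"a" * 64, b"a" * 119, b"a" * 1000))
    for pw in (b"test", b"k" * 70):
        ok &= cram_md5_from_contexts(cram_md5_contexts(pw), challenge) == hmac.new(pw, challenge, hashlib.md5).hexdigest()
    return ok


def demo():
    """Two-valued userPassword as in post 8: {CRAM-MD5} first, {SSHA} second (password 'test')."""
    pw, user = b"test", "user.name@example.com"
    store = ["{CRAM-MD5}" + cram_md5_contexts(pw).hex(), make_ssha(pw, b"\x01\x02\x03\x04")]  # constructed salt
    challenge = b"<1896.697170952@postoffice.example.com>"      # constructed, RFC 2195 style
    ok_imap = server_verify(store, user, client_response(user, pw, challenge), challenge)
    ok_bind = verify_ssha(store[1], pw)                          # what an LDAP simple bind checks
    try:                                                         # {SSHA} first: CRAM-MD5 cannot be answered
        server_verify(store[::-1], user, client_response(user, pw, challenge), challenge)
        wrong_order = False
    except ValueError:
        wrong_order = True
    return ok_imap, ok_bind, wrong_order
```

`demo()` returns `(True, True, True)`: the IMAP side verifies from the {CRAM-MD5} contexts alone, the LDAP-bind side verifies the {SSHA} value, and swapping the order reproduces the "Requested CRAM-MD5 scheme, but we have only SSHA" failure. The reason the thread's requirement of two values is structural rather than a Dovecot quirk is visible in `cram_md5_from_contexts`: the stored material is a keyed MD5 state, which is enough to finish any HMAC-MD5 over a fresh challenge but is not something SHA-1 can be derived from, and vice versa. Note that whoever can read the {CRAM-MD5} value can also answer challenges, so it must be protected like a password, not like an ordinary hash.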

11

Re: imap auth method CRAM-MD5 with LDAP

Hi again - I have a patch ready to propose for libs/iredpwd.py - can you send me your email address (via the one I used to register), so that I can send you the patch for review?

Greetings,