OK, here's what i did for testing, and it works for me:

1: Use only 'CRAM-MD5 as auth mech for testing in Dovecot. restart Dovecot service.

auth_mechanisms = CRAM-MD5

2: Generate CRAM-MD5 password with command 'doveadm pw', then reset my mail user password to this newly generated one. For example:

{CRAM-MD5}b239b858b2e0174497bb99adfd6b81c01b40b289d09f49d3d67c721c9fb88b12

3: In Thunderbird, i use 'Encrypted password' for "Authentication method" for both IMAP/SMTP. Sending email via SMTP over TLS and receiving email via IMAP over TLS are working as expected.

Hi - thanx a lot for your quick answer, first of all!

I tried to do what you wrote, but no success. It still states the same in the logs and the MUAs can't log in. Just for curiosity, how did you replace your password with that string? Using ldapmodify? or phpldapadmin, or iredadmin?

Also, even if I succeed in creating the correct password for CRAM-MD5 (and manage to replace the passwords in my exported LDIFs with ones created by 'doveadm pw') - will iRedAdminPro do the same when creating passwords for new users?

Thanks a lot in advance,

I updated the development edition of iRedAdmin-Pro moment ago, it's now able to generate and verify 'CRAM-MD5' password hash with command `doveadm pw`.

Would you like to give it a try? i can mail you patch for the latest iRedAdmin-Pro-LDAP-2.1.2.

OK - I got it working with Both PLAIN and CRAM-MD5 with the following modification: Letting dovecot handle the auth instead of delegating the authentication to letting LDAP bind the user.

The most important change was:
In dovecot-ldap.conf:

auth_bind       = no

which causes the dovecot-ldap plugin to do the auth itself, instead of delegating it to an LDAP-bind request.

Also, in addition to that, in dovecot.conf (as I want to support both LOGIN/PLAIN and CRAM-MD5):

auth_mechanisms = PLAIN LOGIN CRAM-MD5

Now the most interesting part:

• What can we use in userPassword

• Are multiple values of userPassword usable in this construct?

• Which values of userPassword work?

• How does postfix behave?

• How does iredadmin behave?

• How does roundcube behave?

• Which combinations work with which settings in the MUAs?

There are several combinations possible, as I found out. As you can imagine, they are a lot, and I tried a few.

To put the sum at the beginning:

Using the above "no" modification in dovecot-ldap.conf, and using a PLAIN password ONLY in userPassword (without the {PLAIN} before!) works fine with both LOGIN/PLAIN, CRAM-MD5 MUA setting and with all services (dovecot, postfix, iredadmin, roundcube).

Of course it is much nicer to have just hashed/crypted passwords stored in the database. Nicely enough, just putting the {CRAM-MD5} version generated by doveadm pw in the userPassword works fine with both LOGIN/PLAIN, CRAM-MD5 MUA settings (I used Apple Mail to test), but does not auth with iredadmin.

This is probably due to the fact that you use LDAP bind to authenticate to the interface, which does not understand/support the {CRAM-MD5} method. Also, it defeats any other LDAP binding should it be needed. So, bad idea, LDAP-wise.

So, to support LOGIN, PLAIN, CRAM-MD5 and some crypted LDAP bind method, we have to store two userPassword values. The CRAM-MD5 one generated by doveadm pw, and then a hashed one supported by LDAP.

I tried several combinations, and the one which ended up working with all (maybe there are others), is:

# password used for this test is "test"
doveadm pw -s CRAM-MD5 -> {CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
doveadm pw -s SSHA.b64 -> {SSHA.B64}Hs42O+jsTwzn97RMAUqqRW563Jqy4OGt

I took those two and put them into my LDIF file. Caution:
- The order is relevant for dovecot, postfix and co: CRAM-MD5 MUST be the first, because dovecot only uses the first when it finds more than one, from what I can see.
- The SSHA version must be generated with -s SSHA.b64, but only SSHA (without .b64) has to be put in the parenthesis:

userPassword: {CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
userPassword: {SSHA}Hs42O+jsTwzn97RMAUqqRW563Jqy4OGt

This variation seems to work with all items (the mail daemons, ldap and iredadmin).

So, after this research, it would be nice...:

if you, after testing/confirming that what I wrote works for you too (I might have missed something in all the tries...) could modify the code of iredadmin pro to be able to put those two correctly generated values in userPassword when saving.

Or at least, to be able to store the plain text (for some reason, STORE_PASSWORD_IN_PLAIN_TEXT = True did not seem to work in my settings.py? Which daemon do I have to restart to make it work?)

Thanx in advance - Your great support is a very good reason to stick to iRedMail!

Greetings,

Hi ZhangHuangbin,

Thanks for Your Feedback!

First, I apologize for the formatting of my post - all the questions in the list were not meant to you, they were actually a summary of the questions I posed to myself (and think solved) with my tries - so sorry for the time it took you to go through them

As for the answers:

It doesn't work  because it can't work: You can't derive one hash for a string from another hash. In this case, Dovecot can't derive the needed values for the CRAM-MD5 auth starting from an SSHA sum. With only a plain userPassword, of course it works because he can, but If you store only the SSHA userPassword and then choose CRAM-MD5 in the mail client, the client will fail to connect and dovecot will write in dovecot.log: "Requested CRAM-MD5 scheme, but we have only SSHA".

(See http://en.wikipedia.org/wiki/CRAM-MD5#Weaknesses - where Dovecot is mentioned. Helped me understand it, and also to understand how the heck they could store something hashed in the first place for a procedure that would otherwise need the plain password to proceed.).

I disagree: I think that you're doing well using the LDAP binding in iRedAdminPro! I really think that two userPassword values {CRAM-MD5} and {SSHA} are the best solution: Because it is only way to support CRAM-MD5 and have only crypted passwords in the database and keep the compatibility with all authentications that use LDAP bind (including iRedAdminPro). The latter is a very important aspect for me (and I think also for others who chose LDAP), because it means that other integrations based on LDAP binding remain possible.

I completely agree Please help me be able to do it by adding multiple values to userPassword (I can also try to walk through the code of iRedAdminPro and find out how to do it myself, but it would be great to keep upwards compatibility with your updates and not stay stuck with my modifications...)

Thanks a lot in Advance,

Lorenzo