Closed (waldner closed this issue 1 year ago)
CRAM-MD5 is disabled because it is old and insecure. Use a local connection with PLAIN/LOGIN or Remote TLS connection.
If you can't and must use the insecure CRAM-MD5, try the following as plugin.
Save it as _data_/_default_/plugins/login-cram/index.php and enable it in the extensions area of your ?admin#/packages page.

```php
<?php
class LoginCramPlugin extends \RainLoop\Plugins\AbstractPlugin
{
    const
        NAME        = 'SASL CRAM',
        VERSION     = '1.0',
        RELEASE     = '2023-10-02',
        REQUIRED    = '2.21.0',
        CATEGORY    = 'Login',
        DESCRIPTION = 'IMAP, Sieve & SMTP login using CRAM';

    public function Init() : void
    {
        // Run clientLogin() right before each protocol's login step.
        $this->addHook('imap.before-login', 'clientLogin');
        $this->addHook('smtp.before-login', 'clientLogin');
        $this->addHook('sieve.before-login', 'clientLogin');
    }

    public function clientLogin(\RainLoop\Model\Account $oAccount, \MailSo\Net\NetClient $oClient, \MailSo\Net\ConnectSettings $oSettings) : void
    {
        // Put CRAM-MD5 at the front of the mechanism list so it is tried first.
        \array_unshift($oSettings->SASLMechanisms, 'CRAM-MD5');
    }
}
```
Thanks. The thing is, since the IMAP connection is not encrypted (it's over a VPN anyway), I didn't want to store dovecot password in plain text. Could you suggest a hashing scheme better than CRAM-MD5 that is supported both by dovecot and snappymail?
BTW, I'm still getting the same error after trying the extension you suggested. It shows up in the "packages" section and I can successfully enable it, but when testing the IMAP connection I get the same errors as before (both on screen and in the log).
Storing the password on the server is different than sending the password. You could use blowfish or sodium on the server and still send the password in plain text.
Sending in CRAM does not add security over the connection. SCRAM is better, but your VPN or TLS encryption is always better than CRAM and SCRAM.
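To make the storage difference concrete, here is an added Python sketch (not code from this thread, SnappyMail or Dovecot) of what each server-side verifier has to hold: CRAM-MD5 as in RFC 2195 and SCRAM-SHA-1 as in RFC 5802. The SCRAM AuthMessage is passed in as an opaque byte string constructed by the caller rather than assembled from the real handshake messages.

```python
import hashlib
import hmac


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 over the server challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(stored_password: str, challenge: bytes, response: str) -> bool:
    """Server side. The verifier needs the password itself (or the HMAC-MD5 key
    state derived from it, which is password-equivalent): the credential store
    is effectively plaintext, so CRAM-MD5 protects nothing at rest."""
    _user, digest = response.split(" ", 1)
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def _scram_keys(password: str, salt: bytes, iterations: int):
    # Hi() in RFC 5802 is PBKDF2 with HMAC-SHA-1.
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return client_key, server_key


def scram_sha1_stored(password: str, salt: bytes, iterations: int = 4096) -> dict:
    """What a SCRAM-SHA-1 server keeps: salt, iteration count, StoredKey = H(ClientKey)
    and ServerKey. The password is not recoverable, and StoredKey alone is not enough
    to produce a valid ClientProof (that needs ClientKey, a pre-image of StoredKey)."""
    client_key, server_key = _scram_keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha1(client_key).digest(), "server_key": server_key}


def scram_sha1_client_proof(password: str, salt: bytes, iterations: int,
                            auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage). auth_message is an
    opaque, caller-constructed byte string here; a real client builds it from the
    client-first-bare, server-first and client-final-without-proof messages."""
    client_key, _ = _scram_keys(password, salt, iterations)
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def scram_sha1_verify(stored: dict, auth_message: bytes, client_proof: bytes) -> bool:
    """Server recovers ClientKey from the proof and checks H(ClientKey) == StoredKey."""
    client_sig = hmac.new(stored["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(client_proof, client_sig))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored["stored_key"])
```

Note the caveat from RFC 5802's security considerations: a stolen StoredKey combined with one captured handshake yields ClientKey (proof XOR signature), which is why the advice above to keep TLS or the VPN in front of either mechanism still applies.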
I'm not concerned about on-the-wire security, as I said; my goal is to avoid storing passwords unencrypted on the dovecot server. Dovecot documentation makes it quite clear that to be able to store hashed passwords, you cannot use PLAIN or LOGIN on the wire. I made a quick test with SCRAM-SHA-1 and that makes snappymail happy, but then some older clients that only support CRAM-MD5 stop working. Dovecot does not (yet) allow multiple schemes for a given user, so without CRAM-MD5 support in snappymail I guess I will have to choose to either sacrifice compatibility with old clients or not use snappymail. Thanks.
EDIT: In fact after some investigation I discovered that dovecot supports multiple authentication databases (see https://doc.dovecot.org/configuration_manual/authentication/multiple_authentication_databases/), so I can use a database with CRAM-MD5 passwords for old clients and another with SCRAM-SHA-1 passwords for snappymail and newer clients. It involves some amount of duplicated entries, but it's manageable since there are not a lot of users. I tested this and it works. Closing the issue, thanks.
You're welcome.
But I will clarify something: You can encrypt passwords in Dovecot using Blowfish or Sodium (best security on the server). Then only allow TLS connections to the server (encryption). Remote clients then use PLAIN or LOGIN (insecure, but TLS or VPN solves that for you). Local clients (127.0.0.1) can also use PLAIN.
I guess it boils down to my laziness and the relative complications (and relatively low need) of setting up TLS for a server that is accessed by some clients using the IP address directly and by others using a hostname in a private domain (everything over VPN). In any case, thanks for the information.
PS Now that dovecot advertises both CRAM-MD5 and SCRAM-SHA-1, I noticed that I still need to have the cram extension above enabled, otherwise clients are not able to login from snappymail. If I leave it enabled, everything is fine. Just FYI.
OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=CRAM-MD5] Dovecot (Debian) ready.
Describe the bug
When testing connection to a dovecot server without TLS, I get this error:
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Authentication should succeed.
Please complete the following information:
Debug/logging information
On the dovecot side, not much info: