the-djmaze / snappymail

Simple, modern & fast web-based email client
https://snappymail.eu
GNU Affero General Public License v3.0

Cannot connect to dovecot #1257

Closed waldner closed 1 year ago

waldner commented 1 year ago

Describe the bug

When testing connection to a dovecot server without TLS, I get this error:

No supported SASL mechanism found, remote server wants: AUTH=CRAM-MD5

To Reproduce

Steps to reproduce the behavior:

  1. Go to 'domains'
  2. Configure a domain for IMAP with "secure" -> none, "port" -> 143
  3. Click on "test"
  4. Input correct credentials
  5. See error

Expected behavior

Authentication should succeed.

Debug/logging information

[2023-09-28 16:22:52.556][7c43237e] [ERROR]: MailSo\RuntimeException: No supported SASL mechanism found, remote server wants: AUTH=CRAM-MD5 in /snappymail/snappymail/v/2.28.4/app/libraries/MailSo/Imap/ImapClient.php:146
Stack trace:
#0 /snappymail/snappymail/v/2.28.4/app/libraries/RainLoop/Actions/AdminDomains.php(103): MailSo\Imap\ImapClient->Login(Object(MailSo\Imap\Settings))
#1 /snappymail/snappymail/v/2.28.4/app/libraries/RainLoop/ServiceActions.php(142): RainLoop\ActionsAdmin->DoAdminDomainTest()
#2 /snappymail/snappymail/v/2.28.4/app/libraries/RainLoop/Service.php(132): RainLoop\ServiceActions->ServiceJson('')
#3 /snappymail/snappymail/v/2.28.4/app/libraries/RainLoop/Service.php(14): RainLoop\Service::RunResult()
#4 /snappymail/snappymail/v/2.28.4/include.php(143): RainLoop\Service::Handle()
#5 /snappymail/index.php(11): include('/snappymail/sna...')
#6 {main}

On the dovecot side, not much info:

DOVECOT: Sep 28 18:26:35 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.10.10.4, lip=172.18.0.2, session=<XzCNxW0GnqIKCgoE>
the-djmaze commented 1 year ago

CRAM-MD5 is disabled because it is old and insecure. Use a local connection with PLAIN/LOGIN or a remote TLS connection.

If you can't and must use the insecure CRAM-MD5, try the following as a plugin. Save it as _data_/_default_/plugins/login-cram/index.php and enable it in your ?admin#/packages extensions area.

<?php

// Puts CRAM-MD5 back at the head of the mechanism list SnappyMail is willing
// to negotiate. The three hooks fire right before the IMAP, SMTP and
// ManageSieve logins, so all three protocols get the mechanism.
class LoginCramPlugin extends \RainLoop\Plugins\AbstractPlugin
{
    const
        NAME     = 'SASL CRAM',
        VERSION  = '1.0',
        RELEASE  = '2023-10-02',
        REQUIRED = '2.21.0',
        CATEGORY = 'Login',
        DESCRIPTION = 'IMAP, Sieve & SMTP login using CRAM';

    public function Init() : void
    {
        $this->addHook('imap.before-login', 'clientLogin');
        $this->addHook('smtp.before-login', 'clientLogin');
        $this->addHook('sieve.before-login', 'clientLogin');
    }

    public function clientLogin(\RainLoop\Model\Account $oAccount, \MailSo\Net\NetClient $oClient, \MailSo\Net\ConnectSettings $oSettings) : void
    {
        // SASLMechanisms is the client-side preference list. Prepending makes
        // CRAM-MD5 the preferred choice whenever the server advertises
        // AUTH=CRAM-MD5; the entries after it are still tried as fallbacks.
        \array_unshift($oSettings->SASLMechanisms, 'CRAM-MD5');
    }
}
waldner commented 1 year ago

Thanks. The thing is, since the IMAP connection is not encrypted (it's over a VPN anyway), I didn't want to store the dovecot password in plain text. Could you suggest a hashing scheme better than CRAM-MD5 that is supported both by dovecot and snappymail?

BTW, I'm still getting the same error after trying the extension you suggested. It shows up in the "packages" section and I can successfully enable it, but when testing the IMAP connection I get the same errors as before (both on screen and in the log).

the-djmaze commented 1 year ago

Storing the password on the server is different from sending the password. You could use blowfish or sodium on the server and still send the password in plain.

Sending in CRAM does not add security over the connection. SCRAM is better, but your VPN or TLS encryption is always better than CRAM and SCRAM.

waldner commented 1 year ago

I'm not concerned about on-the-wire security, as I said; my goal is to avoid storing passwords unencrypted on the dovecot server. Dovecot documentation makes it quite clear that to be able to store hashed password, you cannot use PLAIN or LOGIN on the wire. I made a quick test with SCRAM-SHA-1 and that makes snappymail happy, but then some older clients that only support CRAM-MD5 stop working. Dovecot does not (yet) allow multiple schemes for a given user, so without CRAM-MD5 support in snappymail I guess I will have to choose to either sacrifice compatibility with old clients or not use snappymail. Thanks.

EDIT: In fact, after some investigation I discovered that dovecot supports multiple authentication databases (see https://doc.dovecot.org/configuration_manual/authentication/multiple_authentication_databases/), so I can use a database with CRAM-MD5 passwords for old clients and another with SCRAM-SHA-1 passwords for snappymail and newer clients. It involves some amount of duplicated entries, but it's manageable since there are not a lot of users. I tested this and it works. Closing the issue, thanks.

the-djmaze commented 1 year ago

You're welcome.

But I will clarify something: You can encrypt passwords in Dovecot using Blowfish or Sodium (best security on the server). Then only allow TLS connections to the server (encryption). Remote clients then use PLAIN or LOGIN (insecure, but TLS or VPN solves that for you). Local clients (127.0.0.1) can also use PLAIN.
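
To make concrete what the replies above are arguing about (what the server has to keep on disk for each mechanism, and what a leaked passdb then buys an attacker), here is an added example in Python. It is not code from SnappyMail or Dovecot. USER, PASSWORD, SALT and the nonces are constructed sample values, scrypt stands in for Dovecot's BLF-CRYPT/ARGON2 schemes, and the SCRAM-SHA-1 half reproduces the RFC 5802 exchange so it can be checked against that test vector.

```python
"""What each SASL mechanism forces the IMAP server to keep on disk, and what
crosses the wire. Added example for this thread, not SnappyMail or Dovecot code.
USER, PASSWORD, SALT and the nonces below are constructed sample values."""
import base64
import hashlib
import hmac

USER = "waldner"                            # constructed
PASSWORD = "correct horse battery staple"   # constructed
SALT = b"0123456789abcdef"                  # constructed; use os.urandom(16) for real


# --- PLAIN / LOGIN: the password itself crosses the (TLS- or VPN-protected)
#     wire, so the server only needs a slow salted hash. scrypt stands in for
#     Dovecot's BLF-CRYPT / ARGON2 schemes. The stored value can verify a
#     password but cannot be used to log in.
def plain_verifier(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 13, r=8, p=1, dklen=32)

def plain_server_verify(stored: bytes, salt: bytes, password: str) -> bool:
    return hmac.compare_digest(stored, plain_verifier(password, salt))


# --- CRAM-MD5 (RFC 2195): the response is HMAC-MD5 keyed by the password, so
#     the server has to hold the key itself (Dovecot's CRAM-MD5 scheme keeps the
#     precomputed HMAC context, which is equivalent). Whoever reads the passdb
#     can answer any challenge, and a captured digest is crackable offline.
def cram_md5_verifier(password: str) -> bytes:
    return password.encode()

def cram_md5_response(user: str, key: bytes, challenge: bytes) -> str:
    return f"{user} {hmac.new(key, challenge, hashlib.md5).hexdigest()}"

def cram_md5_server_verify(stored: bytes, challenge: bytes, response: str) -> bool:
    user = response.split(" ", 1)[0]
    return hmac.compare_digest(cram_md5_response(user, stored, challenge), response)


# --- SCRAM-SHA-1 (RFC 5802): the server stores salt, iteration count,
#     StoredKey = H(ClientKey) and ServerKey. None of them is the password.
def _h(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def _hm(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def scram_verifier(password: str, salt: bytes, iterations: int = 4096) -> dict:
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    return {"salt": salt, "i": iterations,
            "stored_key": _h(_hm(salted, b"Client Key")),
            "server_key": _hm(salted, b"Server Key")}

def scram_auth_message(user: str, cnonce: str, snonce: str, v: dict) -> bytes:
    # AuthMessage = client-first-bare , server-first , client-final-without-proof
    client_first = f"n={user},r={cnonce}"
    server_first = f"r={cnonce}{snonce},s={base64.b64encode(v['salt']).decode()},i={v['i']}"
    client_final = f"c=biws,r={cnonce}{snonce}"   # biws = base64("n,,"): no channel binding
    return f"{client_first},{server_first},{client_final}".encode()

def scram_client_proof(password: str, v: dict, auth_message: bytes) -> bytes:
    # Client side: knows the password, learns salt and i from server-first.
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), v["salt"], v["i"])
    client_key = _hm(salted, b"Client Key")
    return _xor(client_key, _hm(_h(client_key), auth_message))

def scram_server_verify(v: dict, auth_message: bytes, proof: bytes) -> bool:
    # Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    client_key = _xor(proof, _hm(v["stored_key"], auth_message))
    return hmac.compare_digest(_h(client_key), v["stored_key"])

def scram_server_signature(v: dict, auth_message: bytes) -> bytes:
    # Sent back as v=...; the client recomputes it from its own ServerKey (mutual auth).
    return _hm(v["server_key"], auth_message)

def scram_forge_from_stored_key(v: dict, seen_auth_message: bytes, seen_proof: bytes,
                                new_auth_message: bytes) -> bytes:
    # Caveat: StoredKey alone cannot log in, but StoredKey plus ONE captured
    # exchange reveals ClientKey, which then answers any future challenge.
    # A leaked SCRAM passdb is still serious, just not password-equivalent.
    client_key = _xor(seen_proof, _hm(v["stored_key"], seen_auth_message))
    return _xor(client_key, _hm(_h(client_key), new_auth_message))


if __name__ == "__main__":
    v = scram_verifier(PASSWORD, SALT)
    am = scram_auth_message(USER, "fyko+d2lbbFgONRv9qkxdawL", "3rfcNHYJY1ZVvWVs7j", v)
    print("SCRAM accepted:", scram_server_verify(v, am, scram_client_proof(PASSWORD, v, am)))
    chal = b"<1896.697170952@postoffice.example>"      # constructed challenge
    resp = cram_md5_response(USER, cram_md5_verifier(PASSWORD), chal)
    print("CRAM-MD5 accepted:", cram_md5_server_verify(cram_md5_verifier(PASSWORD), chal, resp))
    print("PLAIN accepted:", plain_server_verify(plain_verifier(PASSWORD, SALT), SALT, PASSWORD))
```

The point is in the three verifier functions: `cram_md5_verifier` has to return the password itself (or a password-equivalent HMAC context), `scram_verifier` returns salted keys that reveal nothing on their own but, combined with one sniffed exchange, yield ClientKey (`scram_forge_from_stored_key`), and `plain_verifier` is a plain KDF output that can only verify. That is why the advice in this thread ends up as TLS or VPN plus PLAIN with a strong scheme on the server, with CRAM-MD5 kept only as a compatibility fallback for old clients.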

waldner commented 1 year ago

I guess it boils down to my laziness and the relative complications (and relatively low need) of setting up TLS for a server that is accessed by some clients using the IP address directly and by others using a hostname in a private domain (everything over VPN). In any case, thanks for the information.

PS Now that dovecot advertises both CRAM-MD5 and SCRAM-SHA-1, I noticed that I still need to have the cram extension above enabled, otherwise clients are not able to login from snappymail. If I leave it enabled, everything is fine. Just FYI.

OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=CRAM-MD5] Dovecot (Debian) ready.