# CRAM-MD5 login error

## Frautoincnam

Hello,

Suddenly, certainly following an update, the Roundcube login no longer works.

I checked; nothing has been modified in the configuration of Roundcube or of Dovecot.

On the other hand, I know that /etc/login.defs has recently changed, but I don't know if that has any effect.

```
# diff -u /tmp/bacula-restores/etc/login.defs /etc/login.defs 

--- /tmp/bacula-restores/etc/login.defs 2020-11-06 11:41:20.000000000 -0400

+++ /etc/login.defs     2021-05-21 13:13:49.059515553 -0400

@@ -209,12 +209,17 @@

 # Default initial "umask" value used by login(1) on non-PAM enabled systems.

 # Default "umask" value for pam_umask(8) on PAM enabled systems.

 # UMASK is also used by useradd(8) and newusers(8) to set the mode for new

-# home directories.

+# home directories if HOME_MODE is not set.

 # 022 is the default value, but 027, or even 077, could be considered

 # for increased privacy. There is no One True Answer here: each sysadmin

 # must make up their mind.

 UMASK          022

 

+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new

+# home directories.

+# If HOME_MODE is not set, the value of UMASK is used to create the mode.

+#HOME_MODE     0700

+

 #

 # Password aging controls:

 #

@@ -348,7 +353,6 @@

 # the PAM modules configuration.

 #

 #ENCRYPT_METHOD DES

-ENCRYPT_METHOD SHA512

 

 #

 # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
```
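Review bot: the second hunk's removal of `-ENCRYPT_METHOD SHA512` leaves ENCRYPT_METHOD unset in this file, with only the commented-out `#ENCRYPT_METHOD DES` above it, and the comment that immediately follows, "Only works if ENCRYPT_METHOD is set to SHA256 or SHA512", means the settings after that comment no longer take effect. On a PAM-enabled system the hash used for newly set passwords is chosen by pam_unix (its `sha512` option), not by login.defs, so after this change it is worth confirming that the password stack under /etc/pam.d still requests sha512 rather than relying on this file. Either way this setting only governs how new passwords are hashed; it does not change what an existing hash can be used for.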

But even with ENCRYPT_METHOD SHA512 it is the same.

Do I have to restart something for the modifications to be taken into account?

The error I get is related to CRAM-MD5.

Roundcube error:

```
[21-May-2021 10:57:31 -0400]: <47hctpjq> IMAP Error: Login failed for chris against localhost from 192.168.5.3. AUTHENTICATE CRAM-MD5: A0002 NO [AUTHENTICATIONFAILED] Authentication failed. in /var/www/localhost/htdocs/roundcube/program/lib/Roundcube/rcube_imap.php on line 200 (POST /webmail/?_task=login&_action=login)
```

Roundcube IMAP log:

```
[21-May-2021 10:57:29 -0400]: <47hctpjq> [2B62] Connecting to localhost:143...
[21-May-2021 10:57:29 -0400]: <47hctpjq> [2B62] S: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=CRAM-MD5 AUTH=LOGIN] Dovecot ready.
[21-May-2021 10:57:29 -0400]: <47hctpjq> [2B62] C: A0001 ID ("name" "Roundcube" "version" "1.4.11" "php" "7.4.19" "os" "Linux" "command" "/webmail/?_task=login")
[21-May-2021 10:57:29 -0400]: <47hctpjq> [2B62] S: * ID ("name" "Dovecot")
[21-May-2021 10:57:29 -0400]: <47hctpjq> [2B62] S: A0001 OK ID completed.
[21-May-2021 10:57:29 -0400]: <47hctpjq> [2B62] C: A0002 AUTHENTICATE CRAM-MD5
[21-May-2021 10:57:29 -0400]: <47hctpjq> [2B62] S: + PDM2MTA1ODI4NjcxMTY5NTkuMTYyMTYwOTA0OUB2bXNlcnZldXI+
[21-May-2021 10:57:29 -0400]: <47hctpjq> [2B62] C: ****** [50]
[21-May-2021 10:57:31 -0400]: <47hctpjq> [2B62] S: A0002 NO [AUTHENTICATIONFAILED] Authentication failed.
```

Corresponding Dovecot error:

```
May 21 10:57:31 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<chris>, method=CRAM-MD5, rip=127.0.0.1, lip=127.0.0.1, secured, session=<XMJaR9jCvJF/AAAB>
```

My Dovecot conf, if needed:

```
# dovecot -n
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# OS: Linux 5.10.27-gentoo x86_64 Gentoo Base System release 2.7 ext4
# Hostname: vmserveur.novazur.fr
auth_mechanisms = plain cram-md5 login
auth_username_format = %n
auth_verbose_passwords = sha1:12
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info.log
listen = *
log_path = /var/log/dovecot.log
mail_location = maildir:/var/spool/mail/%n
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = *
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl_cert = </etc/ssl/dovecot/server.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
```

If I modify the Roundcube config `$config['imap_auth_type']` from null (default) to 'PLAIN', it works.

But I'd like to know what changed, and why it doesn't work anymore without modifying the default Roundcube option.

I tried to use gnome-evolution with IMAP and CRAM-MD5 and it failed too. So that's NOT a Roundcube problem. There is an issue somewhere else. PAM issue?

[Edit]

It is possible that

```
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
```

was added recently to Dovecot. Could this be related?

However, with the default config:

```
#unix_listener /var/spool/postfix/private/auth {
#  mode = 0666
#}
```

it's no better.
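The two Dovecot log lines quoted above (the imap-login "Disconnected (auth failed ...)" line and, by implication, the successful login with PLAIN) carry enough structure to confirm the diagnosis mechanically: failures confined to one SASL mechanism while another keeps working. The parser below is an added example, not code from the thread or from Dovecot. The first sample line is the one from the post; the two others are constructed, and the "Login:" line assumes Dovecot's usual successful-login format, which is not shown in the thread.

```python
"""Summarise Dovecot imap-login results per SASL mechanism.

Added example: parses lines of the form shown in the thread and reports
failed and successful logins by mechanism, so that "CRAM-MD5 fails,
PLAIN works" is visible at a glance instead of buried in the log.
"""
import re
from collections import Counter

# Constructed sample: line 1 is the one from the thread; lines 2 and 3 are
# invented. Line 2 assumes Dovecot's usual "Login:" format for a success.
SAMPLE_LOG = """\
May 21 10:57:31 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<chris>, method=CRAM-MD5, rip=127.0.0.1, lip=127.0.0.1, secured, session=<XMJaR9jCvJF/AAAB>
May 21 10:58:02 imap-login: Info: Login: user=<chris>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4242, secured, session=<constructed01>
May 21 10:59:40 imap-login: Info: Disconnected (auth failed, 3 attempts in 9 secs): user=<bob>, method=CRAM-MD5, rip=192.168.5.3, lip=192.168.5.1, secured, session=<constructed02>
"""

# Timestamp, then either the auth-failed disconnect (with its attempt count)
# or a successful "Login", then the comma-separated key=value tail.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) imap-login: Info: "
    r"(?:Disconnected \(auth failed, (?P<attempts>\d+) attempts in \d+ secs\)"
    r"|(?P<ok>Login)): (?P<kv>.*)$"
)


def parse_line(line: str):
    """Return a dict for a recognised imap-login line, else None.

    key=<value> pairs become fields (angle brackets stripped); bare words
    such as "secured" or "TLS" are collected as flags.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, []
    for token in m.group("kv").split(", "):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value.strip("<>")
        else:
            flags.append(token)
    return {
        "ts": m.group("ts"),
        "ok": m.group("ok") is not None,
        "attempts": int(m.group("attempts") or 0),
        "flags": flags,
        **fields,
    }


def auth_summary(log_text: str) -> dict:
    """Count successful logins and failed attempts per SASL mechanism.

    Failed attempts are summed from Dovecot's own "N attempts" figure,
    so one connection with three failures counts as three.
    """
    ok, failed = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ok"]:
            ok[rec["method"]] += 1
        else:
            failed[rec["method"]] += rec["attempts"]
    return {"ok": dict(ok), "failed": dict(failed)}


if __name__ == "__main__":
    for mech, n in sorted(auth_summary(SAMPLE_LOG)["failed"].items()):
        print(f"{mech}: {n} failed attempt(s)")
```

Run against a real /var/log/dovecot_info.log (the path configured as info_log_path above) the summary makes the regression date obvious: the CRAM-MD5 failure count starts climbing after the update, while PLAIN logins continue unchanged.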

----------

## alamahant

Hi, can you please post the output of

```
grep -ir cram /etc/dovecot
```

Where do you store the passwords?

My guess is that dispatch-conf overwrote your modified config.

Either

```
/etc/dovecot/conf.d/10-auth.conf   ####OR
/etc/dovecot/conf.d/auth-passwdfile.conf.ext
```

Let's see...

----------

## Frautoincnam

 *alamahant wrote:*   

> Hi can you plz post the output of
> 
> ```
> 
> grep -ir cram /etc/dovecot
> ...

 

```
# grep -ir cram /etc/dovecot 
/etc/dovecot/conf.d/10-auth.conf:#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
/etc/dovecot/conf.d/10-auth.conf:auth_mechanisms = plain cram-md5 login
```

 *Quote:*   

> My guess is that dispatch-conf overwrote your modified config

 

I don't think so, but I could be wrong.

 *Quote:*   

> Either
> 
> ```
> 
> /etc/dovecot/conf.d/10-auth.conf   ####OR
> ...

 

If you want, but I already gave my Dovecot conf.

```
10-auth.conf

disable_plaintext_auth = no
auth_username_format = %n
auth_mechanisms = plain cram-md5 login
!include auth-system.conf.ext
!include auth-sql.conf.ext
!include auth-ldap.conf.ext
```

```
auth-passwdfile.conf.ext 

passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
}
userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users
}
```

----------

## alamahant

 *Quote:*   

> 
> 
> etc/dovecot/conf.d/10-auth.conf:#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
> 
> /etc/dovecot/conf.d/10-auth.conf:auth_mechanisms = plain cram-md5 login
> ...

 

Please put cram-md5 at the BEGINNING of the list...

Also in dovecot.conf.

Where do you store the passwords?

----------

## Frautoincnam

As indicated in my Dovecot conf (original post), files and ldap.

```
# grep "^passwd" /etc/nsswitch.conf 
passwd:     files ldap
```

----------

## alamahant

LDAP does not understand cram-md5 easily.

Best use a user file for Dovecot.

If needed, regenerate passwords with `doveadm pw -s cram-md5`.

----------

## Frautoincnam

But I WANT/NEED to use LDAP. I don't want to replace it with a simple file.

It has worked like that for 20 years!

I admit that I should not use CRAM-MD5 with LDAP.

But what I'd like to understand is:

what changed recently so that it no longer works, without my changing anything in my Dovecot conf?

The sys-apps/shadow-4.8.1-r3 update on Sun May 16?

----------

## alamahant

Somewhere you have to store the cram-md5 passwords for the email accounts.

Do the email accounts belong to Linux users or LDAP users, or are they external?

This is what I am asking you.

In my case I have a file with this format:

```
user@domain:{CRAM-MD5}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

Dovecot needs this.

Also, please insert cram-md5 first in the auth mechanisms list.
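The point both posters are circling is a property of the mechanism itself: CRAM-MD5 (RFC 2195) is an HMAC-MD5 over a server challenge, keyed with the password, so the verifier must hold the password (or, as with Dovecot's `{CRAM-MD5}` scheme, an HMAC state derived from it). A PAM lookup or an LDAP bind only ever tells Dovecot whether a password is right; it cannot hand over a secret to key the HMAC with, which is why CRAM-MD5 fails while PLAIN succeeds. The following is an added example, not code from the thread or from Dovecot: it works through the exchange using the exact challenge Dovecot sent in the IMAP log above, with a constructed password and a constructed crypt hash, and shows the verifier succeeding against the former and being unable to proceed against the latter.

```python
"""RFC 2195 CRAM-MD5 worked through with the challenge from the thread.

Added example. Both password stores below are constructed; the challenge
is the one Dovecot sent ("S: + ...") in the Roundcube IMAP log.
"""
import base64
import hashlib
import hmac

# Challenge exactly as it appears in the log after "S: + "
DOVECOT_CHALLENGE_B64 = "PDM2MTA1ODI4NjcxMTY5NTkuMTYyMTYwOTA0OUB2bXNlcnZldXI+"


def decode_challenge(challenge_b64: str) -> str:
    """The challenge is base64 over a message-id style string <nonce.time@host>."""
    return base64.b64decode(challenge_b64).decode("ascii")


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client side (RFC 2195): base64("<user> " + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("ascii")).decode("ascii")


# Store 1 (constructed): what a passwd-file with a PLAIN or CRAM-MD5 scheme
# gives the auth process, a secret that can key HMAC-MD5.
PLAINTEXT_STORE = {"chris": "correct horse battery staple"}

# Store 2 (constructed value, not a real hash): what PAM / an LDAP bind /
# a crypt-hashed userPassword gives it, a one-way hash only.
CRYPT_STORE = {"chris": "$6$constructedsalt$notarealhashvalue"}


def verify_cram_md5(response_b64: str, challenge_b64: str, store: dict) -> bool:
    """Server side: rebuild the HMAC from the stored secret, compare in constant time.

    Raises ValueError when the store only holds a crypt hash, because there
    is then nothing to key the HMAC with; this is the LDAP/PAM situation.
    """
    decoded = base64.b64decode(response_b64).decode("ascii")
    username, _, client_digest = decoded.rpartition(" ")
    secret = store.get(username)
    if secret is None:
        return False  # unknown user: fail closed
    if secret.startswith("$"):
        raise ValueError(
            "CRAM-MD5 needs a plaintext-equivalent secret; a crypt hash cannot key HMAC-MD5"
        )
    expected = hmac.new(
        secret.encode("utf-8"), base64.b64decode(challenge_b64), hashlib.md5
    ).hexdigest()
    return hmac.compare_digest(expected, client_digest)


if __name__ == "__main__":
    print("challenge:", decode_challenge(DOVECOT_CHALLENGE_B64))
    resp = cram_md5_response("chris", PLAINTEXT_STORE["chris"], DOVECOT_CHALLENGE_B64)
    print("plaintext store verifies:", verify_cram_md5(resp, DOVECOT_CHALLENGE_B64, PLAINTEXT_STORE))
    try:
        verify_cram_md5(resp, DOVECOT_CHALLENGE_B64, CRYPT_STORE)
    except ValueError as exc:
        print("crypt store:", exc)
```

The decoded challenge, `<3610582867116959.1621609049@vmserveur>`, carries the Unix time 1621609049, which is 10:57:29 -0400 on 21 May 2021, the same second as the log entry. The practical consequence for the configuration in this thread is the one the poster settles on: with PAM and LDAP as the password backends, the server can only offer mechanisms that transmit the password itself (PLAIN, LOGIN), so those should run inside STARTTLS and `disable_plaintext_auth` should be left at its default of `yes` so they are never offered on an unencrypted connection.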

----------

## Frautoincnam

 *alamahant wrote:*   

> Somewhere you have to store the cram-md5 passwords for email accounts
> 
> This is what i am asking you.

 

But I don't want identifiers twice.

I WANT to use LDAP.

I prefer to use the Roundcube option 'PLAIN' rather than not use LDAP.

 *Quote:*   

> Also please insert cram-md5 first in the auth mechanisms list

 

Tried, unsuccessfully.

But all this doesn't answer my questions.

It does not matter. Drop it.

Thank you for your help.

----------

