# Courier-imap : authentication works with similar password

## Daivil

Hi everybody,

I'm having a very strange behaviour with courier-imap/authlib authentication process.

I'm using a mysql database for storing account credentials. In the database, passwords are encrypted using the ENCRYPT() embedded function.

The problem is that the same account logs in successfully with many "similar" passwords.

Example: if the password in the database is example2010, login works with example, example2, example9999 but does NOT work with exampl.

Here is my authmysqlrc:

> MYSQL_SERVER        localhost
> MYSQL_USERNAME        postfix
> MYSQL_PASSWORD        password
> ...


And my authdaemonrc:

> authmodulelist="authmysql "
> authmodulelistorig="authuserdb authpam authshadow authmysql authcustom authpipe"
> daemons=25
> ...


Login logs with the real password:

> Oct 18 10:24:46 nx3115 imapd: Connection, ip=[127.0.0.1]
> Oct 18 10:24:46 nx3115 authdaemond: received auth request, service=imap, authtype=login
> Oct 18 10:24:46 nx3115 authdaemond: authmysql: trying this module
> ...


Login logs with a similar password:

> Oct 18 10:32:24 nx3115 imapd: Connection, ip=[127.0.0.1]
> Oct 18 10:32:24 nx3115 authdaemond: received auth request, service=imap, authtype=login
> Oct 18 10:32:24 nx3115 authdaemond: authmysql: trying this module
> ...


Any idea?

Thanks for your help!

----------

## Anarcho

From the website: http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html#function_encrypt

> ENCRYPT() ignores all but the first eight characters of str, at least on some systems. This behavior is determined by the implementation of the underlying crypt() system call.


----------

## Daivil

Omg...

What do you suggest then? Using anything else but ENCRYPT for passwords?

----------

## Anarcho

I use SHA1 hashes in the crypted field; the value looks like "{SHA}....." where the ... is the base64 string of the SHA1 hash of the password.

I've written a little web interface for my mysql tables which are in use by postfix, courier and pure-ftpd (and a small patch for pure-ftpd to work with SHA1).
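
The {SHA} field Anarcho describes, as an added Python illustration (not code from the thread or from Courier): make_sha_field builds the stored value and verify_sha_field checks a candidate against it; both helper names are assumptions of mine. Every character of the password feeds the digest, so example9999 no longer matches example2010 the way it does under an eight-character crypt(); unsalted SHA1 is still cheap to brute-force offline, so a salted, iterated scheme is preferable where the software accepts one.

```python
import base64
import hashlib
import hmac

SHA_PREFIX = "{SHA}"


def make_sha_field(password: str) -> str:
    """Build the stored field: "{SHA}" + base64(raw SHA-1 digest of password)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SHA_PREFIX + base64.b64encode(digest).decode("ascii")


def verify_sha_field(candidate: str, stored: str) -> bool:
    """Return True only if candidate hashes to the digest held in a {SHA} field.

    Hypothetical helper, not authlib's own code: it mirrors the comparison a
    {SHA}-aware authenticator performs, using a constant-time compare so the
    time taken does not depend on how many leading bytes happen to match.
    """
    if not stored.startswith(SHA_PREFIX):
        raise ValueError("not a {SHA} field")
    try:
        # validate=True rejects junk instead of silently skipping it
        expected = base64.b64decode(stored[len(SHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(expected) != hashlib.sha1().digest_size:  # SHA-1 digests are 20 bytes
        return False
    actual = hashlib.sha1(candidate.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    # Constructed sample: the thread's real password and the "similar" ones.
    stored = make_sha_field("example2010")
    print(stored)
    for attempt in ("example2010", "example", "example2", "example9999", "exampl"):
        print(f"{attempt:12s} -> {verify_sha_field(attempt, stored)}")
```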

----------

