Courier CRAM-MD5?

Discussion in 'E-mail Discussions' started by imageinabox, Dec 26, 2013.

  1. imageinabox

    imageinabox Member

    Hey All,

    I'm moving from Plesk to cPanel and both servers use Courier-IMAP, but I'm running into an authentication problem.

    The old server (Plesk) offers these methods:
    Code:
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5
    AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 AUTH=PLAIN IDLE ACL ACL2=UNION] Courier-IMAP ready.
    Copyright 1998-2011 Double Precision, Inc.  See COPYING for distribution information.

    The new server (cPanel) offers these methods:
    Code:
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN
    ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc.  See COPYING for distribution information.

    AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 are missing from the new cPanel server. I'm moving over 100+ email accounts and most of the devices connected to the server use MD5 Challenge Response for authentication.

    Does anyone have any ideas on how to fix this or enable CRAM methods?

    Thanks,
    Justin
     
  2. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Hello,

    CRAM-MD5 authentication allows IMAP clients to authenticate themselves without sending the password in clear-text over the network. Courier-IMAP now supports CRAM-MD5 by default, but it is not enabled for reasons explained below. CRAM-MD5 support is implemented by the authcram module, with one exception - authldap, authpgsql, and authmysql support CRAM-MD5 authentication if the LDAP or the MySQL/PostgreSQL server stores clear-text passwords, and not crypt-ed passwords.

    To use CRAM-MD5 it is necessary to use an IMAP client that supports CRAM-MD5 authentication, of course. That's the easy part.

    The problem is that it is not possible to use the system password when logging in using CRAM-MD5. That's because CRAM-MD5 requires the knowledge of the actual password, in the clear, in order to calculate authentication tokens (even though the password itself is not sent in the clear over the network).

    So, implementation of CRAM-MD5 is an advanced task that should be attempted only when you are comfortable with, and fully understand, how Courier-IMAP works in general.

    Steps to enable CRAM-MD5 and other authorization methods:

    1) Back up the /usr/lib/courier-imap/etc/imapd file
    2) Edit the /usr/lib/courier-imap/etc/imapd file and find the line:

    IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"

    Add the authentication methods you want to support to this line. Example:

    IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"

    Save the file and restart courier-imap services with /scripts/restartsrv_imap

    That should do the trick.
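
Added example (not part of the original thread and not cPanel or Courier code): a minimal CRAM-MD5 exchange per RFC 2195, showing why the server needs the clear-text secret for the point made in the reply above, while AUTH=PLAIN can be checked against a one-way hash. The challenge, user and secret are the RFC 2195 sample values; `one_way` is a simplified stand-in for a crypt-ed system password.

```python
import base64
import hashlib
import hmac

# RFC 2195 sample values (not data from this thread).
CHALLENGE_B64 = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
USER, PASSWORD = "tim", "tanstaaftanstaaf"

def one_way(password: str) -> bytes:
    """Stand-in for a crypt-ed system password (assumption: unsalted SHA-256)."""
    return hashlib.sha256(password.encode()).hexdigest().encode()

CLEAR_STORE = {USER: PASSWORD.encode()}   # secret usable as the HMAC key
HASHED_STORE = {USER: one_way(PASSWORD)}  # what a system password file holds

def client_response(user: str, password: str, challenge_b64: str) -> str:
    """Client: HMAC-MD5 the challenge with the password; the password never travels."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def cram_verify(store: dict, challenge_b64: str, response_b64: str) -> bool:
    """Server: recompute the HMAC, which requires the same key the client used."""
    try:
        user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return False
    key = store.get(user)
    if key is None:
        return False
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(key, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())

def plain_verify(store: dict, user: str, password: str) -> bool:
    """AUTH=PLAIN: the server sees the password, so it can hash it and compare."""
    stored = store.get(user)
    return stored is not None and hmac.compare_digest(stored, one_way(password))

if __name__ == "__main__":
    resp = client_response(USER, PASSWORD, CHALLENGE_B64)
    print("client sends:", base64.b64decode(resp).decode())
    print("CRAM-MD5 vs clear-text store:", cram_verify(CLEAR_STORE, CHALLENGE_B64, resp))
    print("CRAM-MD5 vs hashed store:   ", cram_verify(HASHED_STORE, CHALLENGE_B64, resp))
    print("PLAIN vs hashed store:      ", plain_verify(HASHED_STORE, USER, PASSWORD))
```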
     
  3. imageinabox

    Hey Peter,

    Thanks for that. I added the lines to the Capability and now webmail and mail both get failed logins.

    Restarted imap. Verified CRAM-MD5 was showing in the capability list.

    Code:
    Dec 26 15:59:45 metal imapd: Connection, ip=[::1]
    Dec 26 15:59:45 metal imapd: LOGIN FAILED, method=CRAM-MD5, ip=[::1]
    Dec 26 15:59:50 metal imapd: Disconnected, ip=[::1], time=5

    Code:
    Dec 26 16:03:47 metal imapd: Connection, ip=[::ffff:50.130.8.25]
    Dec 26 16:03:47 metal imapd-ssl: Connection, ip=[::ffff:50.130.8.25]
    Dec 26 16:03:48 metal imapd-ssl: LOGIN FAILED, method=CRAM-MD5, ip=[::ffff:50.130.8.25]

    I tried resetting the password in the panel again just to make sure.

    Any other ideas?
     
  4. imageinabox

    In case you need this information:
    • cPanel Version: 11.40.1.8
    • Exim Version: 4.82-2
     
  5. imageinabox

    More debugging information:
    Code:
    Dec 27 15:39:32 metal authdaemond: modules="authpipe", daemons=3
    Dec 27 15:39:32 metal authdaemond: Installing libauthpipe
    Dec 27 15:39:32 metal authdaemond: Installation complete: authpipe
    Dec 27 15:39:48 metal imapd: Connection, ip=[::1]
    Dec 27 15:39:48 metal imapd: LOGIN: ip=[::1], command=AUTHENTICATE
    Dec 27 15:39:48 metal authdaemond: received auth request, service=imap, authtype=cram-md5
    Dec 27 15:39:48 metal authdaemond: authpipe: trying this module
    Dec 27 15:39:48 metal authdaemond: closing pipe
    Dec 27 15:39:48 metal authdaemond: forking new one
    Dec 27 15:39:48 metal authdaemond: attempting to fork
    Dec 27 15:39:48 metal authdaemond: Pipe auth. started Pipe-program (pid 28380)
    Dec 27 15:39:48 metal authdaemond: new pipe has in: 8, out: 7
    Dec 27 15:39:48 metal authdaemond: executing /etc/authlib/authProg
    Dec 27 15:39:48 metal authdaemond: authpipe: REJECT - try next module
    Dec 27 15:39:48 metal authdaemond: FAIL, all modules rejected
    Dec 27 15:39:48 metal imapd: LOGIN FAILED, method=CRAM-MD5, ip=[::1]
    Dec 27 15:39:53 metal imapd: Disconnected, ip=[::1], time=5
    
    It looks like the authProg (/usr/local/cpanel/bin/courier-auth) is not built to handle CRAM-MD5. cPanel, can you confirm this?

    Thanks,
    Justin
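
Added example (not written by the thread's participants): a small triage script over the authdaemond debug lines posted above. For each request that every module rejected, it reports the authtype, the modules tried, and whether any loaded module is one this thread names for CRAM. The `CRAM_CAPABLE` set and the hint wording are assumptions drawn from the posts here, not a Courier API.

```python
import re

# Modules this thread names for CRAM support (assumption drawn from the posts:
# authcram, authldap, authpgsql, authmysql in the staff reply; authuserdb in the fix).
CRAM_CAPABLE = {"authcram", "authldap", "authpgsql", "authmysql", "authuserdb"}

# Lines copied from the debug log in the post above (abridged).
SAMPLE_LOG = '''\
Dec 27 15:39:32 metal authdaemond: modules="authpipe", daemons=3
Dec 27 15:39:48 metal imapd: LOGIN: ip=[::1], command=AUTHENTICATE
Dec 27 15:39:48 metal authdaemond: received auth request, service=imap, authtype=cram-md5
Dec 27 15:39:48 metal authdaemond: authpipe: trying this module
Dec 27 15:39:48 metal authdaemond: authpipe: REJECT - try next module
Dec 27 15:39:48 metal authdaemond: FAIL, all modules rejected
Dec 27 15:39:48 metal imapd: LOGIN FAILED, method=CRAM-MD5, ip=[::1]
'''

MODULES = re.compile(r'authdaemond: modules="([^"]*)"')
REQUEST = re.compile(r"authdaemond: received auth request, service=([^,\s]+), authtype=(\S+)")
TRYING = re.compile(r"authdaemond: (\w+): trying this module")
ALL_FAILED = re.compile(r"authdaemond: FAIL, all modules rejected")

def triage(log: str) -> list:
    """Return one finding per auth request that every loaded module rejected."""
    loaded, current, findings = [], None, []
    for line in log.splitlines():
        if m := MODULES.search(line):
            loaded = m.group(1).split()          # module list announced at startup
        elif m := REQUEST.search(line):
            current = {"service": m.group(1), "authtype": m.group(2), "tried": []}
        elif current and (m := TRYING.search(line)):
            current["tried"].append(m.group(1))
        elif current and ALL_FAILED.search(line):
            capable = sorted(CRAM_CAPABLE.intersection(loaded))
            is_cram = current["authtype"].startswith("cram-")
            current["cram_capable_loaded"] = capable
            current["hint"] = (
                "no module the thread names for CRAM is loaded"
                if is_cram and not capable
                else "rejected by the loaded modules; check credentials or stored secret"
            )
            findings.append(current)
            current = None
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```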
     
  6. imageinabox

    All,

    I developed a solution with Hooks and the authuserdb lib. I also got Exim to work with the same userdb with the help of the Exim IRC channel and the Exim Wiki.

    I will post my solution at a later point.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Thank you for updating this thread with the outcome. We look forward to the posted solution.
     