imageinabox

Hey All,

I'm moving from Plesk to cPanel and both servers use Courier-IMAP, but I'm running into an authentication problem.

The old server (Plesk) offers these methods:
Code:
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 
AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 AUTH=PLAIN IDLE ACL ACL2=UNION] Courier-IMAP ready. 
Copyright 1998-2011 Double Precision, Inc.  See COPYING for distribution information.

The new server (cPanel) offers these methods:
Code:
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN 
ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc.  See COPYING for distribution information.

AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 are missing from the new cPanel server. I'm moving over 100+ email accounts and most of the devices connected to the server use MD5 Challenge Response for authentication.

Does anyone have any ideas on how to fix this or enable CRAM methods?

Thanks,
Justin
 

cPanelPeter

Hello,

CRAM-MD5 authentication allows IMAP clients to authenticate themselves without sending the password in clear-text over the network. Courier-IMAP now supports CRAM-MD5 by default, but it is not enabled for reasons explained below. CRAM-MD5 support is implemented by the authcram module, with one exception - authldap, authpgsql, and authmysql support CRAM-MD5 authentication if the LDAP or the MySQL/PostgreSQL server stores clear-text passwords, and not crypt-ed passwords.

To use CRAM-MD5 it is necessary to use an IMAP client that supports CRAM-MD5 authentication, of course. That's the easy part.

The problem is that it is not possible to use the system password when logging in using CRAM-MD5. That's because CRAM-MD5 requires the knowledge of the actual password, in the clear, in order to calculate authentication tokens (even though the password itself is not sent in the clear over the network).

So, implementation of CRAM-MD5 is an advanced task that should be attempted only when you are comfortable with, and fully understand, how Courier-IMAP works in general.

Steps to enable CRAM-MD5 and other authorization methods:

1) Back up the /usr/lib/courier-imap/etc/imapd file
2) Edit the /usr/lib/courier-imap/etc/imapd file and find the line:

IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"

Add the authentication methods you want to support to this line. Example:

IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"

Save the file and restart courier-imap services with /scripts/restartsrv_imap

That should do the trick.
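
The exchange the reply above describes, written out for both sides as an added example (not part of the original thread, and not Courier's or cPanel's code). The user, password and challenge are the sample values from RFC 2195; the two dictionaries are constructed stand-ins for a clear-text store and a hash-only store.

```python
"""CRAM-MD5 (RFC 2195): client response and server check, on constructed data."""
import base64
import hashlib
import hmac


def client_response(user: str, password: str, challenge_b64: str) -> str:
    """Client side: HMAC-MD5 the decoded challenge with the password as key."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(secrets: dict, challenge_b64: str, response_b64: str) -> bool:
    """Server side: recompute the HMAC from whatever secret is stored."""
    try:
        decoded = base64.b64decode(response_b64).decode()
        challenge = base64.b64decode(challenge_b64)
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, digest = decoded.rpartition(" ")
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.lower().encode())


# Sample values from RFC 2195 section 2.
USER, PASSWORD = "tim", "tanstaaftanstaaf"
CHALLENGE = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()

# Constructed store A: the clear-text password is available to the server.
CLEARTEXT_DB = {USER: PASSWORD}
# Constructed store B: only a one-way hash is kept (SHA-256 here stands in
# for a crypt(3)-style system password hash).
HASHED_DB = {USER: hashlib.sha256(PASSWORD.encode()).hexdigest()}


def demo():
    """Return (result with clear-text store, result with hash-only store)."""
    resp = client_response(USER, PASSWORD, CHALLENGE)
    return (server_verify(CLEARTEXT_DB, CHALLENGE, resp),
            server_verify(HASHED_DB, CHALLENGE, resp))


if __name__ == "__main__":
    print(demo())
```

With the hash-only store the server has nothing it can key the HMAC with, so a correct client response is still rejected even though the mechanism is advertised.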
 

imageinabox

Hey Peter,

Thanks for that. I added the lines to the Capability and now webmail and mail both get failed logins.

Restarted imap. Verified CRAM-MD5 was showing in the capability list.

Code:
Dec 26 15:59:45 metal imapd: Connection, ip=[::1]
Dec 26 15:59:45 metal imapd: LOGIN FAILED, method=CRAM-MD5, ip=[::1]
Dec 26 15:59:50 metal imapd: Disconnected, ip=[::1], time=5
Code:
Dec 26 16:03:47 metal imapd: Connection, ip=[::ffff:50.130.8.25]
Dec 26 16:03:47 metal imapd-ssl: Connection, ip=[::ffff:50.130.8.25]
Dec 26 16:03:48 metal imapd-ssl: LOGIN FAILED, method=CRAM-MD5, ip=[::ffff:50.130.8.25]

I tried resetting the password in the panel again just to make sure.

Any other ideas?
 

imageinabox

More debugging information:
Code:
Dec 27 15:39:32 metal authdaemond: modules="authpipe", daemons=3
Dec 27 15:39:32 metal authdaemond: Installing libauthpipe
Dec 27 15:39:32 metal authdaemond: Installation complete: authpipe
Dec 27 15:39:48 metal imapd: Connection, ip=[::1]
Dec 27 15:39:48 metal imapd: LOGIN: ip=[::1], command=AUTHENTICATE
Dec 27 15:39:48 metal authdaemond: received auth request, service=imap, authtype=cram-md5
Dec 27 15:39:48 metal authdaemond: authpipe: trying this module
Dec 27 15:39:48 metal authdaemond: closing pipe
Dec 27 15:39:48 metal authdaemond: forking new one
Dec 27 15:39:48 metal authdaemond: attempting to fork
Dec 27 15:39:48 metal authdaemond: Pipe auth. started Pipe-program (pid 28380)
Dec 27 15:39:48 metal authdaemond: new pipe has in: 8, out: 7
Dec 27 15:39:48 metal authdaemond: executing /etc/authlib/authProg
Dec 27 15:39:48 metal authdaemond: authpipe: REJECT - try next module
Dec 27 15:39:48 metal authdaemond: FAIL, all modules rejected
Dec 27 15:39:48 metal imapd: LOGIN FAILED, method=CRAM-MD5, ip=[::1]
Dec 27 15:39:53 metal imapd: Disconnected, ip=[::1], time=5

It looks like the authProg (/usr/local/cpanel/bin/courier-auth) is not built to handle CRAM-MD5. cPanel, can you confirm this?

Thanks,
Justin
 

cPanelMichael

All,

I developed a solution with Hooks and the authuserdb lib. I also got Exim to work with the same userdb with the help of the Exim IRC channel and Exim Wiki.

I will post my solution at a later point.
Thank you for updating this thread with the outcome. We look forward to the posted solution.