
I have a dovecot server running on an Ubuntu 14.04 server, which reads the login-data (user/domain/password) from a mysql-database.

The passwords are saved as salted SHA256 hashes. To generate these, I use the command doveadm pw -s SHA512-CRYPT. According to the Dovecot wiki's Authentication PasswordSchemes page, the command uses glibc's crypt() function.

Now, when I use a password without special characters (uppercase/lowercase letters and numbers) like "t3st", I can successfully log in to the corresponding mail account. But as soon as the password contains any other characters (e.g. t3$t), I can't log in anymore. doveadm will in both cases return seemingly valid hashes (e.g. $6$iADbo7odiTlVjYgl$fi0X/kIHSUmAHAAiHIsXU6ow3j9dshL9mX.VTCDFOBMt.aV/.ZWpadLk3AFPD30EZ7SiyaqAR66YlTPoeQrcH/).

I tried logging in to the server via Thunderbird and a web-based mail interface, with both giving the same error message in the log files:

dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs) ...

I also tried using the MD5-CRYPT "encryption", with the same results.

notepass

2 Answers

2

The doveadm pw documentation contains the following information:

"You should enclose the password hash in single quotes, if it contains one or more dollar signs ($)."

1

You could try adding

auth_debug = yes
auth_debug_passwords = yes
auth_verbose_passwords = yes

to your Dovecot configuration. This way you will see which passwords Dovecot actually receives from the clients and compares against passdb.

thuovila
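
The quoting rule cited in the first answer, shown as an added example (not part of the original posts or of Dovecot): it contrasts single and double quoting of the hash and password from the question and checks the result against the SHA512-CRYPT layout. The function names are hypothetical, and doveadm is not needed to run it.

```shell
#!/bin/sh
# Added example: hash and password are the samples from the question;
# all function names are hypothetical.

# Succeeds if $1 has the SHA512-CRYPT layout $6$[rounds=N$]salt$hash:
# a 1-16 character salt and an 86-character hash over [./0-9A-Za-z].
is_sha512_crypt() {
    printf '%s\n' "$1" |
        grep -Eq '^\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$'
}

# Single quotes: every character reaches the command unchanged.
hash_single_quoted() {
    printf '%s' '$6$iADbo7odiTlVjYgl$fi0X/kIHSUmAHAAiHIsXU6ow3j9dshL9mX.VTCDFOBMt.aV/.ZWpadLk3AFPD30EZ7SiyaqAR66YlTPoeQrcH/'
}

# Double quotes (deliberately wrong): $6, $iADbo7odiTlVjYgl and $fi0X are
# expanded as unset parameters, so only the tail after "$fi0X" survives.
hash_double_quoted() {
    printf '%s' "$6$iADbo7odiTlVjYgl$fi0X/kIHSUmAHAAiHIsXU6ow3j9dshL9mX.VTCDFOBMt.aV/.ZWpadLk3AFPD30EZ7SiyaqAR66YlTPoeQrcH/"
}

# The same expansion applied to the password: "$t" is unset, leaving "t3".
password_double_quoted() {
    printf '%s' "t3$t"
}

# Print a value together with the result of the layout check.
report() {
    if is_sha512_crypt "$2"; then verdict="valid SHA512-CRYPT layout"
    else verdict="NOT a SHA512-CRYPT hash (mangled before storage?)"; fi
    printf '%-14s %s\n  -> %s\n' "$1" "$2" "$verdict"
}

report "single quotes:" "$(hash_single_quoted)"
report "double quotes:" "$(hash_double_quoted)"
printf 'password typed as "t3$t" reaches the command as: %s\n' "$(password_double_quoted)"
```

The same layout check can be run against values already stored in the password column to spot hashes that were truncated on their way into the database.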