This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.
Differences between revisions 1 and 12 (spanning 11 versions)
Revision 1 as of 2006-04-08 18:52:30
Size: 1323
Editor: RobMcGee
Comment:
Revision 12 as of 2016-05-03 13:51:47
Size: 2898
Editor: adsl-ull-47-109
Comment: endoding base64 with python
Line 1: Line 1:
## Please edit system and help pages ONLY in the moinmaster wiki! For more
## information, please see MoinMaster:MoinPagesEditorGroup.
##master-page:Troubleshooting
##master-date:Unknown-Date
##acl MoinPagesEditorGroup:read,write,delete,revert All:read
#format wiki
#language en
== Debugging Authentication ==
Numerous settings in dovecot.conf can assist in debugging authentication failures. These are described in the comments in the dovecot-example.conf file that is provided with the source distribution.
## page was renamed from DebuggingAuthentication
= Debugging Authentication =
Line 11: Line 4:
In addition it might be useful to know how to construct and to decode a PLAIN mechanism string. printf(1) and mmencode(1) should be available in most Unix or GNU/Linux systems. (If not, check with your distribution. GNU coreutils includes printf(1), and metamail includes mmencode(1).) The most important thing to do is to set {{{auth_debug=yes}}}, and preferrably also {{{auth_debug_passwords=yes}}}. After that you'll see in the logs exactly what dovecot-auth is doing, and that should help you to fix the problem.
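Review bot: the added sentence misspells "preferably" as "preferrably", and it recommends auth_debug_passwords=yes without saying what the setting does; the only hint comes later in the page ("it would appear in your logs"). Suggest fixing the spelling and stating here that this setting writes the submitted passwords to the log, so readers know what to expect before they enable it.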
Line 13: Line 6:
=== Example authentication string encoding === == PLAIN SASL mechanism ==

With IMAP and POP3 it's easy to log in manually using the IMAP's LOGIN command or POP3's USER and PASS commands (see TestInstallation and TestPop3Installation for details), but with SMTP AUTH you'll need to use PLAIN authentication mechanism, which requires you to build a base64-encoded string in the correct format. The PLAIN authentication is also used internally by both IMAP and POP3 to authenticate to dovecot-auth, so you see it in the debug logs.

The PLAIN mechanism's authentication format is: <authorization ID> NUL <authentication ID> NUL <password>. Authorization ID is the username who you want to log in as, and authentication ID is the username whose password you're giving. If you're not planning on doing a [[Authentication/MasterUsers|master user login]], you can either set both of these fields to the same username, or leave the authorization ID empty.

=== Encoding with mmencode ===
printf(1) and mmencode(1) should be available on most Unix or GNU/Linux systems. (If not, check with your distribution. GNU coreutils includes printf(1), and metamail includes mmencode(1). In Debian, mmencode is called mimencode(1).)
Line 19: Line 20:
This string is what a client would use to attempt PLAIN authentication as user "username" with password "password." With verbose logging, specifically with ''auth_debug_passwords = yes'', it would appear in your logs. This string is what a client would use to attempt PLAIN authentication as user "username" with password "password." With `'auth_debug_passwords=yes`, it would appear in your logs.
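Review bot: the markup around the setting name in the new sentence is unbalanced. It opens with a backtick followed by an apostrophe but closes with a backtick only, so the rendered page shows a stray apostrophe in front of auth_debug_passwords=yes. Suggest dropping the apostrophe, or using the {{{auth_debug_passwords=yes}}} form that the page already uses for auth_debug=yes. The full stop inside the closing quote of "password." also reads as part of the password and would be clearer outside the quotes.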
Line 21: Line 22:
=== Example authentication string decoding === === Decoding with mmencode ===

You can use mmencode -u to interpret the encoded string pasted into stdin as follows:
Line 23: Line 26:
$ echo "FIXME: I don't know how to do this."
FIXME: I don't know how to do this.
}}}
# mmencode -u
bXl1c2VybmFtZUBkb21haW4udGxkAG15dXNlcm5hbWVAZG9tYWluLnRsZABteXBhc3N3b3Jk<CR>
myusername@domain.tldmyusername@domain.tldmypassword<CTRL-D>
#
}}}
You should see the correct user address (twice) and password. The null bytes won't display.

=== Encoding with Perl ===
Unfortunately, mmencode on FreeBSD chokes on "\0". As an alternate, if you have MIME::Base64 on your system, you can use a perl statement to do the same thing:
{{{
perl -MMIME::Base64 -e 'print encode_base64("myusername\@domain.tld\0myusername\@domain.tld\0mypassword");'
}}}
As mmencode -u doesn't encounter any "\0" you can still do:
{{{
perl -MMIME::Base64 -e 'print encode_base64("myusername\@domain.tld\0myusername\@domain.tld\0mypassword");' | mmencode -u
}}}
to check that you have encoded correctly.


=== Encoding with Python ===

With python you can do:
{{{
python -c "import base64; print(base64.encodestring('myusername@domain.tld\0myusername@domain.tld\0mypassword'));"
}}}
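Review bot: the Python one-liner added at the end of this hunk calls base64.encodestring on a text string. On Python 3 that function needs bytes, and it was removed entirely in Python 3.9, so the command fails on current interpreters. Suggest base64.b64encode(b'...').decode(), which works on both Python 2.7 and 3. Separately, the new mmencode -u transcript uses a # prompt while the encoding example uses $; decoding does not need root, so a $ prompt would be consistent.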

Debugging Authentication

The most important thing to do is to set auth_debug=yes, and preferably also auth_debug_passwords=yes. After that you'll see in the logs exactly what dovecot-auth is doing, and that should help you to fix the problem.

PLAIN SASL mechanism

With IMAP and POP3 it's easy to log in manually using IMAP's LOGIN command or POP3's USER and PASS commands (see TestInstallation and TestPop3Installation for details), but with SMTP AUTH you'll need to use the PLAIN authentication mechanism, which requires you to build a base64-encoded string in the correct format. PLAIN authentication is also used internally by both IMAP and POP3 to authenticate to dovecot-auth, so you see it in the debug logs.

The PLAIN mechanism's authentication format is: <authorization ID> NUL <authentication ID> NUL <password>. The authorization ID is the username you want to log in as, and the authentication ID is the username whose password you're giving. If you're not planning on doing a master user login, you can either set both of these fields to the same username, or leave the authorization ID empty.

Encoding with mmencode

printf(1) and mmencode(1) should be available on most Unix or GNU/Linux systems. (If not, check with your distribution. GNU coreutils includes printf(1), and metamail includes mmencode(1). In Debian, mmencode is called mimencode(1).)

$ printf 'username\0username\0password' | mmencode
dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=

This string is what a client would use to attempt PLAIN authentication as user "username" with password "password". With auth_debug_passwords=yes, it would appear in your logs.

Decoding with mmencode

You can use mmencode -u to interpret the encoded string pasted into stdin as follows:

# mmencode -u
bXl1c2VybmFtZUBkb21haW4udGxkAG15dXNlcm5hbWVAZG9tYWluLnRsZABteXBhc3N3b3Jk<CR>
myusername@domain.tldmyusername@domain.tldmypassword<CTRL-D>
#

You should see the correct user address (twice) and password. The null bytes won't display.

Encoding with Perl

Unfortunately, mmencode on FreeBSD chokes on "\0". As an alternative, if you have MIME::Base64 on your system, you can use a Perl statement to do the same thing:

perl -MMIME::Base64 -e 'print encode_base64("myusername\@domain.tld\0myusername\@domain.tld\0mypassword");'

As mmencode -u doesn't encounter any "\0" you can still do:

perl -MMIME::Base64 -e 'print encode_base64("myusername\@domain.tld\0myusername\@domain.tld\0mypassword");' | mmencode -u

to check that you have encoded correctly.

Encoding with Python

With Python you can do:

python -c "import base64; print(base64.b64encode(b'myusername@domain.tld\0myusername@domain.tld\0mypassword').decode())"
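
An encoder and decoder for the PLAIN format described above, which returns the three NUL-separated fields individually instead of running them together as mmencode -u does. This is an added example, not part of the original wiki page or of Dovecot; the function names encode_plain, decode_plain and describe are hypothetical and the sample credentials are constructed.

```python
import base64
import binascii


def encode_plain(authcid, password, authzid=""):
    """Build the base64 PLAIN string: authzid NUL authcid NUL password."""
    for name, value in (("authzid", authzid), ("authcid", authcid),
                        ("password", password)):
        if "\0" in value:
            raise ValueError(name + " must not contain NUL")
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(b64_string):
    """Return (authzid, authcid, password) from a base64 PLAIN string."""
    try:
        raw = base64.b64decode(b64_string.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid base64: %s" % exc)
    fields = raw.split(b"\0")
    if len(fields) != 3:
        raise ValueError("expected 2 NUL separators, found %d"
                         % (len(fields) - 1))
    authzid, authcid, password = (f.decode("utf-8") for f in fields)
    if not authcid:
        raise ValueError("authentication ID is empty")
    return authzid, authcid, password


def describe(b64_string):
    """One-line summary of a PLAIN string with the password left out."""
    authzid, authcid, password = decode_plain(b64_string)
    login_as = authzid or authcid  # an empty authzid means "same as authcid"
    master = bool(authzid) and authzid != authcid
    kind = "master user login" if master else "normal login"
    return "%s: log in as %r using the password of %r (%d chars)" % (
        kind, login_as, authcid, len(password))


if __name__ == "__main__":
    # Constructed sample values in the style of the examples on this page.
    print(encode_plain("username", "password", authzid="username"))
    print(decode_plain("dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ="))
    print(describe(encode_plain("admin", "adminpass", authzid="username")))
```
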

None: Debugging/Authentication (last edited 2021-07-07 23:38:27 by MichaelSlusarz)