SASL登录认证失败:UGFzc3dvcmQ6

CentOS6.6, Postfix, dovecot 2.0.9和MySQL 5.1.73

鸽巢配置(/etc/dovecot/dovecot-sql.conf.ext):

driver = mysql    
connect = host=127.0.0.1 dbname=postfix user=root password=lingo
default_pass_scheme = SHA512
password_query = SELECT email as user, password FROM virtual_user WHERE email='%u';

MySQL数据库:

mysql> SELECT email as user, password FROM virtual_user WHERE email='lingo.lin1@radicasys.com';
+--------------------------+------------------------------------------------------------------------------------------------------------+
| user                     | password                                                                                                   |
+--------------------------+------------------------------------------------------------------------------------------------------------+
| lingo.lin1@example.com | 0da3b4b0385c432a800ca15eae1a8485e5f7abad7b70b4e1c2b9cf15f68afd256cedb2029c6f7cec09e1221e6b10142081e1bb8e5c |
+--------------------------+------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

密码由commons-codec生成，Java代码:

System.out.println(DigestUtils.sha512Hex("lingo".getBytes()));
//print :0da3b4b0385c432a800ca15eae1a8485e5f7abad7b70b4e1c2b9cf15f68afd256cedb2029c6f7cec09e1221e6b10142081e1bb8e5c

现在我写了一些java代码来验证:

public static void sendEmail() throws EmailException, GeneralSecurityException {
        SimpleEmail email = new SimpleEmail();
        // smtp host
        email.setHostName("192.168.15.139");
        email.setSmtpPort(25);
        email.setDebug(true);
        // DigestUtils.sha512Hex("lingo".getBytes())
        email.setAuthentication("lingo.lin1@example.com", "lingo");
        email.setStartTLSEnabled(true);
        MailSSLSocketFactory socketFactory = new MailSSLSocketFactory();
        socketFactory.setTrustAllHosts(true);
        Properties propsSSL = email.getMailSession().getProperties();
        propsSSL.put("mail.smtp.port", "465");
        propsSSL.put("mail.smtp.ssl.checkserveridentity", "false");
        propsSSL.put("mail.smtp.ssl.socketFactory", socketFactory);
        email.addTo("lingo.lin@qamail.rimanggis.com", "John Doe");
        email.setFrom("lingo.lin@radicasys.com", "Me");
        email.setSubject("Test message");
        email.setMsg("This is a simple test of commons-email");
        email.send();
        System.out.println("success");
    }
    public static void main(String[] args) throws Exception {
        SendEmailTest.sendEmail();
        // System.out.println(DigestUtils.sha512Hex("lingo".getBytes()));
    }

但是失败了，出现以下错误:

Sep 12 13:30:51 localhost dovecot: auth: Debug: sql(lingo.lin1@radicasys.com,192.168.15.243): query: SELECT email as user, password FROM virtual_user WHERE email='lingo.lin1@radicasys.com';
Sep 12 13:30:51 localhost dovecot: auth: Error: sql(lingo.lin1@radicasys.com,192.168.15.243): Password in passdb is not in expected scheme SHA512
Sep 12 13:30:53 localhost postfix/smtpd[1872]: warning: unknown[192.168.15.243]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 12 13:30:53 localhost dovecot: auth: Debug: client out: FAIL#0115#011user=lingo.lin1@radicasys.com
Sep 12 13:30:53 localhost postfix/smtpd[1872]: lost connection after AUTH from unknown[192.168.15.243]
Sep 12 13:30:53 localhost postfix/smtpd[1872]: disconnect from unknown[192.168.15.243]

如何修复认证?

这是一个鸽巢配置问题。Dovecot知道两种散列编码，"传统"十六进制编码(即。SHA512.HEX)和base64编码(即。SHA512.b64)。后者在作为字符串存储时更节省空间，并且在Dovecot中是默认的。使用sha512、sha512.b64和sha512.hex编码生成哈希的示例:

$ doveadm pw -p lingo -s sha512
{SHA512}DaO0sDhcQyqADKFerhqEheX3q617cLThwrnPFfaK/SVs7bICnG987AnhIh5rEBQggeG7jlyAL7l+g8iTwo2GFA==
$ doveadm pw -p lingo -s sha512.b64
{SHA512.b64}DaO0sDhcQyqADKFerhqEheX3q617cLThwrnPFfaK/SVs7bICnG987AnhIh5rEBQggeG7jlyAL7l+g8iTwo2GFA==
$ doveadm pw -p lingo -s sha512.hex
{SHA512.HEX}0da3b4b0385c432a800ca15eae1a8485e5f7abad7b70b4e1c2b9cf15f68afd256cedb2029c6f7cec09e1221e6b10142081e1bb8e5c802fb97e83c893c28d8614

如果在Java中创建十六进制编码的密码哈希，请使用default_pass_scheme = SHA512.HEX。更好的解决方案是使用Dovecot的{SCHEME}hash编码而不是设置default_pass_scheme，但是这样做，您可以稍后轻松地更改/升级哈希方法，而不会立即使所有用户的密码无效。此方案中使用的散列示例:

{SHA512.hex}0da3b4b0385c432a800ca15eae1a8485e5f7abad7b70b4e1c2b9cf15f68afd256cedb2029c6f7cec09e1221e6b10142081e1bb8e5c

最后:密码的普通哈希是永远不会保存，也不是当使用大SHA512哈希时。永远不要存储未加盐的密码哈希，如果数据库泄露，您很容易受到彩虹表攻击。

由以下代码生成:

private String SHA(final String strText, final String strType) {
        String strResult = null;
        if (strText != null && strText.length() > 0) {
            try {
                MessageDigest messageDigest = MessageDigest.getInstance(strType);
                messageDigest.update(strText.getBytes());
                byte byteBuffer[] = messageDigest.digest();
                StringBuffer strHexString = new StringBuffer();
                for (int i = 0; i < byteBuffer.length; i++) {
                    String hex = Integer.toHexString(0xff & byteBuffer[i]);
                    if (hex.length() == 1) {
                        strHexString.append('0');
                    }
                    strHexString.append(hex);
                }
                strResult = strHexString.toString();
            } catch (NoSuchAlgorithmException e) {
                e.printStackTrace();
            }
        }
        return strResult;
    }
    public static void main(String[] args) {
        EncryptUtils et=new EncryptUtils();
        String pas=et.SHA512("lingo");
        System.out.println("{SHA512.HEX}"+pas);
    }

相关内容

最新更新

热门标签：