SASL LOGIN身份验证失败:UGFzc3dvcmQ6

时间:2016-09-12 07:15:36

标签: java mysql dovecot postfix

CentOS6.6,Postfix,dovecot 2.0.9和MySQL 5.1.73

dovecot配置(/etc/dovecot/dovecot-sql.conf.ext):

driver = mysql    
connect = host=127.0.0.1 dbname=postfix user=root password=lingo

default_pass_scheme = SHA512
password_query = SELECT email as user, password FROM virtual_user WHERE email='%u';

MySQL数据库:

mysql> SELECT email as user, password FROM virtual_user WHERE email='lingo.lin1@radicasys.com';
+--------------------------+------------------------------------------------------------------------------------------------------------+
| user                     | password                                                                                                   |
+--------------------------+------------------------------------------------------------------------------------------------------------+
| lingo.lin1@example.com | 0da3b4b0385c432a800ca15eae1a8485e5f7abad7b70b4e1c2b9cf15f68afd256cedb2029c6f7cec09e1221e6b10142081e1bb8e5c |
+--------------------------+------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

密码由commons-codec生成,Java代码:

System.out.println(DigestUtils.sha512Hex("lingo".getBytes()));
//print :0da3b4b0385c432a800ca15eae1a8485e5f7abad7b70b4e1c2b9cf15f68afd256cedb2029c6f7cec09e1221e6b10142081e1bb8e5c

现在我写了一些Java代码进行身份验证:

public static void sendEmail() throws EmailException, GeneralSecurityException {

        SimpleEmail email = new SimpleEmail();
        // smtp host
        email.setHostName("192.168.15.139");
        email.setSmtpPort(25);
        email.setDebug(true);
        // DigestUtils.sha512Hex("lingo".getBytes())
        email.setAuthentication("lingo.lin1@example.com", "lingo");

        email.setStartTLSEnabled(true);
        MailSSLSocketFactory socketFactory = new MailSSLSocketFactory();
        socketFactory.setTrustAllHosts(true);
        Properties propsSSL = email.getMailSession().getProperties();
        propsSSL.put("mail.smtp.port", "465");
        propsSSL.put("mail.smtp.ssl.checkserveridentity", "false");
        propsSSL.put("mail.smtp.ssl.socketFactory", socketFactory);
        email.addTo("lingo.lin@qamail.rimanggis.com", "John Doe");
        email.setFrom("lingo.lin@radicasys.com", "Me");
        email.setSubject("Test message");
        email.setMsg("This is a simple test of commons-email");
        email.send();
        System.out.println("success");
    }

    public static void main(String[] args) throws Exception {
        SendEmailTest.sendEmail();
        // System.out.println(DigestUtils.sha512Hex("lingo".getBytes()));
    }

但它失败并出现以下错误:

Sep 12 13:30:51 localhost dovecot: auth: Debug: sql(lingo.lin1@radicasys.com,192.168.15.243): query: SELECT email as user, password FROM virtual_user WHERE email='lingo.lin1@radicasys.com';
Sep 12 13:30:51 localhost dovecot: auth: Error: sql(lingo.lin1@radicasys.com,192.168.15.243): Password in passdb is not in expected scheme SHA512
Sep 12 13:30:53 localhost postfix/smtpd[1872]: warning: unknown[192.168.15.243]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 12 13:30:53 localhost dovecot: auth: Debug: client out: FAIL#0115#011user=lingo.lin1@radicasys.com
Sep 12 13:30:53 localhost postfix/smtpd[1872]: lost connection after AUTH from unknown[192.168.15.243]
Sep 12 13:30:53 localhost postfix/smtpd[1872]: disconnect from unknown[192.168.15.243]

如何修复身份验证?

2 个答案:

答案 0 :(得分:1)

这是dovecot配置问题。 Dovecot知道两种散列编码,即“传统”十六进制编码(即SHA512.HEX)和Base64编码(即SHA512.b64)。后者在存储为字符串时更节省空间,默认情况下在Dovecot中。使用sha512sha512.b64sha512.hex编码生成哈希的示例:

$ doveadm pw -p lingo -s sha512
{SHA512}DaO0sDhcQyqADKFerhqEheX3q617cLThwrnPFfaK/SVs7bICnG987AnhIh5rEBQggeG7jlyAL7l+g8iTwo2GFA==
$ doveadm pw -p lingo -s sha512.b64
{SHA512.b64}DaO0sDhcQyqADKFerhqEheX3q617cLThwrnPFfaK/SVs7bICnG987AnhIh5rEBQggeG7jlyAL7l+g8iTwo2GFA==
$ doveadm pw -p lingo -s sha512.hex
{SHA512.HEX}0da3b4b0385c432a800ca15eae1a8485e5f7abad7b70b4e1c2b9cf15f68afd256cedb2029c6f7cec09e1221e6b10142081e1bb8e5c802fb97e83c893c28d8614

如果在Java中创建十六进制编码的密码哈希值,请使用default_pass_scheme = SHA512.HEX。更好的解决方案是使用Dovecot的{SCHEME}hash编码而不是设置default_pass_scheme,但是:这样做,您可以在以后轻松更改/升级哈希方法,而不会立即使所有用户的密码失效。您在此方案中使用的哈希示例:

{SHA512.hex}0da3b4b0385c432a800ca15eae1a8485e5f7abad7b70b4e1c2b9cf15f68afd256cedb2029c6f7cec09e1221e6b10142081e1bb8e5c

最后:密码的普通散列是从不保存,也不是在使用大型SHA512哈希时。从不存储未加密的密码哈希,如果数据库泄漏,您很容易受到彩虹表攻击。

答案 1 :(得分:0)

我通过以下代码生成:

private String SHA(final String strText, final String strType) {
        String strResult = null;
        if (strText != null && strText.length() > 0) {
            try {
                MessageDigest messageDigest = MessageDigest.getInstance(strType);
                messageDigest.update(strText.getBytes());
                byte byteBuffer[] = messageDigest.digest();
                StringBuffer strHexString = new StringBuffer();
                for (int i = 0; i < byteBuffer.length; i++) {
                    String hex = Integer.toHexString(0xff & byteBuffer[i]);
                    if (hex.length() == 1) {
                        strHexString.append('0');
                    }
                    strHexString.append(hex);
                }
                strResult = strHexString.toString();
            } catch (NoSuchAlgorithmException e) {
                e.printStackTrace();
            }
        }

        return strResult;
    }

    public static void main(String[] args) {
        EncryptUtils et=new EncryptUtils();
        String pas=et.SHA512("lingo");
        System.out.println("{SHA512.HEX}"+pas);
    }