2016-09-12 106 views
1

CentOS 6.6, Postfix, Dovecot 2.0.9 and MySQL 5.1.73: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Dovecot configuration (/etc/dovecot/dovecot-sql.conf.ext):

driver = mysql  
connect = host=127.0.0.1 dbname=postfix user=root password=lingo 

default_pass_scheme = SHA512 
password_query = SELECT email as user, password FROM virtual_user WHERE email='%u'; 

MySQL database:

mysql> SELECT email as user, password FROM virtual_user WHERE email='[email protected]'; 
+--------------------------+------------------------------------------------------------------------------------------------------------+ 
| user      | password                         | 
+--------------------------+------------------------------------------------------------------------------------------------------------+ 
| [email protected] | 0da3b4b0385c432a800ca15eae1a8485e5f7abad7b70b4e1c2b9cf15f68afd256cedb2029c6f7cec09e1221e6b10142081e1bb8e5c | 
+--------------------------+------------------------------------------------------------------------------------------------------------+ 
1 row in set (0.00 sec) 

The password is generated with commons-codec; Java code:

System.out.println(DigestUtils.sha512Hex("lingo".getBytes())); 
//print :0da3b4b0385c432a800ca15eae1a8485e5f7abad7b70b4e1c2b9cf15f68afd256cedb2029c6f7cec09e1221e6b10142081e1bb8e5c 

Now, I wrote some Java code to verify:

public static void sendEmail() throws EmailException, GeneralSecurityException { 

     SimpleEmail email = new SimpleEmail(); 
     // smtp host 
     email.setHostName("192.168.15.139"); 
     email.setSmtpPort(25); 
     email.setDebug(true); 
     // DigestUtils.sha512Hex("lingo".getBytes()) 
     email.setAuthentication("[email protected]", "lingo"); 

     email.setStartTLSEnabled(true); 
     MailSSLSocketFactory socketFactory = new MailSSLSocketFactory(); 
     socketFactory.setTrustAllHosts(true); 
     Properties propsSSL = email.getMailSession().getProperties(); 
     propsSSL.put("mail.smtp.port", "465"); 
     propsSSL.put("mail.smtp.ssl.checkserveridentity", "false"); 
     propsSSL.put("mail.smtp.ssl.socketFactory", socketFactory); 
     email.addTo("[email protected]", "John Doe"); 
     email.setFrom("[email protected]", "Me"); 
     email.setSubject("Test message"); 
     email.setMsg("This is a simple test of commons-email"); 
     email.send(); 
     System.out.println("success"); 
    } 

    public static void main(String[] args) throws Exception { 
     SendEmailTest.sendEmail(); 
     // System.out.println(DigestUtils.sha512Hex("lingo".getBytes())); 
    } 

But it fails with the following error:

Sep 12 13:30:51 localhost dovecot: auth: Debug: sql([email protected],192.168.15.243): query: SELECT email as user, password FROM virtual_user WHERE email='[email protected]'; 
Sep 12 13:30:51 localhost dovecot: auth: Error: sql([email protected],192.168.15.243): Password in passdb is not in expected scheme SHA512 
Sep 12 13:30:53 localhost postfix/smtpd[1872]: warning: unknown[192.168.15.243]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 
Sep 12 13:30:53 localhost dovecot: auth: Debug: client out: FAIL#0115#[email protected] 
Sep 12 13:30:53 localhost postfix/smtpd[1872]: lost connection after AUTH from unknown[192.168.15.243] 
Sep 12 13:30:53 localhost postfix/smtpd[1872]: disconnect from unknown[192.168.15.243] 

How can I resolve the authentication?

Answers

1

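This is a Dovecot configuration issue. Dovecot knows two hash encodings, the "traditional" hex encoding (i.e. SHA512.HEX) and Base64 encoding (i.e. SHA512.b64). The latter is more space-efficient when stored as a string, and is the default in Dovecot. Examples of hashes generated with the sha512, sha512.b64 and sha512.hex encodings: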

$ doveadm pw -p lingo -s sha512 
{SHA512}DaO0sDhcQyqADKFerhqEheX3q617cLThwrnPFfaK/SVs7bICnG987AnhIh5rEBQggeG7jlyAL7l+g8iTwo2GFA== 
$ doveadm pw -p lingo -s sha512.b64 
{SHA512.b64}DaO0sDhcQyqADKFerhqEheX3q617cLThwrnPFfaK/SVs7bICnG987AnhIh5rEBQggeG7jlyAL7l+g8iTwo2GFA== 
$ doveadm pw -p lingo -s sha512.hex 
{SHA512.HEX}0da3b4b0385c432a800ca15eae1a8485e5f7abad7b70b4e1c2b9cf15f68afd256cedb2029c6f7cec09e1221e6b10142081e1bb8e5c802fb97e83c893c28d8614 

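Use default_pass_scheme = SHA512.HEX if you create hex-encoded password hashes in Java. A better solution is to use Dovecot's {SCHEME}hash encoding instead of setting default_pass_scheme: that way you can easily change/upgrade the hashing method later without immediately invalidating all users' passwords. An example of the hash you are using, in this scheme: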

{SHA512.hex}0da3b4b0385c432a800ca15eae1a8485e5f7abad7b70b4e1c2b9cf15f68afd256cedb2029c6f7cec09e1221e6b10142081e1bb8e5c 

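Finally: plain password hashing is never safe, not even when using large SHA512 hashes. Never store unsalted password hashes; they are vulnerable to rainbow table attacks if the database leaks.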

+0

I did this, and it works now –

+0

If the answer solved your problem, consider selecting the check mark on the left. Also have a look at the [FAQ]. –

+0

Hi Jens Erat, how do I generate sha512 with Java? –
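As an added example (not part of the original answer and not Dovecot's own code), the Python sketch below applies the encoding rule from the answer above to stored values: a value with no suffix is read as Base64, so the bare hex string from Java fails the length check, while the `{SHA512.HEX}`-prefixed or Base64 form passes. The function names are hypothetical, and the sample hash is constructed from the question's test password.

```python
import base64
import binascii
import hashlib

SHA512_LEN = 64  # bytes in a raw SHA-512 digest

# Constructed sample: the hex digest the question's Java code produces for "lingo".
SAMPLE_HEX = hashlib.sha512(b"lingo").hexdigest()


def decode_stored(value, default_encoding="b64"):
    """Return the raw digest of a stored SHA512 value, or raise ValueError.

    Assumption: a strict reading of the rule in the answer (no suffix means
    Base64); a {SHA512.xxx} prefix overrides the default encoding.
    """
    encoding = default_encoding
    if value.startswith("{"):
        scheme, _, value = value[1:].partition("}")
        name, _, suffix = scheme.upper().partition(".")
        if name != "SHA512":
            raise ValueError("not a SHA512 scheme: " + scheme)
        encoding = suffix.lower() or "b64"  # bare {SHA512} is Base64
    try:
        if encoding == "hex":
            raw = binascii.unhexlify(value)
        elif encoding in ("b64", "base64"):
            raw = base64.b64decode(value, validate=True)
        else:
            raise ValueError("unknown encoding suffix")
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("bad %s data: %s" % (encoding, exc))
    if len(raw) != SHA512_LEN:
        # Also catches digests truncated by a too-short database column.
        raise ValueError("decoded to %d bytes, expected %d" % (len(raw), SHA512_LEN))
    return raw


def to_prefixed_hex(hex_digest):
    """Rewrite a bare hex column value as a self-describing {SHA512.HEX} value."""
    decode_stored(hex_digest, "hex")  # validate before rewriting
    return "{SHA512.HEX}" + hex_digest


def to_b64(hex_digest):
    """Convert a bare hex digest to the Base64 {SHA512} form doveadm prints."""
    raw = decode_stored(hex_digest, "hex")
    return "{SHA512}" + base64.b64encode(raw).decode("ascii")
```

Running `to_prefixed_hex` over the password column before switching away from `default_pass_scheme` gives each row the self-describing form the answer recommends.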

0

I generate it with this code:

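import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class EncryptUtils {

    // Hex-encoded SHA-512 digest of strText (null for null or empty input).
    public String SHA512(final String strText) {
        return SHA(strText, "SHA-512");
    }

    // Hashes strText with the named MessageDigest algorithm and returns lowercase hex.
    private String SHA(final String strText, final String strType) {
        String strResult = null;
        if (strText != null && strText.length() > 0) {
            try {
                MessageDigest messageDigest = MessageDigest.getInstance(strType);
                // Fix the charset so the digest does not depend on the platform default.
                messageDigest.update(strText.getBytes(StandardCharsets.UTF_8));
                byte[] byteBuffer = messageDigest.digest();
                StringBuilder strHexString = new StringBuilder();
                for (int i = 0; i < byteBuffer.length; i++) {
                    String hex = Integer.toHexString(0xff & byteBuffer[i]);
                    if (hex.length() == 1) {
                        strHexString.append('0'); // keep two hex digits per byte
                    }
                    strHexString.append(hex);
                }
                strResult = strHexString.toString();
            } catch (NoSuchAlgorithmException e) {
                e.printStackTrace();
            }
        }
        return strResult;
    }

    public static void main(String[] args) {
        EncryptUtils et = new EncryptUtils();
        String pas = et.SHA512("lingo");
        // Prefix the scheme so Dovecot knows the hash is hex-encoded.
        System.out.println("{SHA512.HEX}" + pas);
    }
}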