1

CentOS6.6、Postfix、dovecot 2.0.9 和 MySQL 5.1.73

鸽舍配置(/etc/dovecot/dovecot-sql.conf.ext):

driver = mysql    
connect = host=127.0.0.1 dbname=postfix user=root password=lingo

default_pass_scheme = SHA512
password_query = SELECT email as user, password FROM virtual_user WHERE email='%u';

MySQL数据库:

mysql> SELECT email as user, password FROM virtual_user WHERE email='lingo.lin1@radicasys.com';
+--------------------------+------------------------------------------------------------------------------------------------------------+
| user                     | password                                                                                                   |
+--------------------------+------------------------------------------------------------------------------------------------------------+
| lingo.lin1@example.com | 0da3b4b0385c432a800ca15eae1a8485e5f7abad7b70b4e1c2b9cf15f68afd256cedb2029c6f7cec09e1221e6b10142081e1bb8e5c |
+--------------------------+------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

密码由commons-codecJava 代码生成:

System.out.println(DigestUtils.sha512Hex("lingo".getBytes()));
//print :0da3b4b0385c432a800ca15eae1a8485e5f7abad7b70b4e1c2b9cf15f68afd256cedb2029c6f7cec09e1221e6b10142081e1bb8e5c

现在我编写了一些 Java 代码来进行身份验证:

public static void sendEmail() throws EmailException, GeneralSecurityException {

        SimpleEmail email = new SimpleEmail();
        // smtp host
        email.setHostName("192.168.15.139");
        email.setSmtpPort(25);
        email.setDebug(true);
        // DigestUtils.sha512Hex("lingo".getBytes())
        email.setAuthentication("lingo.lin1@example.com", "lingo");

        email.setStartTLSEnabled(true);
        MailSSLSocketFactory socketFactory = new MailSSLSocketFactory();
        socketFactory.setTrustAllHosts(true);
        Properties propsSSL = email.getMailSession().getProperties();
        propsSSL.put("mail.smtp.port", "465");
        propsSSL.put("mail.smtp.ssl.checkserveridentity", "false");
        propsSSL.put("mail.smtp.ssl.socketFactory", socketFactory);
        email.addTo("lingo.lin@qamail.rimanggis.com", "John Doe");
        email.setFrom("lingo.lin@radicasys.com", "Me");
        email.setSubject("Test message");
        email.setMsg("This is a simple test of commons-email");
        email.send();
        System.out.println("success");
    }

    public static void main(String[] args) throws Exception {
        SendEmailTest.sendEmail();
        // System.out.println(DigestUtils.sha512Hex("lingo".getBytes()));
    }

但它失败并出现以下错误:

Sep 12 13:30:51 localhost dovecot: auth: Debug: sql(lingo.lin1@radicasys.com,192.168.15.243): query: SELECT email as user, password FROM virtual_user WHERE email='lingo.lin1@radicasys.com';
Sep 12 13:30:51 localhost dovecot: auth: Error: sql(lingo.lin1@radicasys.com,192.168.15.243): Password in passdb is not in expected scheme SHA512
Sep 12 13:30:53 localhost postfix/smtpd[1872]: warning: unknown[192.168.15.243]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 12 13:30:53 localhost dovecot: auth: Debug: client out: FAIL#0115#011user=lingo.lin1@radicasys.com
Sep 12 13:30:53 localhost postfix/smtpd[1872]: lost connection after AUTH from unknown[192.168.15.243]
Sep 12 13:30:53 localhost postfix/smtpd[1872]: disconnect from unknown[192.168.15.243]

如何修复身份验证?

4

2 回答 2

1

这是鸽舍配置问题。Dovecot 知道两种散列编码,“传统的”十六进制编码(即。SHA512.HEX)和 Base64 编码(即。SHA512.b64)。后者在存储为字符串并在 Dovecot 中默认存储时更节省空间。sha512使用,sha512.b64sha512.hex编码生成哈希的示例:

$ doveadm pw -p lingo -s sha512
{SHA512}DaO0sDhcQyqADKFerhqEheX3q617cLThwrnPFfaK/SVs7bICnG987AnhIh5rEBQggeG7jlyAL7l+g8iTwo2GFA==
$ doveadm pw -p lingo -s sha512.b64
{SHA512.b64}DaO0sDhcQyqADKFerhqEheX3q617cLThwrnPFfaK/SVs7bICnG987AnhIh5rEBQggeG7jlyAL7l+g8iTwo2GFA==
$ doveadm pw -p lingo -s sha512.hex
{SHA512.HEX}0da3b4b0385c432a800ca15eae1a8485e5f7abad7b70b4e1c2b9cf15f68afd256cedb2029c6f7cec09e1221e6b10142081e1bb8e5c802fb97e83c893c28d8614

default_pass_scheme = SHA512.HEX如果您在 Java 中创建十六进制编码的密码哈希,请使用。更好的解决方案是使用 Dovecot 的{SCHEME}hash编码而不是设置default_pass_scheme. 您在此方案中使用的哈希示例:

{SHA512.hex}0da3b4b0385c432a800ca15eae1a8485e5f7abad7b70b4e1c2b9cf15f68afd256cedb2029c6f7cec09e1221e6b10142081e1bb8e5c

最后:密码的普通散列永远不会保存,使用大型 SHA512 散列时也不会保存。永远不要存储未加盐的密码哈希,如果数据库泄漏,您很容易受到彩虹表攻击。

于 2016-09-12T07:47:30.590 回答
0

我通过这段代码生成:

private String SHA(final String strText, final String strType) {
        String strResult = null;
        if (strText != null && strText.length() > 0) {
            try {
                MessageDigest messageDigest = MessageDigest.getInstance(strType);
                messageDigest.update(strText.getBytes());
                byte byteBuffer[] = messageDigest.digest();
                StringBuffer strHexString = new StringBuffer();
                for (int i = 0; i < byteBuffer.length; i++) {
                    String hex = Integer.toHexString(0xff & byteBuffer[i]);
                    if (hex.length() == 1) {
                        strHexString.append('0');
                    }
                    strHexString.append(hex);
                }
                strResult = strHexString.toString();
            } catch (NoSuchAlgorithmException e) {
                e.printStackTrace();
            }
        }

        return strResult;
    }

    public static void main(String[] args) {
        EncryptUtils et=new EncryptUtils();
        String pas=et.SHA512("lingo");
        System.out.println("{SHA512.HEX}"+pas);
    }
于 2016-09-12T09:18:36.447 回答