Special character Auth problem with IMAP linked to AD

slingshot
New user
Posts: 25
Joined: 2013-02-27 17:59

Special character Auth problem with IMAP linked to AD

Post by slingshot » 2013-04-19 11:20

Hi!

We are using a webmail/weboffice software.
The login is processed through IMAP and hmail is responding to the requests.
The accounts in our hmail are all linked to AD accounts.

When authenticating from the webmail interface, if the user has the Nordic special characters "åäö, ÅÄÖ" in the password, the response from hmail is the following.
All other users with passwords without these special characters can authenticate OK.

Log display on failed logon attempt with user password containing special characters.

"IMAPD"	6056	5256	"2013-04-19 10:21:28.234"	"172.16.8.17"	"SENT: * OK Hello DOMAIN"
"IMAPD"	6056	5256	"2013-04-19 10:21:28.236"	"172.16.8.17"	"RECEIVED: A1 LOGIN "test@domain.se" ***"
"IMAPD"	6056	5256	"2013-04-19 10:21:28.240"	"172.16.8.17"	"SENT: A1 NO Invalid user name or password."
"IMAPD"	3568	5256	"2013-04-19 10:21:28.276"	"172.16.8.17"	"RECEIVED: A2 LOGOUT"
"IMAPD"	3568	5256	"2013-04-19 10:21:28.277"	"172.16.8.17"	"SENT: * BYE Have a nice day[nl]A2 OK Logout completed"

mattg
Moderator
Posts: 20133
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Special character Auth problem with IMAP linked to AD

Post by mattg » 2013-04-19 15:08

What webmail?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

slingshot
New user
Posts: 25
Joined: 2013-02-27 17:59

Re: Special character Auth problem with IMAP linked to AD

Post by slingshot » 2013-04-20 08:46

Group Office; it's a SourceForge project. Since I have not posted 15 posts I'm not allowed to link to it, but just google it and you'll find it :)

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: Special character Auth problem with IMAP linked to AD

Post by dzekas » 2013-04-20 17:05

hMailServer does not support authentication methods that allow 8-bit passwords, and webmail should not use those characters with LOGIN. LOGIN allows only US-ASCII characters.

slingshot
New user
Posts: 25
Joined: 2013-02-27 17:59

Re: Special character Auth problem with IMAP linked to AD

Post by slingshot » 2013-04-22 08:30

So what you are saying is that LOGIN and the IMAP protocol, governed by different RFCs, "should" use US-ASCII?
I have read through some RFCs and found that there is no "should" on US-ASCII; if a LANGUAGE is specified you could allow for different charsets. Although I am unsure if it includes the "LOGIN" process, as it says it only covers human-readable text.

This is a quote from RFC 3501:
Characters are 7-bit US-ASCII unless otherwise specified.
Also RFC5255:
3. LANGUAGE Extension

IMAP allows server responses to include human-readable text that in
many cases needs to be presented to the user. But that text is
limited to US-ASCII by the IMAP specification [RFC3501] in order to
preserve backwards compatibility with deployed IMAP implementations.
This section specifies a way for an IMAP client to negotiate which
language the server should use when sending human-readable text.
......
3.1
The LANGUAGE command is valid in all states. Clients SHOULD issue LANGUAGE before authentication

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: Special character Auth problem with IMAP linked to AD

Post by dzekas » 2013-04-22 19:19

RFC 5255 - IMAP i18n

5.1.  Unicode Userids and Passwords

   IMAP4rev1 currently restricts the userid and password fields of the
   LOGIN command to US-ASCII.  The "userid" and "password" fields of the
   IMAP LOGIN command are restricted to US-ASCII only until a future
   standards track RFC states otherwise.  Servers are encouraged to
   validate both fields to make sure they conform to the formal syntax
   of UTF-8 and to reject the LOGIN command if that syntax is violated.
   Servers MAY reject the LOGIN command if either the "userid" or
   "password" field contains an octet with the highest bit set.
Login and user ID are US-ASCII unless you get SASL PLAIN, DIGEST-MD5 or CRAM-MD5 support. DIGEST-MD5 and CRAM-MD5 won't work on hMailServer as they depend on plain text passwords stored on the server, and hMailServer has hashed passwords by default for ages.

Plus hMailServer is older than rfc3501. It is based on rfc2060.

Even if the email client tried to send your user ID and password properly by assuming that UTF-8 strings are allowed there, it was not doing it right. Unicode strings can't be sent as quoted strings. They are sent as string literals.
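Added example in Python (not hMailServer's code and not something posted in the thread): it builds the two forms a LOGIN argument can take on the wire, a quoted string for US-ASCII and a literal for anything 8-bit, and applies the RFC 5255 section 5.1 check a server may use to classify what it received. The tag, user names and password strings are constructed; the encoding gate answers NO exactly like a wrong password, which is why the log at the top of the thread gives no hint that the character set was the problem.

```python
"""IMAP LOGIN argument encoding (RFC 3501) and the RFC 5255 section 5.1
server-side checks. Added example, not hMailServer code; all names are
constructed."""

from typing import List


def _is_quoted_safe(text: str) -> bool:
    # RFC 3501 quoted strings carry 7-bit US-ASCII only; we restrict further to
    # printable characters so CR, LF and control characters are never quoted.
    return all(0x20 <= ord(ch) < 0x7F for ch in text)


def imap_login_command(tag: str, userid: str, password: str) -> List[bytes]:
    """Return the wire chunks a client sends for LOGIN.

    Printable US-ASCII arguments go out as quoted strings (with '"' and '\\'
    backslash-escaped). Anything else, including UTF-8 such as "åäö", cannot
    be a quoted string and is sent as a literal: the line ends with {N}, the
    client waits for the server's "+" continuation, then sends the N octets
    (the next chunk) followed by the rest of the command.
    """
    chunks: List[bytes] = []
    line = f"{tag} LOGIN".encode("ascii")
    for arg in (userid, password):
        if _is_quoted_safe(arg):
            escaped = arg.replace("\\", "\\\\").replace('"', '\\"')
            line += b' "' + escaped.encode("ascii") + b'"'
        else:
            octets = arg.encode("utf-8")
            line += b" {%d}" % len(octets)
            chunks.append(line + b"\r\n")  # client stops here and waits for "+"
            line = octets                  # literal octets open the next chunk
    chunks.append(line + b"\r\n")
    return chunks


def check_login_fields(userid: bytes, password: bytes) -> str:
    """Classify LOGIN fields as RFC 5255 section 5.1 suggests a server should.

    Returns "ascii" (always acceptable), "utf8-8bit" (well-formed UTF-8 that
    contains an octet with the high bit set, which a server MAY reject) or
    "invalid-utf8" (malformed, e.g. Latin-1 bytes for åäö; reject).
    """
    for field in (userid, password):
        try:
            field.decode("utf-8")
        except UnicodeDecodeError:
            return "invalid-utf8"
    if any(octet >= 0x80 for octet in userid + password):
        return "utf8-8bit"
    return "ascii"


def login_fields_acceptable(userid: bytes, password: bytes,
                            allow_8bit: bool = False) -> bool:
    """Encoding gate applied before any credential lookup.

    A server that rejects 8-bit fields (the behaviour seen in the thread)
    answers "NO Invalid user name or password." just as for a wrong password,
    so the client cannot tell the two cases apart from the response alone.
    """
    status = check_login_fields(userid, password)
    return status == "ascii" or (allow_8bit and status == "utf8-8bit")


if __name__ == "__main__":
    # Constructed credentials; "somepasswordwithåäö" is 22 octets in UTF-8.
    for pw in ("somepasswordwithabc", "somepasswordwithåäö"):
        for chunk in imap_login_command("a1", "some.user@domain.se", pw):
            print(chunk)
        verdict = login_fields_acceptable(b"some.user@domain.se", pw.encode("utf-8"))
        print("a1 OK LOGIN completed" if verdict else "a1 NO Invalid user name or password.")
```

The literal form is what a conforming client would have to send for "åäö"; a server that enforces the US-ASCII rule still rejects it, so fixing the client alone does not get such a password through LOGIN.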

slingshot
New user
Posts: 25
Joined: 2013-02-27 17:59

Re: Special character Auth problem with IMAP linked to AD

Post by slingshot » 2013-04-24 10:32

Ok, so US-ASCII is the standard for LOGIN until a further RFC states otherwise.
But it also states:

Servers are encouraged to validate both fields to make sure they conform to the formal syntax of UTF-8
Is this "formal syntax" satisfied when a UTF-8 string is sent as a string literal?

Would hMailServer accept a UTF-8 string sent as a string literal for the LOGIN command? Or does it strictly allow US-ASCII only?

Or would it be better to go with the suggestion in the following RFC:
RFC6855

5.  "LOGIN" Command and UTF-8

   This specification does not extend the IMAP "LOGIN" command [RFC3501]
   to support UTF-8 usernames and passwords.  Whenever a client needs to
   use UTF-8 usernames or passwords, it MUST use the IMAP "AUTHENTICATE"
   command, which is already capable of passing UTF-8 usernames and
   credentials.

   Although using the IMAP "AUTHENTICATE" command in this way makes it
   syntactically legal to have a UTF-8 username or password, there is no
   guarantee that the user provisioning system utilized by the IMAP
   server will allow such identities.  This is an implementation
   decision and may depend on what identity system the IMAP server is
   configured to use.

slingshot
New user
Posts: 25
Joined: 2013-02-27 17:59

Re: Special character Auth problem with IMAP linked to AD

Post by slingshot » 2013-04-24 12:25

I have now been trying manually against the hMailServer where we have the authentication problems.

$ telnet mail.domain.se imap
Trying 172.16.0.4...
Connected to mail.domain.se.
Escape character is '^]'.
* OK Hello DOMAIN
a1 AUTHENTICATE
a1 NO Unsupported authentication mechanism.
a1 LOGIN some.user@domain.se somepasswordwithabc
a1 OK LOGIN completed
a1 LOGOUT
* BYE Have a nice day
a1 OK Logout completed
Connection closed by foreign host.
$ telnet mail.domain.se imap
Trying 172.16.0.4...
Connected to mail.domain.se.
Escape character is '^]'.
* OK Hello DOMAIN
a1 LOGIN someother.user@domain.se somepasswordwithåäö
a1 NO Invalid user name or password.
åäö is just not accepted with LOGIN, and AUTHENTICATE is not implemented in hMailServer.
So we'll have to wait until AUTHENTICATE NTLM or another fancy command is supported. That is, when RFC 5738 becomes standard and is implemented.
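The AUTHENTICATE route that the RFC 6855 excerpt above points to, and that the telnet session above shows this server rejecting, as an added example in Python (not hMailServer code and not from the thread): SASL PLAIN per RFC 4616 carries authzid NUL authcid NUL passwd as UTF-8 inside base64, so a password such as "somepasswordwithåäö" reaches the server unchanged. The credential table, user names and tags are constructed; the only real vector is the RFC 4616 example for user "tim".

```python
"""AUTHENTICATE PLAIN (RFC 3501 + RFC 4616) carrying a UTF-8 password.
Added example, not hMailServer code; credentials and names are constructed."""

import base64
import hmac
from typing import Dict, List, Tuple


def sasl_plain_initial_response(authzid: str, authcid: str, password: str) -> str:
    """Encode authzid NUL authcid NUL passwd (RFC 4616) as base64.

    Fields are UTF-8 and may not contain NUL, so non-ASCII passwords travel
    unchanged; authzid is normally empty (authorize as the authenticated id).
    """
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside SASL PLAIN fields")
    message = "\x00".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(message).decode("ascii")


def parse_sasl_plain(b64: str) -> Tuple[str, str, str]:
    """Server side: decode a SASL PLAIN message and validate its structure."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("SASL PLAIN message must contain exactly two NUL separators")
    try:
        authzid, authcid, password = (p.decode("utf-8") for p in parts)
    except UnicodeDecodeError as exc:
        raise ValueError("SASL PLAIN fields must be valid UTF-8") from exc
    return authzid, authcid, password


def authenticate_plain_exchange(tag: str, userid: str, password: str,
                                credentials: Dict[str, str]) -> List[Tuple[str, str]]:
    """Simulate both sides of AUTHENTICATE PLAIN without an initial response.

    Returns (side, line) pairs, "C" for client and "S" for server. The
    constructed credential table stands in for the real password store.
    """
    exchange: List[Tuple[str, str]] = [("C", f"{tag} AUTHENTICATE PLAIN")]
    exchange.append(("S", "+ "))  # empty challenge: client may send its response
    blob = sasl_plain_initial_response("", userid, password)
    exchange.append(("C", blob))
    try:
        authzid, authcid, secret = parse_sasl_plain(blob)
    except ValueError:
        exchange.append(("S", f"{tag} BAD Invalid SASL PLAIN message"))
        return exchange
    expected = credentials.get(authcid)
    # Constant-time comparison; a real server compares against a stored hash.
    ok = (expected is not None
          and hmac.compare_digest(expected.encode("utf-8"), secret.encode("utf-8"))
          and authzid in ("", authcid))
    exchange.append(("S", f"{tag} OK AUTHENTICATE completed" if ok
                     else f"{tag} NO Invalid user name or password."))
    return exchange


if __name__ == "__main__":
    table = {"some.user@domain.se": "somepasswordwithåäö"}  # constructed
    for side, line in authenticate_plain_exchange("a1", "some.user@domain.se",
                                                  "somepasswordwithåäö", table):
        print(side, line)
```

PLAIN sends the password in the clear inside base64, so it belongs behind TLS; the second RFC 6855 paragraph still applies, since the directory behind the server, AD in this thread, decides whether such a password is valid at all.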

prisma
Senior user
Posts: 310
Joined: 2010-07-09 13:16

Re: Special character Auth problem with IMAP linked to AD

Post by prisma » 2013-05-21 11:12

We dealt with this problem also. Most languages using Latin characters are affected by this behaviour, except English. For this reason I wonder about that RFC. It's hard to force an AD user to use safe passwords, but please, "only US-ASCII-safe passwords"? How to explain that to a clerk? How to prevent this within AD? As far as I know it's not possible...

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Special character Auth problem with IMAP linked to AD

Post by Bill48105 » 2013-05-21 16:12

prisma wrote: We dealt with this problem also. Most languages using Latin characters are affected by this behaviour, except English. For this reason I wonder about that RFC. It's hard to force an AD user to use safe passwords, but please, "only US-ASCII-safe passwords"? How to explain that to a clerk? How to prevent this within AD? As far as I know it's not possible...
martin & I have talked about character issues and they'll be worked on after 5.4 is final which hopefully is this weekend if there are no deal-breaker problems reported with B1949. There has been a patch for web admin but doubt that'll hold off a release. But dealing with some of these character issues will be top priority for 5.4.1. Sticking to RFC is of top concern but we might need to add optional deviations at times.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

prisma
Senior user
Posts: 310
Joined: 2010-07-09 13:16

Re: Special character Auth problem with IMAP linked to AD

Post by prisma » 2013-05-22 11:54

THX for the info Bill. Nice to hear that. It's also my opinion. RFC should be of top concern, but usability in reality and Microsoft compatibility sometimes break RFCs.
Sad but true.

PS:
Speaking of RFC: I tried to reproduce the problem with Outlook some admins had:
http://www.hmailserver.com/devnet/?page ... ssueid=326
I didn't manage to reproduce it. Sorry.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Special character Auth problem with IMAP linked to AD

Post by Bill48105 » 2013-05-22 20:40

prisma wrote: THX for the info Bill. Nice to hear that. It's also my opinion. RFC should be of top concern, but usability in reality and Microsoft compatibility sometimes break RFCs.
Sad but true.

PS:
Speaking of RFC: I tried to reproduce the problem with Outlook some admins had:
http://www.hmailserver.com/devnet/?page ... ssueid=326
I didn't manage to reproduce it. Sorry.
Right and we realize that. So if something is broken for enough people we might need to make an optional change but much better for everyone if the real problem is fixed. (IOW if M$ broke from standards with 2013 they should fix it on their end & imagine they will if enough people have problems & complain.) I realize Outlook is a carrot to sell more Exchange but MANY MANY people use Outlook outside of Exchange so they can't really dictate as much as they think IF the customers speak up cuz people vote with their wallets.

Regarding the PS: Yeah, I think we've run into the same problem. Nearly impossible to reproduce, which makes it tough to track down & fix.

WhiteKnight
New user
Posts: 1
Joined: 2015-11-05 17:45

Re: Special character Auth problem with IMAP linked to AD

Post by WhiteKnight » 2015-11-05 18:01

Sorry for coming back to this old thread, but I'm having the same issue here.

When using RoundCube for accessing hMail, everything works fine, but when accessing hMail through Outlook 2016, my passwords with non-ASCII punctuation characters are not accepted.

Strange: These passwords worked flawlessly when using Outlook 2013.
