Hi
I tried to configure imap authentication in prosody, but failed so far.
I followed the instructions for setting up a secure domain and that works just fine with internal_hashed authentication.
Then I tried to change it to use imap by using these settings in /etc/prosody/conf.avail/meet.domain.com.cfg.lua:
VirtualHost "meet.domain.com"
-- enabled = false -- Remove this line to enable this host
-- authentication = "internal_hashed"
authentication = "imap"
imap_auth_host = "imap.domain.com"
imap_auth_port = 993
imap_auth_ream = "domain.com"
But this does not work.
In the logs I can see that the plugin is loaded and gets the server capabilities successfully.
Nov 30 12:36:44 x509 debug Cert dNSName imap.ascolab.com matched hostname
Nov 30 12:36:44 sasl_imap info imap greeting: '* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.'
Nov 30 12:36:44 sasl_imap info Capability: CAPABILITY
Nov 30 12:36:44 sasl_imap info Capability: IMAP4rev1
Nov 30 12:36:44 sasl_imap info Capability: LITERAL+
Nov 30 12:36:44 sasl_imap info Capability: SASL-IR
Nov 30 12:36:44 sasl_imap info Capability: LOGIN-REFERRALS
Nov 30 12:36:44 sasl_imap info Capability: ID
Nov 30 12:36:44 sasl_imap info Capability: ENABLE
Nov 30 12:36:44 sasl_imap info Capability: IDLE
Nov 30 12:36:44 sasl_imap info Capability: AUTH=PLAIN
Nov 30 12:36:44 sasl_imap info Supported SASL mechanism: PLAIN
Nov 30 12:36:44 sasl_imap info Capability: AUTH=LOGIN
Nov 30 12:36:44 sasl_imap info Supported SASL mechanism: LOGIN
Nov 30 12:36:44 sasl_imap info method:mechanisms()
Nov 30 12:36:44 auth_imap info Mechanims found: PLAIN
Later on I see this:
Nov 30 12:36:46 c2s55e1159c7c90 info Stream encrypted (TLSv1.3 with TLS_AES_256_GCM_SHA384)
Nov 30 12:36:46 c2s55e1159c7c90 debug Not offering disabled mechanism DIGEST-MD5
Nov 30 12:36:46 c2s55e1159c7c90 debug Offering mechanism PLAIN
Nov 30 12:36:46 c2s55e1159c7c90 debug Offering mechanism SCRAM-SHA-1
Nov 30 12:36:46 c2s55e1159c7c90 debug Offering mechanism SCRAM-SHA-1-PLUS
Nov 30 12:36:46 c2s55e1159c7c90 debug Sending[c2s_unauthed]: <stream:features>
Nov 30 12:36:46 c2s55e1159c7c90 debug Received[c2s_unauthed]: <auth mechanism='SCRAM-SHA-1' xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
Nov 30 12:36:46 auth.meet.ascolab.com:auth_internal_plain debug get_password for username 'jvb'
Nov 30 12:36:46 auth.meet.ascolab.com:saslauth debug sasl reply: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cj1pL3d4PWxdVGNzTV1ybVI9VVwuLjRpaFx3RWJlIydIejRjYWZiYTRkLWEyZWItNDg1Zi1iNWMwLTZhZWUxOWIwN2JmMCxzPU5qQmpNalJrTWpndE5HRXlNaTAwTWpreExXRXdNVFl0T0dZMU1ERTVOamt3WkRBNSxpPTQwOTY=</challenge>
Nov 30 12:36:46 c2s55e1159c7c90 debug Sending[c2s_unauthed]: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
Nov 30 12:36:46 c2s55e1159c7c90 debug Received[c2s_unauthed]: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
The IMAP server used TLS encryption with auth PLAIN/LOGIN. The server does not support any DIGEST-based login, because this would require plaintext passwords in the DB. Instead, hashed passwords are stored in the user DB and the mail client sends the password as plaintext, which is OK due to the TLS encryption.
I guess jitsi/prosody config doesn’t like this.
The Jitsi web interface just says “Connecting…” and hangs. It does not report any errors; for this reason, I increased the trace level to “debug” on the server side.
Any ideas how to fix this?
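
Added example, not part of the original post: a small Python triage script that correlates three things visible in the log excerpts above: the AUTH= mechanisms the IMAP server advertised, the SASL mechanisms offered and chosen on each c2s session, and which Prosody auth provider module handled the attempt. A backend that forwards the password to IMAP can only verify a login when the XMPP client sends it with PLAIN; the function names `summarize` and `findings` are made up for this example.

```python
import re

# Log lines copied from the excerpts in the post, editor line numbers removed.
SAMPLE_LOG = """\
Nov 30 12:36:44 sasl_imap info Capability: AUTH=PLAIN
Nov 30 12:36:44 sasl_imap info Capability: AUTH=LOGIN
Nov 30 12:36:46 c2s55e1159c7c90 debug Not offering disabled mechanism DIGEST-MD5
Nov 30 12:36:46 c2s55e1159c7c90 debug Offering mechanism PLAIN
Nov 30 12:36:46 c2s55e1159c7c90 debug Offering mechanism SCRAM-SHA-1
Nov 30 12:36:46 c2s55e1159c7c90 debug Offering mechanism SCRAM-SHA-1-PLUS
Nov 30 12:36:46 c2s55e1159c7c90 debug Received[c2s_unauthed]: <auth mechanism='SCRAM-SHA-1' xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
Nov 30 12:36:46 auth.meet.ascolab.com:auth_internal_plain debug get_password for username 'jvb'
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<src>\S+)\s+(?P<level>\w+)\s+(?P<msg>.*)$")

def summarize(log_text):
    """Return (IMAP AUTH= mechanisms, per-session SASL state, auth provider hits)."""
    imap_mechs, sessions, providers = set(), {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, msg = m["src"], m["msg"]
        if src == "sasl_imap":
            if c := re.match(r"Capability: AUTH=(\S+)", msg):
                imap_mechs.add(c[1])
        elif src.startswith("c2s"):
            s = sessions.setdefault(src, {"offered": [], "chosen": None})
            if o := re.match(r"Offering mechanism (\S+)", msg):
                s["offered"].append(o[1])
            elif a := re.search(r"<auth mechanism='([^']+)'", msg):
                s["chosen"] = a[1]
        elif p := re.match(r"(?P<host>[^:]+):(?P<mod>auth_\w+)$", src):
            u = re.search(r"username '([^']+)'", msg)
            providers.append((p["host"], p["mod"], u[1] if u else None))
    return imap_mechs, sessions, providers

def findings(log_text):
    """Flag logins that a password-forwarding IMAP backend could not have verified."""
    imap_mechs, sessions, providers = summarize(log_text)
    out = []
    for sid, s in sessions.items():
        if s["chosen"] and s["chosen"] not in imap_mechs:
            out.append(f"{sid}: client chose {s['chosen']}; IMAP server advertises {sorted(imap_mechs)}")
    for host, mod, user in providers:
        if mod != "auth_imap":
            out.append(f"{host}: login for {user!r} was handled by {mod}, not auth_imap")
    return out
```

On the excerpts above, `findings(SAMPLE_LOG)` reports that the session negotiated SCRAM-SHA-1 and that the only provider lookup in the excerpt is auth_internal_plain on auth.meet.ascolab.com for user jvb.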