fix CRAM-MD5 security issue

Author: pjstevns

jenkins/Makefile

@@ -27,6 +27,7 @@ run-test:
 	(cd ../ && CK_FORK=no make check)
 	sbin/dbmail-users -c testuser1 -w test -p plaintext || true
 	sbin/dbmail-users -a testuser2 -w test -p plaintext || true
+	sbin/dbmail-users -a testuser3 -w test -p sha256 || true
 	sbin/dbmail-users -y -e testuser1 || true
 	bin/py ../contrib/mailbox2dbmail/mailbox2dbmail -u testuser1 -m ../test-scripts/testbox -t mbox -p sbin/dbmail-deliver
 	timeout 300 imaptest user=testuser1 pass=test port=10143 test=../test-scripts/imap

src/dm_db.c

@@ -3695,6 +3695,8 @@ int db_user_validate(ClientBase_T *ci, const char *pwfield, uint64_t *user_idnr,
 		else 
 			is_validated = (strcmp(dbpass, password) == 0) ? 1 : 0;
         }
+	else if (ci && ci->auth) // CRAM-MD5 auth but storage is encrypted
+		is_validated = 0;
 
 	else if (SMATCH(encode, "crypt")) {
 		TRACE(TRACE_DEBUG, "validating using crypt() encryption");

test-scripts/testimap.py

@@ -589,6 +589,12 @@ def testLogin_cram_md5(self):
         self.failUnlessRaises(Exception, o.login_cram_md5,
                               "fakeuser", "wrongpassword")
 
+        o = getsock()
+        o.debug = DEBUG
+        # testuser3 password stored as sha256 so this must fail
+        self.failUnlessRaises(Exception, o.login_cram_md5,
+                              "testuser3", "password123")
+
     def testLogout(self):
         """
         logout()