[Dovecot] Postfix/mysql/dovecot - Understanding password encryption

[Robert Moskowitz]

On 12/24/2012 04:54 PM, Reindl Harald wrote:
>
> Am 24.12.2012 22:44, schrieb Robert Moskowitz:
>> On 12/24/2012 04:26 PM, Robert Moskowitz wrote:
>>> I am switching from a fedora/postfix/mysql/couriermail/squirrelmail to Centos/.../dovecot/roundcubemail and
>>> adding postfixadmin to the mix.
>>>
>>> My tutorial before was an earlier version (on F14) of:
>>>
>>> http://www.howtoforge.com/virtual-users-and-domains-with-postfix-courier-mysql-and-squirrelmail-centos-6.2-x86_64
>>>
>>> Now I am using
>>>
>>> http://www.campworld.net/thewiki/pmwiki.php/LinuxServersCentOS/Cent6VirtMailServer
>>>
>>> to get me started.  I am up to roundcubemail setup and am stumbling to understand what the author here is doing
>>> with encrypted passwords, so felt it was time to delve deeper into this.
>>>
>>> My old setup uses mysql-crypt for the password.
>>>
>>> MYSQL_CRYPT_PWFIELD password
>>>
>>> and users could be added to the table with:
>>>
>>> INSERT INTO `users` (`email`, `password`, `quota`) VALUES ('sales at example.com', ENCRYPT('secret'), 10485760);
>>>
>>> But where this was all simple and no choices, I get to figure out what to do with my dovecot setup.
>>>
>>> Some of the 'secret' is hinted at in postfixadmin's config.inc.php:
>>>
>>> // Encrypt
>>> // In what way do you want the passwords to be crypted?
>>> // md5crypt = internal postfix admin md5
>>> // md5 = md5 sum of the password
>>> // system = whatever you have set as your PHP system default
>>> // cleartext = clear text passwords (ouch!)
>>> // mysql_encrypt = useful for PAM integration
>>> // authlib = support for courier-authlib style passwords
>>> // dovecot:CRYPT-METHOD = use dovecotpw -s 'CRYPT-METHOD'. Example: dovecot:CRAM-MD5
>>> $CONF['encrypt'] = 'md5crypt';
>>>
>>> Where is there information on the different choices and how to choose.
>>>
>>> Is it as 'simple' as setting up postfixadmin to control the password encryption format then 'inform' dovecot in
>>> the dovecot-mysql.conf with
>>>
>>> default_pass_scheme = MD5-CRYPT
>>>
>> Oh, the dovecot.conf has the line:
>>
>> auth_mechanisms = plain login
>> Which adds to my confusion.
> maybe you should read some basic documentations
> see the large bumber of your posts on dovecot/postfix list
> and that i was able to setup my first mailserver years ago
> with only reading the docs and subcribe for mailing-lists
> a year later it feels like you try to replace reading
> manuals with posting basic questions
With all due respect, the manuals have grown over the years.  I have 
spent time over the past month going through the manuals and putting 
together notes.  Then I have gone through a few tutorials to get some 
lessons learned from others.  Some tools like postfixadmin do a lot more 
than what I need, so I am plowing through extra stuff.  You ask, why use 
postfixadmin and not just build it from scratch?  I have a few domains 
and others are responsible for those domains. The tool I used before was 
difficult for multiple admins.  My reading on postfixadmin make rather 
attractive.  Then follows a lot of other stuff.

Challenge is, I can only put a couple hours a day in on this.  Like many 
here I have other assignments.

I do appreciate your help; I try to help (mostly on other lists) where I 
can.  But my expertise in secure data communications is rather specialized.

>
> auth-mech = client/server
>
> start with
>   * http://wiki.dovecot.org/
>   * http://wiki.dovecot.org/Authentication/Mechanisms
>   * http://www.postfix.org/documentation.html
>
>>> // cleartext = clear text passwords (ouch!)
> if you want / need to provide different auth-mchs you may have
> no other option because the server will not be able to generate
> the data for CRAM-MD5/MD5-DIGEST from a hashed column
>
> this is also eplained here
> http://wiki.dovecot.org/Authentication/Mechanisms
>