[Dovecot] Storing passwords encrypted... bcrypt?

Charles Marcus CMarcus at Media-Brokers.com
Thu Jan 5 13:31:32 EET 2012


On 2012-01-04 8:19 PM, Pascal Volk 
<user+dovecot at localhost.localdomain.org> wrote:
> On 01/03/2012 09:40 PM Charles Marcus wrote:
>> Hi everyone,
>>
>> Was just perusing this article about how trivial it is to decrypt
>> passwords that are stored using most (standard) encryption methods (like
>> MD5), and was wondering - is it possible to use bcrypt with
>> dovecot+postfix+mysql (or postgres)?

> Yes it is possible to use bcrypt with dovecot. Currently you have only
> to write your password scheme plugin. The bcrypt algorithm is described
> at http://en.wikipedia.org/wiki/Bcrypt.
>
> If you are using Dovecot>= 2.0 'doveadm pw' supports the schemes:
>      *BSD:                     Blowfish-Crypt
>      *Linux (since glibc 2.7): SHA-256-Crypt and SHA-512-Crypt
> 	Some distributions have also added support for Blowfish-Crypt
> See also: doveadm-pw(1)
>
> If you are using Dovecot<  2.0 you can also use any of the algorithms
> supported by your system's libc. But then you have to prefix the hashes
> with {CRYPT} - not {{BLF,SHA256,SHA512}-CRYPT}.

Hmmm... thanks very much Pascal, I think that gets me half-way to an 
answer (but since ianap, this is mostly Greek to me and so is not quite 
a solution I can implement yet)...

You said above that 'yes, I can use it with dovecot' - but what about 
postfix and mysql... where/how do they fit into this mix? My thought was 
that there are two issues here:

1. Storing them in bcrypted form, and

2. The clients must support *decrypting* them...

So, since I use postfixadmin, I'm guessing that for #1, it will have to 
support encrypting them in bcrypt form, and then I have to worry about 
dovecot - and since I'm planning on using postfix+dovecot-sasl, once 
dovecot supports it, postfix will too...

Is that about right?

Thanks again,

-- 

Best regards,

Charles
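
An added example, not part of the original message and not Dovecot code: a Python sketch that audits stored values from a mail-user table against the scheme prefixes named in the quoted reply ({CRYPT}, {BLF-CRYPT}, {SHA256-CRYPT}, {SHA512-CRYPT}). The row layout, function names and finding labels are assumptions, and the hash strings are constructed placeholders, not real hashes.

```python
import re

# Scheme prefixes from the thread -> crypt(3) "$id$" markers each should carry.
EXPECTED_IDS = {
    "BLF-CRYPT": {"2", "2a", "2b", "2y"},
    "SHA256-CRYPT": {"5"},
    "SHA512-CRYPT": {"6"},
}
ALGO_BY_ID = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
              "2": "bcrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
WEAK = {"md5-crypt"}  # too cheap to compute to resist offline guessing

PREFIX_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.S)
ID_RE = re.compile(r"^\$([0-9a-z]+)\$")

def classify(stored):
    """Return (scheme, algorithm, finding) for one stored password value."""
    m = PREFIX_RE.match(stored)
    if not m:
        return (None, "unknown", "no-prefix")  # server default scheme would apply
    scheme, body = m.group(1).upper(), m.group(2)  # case-folded for this sketch
    id_match = ID_RE.match(body)
    hash_id = id_match.group(1) if id_match else None
    algo = ALGO_BY_ID.get(hash_id, "unknown")
    if scheme in EXPECTED_IDS:
        # Named scheme: the hash body must carry a matching "$id$" marker.
        finding = "ok" if hash_id in EXPECTED_IDS[scheme] else "prefix-mismatch"
    elif scheme == "CRYPT":
        # Generic {CRYPT}: the algorithm is whatever libc id the hash carries.
        finding = "unidentified" if algo == "unknown" else ("weak" if algo in WEAK else "ok")
    else:
        finding = "other-scheme"  # not one of the crypt schemes discussed here
    return (scheme, algo, finding)

def audit(rows):
    """Map each user whose stored value needs attention to its classification."""
    flagged = {}
    for user, stored in rows:
        result = classify(stored)
        if result[2] != "ok":
            flagged[user] = result
    return flagged

# Constructed sample rows (user, password column); filler characters, not real hashes.
SAMPLE_ROWS = [
    ("alice@example.org", "{BLF-CRYPT}$2a$10$" + "A" * 53),
    ("bob@example.org", "{CRYPT}$6$saltsalt$" + "B" * 86),
    ("carol@example.org", "{CRYPT}$1$saltsalt$" + "C" * 22),
    ("dave@example.org", "{SHA512-CRYPT}$2a$10$" + "D" * 53),
    ("erin@example.org", "$6$saltsalt$" + "E" * 86),
]
```
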


