[Dovecot] Looking for a good way to manage passwords for CRAM-MD5
Steinar Bang
sb at dod.no
Sun May 12 14:17:21 EEST 2013
I prefer not to use clear text passwords, even over an encrypted
connection. With IMAP, the only such mechanism with widespread client
support is CRAM-MD5 (please correct me if I'm wrong... I'd love to be
corrected here...).
On the dovecot 2 wiki, the only way I've found to implement CRAM-MD5
support, is to use a passwd-like file:
http://wiki2.dovecot.org/HowTo/CRAM-MD5
I am running a small IMAP server used by my family.
As long as I was the single user on the IMAPd, manually managing the
passwd file was doable (if a bit cumbersome).
With 2-5 users, I'm looking for a more elegant solution.
Does anyone have a similar situation, and a solution they would like to
share (config/HOWTO)?
Here are the possibilities that come to mind:
1. Create a web interface to change the password (does anyone know of a
ready-made solution for this that they could recommend?)
2. Convince PAM to update the dovecot HMAC-MD5 password file as well as
the regular system password file (my dovecot runs on a debian stable
"wheezy" system. In theory this should be possible, but it is very
hard to find documentation on what PAM modules exist, and how to
write a new one, and if it is possible to chain modules in PAM,
i.e. use one module to update-this-passwd-file and then use a
different module to update a different passwd file)
3. Use LDAP, which I think can also support CRAM-MD5 when using
password lookups
http://wiki2.dovecot.org/AuthDatabase/LDAP/PasswordLookups
(learning how to set up LDAP is something I have avoided for years,
because it looks awfully complex and time consuming)
I haven't looked into using databases, SQL, or key-value store, because
they seem like a more cumbersome way to do the same thing as passwd
files.
But I am aware that this assumption could be wrong. It could e.g. be
easier to make the web interface idea work with a database manager, than
messing around with setuid bits to safely update a passwd file owned and
touchable only by the dovecot user.
Thanks for any and all responses!
- Steinar
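Two points from the post are worth seeing in code: what the CRAM-MD5 exchange actually does on the wire (and why the server-side secret file is as sensitive as a clear text password file), and how to add or replace an entry in the passwd-like file from the HowTo without two writers clobbering each other or a reader seeing a half-written file. The following is an added example, not code from the original post or from Dovecot. It assumes the file layout from the CRAM-MD5 HowTo (`user:{CRAM-MD5}hash`), takes the hash string as input rather than computing it (a real one comes from `doveadm pw -s CRAM-MD5`; the values below are labelled placeholders), and for the verification half uses a constructed dict of plaintext secrets, since Python's hashlib cannot load the keyed HMAC context that Dovecot stores.

```python
# Added example, not code from the original post or from Dovecot itself.
# Part 1: the CRAM-MD5 exchange (RFC 2195) from both sides.
# Part 2: a locked, atomic update of a dovecot-style passwd file.
import base64
import fcntl
import hashlib
import hmac
import os
import socket
import tempfile
import time


def make_challenge():
    """Server challenge in the conventional '<pid.timestamp@host>' form."""
    return f"<{os.getpid()}.{int(time.time())}@{socket.gethostname()}>".encode()


def cram_md5_response(username, secret, challenge):
    """Client side: base64('user ' + hex(HMAC-MD5(secret, challenge)))."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def cram_md5_verify(response_b64, challenge, lookup_secret):
    """Server side: recompute the HMAC from the stored secret and compare in
    constant time.  Returns the username on success, None otherwise.  The
    server needs the secret itself (Dovecot keeps the keyed HMAC context,
    which is equivalent), so the file must be guarded like a plaintext one."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
        username, digest = decoded.rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    secret = lookup_secret(username)
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest) else None


def load_passwd(path):
    """Parse 'user:{SCHEME}hash[:...]' lines into {user: '{SCHEME}hash'}."""
    entries = {}
    try:
        with open(path) as fh:
            for line in fh:
                line = line.rstrip("\n")
                if not line or line.startswith("#"):
                    continue
                user, _, rest = line.partition(":")
                entries[user] = rest.split(":", 1)[0]
    except FileNotFoundError:
        pass
    return entries


def set_passwd_entry(path, username, scheme_hash):
    """Add or replace one user's line atomically; True if an entry was replaced.
    A sidecar lock file serialises writers (a lock on the passwd file itself
    would not survive the rename below); the new content is written to a temp
    file in the same directory with the original's mode, then os.replace()
    swaps it in, so a concurrent reader sees the old or the new file, never a
    partial one."""
    if any(c in username for c in ":\r\n") or any(c in scheme_hash for c in "\r\n"):
        raise ValueError("username/hash must not contain ':' or newlines")
    directory = os.path.dirname(os.path.abspath(path))
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        try:
            with open(path) as fh:
                lines = fh.read().splitlines()
            mode = os.stat(path).st_mode & 0o777
        except FileNotFoundError:
            lines, mode = [], 0o600  # new file: owner-only, it holds secrets
        out, replaced = [], False
        for line in lines:
            if line.split(":", 1)[0] == username:
                out.append(f"{username}:{scheme_hash}")
                replaced = True
            else:
                out.append(line)
        if not replaced:
            out.append(f"{username}:{scheme_hash}")
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".passwd.")
        try:
            with os.fdopen(fd, "w") as tf:
                tf.write("\n".join(out) + "\n")
                tf.flush()
                os.fsync(tf.fileno())
            os.chmod(tmp, mode)
            os.replace(tmp, path)
        except BaseException:
            os.unlink(tmp)
            raise
    return replaced


def demo():
    """Exercise both halves on constructed data; returns
    (verified_user, wrong_password_result, replaced, entries, file_mode)."""
    secrets = {"alice": "correct horse"}  # constructed sample, plaintext for the demo
    challenge = make_challenge()
    good = cram_md5_verify(cram_md5_response("alice", "correct horse", challenge),
                           challenge, secrets.get)
    bad = cram_md5_verify(cram_md5_response("alice", "wrong", challenge),
                          challenge, secrets.get)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cram-md5.pwd")
        set_passwd_entry(path, "alice", "{CRAM-MD5}placeholder-hash-1")
        set_passwd_entry(path, "bob", "{CRAM-MD5}placeholder-hash-2")
        replaced = set_passwd_entry(path, "alice", "{CRAM-MD5}placeholder-hash-3")
        entries = load_passwd(path)
        mode = os.stat(path).st_mode & 0o777
    return good, bad, replaced, entries, mode


if __name__ == "__main__":
    print(demo())
```

The update function is the piece that a web front end or a PAM-triggered hook would call; it needs write access to the directory (for the temp file and the rename), not just to the passwd file, which matters when deciding which user such a helper runs as.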