Multiple passwords with sql authentication

BlackVoid blackvoid+dovecot at fantas.in
Wed Jul 23 16:29:23 UTC 2014


The control panel uses the database to authenticate, however I want
users to be able to use application-specific passwords when
authenticating via SMTP, IMAP and POP3. The issue with the solution I
found is, as I said, that the password will be logged in clear-text in the
query log.

Perhaps I was not clear enough about what I'm trying to achieve. On Google
you can have application-specific passwords. This means you can sign in
either with your primary password or an application-specific password,
and this is what I'm trying to do. I could solve it using the solution
in my first mail, but that is a security risk, because if someone gains
access to my server for whatever reason, all the person has to do is
check the MySQL query log to see everyone's password in clear-text. If I
did not explain it well enough, perhaps this will help:
https://support.google.com/mail/answer/1173270?hl=en

So I'm looking for a solution where Dovecot fetches all encrypted
passwords for the user who is trying to sign in and checks whether any of
the returned hashes matches the entered password, so that the risk of the
password being logged in clear-text is non-existent.

On 2014-07-23 18:07, Rick Romero wrote:
>  Quoting BlackVoid <blackvoid+dovecot at fantas.in>:
> 
>> I'm currently working on a control panel which is using postfix, dovecot
>> and other applications and I want to add application specific passwords
>> to increase security.
>>
>> I found one solution [1], however it requires the password to be
>> included in the query, which is something I do not want to do, because
>> the query may be written in clear-text to log-files. So I'm wondering if
>> there is a way to have multiple passwords with Dovecot without risking
>> passwords being leaked in clear-text to log-files.
>>
>>
> [1] http://wiki2.dovecot.org/AuthDatabase/SQL#Password_verification_by_SQL_server
> 
> 
> You can run your query by host (or port - not sure if that variable is
> available in the query) and make it complex.
> 
> For example - (MySQL)
> SELECT IF('%r' != '127.0.0.1', webmail_pass, enc_password) AS password
>   FROM user WHERE userid = '%u'
> 
> http://komlenic.com/254/mysql-nested-if-in-select-queries/
> 
> If you're using Dovecot as an auth backend for your control panel, I'd use
> a custom port only accessible from the web server(s) like 145 for
> IMAP+Control Panel.
> 
> Rick
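The two approaches discussed in this thread side by side, as an added example that is not from the original posts or from Dovecot itself. It is a small Python script with an in-memory SQLite table standing in for the MySQL users table; the table and column names, the PBKDF2 hash format and the sample users and passwords are all constructed for the demonstration. `auth_verify_in_sql` builds the statement the way the wiki's "password verification by SQL server" recipe does, expanding the plaintext (Dovecot's `%w`) into the query text, so the password is whatever the query log sees. `auth_verify_in_app` does what BlackVoid asks for: select every hash stored for the user and compare in the application, so the log only ever contains the username.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed hashing parameters for the demonstration (not Dovecot's own scheme).
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return a self-describing salted PBKDF2-SHA256 hash: scheme$iters$salt$dk."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_hash(password, stored):
    """Check one password against one stored hash, comparing in constant time."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def sql_quote(value):
    """Quote a value the way a %-variable is expanded into the query text."""
    return "'" + value.replace("'", "''") + "'"


def run_logged(conn, sql, log):
    """Execute a statement and record its full text, as a general query log would."""
    log.append(sql)
    return conn.execute(sql).fetchall()


def build_sample_db():
    """Constructed sample data: one user with a primary and two app-specific passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE passwords (userid TEXT, label TEXT, hash TEXT)")
    rows = [
        ("alice@example.com", "primary", "correct horse battery staple"),
        ("alice@example.com", "phone-imap", "qwmb-rtuz-klpa-xdfe"),
        ("alice@example.com", "laptop-smtp", "ztuq-ahgs-wnkl-pxor"),
    ]
    conn.executemany("INSERT INTO passwords VALUES (?, ?, ?)",
                     [(u, label, hash_password(p)) for u, label, p in rows])
    # Stand-in for MySQL's ENCRYPT()/SHA2(): lets the SQL server do the verification.
    conn.create_function("pbkdf2_verify", 2, lambda pw, h: int(verify_hash(pw, h)))
    return conn


def auth_verify_in_sql(conn, userid, password, log):
    """Wiki approach: the plaintext (%w) is expanded into the statement, so it is logged."""
    sql = ("SELECT COUNT(*) FROM passwords WHERE userid = " + sql_quote(userid)
           + " AND pbkdf2_verify(" + sql_quote(password) + ", hash)")
    return run_logged(conn, sql, log)[0][0] > 0


def auth_verify_in_app(conn, userid, password, log):
    """Poster's approach: fetch every hash for the user, compare in the application."""
    sql = "SELECT hash FROM passwords WHERE userid = " + sql_quote(userid)
    hashes = [row[0] for row in run_logged(conn, sql, log)]
    # Check every hash rather than stopping at the first match, so the response
    # time does not reveal which of the user's passwords was used.
    matched = False
    for h in hashes:
        matched = verify_hash(password, h) or matched
    return matched


def log_contains(log, secret):
    """Would someone reading the query log see this secret?"""
    return any(secret in stmt for stmt in log)


if __name__ == "__main__":
    conn = build_sample_db()
    for check in (auth_verify_in_sql, auth_verify_in_app):
        log = []
        ok = check(conn, "alice@example.com", "qwmb-rtuz-klpa-xdfe", log)
        print("%-18s accepted=%s  password visible in query log=%s"
              % (check.__name__, ok, log_contains(log, "qwmb-rtuz-klpa-xdfe")))
```

Running it shows both checks accepting the app-specific password, but only the in-SQL variant leaves it in the recorded statements. The app-side variant is the logic a checkpassword script or a custom passdb would carry, since a plain sql passdb compares against the single password column its query returns; Rick's `IF('%r' ...)` query also hands Dovecot just one hash per connection, chosen by where the client connects from, rather than trying all of them.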

