Dovecot and MariaDB/MySQL

Aki Tuomi aki.tuomi at dovecot.fi
Wed Jan 11 07:50:33 UTC 2017



On 11.01.2017 09:45, Michael A. Peters wrote:
> Howdy -
>
> For most of my dovecot servers, they are small and I just use unix
> accounts.
>
> However I am going to be running a new server for more general users,
> webmail (probably roundcube but I'm hacking roundcube quite a bit,
> enough that I'm calling it squarepeg instead so users familiar with
> roundcube will know it is quite different) and it will use MariaDB for
> account management.
>
> I already have it working, following the instructions at
> https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql-on-centos-5/
> - those instructions also work in CentOS 7 with the latest Dovecot -
> but there is something that really bothers me.
>
> It makes no provision for salting the password before the crypt function.
>
> What I would like to do is when creating a new account, use
> /dev/urandom to generate a random salt for the account that is stuck
> in the database along with the account and used when validating the
> password.
>
> That way in the event of a SQL injection attack that dumps the
> database - yes it is still bad, but 20 accounts that have the same
> password will have radically different hashes and thus won't be a clue
> that they are the same, the blackhat that gets the database dump would
> have to generate a rainbow table for each unique salt.
>
> I've looked at at least a dozen different Dovecot / MariaDB howto
> guides and none of the ones I have looked at supported any kind of
> individual salting of the user passwords.
>
> Can someone point me to a guide that does?
>
> I don't mind keeping the salt in the database, I just want to be able
> to have a different salt for each account.
>
> Thank you

Hi!

Try using doveadm pw -S SSHA256 for generating the password. The salt is
included in the password hash.

Aki


More information about the dovecot mailing list