Multiple non-plaintext mechanisms using multiple passdbs.

Jesús Ángel del Pozo Domínguez jesusangel.delpozo at gmail.com
Thu Jun 17 13:00:43 EEST 2021


Hi there,

Although I have set up TLS in my Dovecot installation, I would like to
also set up some non-plaintext authentication mechanism, specifically
CRAM-MD5 and SCRAM-SHA-1.

As I read in the documents, "The problem with non-plaintext auth
mechanisms is that the password must be stored either in plaintext, or
using a mechanism-specific scheme that’s incompatible with all other
non-plaintext mechanisms".

I will not be storing the users' passwords in plaintext, so I will have
to use different mechanism-specific hash schemes. I was wondering
whether it would be possible to have several auth databases, one for
each non-plaintext mechanism. Well, in reality, I will have just one
database with multiple hashes: SHA512-CRYPT, CRAM-MD5 and SCRAM-SHA-1,
but then I am going to set up three different passdb instances in
Dovecot, each one with its own SQL configuration.

For example:

passdb {
   driver = sql
   args = /etc/dovecot/dovecot-sql-plain.conf.ext
}

passdb {
   driver = sql
   args = /etc/dovecot/dovecot-sql-cram-md5.conf.ext
}

passdb {
   driver = sql
   args = /etc/dovecot/dovecot-sql-scram-sha-1.conf.ext
}

Most users would use TLS and PLAIN as the authentication mechanism, so the
last two password databases will not be used at all. However, those
users using CRAM-MD5 or SCRAM-SHA-1 would try the other databases.

My users table would be something like this:

  CREATE TABLE users (
      username VARCHAR(128) NOT NULL,
      domain VARCHAR(128) NOT NULL,
      password VARCHAR(77) NOT NULL,
      password_cram_md5 VARCHAR(74) NOT NULL,
      password_scram_sha_1 VARCHAR(100) NOT NULL,
      home VARCHAR(255) NOT NULL,
      uid INTEGER NOT NULL,
      gid INTEGER NOT NULL,
      active CHAR(1) DEFAULT 'Y' NOT NULL
  );

username: foo at bar.com
domain: bar.com
password: {SHA512-CRYPT}$6$Mih5.y90z...CqxX2LxfMJMqoC42NvBK1
password_cram_md5: {CRAM-MD5}a457...2a74f63442e7473e9576cf2e
password_scram_sha_1: {SCRAM-SHA-1}4096,4...9AYjadouwXqiqc3UM=

Obviously, the SQL query in each dovecot-sql-....ext file would be
different. For instance:

/etc/dovecot/dovecot-sql-plain.conf.ext
default_pass_scheme = SHA512-CRYPT
password_query = \
   SELECT username, domain, password, home AS userdb_home, \
   uid AS userdb_uid FROM users WHERE username = '%n' AND domain = '%d'

/etc/dovecot/dovecot-sql-cram-md5.conf.ext
default_pass_scheme = CRAM-MD5
password_query = \
   SELECT username, domain, password_cram_md5 AS password, home AS userdb_home, \
   uid AS userdb_uid FROM users WHERE username = '%n' AND domain = '%d'

/etc/dovecot/dovecot-sql-scram-sha-1.conf.ext
default_pass_scheme = SCRAM-SHA-1
password_query = \
   SELECT username, domain, password_scram_sha_1 AS password, home AS userdb_home, \
   uid AS userdb_uid FROM users WHERE username = '%n' AND domain = '%d'

Could you please tell me whether this setup would work? Do you believe
it is worth the complexity, or maybe I had better keep it simpler and
use just PLAIN auth with TLS?

Cheers,
Jesús Ángel
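As an added example (not from the post above and not Dovecot's own code), here is what one of those mechanism-specific columns holds and why it cannot be shared between passdbs. It assumes the SCRAM-SHA-1 scheme layout `{SCRAM-SHA-1}iterations,salt,StoredKey,ServerKey` (base64 fields) with the keys derived as RFC 5802 specifies; `make_scram_sha1` and `verify_scram_sha1` are names chosen here. The stored value can be checked against a plaintext candidate (what a PLAIN login hitting that passdb would need), but it exposes only StoredKey and ServerKey, so nothing in it can produce a CRAM-MD5 or SHA512-CRYPT verifier, hence the separate columns.

```python
import base64
import hashlib
import hmac
import os

# Assumed layout of the Dovecot SCRAM-SHA-1 scheme (assumption, not taken
# from the post):  {SCRAM-SHA-1}<iter>,<b64 salt>,<b64 StoredKey>,<b64 ServerKey>
# Key derivation per RFC 5802:
#   SaltedPassword = PBKDF2-HMAC-SHA1(password, salt, iter)
#   ClientKey      = HMAC-SHA1(SaltedPassword, "Client Key")
#   StoredKey      = SHA1(ClientKey)
#   ServerKey      = HMAC-SHA1(SaltedPassword, "Server Key")
SCHEME = "{SCRAM-SHA-1}"


def scram_sha1_keys(password: str, salt: bytes, iterations: int):
    """Return (StoredKey, ServerKey) for a password, salt and iteration count."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return stored_key, server_key


def make_scram_sha1(password: str, salt: bytes = None, iterations: int = 4096) -> str:
    """Build the column value to store; a fresh random salt is used unless given."""
    if salt is None:
        salt = os.urandom(16)
    stored_key, server_key = scram_sha1_keys(password, salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"{SCHEME}{iterations},{b64(salt)},{b64(stored_key)},{b64(server_key)}"


def verify_scram_sha1(stored: str, candidate: str) -> bool:
    """Check a plaintext candidate against a stored value (what a PLAIN login
    verified against this column would require); rejects malformed values."""
    if not stored.startswith(SCHEME):
        raise ValueError("not a SCRAM-SHA-1 scheme value")
    fields = stored[len(SCHEME):].split(",")
    if len(fields) != 4:
        raise ValueError("expected iter,salt,StoredKey,ServerKey")
    iterations, salt, want_stored, want_server = fields
    got_stored, got_server = scram_sha1_keys(candidate, base64.b64decode(salt), int(iterations))
    # Constant-time comparison of both keys so a mismatch leaks no timing hint.
    return (hmac.compare_digest(got_stored, base64.b64decode(want_stored))
            and hmac.compare_digest(got_server, base64.b64decode(want_server)))


if __name__ == "__main__":
    value = make_scram_sha1("correct horse")  # constructed sample password
    print(value)
    print(verify_scram_sha1(value, "correct horse"), verify_scram_sha1(value, "wrong"))
```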