Password Schemes
Chris Bennett
chris-dvcot at freedomforlife.rocks
Tue Sep 14 18:37:22 EEST 2021
On Sat, Sep 11, 2021 at 08:07:31PM -0500, John Schmerold wrote:
> My /etc/dovecot/conf.d/auth-passwdfile.conf.ext is configured to use MD5
>
> passdb {
> driver = passwd-file
> args = scheme=MD5 username_format=%n /etc/exim4/domains/%d/passwd
> }
>
> userdb {
> driver = passwd-file
> args = username_format=%n /etc/exim4/domains/%d/passwd
> }
>
> /home/account/conf/mail/domain.com/passwd has a mixture of MD5 &
> SHA512-CRYPT:
>
> scanner:{MD5}$1$M5QuU7QI$AE7Nnorb8KC5KMvyYfVcr0:account:mail::/home/account:0:userdb_quota_rule=*:storage=0M
> test:{SHA512-CRYPT}$6$towo0IVjzBgZ0htU$uTFbyJ3aPunrhsEEC2alHz6SEuPyBdL3JYDWc6Z0ZtA2cMFjFVJNqAwn04OKQfsu99DNcDGu21zkvdYbsPmgJ0:account:mail::/home/account:0:userdb_quota_rule=*:storage=0M
>
> Everything is working fine, is this by design? In other words, does the {MD5}
> vs {SHA512-CRYPT} in passwd overrule auth-passwdfile.conf.ext?
>
If you can, I would get rid of MD5. It's no longer secure. Sending out
mountains of spam if a password gets cracked could be problematic. :-{
I'm getting ready to drop using MD5 on secure cookies for that very
reason. Website software, not dovecot.
Hopefully that's helpful. I dropped one of my bare metal servers because
the company couldn't keep other spammers off of the IP block I was in.
They refused to do anything to clean up their blacklist, which included
me unfortunately.
Chris Bennett
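
An added example (not part of the original post, and not Dovecot code): a small Python audit that lists which passwd-file entries still use a weak scheme, treating a {SCHEME} prefix on the password field as taking precedence over the scheme= default from the passdb args. The allowlist of acceptable schemes, the function name and the sample entries are assumptions constructed for illustration.

```python
import re

# Example policy (an assumption, not Dovecot's): only these schemes pass;
# anything else, including MD5, is reported for re-hashing.
ACCEPTED = {"SHA512-CRYPT", "SHA256-CRYPT", "BLF-CRYPT",
            "ARGON2I", "ARGON2ID", "PBKDF2"}

# {SCHEME} or {SCHEME.ENCODING} at the start of the password field.
PREFIX = re.compile(r"^\{([A-Za-z0-9-]+)(?:\.[A-Za-z0-9]+)?\}")


def audit(lines, default_scheme="MD5"):
    """Return (user, scheme, needs_rehash) for each passwd-file entry.

    default_scheme is the scheme= value from the passdb args; it is used
    only for entries whose password field has no {SCHEME} prefix.
    """
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2 or not fields[1]:
            continue  # no password field, nothing to classify
        match = PREFIX.match(fields[1])
        scheme = (match.group(1) if match else default_scheme).upper()
        results.append((fields[0], scheme, scheme not in ACCEPTED))
    return results


# Constructed sample entries; the hash bodies are placeholders, not real hashes.
SAMPLE = [
    "# constructed passwd-file",
    "alice:{MD5}$1$saltsalt$placeholderhash:account:mail::/home/account",
    "bob:{SHA512-CRYPT}$6$saltsalt$placeholderhash:account:mail::/home/account",
    "carol:$1$saltsalt$placeholderhash:account:mail::/home/account",
    "dave:{SHA256.HEX}placeholderhex:account:mail::/home/account",
]

if __name__ == "__main__":
    for user, scheme, rehash in audit(SAMPLE):
        print(f"{user:8} {scheme:14} {'REHASH' if rehash else 'ok'}")
```

Entries without a prefix (carol above) are the ones whose classification changes when the scheme= default in the passdb args is changed, so they should be prefixed or re-hashed before the default is raised.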