‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Thursday, July 4, 2019 11:18 AM, Aki Tuomi via dovecot dovecot@dovecot.org wrote:
It depends. You can use either one, seehttps://wiki2.dovecot.org/Variables
I think the safest option would be setup LDAP so that the private password would be only readable by self, and have dovecot use bind authentication. This way you can export it only when you successfully log in to LDAP.
Good point regarding LDAP but right now I am using PostgreSQL as backend for storing my accounts and use the following "password_query" parameter:
password_query = SELECT username AS user, password, '%w' AS userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u'
So based on the Dovecot Variables wiki documentation you mention I could adapt my "password_query" parameter to the following in order to use a SHA512 hash of the password:
password_query = SELECT username AS user, password, '%{sha512:w}' AS userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u'
is this correct?
I am also not sure about sha512 hash because the Dovecot Variable wiki page does not mention sha512 but only sha256. Is sha512 also available?