On Thu, 2007-02-08 at 13:03 +0100, Steffen Weber wrote:
Timo Sirainen wrote:
On Wed, 2007-02-07 at 17:01 +0100, Steffen Weber wrote:
Can Dovecot append or prepend a salt to a password before hashing them?
Yes, but then it's called SMD5 and not PLAIN-MD5. If you want to use both of them at the same time, prefix all the existing passwords with {PLAIN-MD5}.
Thank you for the quick reply. But how do I tell Dovecot which salt it should use to hash the password sent by the email client before it is compared to the one stored in the database?
The salt is stored in the generated SMD5 string itself. The salt is randomly generated when creating the SMD5 hash. Looks like it currently uses 4 byte salts, but the verification code allows the salt size to be variable.