Hi there,
Although I have set up TLS in my Dovecot installation, I would like to also set up some non-plaintext authentication mechanism, specifically CRAM-MD5 and SCRAM-SHA-1.
As I read in the documents, "The problem with non-plaintext auth mechanisms is that the password must be stored either in plaintext, or using a mechanism-specific scheme that’s incompatible with all other non-plaintext mechanisms".
I will not be storing the user's passwords in plaintext, so I will have to use different mechanism-specific hash schemes. I was wondering whether it would be possible to have several auth databases, one for each non-plaintext mechanism. Well, in reality, I will have just one database with multiple hashes: SHA512-CRYPT, CRAM-MD5 and SCRAM-SHA-1 but then I am going to set up three different passdb instances in dovecot, each one with its own SQL configuration.
For example:
passdb { driver = sql args = /etc/dovecot/dovecot-sql-plain.conf.ext }
passdb { driver = sql args = /etc/dovecot/dovecot-sql-cram-md5.conf.ext }
passdb { driver = sql args = /etc/dovecot/dovecot-sql-scram-sha-1.conf.ext }
Most users would use TLS and PLAIN as authentication mechanism so the last two password databases will not be used at all. However, those users using CRAM-MD5 or SCRAM-SHA-1 would try the other databases.
My users table would be somewhat like this:
CREATE TABLE users ( username VARCHAR(128) NOT NULL, domain VARCHAR(128) NOT NULL, password VARCHAR(77) NOT NULL, password_cram_md5 VARCHAR(74) NOT NULL, password_scram_sha_1 VARCHAR(100) NOT NULL, home VARCHAR(255) NOT NULL, uid INTEGER NOT NULL, gid INTEGER NOT NULL, active CHAR(1) DEFAULT 'Y' NOT NULL );
username: foo@bar.com domain: bar.com password: {SHA512-CRYPT}$6$Mih5.y90z...CqxX2LxfMJMqoC42NvBK1 password_cram_md5: {CRAM-MD5}a457...2a74f63442e7473e9576cf2e password_scram_sha_1: {SCRAM-SHA-1}4096,4...9AYjadouwXqiqc3UM=
Obviously, the SQL query in each dovecot-sql-....ext file would be different. For instance:
/etc/dovecot/dovecot-sql-plain.conf.ext
default_pass_scheme = SHA512-CRYPT
password_query =
SELECT username, domain, password, home AS userdb_home, uid AS
userdb_uid FROM users WHERE username = '%n' AND domain = '%d'
/etc/dovecot/dovecot-sql-cram-md5.conf.ext
default_pass_scheme = CRAM-MD5
password_query =
SELECT username, domain, password_cram_md5 AS password, home AS
userdb_home, uid AS userdb_uid FROM users WHERE username = '%n' AND
domain = '%d'
/etc/dovecot/dovecot-sql-scram-sha-1.conf.ext
default_pass_scheme = SCRAM-SHA-1
password_query =
SELECT username, domain, password_scram_sha_1 AS password, home AS
userdb_home, uid AS userdb_uid FROM users WHERE username = '%n' AND
domain = '%d'
Could you please tell me whether this set up would work? Do you believe is worth the complexity or maybe I had better keep it more simple and use just PLAIN auth with TLS?
Cheers, Jesús Ángel