On Sat, Sep 11, 2021 at 08:07:31PM -0500, John Schmerold wrote:
My /etc/dovecot/conf.d/auth-passwdfile.conf.ext is configured to use MD5:

passdb {
  driver = passwd-file
  args = scheme=MD5 username_format=%n /etc/exim4/domains/%d/passwd
}
userdb {
  driver = passwd-file
  args = username_format=%n /etc/exim4/domains/%d/passwd
}

/home/account/conf/mail/domain.com/passwd has a mixture of MD5 & SHA512-CRYPT:

scanner:{MD5}$1$M5QuU7QI$AE7Nnorb8KC5KMvyYfVcr0:account:mail::/home/account:0:userdb_quota_rule=*:storage=0M
test:{SHA512-CRYPT}$6$towo0IVjzBgZ0htU$uTFbyJ3aPunrhsEEC2alHz6SEuPyBdL3JYDWc6Z0ZtA2cMFjFVJNqAwn04OKQfsu99DNcDGu21zkvdYbsPmgJ0:account:mail::/home/account:0:userdb_quota_rule=*:storage=0M

Everything is working fine. Is this by design? In other words, does the {MD5} vs. {SHA512-CRYPT} in passwd overrule auth-passwdfile.conf.ext?
If you can, I would get rid of MD5. It's no longer secure. Sending out mountains of spam if a password gets cracked could be problematic. :-{ I'm getting ready to drop using MD5 on secure cookies for that very reason. Website software, not Dovecot.
Hopefully that's helpful. I dropped one of my bare metal servers because the company couldn't keep other spammers off of the IP block I was in. They refused to do anything to clean up their blacklist, which included me unfortunately.
Chris Bennett
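
Added example, not part of the original messages and not Dovecot's own code: in Dovecot a {SCHEME} prefix on a stored password takes precedence over the passdb default scheme, which is why a passwd-file can mix schemes and can keep MD5 entries after the default is changed. This script reports each account's effective scheme so the MD5 ones can be found and rehashed; the function names, the weak-scheme set and the sample lines (placeholder hashes) are assumptions of the example.

```python
import re

# MD5-family scheme names known to Dovecot. Treating exactly this set as
# "weak" is an assumption of this example; adjust it to local policy.
WEAK_SCHEMES = {"MD5", "MD5-CRYPT", "PLAIN-MD5", "LDAP-MD5", "SMD5"}

# Matches a leading {SCHEME} or {SCHEME.ENCODING} prefix on the password field.
PREFIX_RE = re.compile(r"^\{([A-Za-z0-9-]+)(?:\.[A-Za-z0-9]+)?\}")


def effective_scheme(password_field, default_scheme):
    """Scheme applied to one stored password: the prefix wins over the default."""
    m = PREFIX_RE.match(password_field)
    return (m.group(1) if m else default_scheme).upper()


def audit_passwd_file(text, default_scheme):
    """Return [(user, scheme, is_weak)] for every account line in text."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        user, sep, rest = line.partition(":")
        if not sep:
            continue  # not a user:password:... record
        password = rest.split(":", 1)[0]
        scheme = effective_scheme(password, default_scheme)
        results.append((user, scheme, scheme in WEAK_SCHEMES))
    return results


# Constructed sample in passwd-file layout; the hashes are placeholders.
SAMPLE = """\
# constructed sample
scanner:{MD5}$1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx:account:mail::/home/account:0
test:{SHA512-CRYPT}$6$PLACEHOLDER$yyyyyyyy:account:mail::/home/account:0
legacy:$1$PLACEHOLDER$zzzzzzzzzzzzzzzzzzzzzz:account:mail::/home/account:0
"""

if __name__ == "__main__":
    # "MD5" mirrors scheme=MD5 from the passdb args quoted above.
    for user, scheme, weak in audit_passwd_file(SAMPLE, "MD5"):
        print(f"{user:10} {scheme:14} {'REHASH' if weak else 'ok'}")
```

An entry without a prefix (the constructed "legacy" line) follows whatever scheme= is set in the passdb args, so changing that default changes how such entries are verified but does nothing to entries carrying an explicit {MD5} prefix.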