On 2.7.2019 23.27, mabi wrote:
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Tuesday, July 2, 2019 6:32 PM, Aki Tuomi via dovecot dovecot@dovecot.org wrote:
I don't actually recommend using password directly from user as password for private keys, I recommend running them thru some hash / pkcs5 before that. That's a great idea and makes things even safer. I don't know much about PKCS5 but would SHA512 also be safe enough for hashing the password?
SHA512 would then generate a 128 characters hash which I would then pass to the parameter "-o plugin/mail_crypt_private_password=" of my "doveadm mailbox cryptokey generate ..." command.
It depends. You can use either one, see https://wiki2.dovecot.org/Variables
I think the safest option would be setup LDAP so that the private password would be only readable by self, and have dovecot use bind authentication. This way you can export it only when you successfully log in to LDAP.
Aki