Howdy -
For most of my dovecot servers, they are small and I just use unix accounts.
However I am going to be running a new server for more general users, webmail (probably roundcube but I'm hacking roundcube quite a bit, enough that I'm calling it squarepeg instead so users familiar with roundcube will know it is quite different) and it will use MariaDB for account management.
I already have it working, following the instructions at https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mys... there is something that really bothers me.
- those instructions also work in CentOS 7 with the latest Dovecot - but
It makes no provision for salting the password before the crypt function.
What I would like to do is when creating a new account, use /dev/urandom to generate a random salt for the account that is stuck in the database along with the account and used when validating the password.
That way in the event of a SQL injection attack that dumps the database the same, the blackhat that gets the database dump would have to
- yes it is still bad, but 20 accounts that have the same password will have radically different hashes and thus won't be a clue that they are
generate a rainbow table for each unique salt.
I've looked at at least a dozen different Dovecot / MariaDB howto guides and none of the ones I have looked at supported any kind of individual salting of the user passwords.
Can someone point me to a guide that does?
I don't mind keeping the salt in the database, I just want to be able to have a different salt for each account.
Thank you
On 11.01.2017 09:45, Michael A. Peters wrote:
Howdy -
For most of my dovecot servers, they are small and I just use unix accounts.
However I am going to be running a new server for more general users, webmail (probably roundcube but I'm hacking roundcube quite a bit, enough that I'm calling it squarepeg instead so users familiar with roundcube will know it is quite different) and it will use MariaDB for account management.
I already have it working, following the instructions at https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mys...
- those instructions also work in CentOS 7 with the latest Dovecot - but there is something that really bothers me.
It makes no provision for salting the password before the crypt function.
What I would like to do is when creating a new account, use /dev/urandom to generate a random salt for the account that is stuck in the database along with the account and used when validating the password.
That way in the event of a SQL injection attack that dumps the database - yes it is still bad, but 20 accounts that have the same password will have radically different hashes and thus won't be a clue that they are the same, the blackhat that gets the database dump would have to generate a rainbow table for each unique salt.
I've looked at at least a dozen different Dovecot / MariaDB howto guides and none of the ones I have looked at supported any kind of individual salting of the user passwords.
Can someone point me to a guide that does?
I don't mind keeping the salt in the database, I just want to be able to have a different salt for each account.
Thank you
Hi!
Try using doveadm pw -S SSHA256 for generating the password. The salt is included in the password hash.
Aki
participants (2)
-
Aki Tuomi
-
Michael A. Peters