Hi there,

Although I have set up TLS in my Dovecot installation, I would like to also set up some non-plaintext authentication mechanism, specifically CRAM-MD5 and SCRAM-SHA-1.

As I read in the documents, "The problem with non-plaintext auth mechanisms is that the password must be stored either in plaintext, or using a mechanism-specific scheme that’s incompatible with all other non-plaintext mechanisms".

I will not be storing the user's passwords in plaintext, so I will have to use different mechanism-specific hash schemes. I was wondering whether it would be possible to have several auth databases, one for each non-plaintext mechanism. Well, in reality, I will have just one database with multiple hashes: SHA512-CRYPT, CRAM-MD5 and SCRAM-SHA-1 but then I am going to set up three different passdb instances in dovecot, each one with its own SQL configuration.

For example:

passdb { driver = sql args = /etc/dovecot/dovecot-sql-plain.conf.ext }

passdb { driver = sql args = /etc/dovecot/dovecot-sql-cram-md5.conf.ext }

passdb { driver = sql args = /etc/dovecot/dovecot-sql-scram-sha-1.conf.ext }

Most users would use TLS and PLAIN as authentication mechanism so the last two password databases will not be used at all. However, those users using CRAM-MD5 or SCRAM-SHA-1 would try the other databases.

My users table would be somewhat like this:

CREATE TABLE users ( username VARCHAR(128) NOT NULL, domain VARCHAR(128) NOT NULL, password VARCHAR(77) NOT NULL, password_cram_md5 VARCHAR(74) NOT NULL, password_scram_sha_1 VARCHAR(100) NOT NULL, home VARCHAR(255) NOT NULL, uid INTEGER NOT NULL, gid INTEGER NOT NULL, active CHAR(1) DEFAULT 'Y' NOT NULL );

username: foo@bar.com domain: bar.com password: {SHA512-CRYPT}$6$Mih5.y90z...CqxX2LxfMJMqoC42NvBK1 password_cram_md5: {CRAM-MD5}a457...2a74f63442e7473e9576cf2e password_scram_sha_1: {SCRAM-SHA-1}4096,4...9AYjadouwXqiqc3UM=

Obviously, the SQL query in each dovecot-sql-....ext file would be different. For instance:

/etc/dovecot/dovecot-sql-plain.conf.ext default_pass_scheme = SHA512-CRYPT password_query =
SELECT username, domain, password, home AS userdb_home, uid AS userdb_uid FROM users WHERE username = '%n' AND domain = '%d'

/etc/dovecot/dovecot-sql-cram-md5.conf.ext default_pass_scheme = CRAM-MD5 password_query =
SELECT username, domain, password_cram_md5 AS password, home AS userdb_home, uid AS userdb_uid FROM users WHERE username = '%n' AND domain = '%d'

/etc/dovecot/dovecot-sql-scram-sha-1.conf.ext default_pass_scheme = SCRAM-SHA-1 password_query =
SELECT username, domain, password_scram_sha_1 AS password, home AS userdb_home, uid AS userdb_uid FROM users WHERE username = '%n' AND domain = '%d'

Could you please tell me whether this set up would work? Do you believe is worth the complexity or maybe I had better keep it more simple and use just PLAIN auth with TLS?

Cheers, Jesús Ángel