Mailcrypt plugin private password
Hello there,
is there a way to make the mailcrypt plugin use the user's password or at least store it in a hashed value?
I'm using a passwd file for authentication. I feel uncomfortable saving the private password in plaintext in that file.
Regards
> On 4.9.2019 9.21, **** **** via dovecot wrote:
> [...]
You can try in passdb return
userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
Aki
Do I have to replace the "password" part with the actual password or can I just copy it like that?
Will dovecot create the keypair automatically or do I have to use doveadm?
> 4. Sep. 2019, 08:33, from aki.tuomi@open-xchange.com:
> [...]
It should pick up the password used by the user; there is a caveat here, though. The keypair is created on first use, so the password will be initialized to an empty string going through pkcs5. This is slightly inconvenient.
To avoid this, you should probably have
    protocol imap {
      passdb {
        driver = static
        args = userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
      }
    }
and initialize the keypair using doveadm and set the password to this value there.
This requires some user management tools, though, so that the password is changed with doveadm when the user changes their password.
Another alternative is to keep the private password in the database; you can use the var expand encryption plugin to make sure it's decryptable with the user's password. See https://doc.dovecot.org/configuration_manual/config_file/config_variables/ for details.
Key management is pretty much the most difficult thing in mail crypt plugin =)
Aki
> On 4.9.2019 9.40, info--- via dovecot wrote:
> [...]
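One way to script the static alternative described above, as an added example that is not from the thread or from Dovecot itself: the helper derives a mail_crypt private password from the login password with PBKDF2 salted by the username (the shape of %{pkcs5,salt=%u,format=base64:password}), emits the passwd-file extra field that carries the fixed value, and shows why a keypair generated before the real password is known ends up under a different passphrase. The hash (SHA-256), round count and output length are assumptions for this example, not Dovecot's documented pkcs5 defaults.

```python
import base64
import hashlib

# Assumed parameters (constructed for this example): check the var_expand
# documentation for Dovecot's actual pkcs5 defaults before relying on these.
PBKDF2_HASH = "sha256"
PBKDF2_ROUNDS = 2048
PBKDF2_LENGTH = 32


def derive_private_password(user: str, login_password: str) -> str:
    """PBKDF2 over the login password, salted with the username, base64-encoded.

    Mirrors the shape of %{pkcs5,salt=%u,format=base64:password}: the private
    password is never stored in the passwd file; it is recomputed at login.
    """
    key = hashlib.pbkdf2_hmac(
        PBKDF2_HASH,
        login_password.encode("utf-8"),
        user.encode("utf-8"),
        PBKDF2_ROUNDS,
        PBKDF2_LENGTH,
    )
    return base64.b64encode(key).decode("ascii")


def passwd_file_line(user: str, login_hash: str, private_password: str) -> str:
    """Build a passwd-file entry (user:password:uid:gid:gecos:home:shell:extra)
    whose extra field carries a fixed private password: the static-passdb
    alternative, where this value must match what the keypair was
    initialized with via doveadm."""
    return f"{user}:{login_hash}::::::userdb_mail_crypt_private_password={private_password}"


def first_use_mismatch(user: str, login_password: str) -> bool:
    """The caveat from the thread: if the keypair is generated before a login
    password is available, the derivation runs over the empty string and the
    resulting passphrase differs from the one derived from the real password,
    so later logins cannot unlock the key."""
    return derive_private_password(user, "") != derive_private_password(user, login_password)
```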
Are any of the password schemes supported, or is there a reason you chose pkcs5?
> 4. Sep. 2019, 08:45, from aki.tuomi@open-xchange.com:
> [...]
PKCS5 is a password-based key derivation function. The linked documentation has information on what you can use here.
Aki
> On 4.9.2019 10.06, info@unkn0wn3d.com wrote:
> [...]
participants (2)
- Aki Tuomi
- info@unkn0wn3d.com