Re: [Dovecot] Trying to get Centos5 set up with dovecot
DCA <dovecotadmin@silverservers.com> writes:
I am trying to set up dovecot to replace an older POP3 server in an existing setup. Currently the server uses sendmail to handle incoming mail. Users are in /etc/mail and their incoming eMail lands in /var/mail/username; in /var/mail the username file is owned by username:mail.
I have dovecot configured to create the imap folders in /home/username/mail/. On existing accounts, login attempts fail with errors such as:
chown /home/username/mail/.imap/INBOX failed: Operation not permitted egid=500(username), group based on /var/mail/username
mkdir /home/username/mail/imap/INBOX failed: Operation not permitted.
Everything seems to work as expected, but only if I add "username" into the "mail" group OR if I have all mailboxes chowned to username:username. Is there any way to tell dovecot to ignore the group ownership of /var/mail/username and focus instead on using username:username for everything in /home/username?
If I have to add every user to the mail group I can but this seems messy.
Geez, I must have answered the same query 3 or 4 times. I need to write an entry in wiki somewhere:
http://www.dovecot.org/list/dovecot/2013-August/092299.html
Joseph Tam <jtam.home@gmail.com>
Reindl Harald <h.reindl@thelounge.net> writes:
frankly 8 chars is laughable, i recently wrote a PHP library to generate secure random passwords and for 100000 passwords get 13 collisions is way too much given that that means you have a collision every 8000 tries which means not you need 8000 in a real world attack
(Off-topic)
Not that I disagree with the conclusion that 8 character passwords are weak by today's standards, but there seems to be something wrong with your generator (weak PRNG? limited character set?). 13 collisions in 10^5 passwords is terrible, even by 1980 Unix standards.
The keyspace for an 8-character alphanumeric password is 62^8, and assuming a random selection of keys, you would need to generate 17,397,806 keys before expecting a 50% probability of finding one collision:
(Ref: http://en.wikipedia.org/wiki/Birthday_problem#Cast_as_a_collision_problem)
p=0.5, d=62^8, n=sqrt(2*62^8*log(1/(1-0.5))) ~= 1.7E7
A hash collision (again, assuming crypt is a halfway decent hasher) is even more unlikely, as the hash space is even larger (4096 salts * 64^11).
Jiri Bourek added
Yes, AFAIK DES encryption is obsolete for a very long time and if you know hash, it's quite easy to generate a secret which will match the hash ...
Quite easy? Maybe if you could find crypt rainbow tables for crypt(). Go ahead and invert "LXE5F6d8FPOa.".
Joseph Tam <jtam.home@gmail.com>
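Added example (not part of any post in this thread): the birthday-bound calculation above in Python, together with its inverse, which estimates how large a uniform keyspace could be and still show 13 colliding pairs in 100000 draws. The function names are made up for this example, and reading "13 collisions" as 13 equal pairs is an assumption.

```python
import collections
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, as in the post
KEYSPACE_8 = len(ALPHABET) ** 8                  # 62^8


def draws_for_collision(keyspace, p=0.5):
    """Birthday bound: draws needed for probability p of at least one collision."""
    return math.sqrt(2 * keyspace * math.log(1 / (1 - p)))


def expected_colliding_pairs(draws, keyspace):
    """Expected number of equal pairs among `draws` uniform samples."""
    return draws * (draws - 1) / (2 * keyspace)


def effective_keyspace(draws, colliding_pairs):
    """Inverse of the above: the uniform keyspace size that would produce
    the observed number of colliding pairs on average."""
    return draws * (draws - 1) / (2 * colliding_pairs)


def count_colliding_pairs(samples):
    """Count equal pairs in a list of generated passwords."""
    counts = collections.Counter(samples)
    return sum(c * (c - 1) // 2 for c in counts.values())


def generate(length=8):
    """Uniform alphanumeric password from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print("draws for 50%% collision chance: %.0f" % draws_for_collision(KEYSPACE_8))
    print("expected pairs in 100000 draws: %.2e"
          % expected_colliding_pairs(100000, KEYSPACE_8))
    est = effective_keyspace(100000, 13)  # figures reported in the thread
    print("keyspace implied by 13 pairs: %.3g (~%.1f bits)" % (est, math.log2(est)))
    sample = [generate() for _ in range(100000)]
    print("pairs seen with a uniform generator:", count_colliding_pairs(sample))
```

Run as a script, it prints the 62^8 bound next to the keyspace implied by the reported collision count, so the gap between the two is visible directly.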
On 27.03.2014 11:27, Joseph Tam wrote:
Reindl Harald <h.reindl@thelounge.net> writes:
frankly 8 chars is laughable, i recently wrote a PHP library to generate secure random passwords and for 100000 passwords get 13 collisions is way too much given that that means you have a collision every 8000 tries which means not you need 8000 in a real world attack
(Off-topic)
Not that I disagree with the conclusion that 8 character passwords are weak by today's standards, but there seems to be something wrong with your generator (weak PRNG? limited character set?). 13 collisions in 10^5 passwords is terrible, even by 1980 Unix standards.
- Intel IvyBridge with rngd
- haveged -w 3072 -v 1
- SURELY a limited character set because mail-clients don't handle any char
$internal_random = openssl_random_pseudo_bytes(15) . microtime() . serialize($_SERVER) . serialize($_REQUEST) . serialize($_ENV) . uniqid('', true) . openssl_random_pseudo_bytes(15);
- that is not the problem and a lot of high random crap
- but you can't use that for passwords
- after hash_pbkdf2('sha256', $internal_random, mcrypt_create_iv(16, MCRYPT_DEV_URANDOM), 20, $length) you are limited to low chars and numbers, so you need to randomly uppercase some chars and randomly insert acceptable special chars like array('_','#','*','-','&','!','?','.',',','=')