Using SHA256/512 for SQL based password
I have been trying to find out how to set up dovecot-sql.conf to use SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is:

driver = mysql
connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password
default_pass_scheme = SHAxxx-CRYPT

# following should all be on one line.
password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'

# following should all be on one line
user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=30000:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1'

where xxx is either 256 or 512. All the rest I have been finding in my searches concerns converting the format and is not needed for a clean start?
thanks
Here I have SSHA256 working with:
default_pass_scheme = PLAIN
and my database schema just receives the hashed password prefixed with the SSHA indicator, like this:

mysql> select * from emails where endereco = 'solutti@XXXXXXXXX'\G
*************************** 1. row ***************************
endereco: solutti@XXXXXXXXXXXXXX
password: {SSHA256.HEX}d90bac4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
   quota: 51200
On 12/02/2019 14:05, Robert Moskowitz via dovecot wrote:
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email to it:
gertrudes@solutti.com.br
On 12 February 2019 at 19:24 Leonardo Rodrigues via dovecot <dovecot@dovecot.org> wrote:
You can use the {CRYPT} prefix in the password field; this will cover both SHA256 and SHA512, unless you want to be explicit about which one it is.
The .HEX thing is not usually needed.
Aki
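The scheme-prefix rule that Leonardo's `{SSHA256.HEX}` record and Aki's reply rely on, as an added example (Python, written for this page; not Dovecot's code): a `{SCHEME}` or `{SCHEME.ENCODING}` prefix on the stored value decides how it is checked, and `default_pass_scheme` applies only to values that carry no prefix. The functions below generate and verify SHA256, SHA512, SSHA256 and SSHA512 values in the layout Dovecot uses for them (the salted variants store digest followed by salt and hash password+salt) and handle the `.HEX` and `.B64` encoding suffixes. The 4-byte salt, the function names and the omission of the CRYPT family are this example's own choices; the CRYPT schemes go through crypt(3) and are not reproduced here.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not Dovecot's own code. It reproduces the rules the thread
# relies on: a "{SCHEME}" or "{SCHEME.ENCODING}" prefix in the password column
# overrides default_pass_scheme, SSHA* values are digest||salt with the salt
# appended to the password before hashing, and a value with no prefix is read
# in default_pass_scheme. CRYPT-family schemes (crypt(3)) are not covered.

DIGESTS = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
DEFAULT_ENCODING = "B64"   # doveadm pw prints base64 for the SHA*/SSHA* schemes
SALT_LEN = 4               # this example's choice; verify() accepts any salt length


def split_scheme(stored: str, default_scheme: str) -> Tuple[str, str, str]:
    """Return (scheme, encoding, payload) for a password column value."""
    if stored.startswith("{") and "}" in stored:
        tag, payload = stored[1:].split("}", 1)
        scheme, _, enc = tag.upper().partition(".")
        return scheme, (enc or DEFAULT_ENCODING), payload
    return default_scheme.upper(), DEFAULT_ENCODING, stored


def decode_payload(payload: str, encoding: str) -> bytes:
    if encoding == "HEX":
        return binascii.unhexlify(payload)
    if encoding in ("B64", "BASE64"):
        return base64.b64decode(payload, validate=True)
    raise ValueError(f"unknown encoding {encoding}")


def generate(password: str, scheme: str, encoding: str = DEFAULT_ENCODING,
             salt: Optional[bytes] = None) -> str:
    """Build a prefixed value for SHA256/SHA512/SSHA256/SSHA512, as doveadm pw -s would."""
    scheme = scheme.upper()
    salted = scheme.startswith("SSHA")
    algo = DIGESTS[scheme[1:] if salted else scheme]
    if salted:
        salt = os.urandom(SALT_LEN) if salt is None else salt
        raw = algo(password.encode() + salt).digest() + salt   # digest || salt
    else:
        raw = algo(password.encode()).digest()
    if encoding == "HEX":
        text = binascii.hexlify(raw).decode()
    else:
        text = base64.b64encode(raw).decode()
    tag = scheme if encoding == DEFAULT_ENCODING else f"{scheme}.{encoding}"
    return "{" + tag + "}" + text


def verify(password: str, stored: str, default_scheme: str = "PLAIN") -> bool:
    """Check a password against a password column value the way the auth lookup would."""
    scheme, encoding, payload = split_scheme(stored, default_scheme)
    if scheme in ("PLAIN", "CLEAR", "CLEARTEXT"):
        # No prefix and default_pass_scheme = PLAIN means the column is cleartext
        return hmac.compare_digest(payload.encode(), password.encode())
    salted = scheme.startswith("SSHA")
    base = scheme[1:] if salted else scheme
    if base not in DIGESTS:
        raise ValueError(f"scheme {scheme} is not handled by this example")
    algo = DIGESTS[base]
    raw = decode_payload(payload, encoding)
    n = algo().digest_size
    if not salted:
        return hmac.compare_digest(algo(password.encode()).digest(), raw)
    if len(raw) <= n:
        return False   # a salted value with no salt bytes is rejected, not treated as unsalted
    expected = algo(password.encode() + raw[n:]).digest()
    return hmac.compare_digest(expected, raw[:n])
```

Note what `default_pass_scheme = PLAIN` implies: a row whose value has no prefix is compared as cleartext (`verify("secret", "secret")` is True), so it is the prefix on every stored value, not the default, that keeps a setup like Leonardo's hashed.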
On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
You might want to have a look at the hashing algorithm ARGON2I, which is currently recommended for new developments and deployments.
Regards, Matthias
--
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook
On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
Recommended by whom?
Can you provide a link?
And if I was adventurous about hashes, I would be looking more at Keccak.
Check out my Internet Draft:
draft-moskowitz-small-crypto-00.txt
On February 12, 2019 at 4:33 PM Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:
Recommended by whom?
Can you provide a link?
https://password-hashing.net/
michael
On 2/12/19 7:16 PM, Michael Slusarz via dovecot wrote:
Can you provide a link?
https://password-hashing.net/
Thank you, very interesting. I will read draft-irtf-cfrg-argon2-04.txt
And see the comments on the cfrg list. Russ Housley had concerns about the 03 draft; I will have to see if they are addressed in the 04 draft.
I really don't like SHA512, a bit of a hack that was rushed out before SHA3.
On 13 February 2019 00:34:15, Robert Moskowitz <rgm@htt-consult.com> wrote:
Recommended by whom?
Can you provide a link?
Sure, please see here: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
And if I was adventurous about hashes, I would be looking more at Keccak.
Check out my Internet Draft:
draft-moskowitz-small-crypto-00.txt
Thanks for the tip, will have a look into it.
Regards, Matthias
On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
Thanks for the tip, will have a look into it.
Keccak is a general hashing function. It was the first (?) of the hashing 'sponge' functions, which many have followed. It is the basis of SHA3 (at Keccak's greatest strength).
Argon2 seems to be special-built for password hashing. The thing is, it is not supported on my CentOS7 system:

# doveadm pw -l
MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT
Of course SHA3 is not listed either...
On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
ARGON2 support was added in dovecot v2.3. It also needs to be enabled when compiling dovecot, so depending on the packager it might or might not be available. The CRYPT ones are available if crypt(3) supports them. In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.
Aki
On 2/13/19 8:30 AM, Aki Tuomi wrote:
CentOS7 is on dovecot 2.2.36:
# doveadm pw -s ARGON2-CRYPT -p secret
Fatal: Unknown scheme: ARGON2-CRYPT
# doveadm pw -s ARGON2 -p secret
Fatal: Unknown scheme: ARGON2
I tend to stay with the distro's rpms and not take on building and maintaining myself.
On 13 Feb 2019 at 14:54, Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:
And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l )
With dovecot from the dovecot.org repo:
# doveadm pw -s ARGON2I -p secret
{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk
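A parser for the record that `doveadm pw -s ARGON2I` prints above, as an added example (Python, written for this page; not Dovecot's code). It strips Dovecot's `{ARGON2I}` prefix, splits the PHC-style string into variant, version, memory cost (the `m=` value is in KiB), time cost, parallelism, salt and digest, and reports which minimums of a local policy the record misses, which is the check an operator wants before trusting hashes produced by a particular package build. The policy thresholds, the `parse_argon2`/`policy_findings` names and the acceptance of only argon2i/argon2id are this example's assumptions; it does not recompute the hash, which needs an Argon2 library.

```python
import base64
import re
from dataclasses import dataclass
from typing import List

# Added example, not Dovecot's code. Parses the PHC-formatted Argon2 string
# that doveadm pw -s ARGON2I prints (with Dovecot's {SCHEME} prefix in front)
# and checks its cost parameters against a local policy. The threshold values
# below are this example's own choices, not figures from Dovecot or the thread.

MIN_MEMORY_KIB = 32768   # m= is in KiB: 32768 -> 32 MiB
MIN_TIME_COST = 3
MIN_SALT_BYTES = 16
MIN_HASH_BYTES = 32
ACCEPTED_VARIANTS = ("argon2i", "argon2id")   # argon2d is not a password-hashing choice

_PHC = re.compile(
    r"^\$(?P<variant>argon2(?:i|d|id))\$v=(?P<version>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<hash>[A-Za-z0-9+/]+)$"
)


@dataclass
class Argon2Hash:
    variant: str
    version: int
    memory_kib: int
    time_cost: int
    parallelism: int
    salt: bytes
    digest: bytes


def _b64_nopad(s: str) -> bytes:
    # PHC strings use standard base64 with the '=' padding stripped
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_argon2(stored: str) -> Argon2Hash:
    """Parse '{ARGON2I}$argon2i$v=19$m=...,t=...,p=...$salt$hash' or the bare PHC string."""
    if stored.startswith("{"):
        tag, _, stored = stored[1:].partition("}")
        if not tag.upper().startswith("ARGON2"):
            raise ValueError("not an Argon2 record: {" + tag + "}")
    m = _PHC.match(stored)
    if m is None:
        raise ValueError("malformed Argon2 PHC string")
    return Argon2Hash(
        variant=m["variant"],
        version=int(m["version"]),
        memory_kib=int(m["m"]),
        time_cost=int(m["t"]),
        parallelism=int(m["p"]),
        salt=_b64_nopad(m["salt"]),
        digest=_b64_nopad(m["hash"]),
    )


def policy_findings(h: Argon2Hash) -> List[str]:
    """Return the policy violations for a parsed record; an empty list means it passes."""
    findings = []
    if h.variant not in ACCEPTED_VARIANTS:
        findings.append(f"variant {h.variant} not accepted")
    if h.version != 19:
        findings.append(f"unexpected version {h.version}")
    if h.memory_kib < MIN_MEMORY_KIB:
        findings.append(f"memory {h.memory_kib} KiB below {MIN_MEMORY_KIB}")
    if h.time_cost < MIN_TIME_COST:
        findings.append(f"time cost {h.time_cost} below {MIN_TIME_COST}")
    if len(h.salt) < MIN_SALT_BYTES:
        findings.append(f"salt {len(h.salt)} bytes below {MIN_SALT_BYTES}")
    if len(h.digest) < MIN_HASH_BYTES:
        findings.append(f"digest {len(h.digest)} bytes below {MIN_HASH_BYTES}")
    return findings


# The record from the thread (doveadm pw -s ARGON2I -p secret), used as sample input
SAMPLE = ("{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1"
          "$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk")
```

Run over the sample, `parse_argon2` reports a 16-byte salt and a 32-byte digest with m=32768 KiB, t=4, p=1, and `policy_findings` returns nothing for it; the same string with `m=4096,t=1` fails on both the memory and time-cost checks.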
On 2/13/19 10:53 AM, Jean-Daniel Dupas via dovecot wrote:
For those with dovecot v 2.3....
I will note this for the future.
Jean-Daniel Dupas via dovecot wrote:
And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l )
With dovecot from the dovecot.org repo:
# doveadm pw -s ARGON2I -p secret
{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk
Also from the dovecot.org repo:
doveadm pw -s ARGON2I -p secret
Fatal: Unknown scheme: ARGON2I
????
Marc
On Sun, 17 Feb 2019 at 11:34, Marc Weustink via dovecot <dovecot@dovecot.org> wrote:
It works for me over here:
[wash@waridi ~]# /opt/dovecot2.3/bin/doveadm pw -s ARGON2I -p secret
{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$9pggnQBea9F3h3O31HoJEA$0zZZgwEuMRVZ3Mc/v6ckpalzVRVCr+GLBWnb8OrgsxU
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
On 17.2.2019 10.46, Aki Tuomi via dovecot wrote:
I'll check next week if and why argon is missing from ce packages.
Aki Tuomi
Marc,
ARGON2 is supported only on Debian Stretch and Ubuntu 18 for dovecot, due to libsodium.
Aki
Aki Tuomi via dovecot wrote:
Ah, thanks for the clarification. Still running Ubuntu 16 here.
Marc
On 2/19/19 1:50 AM, Aki Tuomi via dovecot wrote:
libsodium does not help with CentOS7 and Dovecot 2.3:
  Installing : libsodium-1.0.17-1.el7.armv7hl    1/1
  Verifying  : libsodium-1.0.17-1.el7.armv7hl    1/1

Installed:
  libsodium.armv7hl 0:1.0.17-1.el7

Complete!
[root@klovia ~]# doveadm pw -s ARGON2I -p secret
Fatal: Unknown scheme: ARGON2I
[root@klovia ~]# doveadm pw -l
MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT
Previously installed argon2:
grep -n argon /var/log/yum.log*
/var/log/yum.log:128:Feb 13 09:01:01 Installed: libargon2-20161029-2.el7.armv7hl
/var/log/yum.log:129:Feb 13 09:01:01 Installed: argon2-20161029-2.el7.armv7hl
On 20 February 2019 15:10 Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:
Hi!
Just installing libsodium is not enough. It's not compiled into dovecot centos7 packages because the libsodium in centos7 (not epel) is not recent enough.
Aki
On 2/20/19 8:38 AM, Aki Tuomi wrote:
It was worth the try....
On 20 Feb 2019, at 06:10, Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:
libsodium does not help with CentOS7 and Dovecot 2.3:
This is what your HTML message looks like here:
<https://www.dropbox.com/s/puwyqle5nwm1c9t/Screen%20Shot%202019-02-20%20at%20...
-- the nasty little sound of a sword being unsheathed right behind one at just the point when one thought one had disposed of one's enemies [...] It was that kind of laugh. --Equal Rites
On 2/20/19 9:06 AM, @lbutlr via dovecot wrote:
On 20 Feb 2019, at 06:10, Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:
libsodium does not help with CentOS7 and Dovecot 2.3:
This is what your HTML message looks like here:
<https://www.dropbox.com/s/puwyqle5nwm1c9t/Screen%20Shot%202019-02-20%20at%20...
Thunderbird 60.4 on Fedora 28....
I have built a new server (FreeBSD-12) running dovecot-2.3.4. My old server (FreeBSD-9.3) is running dovecot-2.3.4 as well. The configurations are 1:1 identical. There are about 250 users on this server, all virtual. They are mostly POP3 users, but they do "leave a copy of message on the server" for a set number of days, which varies.
Now, to migrate the mail data, can I simply rsync the mail directories between the old and the new server? Would that create a pitfall??
What is the recommended method?
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
On 2/17/19 4:00 AM, Odhiambo Washington via dovecot wrote:
Consider re-posting your question in a NEW message, not a reply to another, unrelated thread. The type of people who are likely to know the answer are also likely to use threaded mail-readers, and will therefore not see your message.
Phil
On 2/13/19 8:30 AM, Aki Tuomi wrote:
On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
On 13 February 2019 00:34:15, Robert Moskowitz <rgm@htt-consult.com> wrote:
On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
I have been trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is:
You might want to have a look at the hashing algorithm ARGON2I, which is currently recommended for new developments and deployments.
Recommended by whom?
Can you provide a link?
Sure, please see here: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
And if I was adventurous about hashes, I would be looking more at Keccak.
Check out my Internet Draft:
draft-moskowitz-small-crypto-00.txt
Thanks for the tip, will have a look into it.
Keccak is a general hashing function. It was the first? of the hashing 'sponge' functions, that many have followed. It is the basis of SHA3 (at Keccak's greatest strength).
Argon2 seems to be special-built for password hashing. Thing is it is not supported on my CentOS7 system:
# doveadm pw -l
MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT
Of course SHA3 is not listed either...
ARGON2 support is added in dovecot v2.3. It also needs to be enabled when compiling dovecot, so varying from packagers it might or not be available. The CRYPT ones are available if crypt(3) supports them. In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.
I just found an Argon2 binary for CentOS7:
Installing: argon2 armv7hl 20161029-2.el7 epel 22 k
Installing for dependencies: libargon2 armv7hl 20161029-2.el7 epel 26 k
How do I get Dovecot 2.2 to use it?
On 2/12/19 5:05 PM, Robert Moskowitz via dovecot wrote:
I have been trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: [...] default_pass_scheme = SHAxxx-CRYPT [...]
How do your users change their password?
Here's how I configured my roundcube's password plugin to keep things together ($roundcubefolder/plugins/password/config.php)
$config['password_algorithm'] = 'dovecot';
$config['password_algorithm_prefix'] = '{SHA512-CRYPT}';
$config['password_dovecotpw_method'] = 'SHA512-CRYPT';
$config['password_query'] = "UPDATE mail.users SET password=%P WHERE email=%u LIMIT 1";
I left other fields alone.
Yassine.
On 2/20/19 5:09 AM, Yassine Chaouche via dovecot wrote:
On 2/12/19 5:05 PM, Robert Moskowitz via dovecot wrote:
I have been trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: [...] default_pass_scheme = SHAxxx-CRYPT [...]
How do your users change their password?
Many never do! Those that do, use the Roundcube plugin, or ask me to change their password via the Postfixadmin manager. Sigh.
Here's how I configured my roundcube's password plugin to keep things together ($roundcubefolder/plugins/password/config.php)
$config['password_algorithm'] = 'dovecot';
$config['password_algorithm_prefix'] = '{SHA512-CRYPT}';
$config['password_dovecotpw_method'] = 'SHA512-CRYPT';
$config['password_query'] = "UPDATE mail.users SET password=%P WHERE email=%u LIMIT 1";
I left other fields alone.
Yassine.
Thanks, much better info than I was seeing in my googling. Except I would not use %p:
// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
// %p is replaced with the plaintext new password
// %c is replaced with the crypt version of the new password, MD5 if available
// otherwise DES.
// %D is replaced with the dovecotpw-crypted version of the new password
// %o is replaced with the password before the change
// %n is replaced with the hashed version of the new password
// %q is replaced with the hashed password before the change
// %h is replaced with the imap host (from the session info)
// %u is replaced with the username (from the session info)
// %l is replaced with the local part of the username
// (in case the username is an email address)
// %d is replaced with the domain part of the username
// (in case the username is an email address)
%D seems to be what I want...
And in mysql, I believe the table is mailbox.
$rcmail_config['password_query'] = "UPDATE mailbox SET password = %D, modified = NOW() WHERE username = %u";
I got from: https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixad...
thanks!
On 2/20/19 3:28 PM, Robert Moskowitz via dovecot wrote:
Thanks, much better info than I was seeing in my googling. Except I would not use %p:
// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
// %p is replaced with the plaintext new password
// %c is replaced with the crypt version of the new password, MD5 if available
// otherwise DES.
// %D is replaced with the dovecotpw-crypted version of the new password [...]
%D seems to be what I want...
the rcmail_config[] syntax you pasted in your mail indicates you're using a very old version of roundcube. Here's the relevant content of my version of the password plugin :
// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
// %p is replaced with the plaintext new password
// %P is replaced with the crypted/hashed new password
// according to configured password_method [...]
// Deprecated macros:
// %c is replaced with the crypt version of the new password, MD5 if available
// otherwise DES. More hash function can be enabled using the password_crypt_hash
// configuration parameter.
// %D is replaced with the dovecotpw-crypted version of the new password [...]
Notice the difference b/w %p and %P. Also notice that %D is marked as deprecated.
And in mysql, I believe the table is mailbox.
Oh that depends entirely on your choice of naming and what table structure you have chosen.
I got from: https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixad...
Ah, it seems Aki and I have already visited this link before ^^'
Yassine.
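The thread keeps coming back to the `{SCHEME}` prefix that Roundcube's `password_algorithm_prefix` writes in front of the hash and that `doveadm pw` prints: Dovecot takes the scheme from that prefix when it is present and only falls back to `default_pass_scheme` when it is not. As an added example (not Dovecot's or Roundcube's code), the following verifier implements that rule for the SSHA256/SSHA512 and SHA256/SHA512 schemes listed by `doveadm pw -l`, with the default base64 encoding or the `.HEX` suffix; SHA512-CRYPT is deliberately rejected because it needs crypt(3). The 4-byte salt in `make_hash` is an assumption of this example, not Dovecot's salt length.

```python
import base64
import hashlib
import hmac
import os
import re

# {SCHEME}, {SCHEME.HEX} or {SCHEME.B64} in front of the stored value
PREFIX_RE = re.compile(r"^\{([A-Za-z0-9-]+)(?:\.(HEX|B64|BASE64))?\}(.*)$", re.I | re.S)
DIGESTS = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512,
           "SSHA256": hashlib.sha256, "SSHA512": hashlib.sha512}


def split_scheme(stored, default_scheme="PLAIN"):
    """Return (scheme, encoding, payload). A prefix in the stored value wins;
    default_pass_scheme is only consulted when there is no prefix at all."""
    m = PREFIX_RE.match(stored)
    if not m:
        return default_scheme.upper(), "B64", stored
    scheme, enc, payload = m.groups()
    enc = "HEX" if (enc or "").upper() == "HEX" else "B64"
    return scheme.upper(), enc, payload


def verify(password, stored, default_scheme="PLAIN"):
    """Check a password against a stored value such as {SSHA256.HEX}<hex>."""
    scheme, enc, payload = split_scheme(stored, default_scheme)
    pw = password.encode()
    if scheme in ("PLAIN", "CLEAR", "CLEARTEXT"):
        return hmac.compare_digest(pw, payload.encode())
    if scheme not in DIGESTS:
        raise ValueError("Unknown scheme: " + scheme)  # e.g. SHA512-CRYPT needs crypt(3)
    raw = bytes.fromhex(payload) if enc == "HEX" else base64.b64decode(payload)
    h = DIGESTS[scheme]
    if scheme.startswith("SSHA"):
        # salted form: digest(password + salt) with the salt appended after it
        n = h().digest_size
        digest, salt = raw[:n], raw[n:]
        return hmac.compare_digest(h(pw + salt).digest(), digest)
    return hmac.compare_digest(h(pw).digest(), raw)


def make_hash(password, scheme="SSHA256", enc="B64", salt=None):
    """Build the {SCHEME[.HEX]}value string that `doveadm pw -s SCHEME` prints.
    The 4-byte random salt is this example's assumption, not Dovecot's length."""
    scheme = scheme.upper()
    h = DIGESTS[scheme]
    if scheme.startswith("SSHA"):
        salt = os.urandom(4) if salt is None else salt
    else:
        salt = b""  # SHA256/SHA512 are unsalted digests
    raw = h(password.encode() + salt).digest() + salt
    body = raw.hex() if enc == "HEX" else base64.b64encode(raw).decode()
    return "{%s%s}%s" % (scheme, ".HEX" if enc == "HEX" else "", body)
```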
I am trying to use the checkpassword authentication (https://wiki.dovecot.org/AuthDatabase/CheckPassword). I do have a working checkpassword program. The protocol expects to receive on fd 3 the following:
username<nul>password<nul>optionalstuff</null>
I find that this works properly and the program can authenticate if the client is using PLAIN LOGIN. Both username and password are sent on fd3. But, if the client has specified kerberos/gssapi authentication then only the username is passed to checkpassword. The following is a debug dump from checkpassword showing the input read on fd 3 (12 bytes):
len 12: 636861726d61696e65000000 charmaine... User: [charmaine], PW: []
Without a password, checkpassword returns failure.
I am running dovecot in a Samba4 Active Directory. I have some email clients that use kerberos/GSSAPI (Thunderbird) and some that can only use PLAIN LOGIN (Outlook). All users, however, are active directory domain users and all could potentially authenticate with AD credentials.
I was hoping to use checkpassword for this. Otherwise, every user who cannot authenticate via kerberos/GSSAPI has to also be in the mail server's /etc/passwd file with the same ID/PW as their AD credentials, which becomes a bit of a pain when the user changes his domain password.
Why does dovecot not pass the user's password to checkpassword? When I tried this a few years ago I thought it did.
If checkpassword fails, why does it not then try the kerberos/GSSAPI mechanism?
Is there a solution to this?
THX --Mark
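To make the two cases in the question concrete, here is an added example (not Dovecot's code and not Mark's program) that parses the username<NUL>password<NUL>optional<NUL> payload Dovecot writes to fd 3 and maps it to a checkpassword exit code. The 12-byte input is a copy of the dump quoted above; the PLAIN LOGIN input and the `password_ok` callback are constructed, and the exit codes follow the checkpassword convention (0 success, 1 failure, 111 temporary failure).

```python
import os

# Exit codes of the checkpassword convention that Dovecot's checkpassword follows
CHECKPASSWORD_OK, CHECKPASSWORD_FAIL, CHECKPASSWORD_TEMPFAIL = 0, 1, 111


def parse_checkpassword_input(data):
    """Split the fd-3 payload username<NUL>password<NUL>optional<NUL>."""
    fields = data.split(b"\x00")
    if len(fields) < 3:
        raise ValueError("truncated checkpassword input: %r" % data)
    user, password, extra = (f.decode("utf-8", "replace") for f in fields[:3])
    return user, password, extra


def decide(data, password_ok):
    """Return (exit_code, reason) for one fd-3 payload.

    password_ok(user, password) is the caller's real credential check (an AD
    bind, a hash compare); it is never reached when no password was supplied."""
    try:
        user, password, _extra = parse_checkpassword_input(data)
    except ValueError as e:
        return CHECKPASSWORD_TEMPFAIL, str(e)
    if not user:
        return CHECKPASSWORD_FAIL, "empty username"
    if not password:
        # The GSSAPI case from the question: the mechanism already authenticated
        # the user, so Dovecot has no password to hand to checkpassword.
        return CHECKPASSWORD_FAIL, "no password supplied for %s" % user
    ok = password_ok(user, password)
    return (CHECKPASSWORD_OK if ok else CHECKPASSWORD_FAIL), "password checked"


def read_fd3(fd=3, chunk_size=4096):
    """Read the whole payload from the descriptor Dovecot hands the program."""
    chunks = []
    while True:
        chunk = os.read(fd, chunk_size)
        if not chunk:
            break
        chunks.append(chunk)
    return b"".join(chunks)


# Copy of the 12-byte dump quoted in the question (GSSAPI client, no password)
GSSAPI_DUMP = bytes.fromhex("636861726d61696e65000000")
# Constructed input as a PLAIN LOGIN client would produce it
PLAIN_DUMP = b"charmaine\x00constructed-pw\x00\x00"
```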
participants (13): @lbutlr, Aki Tuomi, Jean-Daniel Dupas, Leonardo Rodrigues, Marc Weustink, Marc Weustink, Mark Foley, Matthias Fechner, Michael Slusarz, Odhiambo Washington, Phil Turmel, Robert Moskowitz, Yassine Chaouche