Using SHA256/512 for SQL based password

newer
Sieve vnd.dovecot.filter hanging...

Robert Moskowitz

12 Feb 2019 12 Feb '19

6:05 p.m.

I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is:

driver = mysql connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password default_pass_scheme = SHAxxx-CRYPT # following should all be on one line. password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1' # following should all be on one line user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=30000:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1'

where xxx is either 256 or 512. All the rest I have been finding in my searches concern converting the format and are not needed for a clean start?

thanks

Attachments:

attachment.html (text/html — 1.5 KB)

Show replies by date

Leonardo Rodrigues

12 Feb 12 Feb

7:24 p.m.

Here i have SSHA256 working with:

default_pass_scheme = PLAIN

and my database scheme just received the hashed password prefixed by the SSHA indicator, just like:

mysql> select * from emails where endereco = 'solutti@XXXXXXXXX'\G *************************** 1. row *************************** endereco: solutti@XXXXXXXXXXXXXX password: {SSHA256.HEX}d90bac4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx quota: 51200

Em 12/02/2019 14:05, Robert Moskowitz via dovecot escreveu:

...

I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: driver = mysql connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password default_pass_scheme = SHAxxx-CRYPT # following should all be on one line. password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1' # following should all be on one line user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=30000:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1' where xxx is either 256 or 512. All the rest I have been finding in my searches concern converting the format and are not needed for a clean start?

thanks

Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

Minha armadilha de SPAM, NÃO mandem email
gertrudes@solutti.com.br
My SPAMTRAP, do not email it

Aki Tuomi

7:38 p.m.

...

On 12 February 2019 at 19:24 Leonardo Rodrigues via dovecot dovecot@dovecot.org wrote:

Here i have SSHA256 working with:

default_pass_scheme = PLAIN

and my database scheme just received the hashed password prefixed by the SSHA indicator, just like:

mysql> select * from emails where endereco = 'solutti@XXXXXXXXX'\G *************************** 1. row *************************** endereco: solutti@XXXXXXXXXXXXXX password: {SSHA256.HEX}d90bac4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx quota: 51200

Em 12/02/2019 14:05, Robert Moskowitz via dovecot escreveu:

...
I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: driver = mysql connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password default_pass_scheme = SHAxxx-CRYPT # following should all be on one line. password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1' # following should all be on one line user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=30000:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1' where xxx is either 256 or 512. All the rest I have been finding in my searches concern converting the format and are not needed for a clean start?

thanks

--

Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br

Minha armadilha de SPAM, NÃO mandem email gertrudes@solutti.com.br My SPAMTRAP, do not email it

You can use {CRYPT} prefix in the password field, this will cover both SHA256 and SHA512, unless you want to be explicit about which one it is.

The .HEX thing is not usually needed.

Aki

Matthias Fechner

13 Feb 13 Feb

1:03 a.m.

Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot:

...

I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is:

you maybe would like to have a look to the hashing algo ARGON2I which is currently recommended for new developments and deployments.

Gruß Matthias

"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook

Robert Moskowitz

1:33 a.m.

On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:

...

Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot:

...
I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: you maybe would like to have a look to the hashing algo ARGON2I which is currently recommended for new developments and deployments.

Recommended by whom?

Can you provide a link?

And if I was adventurous about hashes, I would be looking more at Keccak.

Check out my Internet Draft:

draft-moskowitz-small-crypto-00.txt

Michael Slusarz

2:16 a.m.

...

On February 12, 2019 at 4:33 PM Robert Moskowitz via dovecot dovecot@dovecot.org wrote:

On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:

...
Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot:

...
I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: you maybe would like to have a look to the hashing algo ARGON2I which is currently recommended for new developments and deployments.

Recommended by whom?

Can you provide a link?

https://password-hashing.net/

michael

Robert Moskowitz

2:36 a.m.

On 2/12/19 7:16 PM, Michael Slusarz via dovecot wrote:

...

...
On February 12, 2019 at 4:33 PM Robert Moskowitz via dovecot dovecot@dovecot.org wrote:

On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:

...
Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot:

...
I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: you maybe would like to have a look to the hashing algo ARGON2I which is currently recommended for new developments and deployments. Recommended by whom?

Can you provide a link? https://password-hashing.net/

Thank you very interesting. I will read draft-irtf-cfrg-argon2-04.txt

And see the comments on the cfrg list. Russ Housley had concerns about the 03 draft; I will have to see if they are addressed in the 04 draft.

I really don't like SHA512, a bit of a hack that was rushed out before SHA3.

Matthias Fechner

8:23 a.m.

Am 13. Februar 2019 00:34:15 schrieb Robert Moskowitz rgm@htt-consult.com:

...

On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:

...
Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot:

...
I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: you maybe would like to have a look to the hashing algo ARGON2I which is currently recommended for new developments and deployments.

Recommended by whom?

Can you provide a link?

Sure, please see here: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

...

And if I was adventurous about hashes, I would be looking more at Keccak.

Check out my Internet Draft:

draft-moskowitz-small-crypto-00.txt

Thanks for the tip, will have a look for into it.

Gruß Matthias

Robert Moskowitz

3:18 p.m.

On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:

...

Am 13. Februar 2019 00:34:15 schrieb Robert Moskowitz rgm@htt-consult.com:

...
On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:

...
Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot:

...
I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: you maybe would like to have a look to the hashing algo ARGON2I which is currently recommended for new developments and deployments.

Recommended by whom?

Can you provide a link?

Sure, please see here: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

...
And if I was adventurous about hashes, I would be looking more at Keccak.

Check out my Internet Draft:

draft-moskowitz-small-crypto-00.txt

Thanks for the tip, will have a look for into it.

Keccak is a general hashing function. It was the first? of the hashing 'sponge' functions, that many have followed. It is the basis of SHA3 (at Keccak's greatest strength).

Argon2 seems to be special-built for password hashing. Thing is it is not supported on my CentOS7 system:

# doveadm pw -l MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT

Of course SHA3 is not listed either...

Aki Tuomi

3:30 p.m.

On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:

...

On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:

...
Am 13. Februar 2019 00:34:15 schrieb Robert Moskowitz rgm@htt-consult.com:

...
On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:

...
Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot:

...
I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: you maybe would like to have a look to the hashing algo ARGON2I which is currently recommended for new developments and deployments.

Recommended by whom?

Can you provide a link?

Sure, please see here: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

...
And if I was adventurous about hashes, I would be looking more at Keccak.

Check out my Internet Draft:

draft-moskowitz-small-crypto-00.txt

Thanks for the tip, will have a look for into it.

Keccak is a general hashing function. It was the first? of the hashing 'sponge' functions, that many have followed. It is the basis of SHA3 (at Keccak's greatest strength).

Argon2 seems to be special-built for password hashing. Thing is it is not supported on my CentOS7 system:

# doveadm pw -l MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT

Of course SHA3 is not listed either...

ARGON2 support is added in dovecot v2.3. It also needs to be enabled when compiling dovecot, so varying from packagers it might or not be available. The CRYPT ones are available if crypt(3) supports them. In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

Aki

Robert Moskowitz

3:54 p.m.

On 2/13/19 8:30 AM, Aki Tuomi wrote:

...

On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:

...
On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:

...
Am 13. Februar 2019 00:34:15 schrieb Robert Moskowitz rgm@htt-consult.com:

...
On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:

...
Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot:

...
I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: you maybe would like to have a look to the hashing algo ARGON2I which is currently recommended for new developments and deployments. Recommended by whom?

Can you provide a link? Sure, please see here: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

...
And if I was adventurous about hashes, I would be looking more at Keccak.

Check out my Internet Draft:

draft-moskowitz-small-crypto-00.txt

Thanks for the tip, will have a look for into it.

Keccak is a general hashing function. It was the first? of the hashing 'sponge' functions, that many have followed. It is the basis of SHA3 (at Keccak's greatest strength).

Argon2 seems to be special-built for password hashing. Thing is it is not supported on my CentOS7 system:

# doveadm pw -l MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT

Of course SHA3 is not listed either...

ARGON2 support is added in dovecot v2.3. It also needs to be enabled when compiling dovecot, so varying from packagers it might or not be available. The CRYPT ones are available if crypt(3) supports them. In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

CentOS7 is on dovecot 2.2.36:

# doveadm pw -s ARGON2-CRYPT -p secret Fatal: Unknown scheme: ARGON2-CRYPT # doveadm pw -s ARGON2 -p secret Fatal: Unknown scheme: ARGON2

I tend to stay with the distro's rpms and not take on building and maintaining myself.

Jean-Daniel Dupas

5:53 p.m.

...

Le 13 févr. 2019 à 14:54, Robert Moskowitz via dovecot dovecot@dovecot.org a écrit :

On 2/13/19 8:30 AM, Aki Tuomi wrote:

...
On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:

...
On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:

...
Am 13. Februar 2019 00:34:15 schrieb Robert Moskowitz rgm@htt-consult.com:

...
On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:

...
Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot: > I have trying to find how to set the dovecot-sql.conf for using > SHA256/512. I am going to start clean with the stronger format, not > migrate from the old MD5. It seems all I need is: you maybe would like to have a look to the hashing algo ARGON2I which is currently recommended for new developments and deployments. Recommended by whom?

Can you provide a link? Sure, please see here: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

...
And if I was adventurous about hashes, I would be looking more at Keccak.

Check out my Internet Draft:

draft-moskowitz-small-crypto-00.txt

Thanks for the tip, will have a look for into it.

Keccak is a general hashing function. It was the first? of the hashing 'sponge' functions, that many have followed. It is the basis of SHA3 (at Keccak's greatest strength).

Argon2 seems to be special-built for password hashing. Thing is it is not supported on my CentOS7 system:

# doveadm pw -l MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT

Of course SHA3 is not listed either...

ARGON2 support is added in dovecot v2.3. It also needs to be enabled when compiling dovecot, so varying from packagers it might or not be available. The CRYPT ones are available if crypt(3) supports them. In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

CentOS7 is on dovecot 2.2.36:

# doveadm pw -s ARGON2-CRYPT -p secret Fatal: Unknown scheme: ARGON2-CRYPT # doveadm pw -s ARGON2 -p secret Fatal: Unknown scheme: ARGON2

I tend to stay with the distro's rpms and not take on building and maintaining myself.

And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l )

With dovecot from the dovecot.org repo:

# doveadm pw -s ARGON2I -p secret {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk

Robert Moskowitz

8:05 p.m.

On 2/13/19 10:53 AM, Jean-Daniel Dupas via dovecot wrote:

...

...
Le 13 févr. 2019 à 14:54, Robert Moskowitz via dovecot mailto:dovecot@dovecot.org> a écrit :

On 2/13/19 8:30 AM, Aki Tuomi wrote:

...
On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:

...
On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:

...
Am 13. Februar 2019 00:34:15 schrieb Robert Moskowitz mailto:rgm@htt-consult.com>:

...
On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote: > Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot: >> I have trying to find how to set the dovecot-sql.conf for using >> SHA256/512. I am going to start clean with the stronger >> format, not >> migrate from the old MD5. It seems all I need is: > you maybe would like to have a look to the hashing algo ARGON2I > which is > currently recommended for new developments and deployments. Recommended by whom?

Can you provide a link? Sure, please see here: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

...
And if I was adventurous about hashes, I would be looking more at Keccak.

Check out my Internet Draft:

draft-moskowitz-small-crypto-00.txt

Thanks for the tip, will have a look for into it.

Keccak is a general hashing function. It was the first? of the hashing 'sponge' functions, that many have followed. It is the basis of SHA3 (at Keccak's greatest strength).

Argon2 seems to be special-built for password hashing. Thing is it is not supported on my CentOS7 system:

# doveadm pw -l MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT

Of course SHA3 is not listed either...

ARGON2 support is added in dovecot v2.3. It also needs to be enabled when compiling dovecot, so varying from packagers it might or not be available. The CRYPT ones are available if crypt(3) supports them. In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

CentOS7 is on dovecot 2.2.36:

# doveadm pw -s ARGON2-CRYPT -p secret Fatal: Unknown scheme: ARGON2-CRYPT # doveadm pw -s ARGON2 -p secret Fatal: Unknown scheme: ARGON2

I tend to stay with the distro's rpms and not take on building and maintaining myself.

And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l )

With dovecot from the dovecot.org http://dovecot.org repo:

# doveadm pw -s ARGON2I -p secret {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk

For those with dovecot v 2.3....

I will note this for the future.

Marc Weustink

14 Feb 14 Feb

3:39 p.m.

Jean-Daniel Dupas via dovecot wrote:

...

...
Le 13 févr. 2019 à 14:54, Robert Moskowitz via dovecot mailto:dovecot@dovecot.org> a écrit :

On 2/13/19 8:30 AM, Aki Tuomi wrote:

...
On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:

...
On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:

...
Am 13. Februar 2019 00:34:15 schrieb Robert Moskowitz mailto:rgm@htt-consult.com>:

...
On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote: > Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot: >> I have trying to find how to set the dovecot-sql.conf for using >> SHA256/512. I am going to start clean with the stronger format, not >> migrate from the old MD5. It seems all I need is: > you maybe would like to have a look to the hashing algo ARGON2I > which is > currently recommended for new developments and deployments. Recommended by whom?

Can you provide a link? Sure, please see here: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

...
And if I was adventurous about hashes, I would be looking more at Keccak.

Check out my Internet Draft:

draft-moskowitz-small-crypto-00.txt

Thanks for the tip, will have a look for into it.

Keccak is a general hashing function. It was the first? of the hashing 'sponge' functions, that many have followed. It is the basis of SHA3 (at Keccak's greatest strength).

Argon2 seems to be special-built for password hashing. Thing is it is not supported on my CentOS7 system:

# doveadm pw -l MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT

Of course SHA3 is not listed either...

ARGON2 support is added in dovecot v2.3. It also needs to be enabled when compiling dovecot, so varying from packagers it might or not be available. The CRYPT ones are available if crypt(3) supports them. In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

CentOS7 is on dovecot 2.2.36:

# doveadm pw -s ARGON2-CRYPT -p secret Fatal: Unknown scheme: ARGON2-CRYPT # doveadm pw -s ARGON2 -p secret Fatal: Unknown scheme: ARGON2

I tend to stay with the distro's rpms and not take on building and maintaining myself.

And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l )

With dovecot from the dovecot.org http://dovecot.org repo:

# doveadm pw -s ARGON2I -p secret {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk

Also from dovecot.org http://dovecot.org repo:

doveadm pw -s ARGON2I -p secret Fatal: Unknown scheme: ARGON2I

????

Marc

Odhiambo Washington

17 Feb 17 Feb

10:38 a.m.

On Sun, 17 Feb 2019 at 11:34, Marc Weustink via dovecot dovecot@dovecot.org wrote:

...

Jean-Daniel Dupas via dovecot wrote:

...
...
Le 13 févr. 2019 à 14:54, Robert Moskowitz via dovecot mailto:dovecot@dovecot.org> a écrit :

On 2/13/19 8:30 AM, Aki Tuomi wrote:

...
On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:

...
On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:

...
Am 13. Februar 2019 00:34:15 schrieb Robert Moskowitz mailto:rgm@htt-consult.com>:

> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote: >> Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot: >>> I have trying to find how to set the dovecot-sql.conf for using >>> SHA256/512. I am going to start clean with the stronger format,

not

...
...
...
...
...
>>> migrate from the old MD5. It seems all I need is: >> you maybe would like to have a look to the hashing algo ARGON2I >> which is >> currently recommended for new developments and deployments. > Recommended by whom? > > Can you provide a link? Sure, please see here: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

> > And if I was adventurous about hashes, I would be looking more at > Keccak. > > > Check out my Internet Draft: > > > draft-moskowitz-small-crypto-00.txt Thanks for the tip, will have a look for into it. Keccak is a general hashing function. It was the first? of the hashing 'sponge' functions, that many have followed. It is the basis of SHA3 (at Keccak's greatest strength).

Argon2 seems to be special-built for password hashing. Thing is it is not supported on my CentOS7 system:

# doveadm pw -l MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT

Of course SHA3 is not listed either...

ARGON2 support is added in dovecot v2.3. It also needs to be enabled when compiling dovecot, so varying from packagers it might or not be available. The CRYPT ones are available if crypt(3) supports them. In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

CentOS7 is on dovecot 2.2.36:

# doveadm pw -s ARGON2-CRYPT -p secret Fatal: Unknown scheme: ARGON2-CRYPT # doveadm pw -s ARGON2 -p secret Fatal: Unknown scheme: ARGON2

I tend to stay with the distro's rpms and not take on building and maintaining myself.

And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l )

With dovecot from the dovecot.org http://dovecot.org repo:

# doveadm pw -s ARGON2I -p secret

{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk

Also from dovecot.org http://dovecot.org repo:

doveadm pw -s ARGON2I -p secret Fatal: Unknown scheme: ARGON2I

????

Marc

It works for me over here:

[wash@waridi ~]#/opt/dovecot2.3/bin/doveadm pw -s ARGON2I -p secret {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$9pggnQBea9F3h3O31HoJEA$0zZZgwEuMRVZ3Mc/v6ckpalzVRVCr+GLBWnb8OrgsxU

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)

Aki Tuomi

10:46 a.m.

Aki Tuomi

19 Feb 19 Feb

8:50 a.m.

On 17.2.2019 10.46, Aki Tuomi via dovecot wrote:

...

...
On 17 February 2019 at 10:38 Odhiambo Washington via dovecot < dovecot@dovecot.org mailto:dovecot@dovecot.org> wrote:

On Sun, 17 Feb 2019 at 11:34, Marc Weustink via dovecot < dovecot@dovecot.org mailto:dovecot@dovecot.org> wrote:

...
Jean-Daniel Dupas via dovecot wrote:

...
...
Le 13 févr. 2019 à 14:54, Robert Moskowitz via dovecot < dovecot@dovecot.org mailto:dovecot@dovecot.org
dovecot@dovecot.org mailto:dovecot@dovecot.org>> a écrit :

...
...
...
...
...
ARGON2 support is added in dovecot v2.3. It also needs to be enabled when compiling dovecot, so varying from packagers it might or not be available. The CRYPT ones are available if crypt(3) supports them. In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

CentOS7 is on dovecot 2.2.36:

# doveadm pw -s ARGON2-CRYPT -p secret Fatal: Unknown scheme: ARGON2-CRYPT # doveadm pw -s ARGON2 -p secret Fatal: Unknown scheme: ARGON2

I tend to stay with the distro's rpms and not take on building and maintaining myself.

And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l ) With dovecot from the dovecot.org < http://dovecot.org> repo: # doveadm pw -s ARGON2I -p secret {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk

Also from dovecot.org < http://dovecot.org> repo: doveadm pw -s ARGON2I -p secret Fatal: Unknown scheme: ARGON2I ???? Marc

It works for me over here:

[wash@waridi ~]#/opt/dovecot2.3/bin/doveadm pw -s ARGON2I -p secret {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$9pggnQBea9F3h3O31HoJEA$0zZZgwEuMRVZ3Mc/v6ckpalzVRVCr+GLBWnb8OrgsxU

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)

I'll check next week if and why argon is missing from ce packages.

Aki Tuomi

Marc,

ARGON2 is supported only on Debian Stretch and Ubuntu 18 for dovecot, due to libsodium.

Aki

Marc Weustink

10:25 a.m.

Aki Tuomi via dovecot wrote:

...

On 17.2.2019 10.46, Aki Tuomi via dovecot wrote:

...
...
On 17 February 2019 at 10:38 Odhiambo Washington via dovecot < dovecot@dovecot.org mailto:dovecot@dovecot.org> wrote:

On Sun, 17 Feb 2019 at 11:34, Marc Weustink via dovecot < dovecot@dovecot.org mailto:dovecot@dovecot.org> wrote:

...
Jean-Daniel Dupas via dovecot wrote:

...
...
Le 13 févr. 2019 à 14:54, Robert Moskowitz via dovecot < dovecot@dovecot.org mailto:dovecot@dovecot.org
dovecot@dovecot.org mailto:dovecot@dovecot.org>> a écrit :

...
...
...
...
> ARGON2 support is added in dovecot v2.3. It also needs to be enabled > when compiling dovecot, so varying from packagers it might or not be > available. The CRYPT ones are available if crypt(3) supports them. In > dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

CentOS7 is on dovecot 2.2.36:

# doveadm pw -s ARGON2-CRYPT -p secret Fatal: Unknown scheme: ARGON2-CRYPT # doveadm pw -s ARGON2 -p secret Fatal: Unknown scheme: ARGON2

I tend to stay with the distro's rpms and not take on building and maintaining myself.

And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l ) With dovecot from the dovecot.org < http://dovecot.org> repo: # doveadm pw -s ARGON2I -p secret {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk

Also from dovecot.org < http://dovecot.org> repo: doveadm pw -s ARGON2I -p secret Fatal: Unknown scheme: ARGON2I ???? Marc

It works for me over here:

[wash@waridi ~]#/opt/dovecot2.3/bin/doveadm pw -s ARGON2I -p secret {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$9pggnQBea9F3h3O31HoJEA$0zZZgwEuMRVZ3Mc/v6ckpalzVRVCr+GLBWnb8OrgsxU

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)

I'll check next week if and why argon is missing from ce packages.

Aki Tuomi

Marc,

ARGON2 is supported only on Debian Stretch and Ubuntu 18 for dovecot, due to libsodium.

Ah, thanks for the clarification. Still running Ubuntu 16 here.

Marc

Robert Moskowitz

20 Feb 20 Feb

3:10 p.m.

On 2/19/19 1:50 AM, Aki Tuomi via dovecot wrote:

...

On 17.2.2019 10.46, Aki Tuomi via dovecot wrote:

...
...
On 17 February 2019 at 10:38 Odhiambo Washington via dovecot < dovecot@dovecot.org mailto:dovecot@dovecot.org> wrote:

On Sun, 17 Feb 2019 at 11:34, Marc Weustink via dovecot < dovecot@dovecot.org mailto:dovecot@dovecot.org> wrote:

...
Jean-Daniel Dupas via dovecot wrote:

...
...
Le 13 févr. 2019 à 14:54, Robert Moskowitz via dovecot < dovecot@dovecot.org mailto:dovecot@dovecot.org
dovecot@dovecot.org mailto:dovecot@dovecot.org>> a écrit :

...
...
...
...
> ARGON2 support is added in dovecot v2.3. It also needs to be enabled > when compiling dovecot, so varying from packagers it might or not be > available. The CRYPT ones are available if crypt(3) supports them. In > dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

CentOS7 is on dovecot 2.2.36:

# doveadm pw -s ARGON2-CRYPT -p secret Fatal: Unknown scheme: ARGON2-CRYPT # doveadm pw -s ARGON2 -p secret Fatal: Unknown scheme: ARGON2

I tend to stay with the distro's rpms and not take on building and maintaining myself.

And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l ) With dovecot from the dovecot.org < http://dovecot.org> repo: # doveadm pw -s ARGON2I -p secret {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk

Also from dovecot.org < http://dovecot.org> repo: doveadm pw -s ARGON2I -p secret Fatal: Unknown scheme: ARGON2I ???? Marc

It works for me over here:

[wash@waridi ~]#/opt/dovecot2.3/bin/doveadm pw -s ARGON2I -p secret {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$9pggnQBea9F3h3O31HoJEA$0zZZgwEuMRVZ3Mc/v6ckpalzVRVCr+GLBWnb8OrgsxU

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)

I'll check next week if and why argon is missing from ce packages.

Aki Tuomi

Marc,

ARGON2 is supported only on Debian Stretch and Ubuntu 18 for dovecot, due to libsodium.

libsodium does not help with CentOS7 and Dovecot 2.3:

Installing : libsodium-1.0.17-1.el7.armv7hl 1/1 Verifying : libsodium-1.0.17-1.el7.armv7hl 1/1

Installed: libsodium.armv7hl 0:1.0.17-1.el7

Complete! [root@klovia ~]# doveadm pw -s ARGON2I -p secret Fatal: Unknown scheme: ARGON2I [root@klovia ~]# doveadm pw -l MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT

Previously installed argon2:

grep -n argon /var/log/yum.log* /var/log/yum.log:128:Feb 13 09:01:01 Installed: libargon2-20161029-2.el7.armv7hl /var/log/yum.log:129:Feb 13 09:01:01 Installed: argon2-20161029-2.el7.armv7hl

Aki Tuomi

3:38 p.m.

...

On 20 February 2019 15:10 Robert Moskowitz via dovecot dovecot@dovecot.org wrote:

On 2/19/19 1:50 AM, Aki Tuomi via dovecot wrote:

...
On 17.2.2019 10.46, Aki Tuomi via dovecot wrote:

...
...
On 17 February 2019 at 10:38 Odhiambo Washington via dovecot < dovecot@dovecot.org> wrote:

On Sun, 17 Feb 2019 at 11:34, Marc Weustink via dovecot < dovecot@dovecot.org>

wrote:

...
Jean-Daniel Dupas via dovecot wrote:

...
...
...
> Le 13 févr. 2019 à 14:54, Robert Moskowitz via dovecot

...
> < dovecot@dovecot.org > a écrit :

...
>

...
>

...
>

...
>> ARGON2 support is added in dovecot v2.3. It also needs to be enabled

...
>> when compiling dovecot, so varying from packagers it might or not be

...
>> available. The CRYPT ones are available if crypt(3) supports them. In

...
>> dovecot v2.3 we have added bcrypt support regardless of crypt(3)

support.

...
>

...
> CentOS7 is on dovecot 2.2.36:

...
>

...
> # doveadm pw -s ARGON2-CRYPT -p secret

...
> Fatal: Unknown scheme: ARGON2-CRYPT

...
> # doveadm pw -s ARGON2 -p secret

...
> Fatal: Unknown scheme: ARGON2

...
>

...
> I tend to stay with the distro's rpms and not take on building and

...
> maintaining myself.

...
...
And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm

pw -l )

...
With dovecot from the dovecot.org < http://dovecot.org> repo:

...
# doveadm pw -s ARGON2I -p secret

{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk

...
Also from dovecot.org < http://dovecot.org> repo:

...
doveadm pw -s ARGON2I -p secret

Fatal: Unknown scheme: ARGON2I

...
????

...
Marc

It works for me over here:

[wash@waridi ~]#/opt/dovecot2.3/bin/doveadm pw -s ARGON2I -p secret

{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$9pggnQBea9F3h3O31HoJEA$0zZZgwEuMRVZ3Mc/v6ckpalzVRVCr+GLBWnb8OrgsxU

--

Best regards,

Odhiambo WASHINGTON,

Nairobi,KE

+254 7 3200 0004/+254 7 2274 3223

"Oh, the cruft.", grep ^[^#] :-)

I'll check next week if and why argon is missing from ce packages.

Aki Tuomi

Marc,

ARGON2 is supported only on Debian Stretch and Ubuntu 18 for dovecot, due to libsodium.

libsodium does not help with CentOS7 and Dovecot 2.3:

Installing : libsodium-1.0.17-1.el7.armv7hl 1/1 Verifying : libsodium-1.0.17-1.el7.armv7hl 1/1

Installed: libsodium.armv7hl 0:1.0.17-1.el7

Complete! [root@klovia ~]# doveadm pw -s ARGON2I -p secret Fatal: Unknown scheme: ARGON2I [root@klovia ~]# doveadm pw -l MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT

Previously installed argon2:

grep -n argon /var/log/yum.log* /var/log/yum.log:128:Feb 13 09:01:01 Installed: libargon2-20161029-2.el7.armv7hl /var/log/yum.log:129:Feb 13 09:01:01 Installed: argon2-20161029-2.el7.armv7hl

Hi!

Just installing libsodium is not enough. It's not compiled into dovecot centos7 packages because the libsodium in centos7 (not epel) is not recent enough.

Aki

Robert Moskowitz

3:54 p.m.

On 2/20/19 8:38 AM, Aki Tuomi wrote:

...

...
On 20 February 2019 15:10 Robert Moskowitz via dovecot dovecot@dovecot.org wrote:

On 2/19/19 1:50 AM, Aki Tuomi via dovecot wrote:

...
On 17.2.2019 10.46, Aki Tuomi via dovecot wrote:

...
...
On 17 February 2019 at 10:38 Odhiambo Washington via dovecot < dovecot@dovecot.org> wrote:

On Sun, 17 Feb 2019 at 11:34, Marc Weustink via dovecot < dovecot@dovecot.org>

wrote:

...
Jean-Daniel Dupas via dovecot wrote:

>> Le 13 févr. 2019 à 14:54, Robert Moskowitz via dovecot

>> < dovecot@dovecot.org > a écrit :

>>> ARGON2 support is added in dovecot v2.3. It also needs to be enabled

>>> when compiling dovecot, so varying from packagers it might or not be

>>> available. The CRYPT ones are available if crypt(3) supports them. In

>>> dovecot v2.3 we have added bcrypt support regardless of crypt(3)

support.

>> CentOS7 is on dovecot 2.2.36:

>> # doveadm pw -s ARGON2-CRYPT -p secret

>> Fatal: Unknown scheme: ARGON2-CRYPT

>> # doveadm pw -s ARGON2 -p secret

>> Fatal: Unknown scheme: ARGON2

>> I tend to stay with the distro's rpms and not take on building and

>> maintaining myself.

> And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm >
> pw -l )

> With dovecot from the dovecot.org < http://dovecot.org> repo:

> # doveadm pw -s ARGON2I -p secret

{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk

...
Also from dovecot.org < http://dovecot.org> repo:

...
doveadm pw -s ARGON2I -p secret

Fatal: Unknown scheme: ARGON2I

...
????

...
Marc

It works for me over here:

[wash@waridi ~]#/opt/dovecot2.3/bin/doveadm pw -s ARGON2I -p secret

{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$9pggnQBea9F3h3O31HoJEA$0zZZgwEuMRVZ3Mc/v6ckpalzVRVCr+GLBWnb8OrgsxU

--

Best regards,

Odhiambo WASHINGTON,

Nairobi,KE

+254 7 3200 0004/+254 7 2274 3223

"Oh, the cruft.", grep ^[^#] :-)

I'll check next week if and why argon is missing from ce packages.

Aki Tuomi

Marc,

ARGON2 is supported only on Debian Stretch and Ubuntu 18 for dovecot, due to libsodium.

libsodium does not help with CentOS7 and Dovecot 2.3:

Installing : libsodium-1.0.17-1.el7.armv7hl 1/1 Verifying : libsodium-1.0.17-1.el7.armv7hl 1/1

Installed: libsodium.armv7hl 0:1.0.17-1.el7

Complete! [root@klovia ~]# doveadm pw -s ARGON2I -p secret Fatal: Unknown scheme: ARGON2I [root@klovia ~]# doveadm pw -l MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT

Previously installed argon2:

grep -n argon /var/log/yum.log* /var/log/yum.log:128:Feb 13 09:01:01 Installed: libargon2-20161029-2.el7.armv7hl /var/log/yum.log:129:Feb 13 09:01:01 Installed: argon2-20161029-2.el7.armv7hl

Hi!

Just installing libsodium is not enough. It's not compiled into dovecot centos7 packages because the libsodium in centos7 (not epel) is not recent enough.

It was worth the try....

＠lbutlr

4:06 p.m.

On 20 Feb 2019, at 06:10, Robert Moskowitz via dovecot dovecot@dovecot.org wrote:

...

libsodium does not help with CentOS7 and Dovecot 2.3:

This is what your HTML message looks like here:

<https://www.dropbox.com/s/puwyqle5nwm1c9t/Screen%20Shot%202019-02-20%20at%20...

-- the nasty little sound of a sword being unsheathed right behind one at just the point when one thought one had disposed of one's enemies [...] It was that kind of laugh. --Equal Rites

Robert Moskowitz

4:11 p.m.

On 2/20/19 9:06 AM, @lbutlr via dovecot wrote:

...

On 20 Feb 2019, at 06:10, Robert Moskowitz via dovecot dovecot@dovecot.org wrote:

...
libsodium does not help with CentOS7 and Dovecot 2.3: This is what your HTML message looks like here:

<https://www.dropbox.com/s/puwyqle5nwm1c9t/Screen%20Shot%202019-02-20%20at%20...

Thunderbird 60.4 on Fedora 28....

Odhiambo Washington

17 Feb 17 Feb

11 a.m.

New subject: Migrate Mail Data from Dovecot to Dovecot

I have built a new server (FreeBSD-12) running dovecot-2.3.4. My old server (FreeBSD-9.3) is running dovecot-2.3.4 as well. The configurations are 1:1 identical. The are about 250 users on this server, all virtual. They are mostly POP3 users, but they do "leave a copy of message on the server" for set various number of days.

Now, to migrate the mail data, can I simply rsync the mail directories between the old and the new server? Would that create a pitfall??

What is the recommended method?

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)

Phil Turmel

4:03 p.m.

New subject: Migrate Mail Data from Dovecot to Dovecot

On 2/17/19 4:00 AM, Odhiambo Washington via dovecot wrote:

...

I have built a new server (FreeBSD-12) running dovecot-2.3.4. My old server (FreeBSD-9.3) is running dovecot-2.3.4 as well. The configurations are 1:1 identical. The are about 250 users on this server, all virtual. They are mostly POP3 users, but they do "leave a copy of message on the server" for set various number of days.

Now, to migrate the mail data, can I simply rsync the mail directories between the old and the new server? Would that create a pitfall??

What is the recommended method?

Consider re-posting your question in a NEW message, not a reply to another, unrelated thread. The type of people who are likely to know the answer are also likely to use threaded mail-readers, and will therefore not see your message.

Phil

Robert Moskowitz

13 Feb 13 Feb

4:03 p.m.

On 2/13/19 8:30 AM, Aki Tuomi wrote:

...

On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:

...
On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:

...
Am 13. Februar 2019 00:34:15 schrieb Robert Moskowitz rgm@htt-consult.com:

...
On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:

...
Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot:

...
I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: you maybe would like to have a look to the hashing algo ARGON2I which is currently recommended for new developments and deployments. Recommended by whom?

Can you provide a link? Sure, please see here: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

...
And if I was adventurous about hashes, I would be looking more at Keccak.

Check out my Internet Draft:

draft-moskowitz-small-crypto-00.txt

Thanks for the tip, will have a look for into it.

Keccak is a general hashing function. It was the first? of the hashing 'sponge' functions, that many have followed. It is the basis of SHA3 (at Keccak's greatest strength).

Argon2 seems to be special-built for password hashing. Thing is it is not supported on my CentOS7 system:

# doveadm pw -l MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT

Of course SHA3 is not listed either...

ARGON2 support is added in dovecot v2.3. It also needs to be enabled when compiling dovecot, so varying from packagers it might or not be available. The CRYPT ones are available if crypt(3) supports them. In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

I just found an Argon2 binary for CentOS7:

Installing: argon2 armv7hl 20161029-2.el7 epel 22 k Installing for dependencies: libargon2 armv7hl 20161029-2.el7 epel 26 k

How do I get Dovecot 2.2 to use it?

Aki Tuomi

4:17 p.m.

Yassine Chaouche

20 Feb 20 Feb

12:09 p.m.

On 2/12/19 5:05 PM, Robert Moskowitz via dovecot wrote:

...

I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: [...] default_pass_scheme = SHAxxx-CRYPT [...]

How do your users change their password ?

Here's how I configured my roundcube's password plugin to keep things together ($roundcubefolder/plugins/password/config.php)

$config['password_algorithm'] = 'dovecot';

$config['password_algorithm_prefix'] = '{SHA512-CRYPT}';

$config['password_dovecotpw_method'] = 'SHA512-CRYPT';

$config['password_query'] = "UPDATE mail.users SET password=%P WHERE email=%u LIMIT 1";

I left other fields alone.

Yassine.

Robert Moskowitz

4:28 p.m.

On 2/20/19 5:09 AM, Yassine Chaouche via dovecot wrote:

...

On 2/12/19 5:05 PM, Robert Moskowitz via dovecot wrote:

...
I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: [...] default_pass_scheme = SHAxxx-CRYPT [...]

How do your users change their password ?

Many never do! Those that do, use the Roundcube plugin, or ask me to change their password via the Postfixadmin manager. Sigh.

...

Here's how I configured my roundcube's password plugin to keep things together ($roundcubefolder/plugins/password/config.php)

$config['password_algorithm'] = 'dovecot'; $config['password_algorithm_prefix'] = '{SHA512-CRYPT}'; $config['password_dovecotpw_method'] = 'SHA512-CRYPT'; $config['password_query'] = "UPDATE mail.users SET password=%P WHERE email=%u LIMIT 1";

I left other fields alone.

Yassine.

Thanks much better info than I was seeing in my googling. Except I would not use %p:

// The SQL query used to change the password. // The query can contain the following macros that will be expanded as follows: // %p is replaced with the plaintext new password // %c is replaced with the crypt version of the new password, MD5 if available // otherwise DES. // %D is replaced with the dovecotpw-crypted version of the new password // %o is replaced with the password before the change // %n is replaced with the hashed version of the new password // %q is replaced with the hashed password before the change // %h is replaced with the imap host (from the session info) // %u is replaced with the username (from the session info) // %l is replaced with the local part of the username // (in case the username is an email address) // %d is replaced with the domain part of the username // (in case the username is an email address)

%D seems to be what I want...

And in mysql, I believe the table is mailbox.

$rcmail_config['password_query'] = "UPDATE mailbox SET password = %D, modified = NOW() WHERE username = %u";

I got from: https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixad...

thanks!

Yassine Chaouche

5:12 p.m.

On 2/20/19 3:28 PM, Robert Moskowitz via dovecot wrote:

...

...
Here's how I configured my roundcube's password plugin to keep things together ($roundcubefolder/plugins/password/config.php)

$config['password_algorithm'] = 'dovecot'; $config['password_algorithm_prefix'] = '{SHA512-CRYPT}'; $config['password_dovecotpw_method'] = 'SHA512-CRYPT'; $config['password_query'] = "UPDATE mail.users SET password=%P WHERE email=%u LIMIT 1";

I left other fields alone.

Yassine.

Thanks much better info than I was seeing in my googling. Except I would not use %p:

// The SQL query used to change the password. // The query can contain the following macros that will be expanded as follows: // %p is replaced with the plaintext new password // %c is replaced with the crypt version of the new password, MD5 if available // otherwise DES. // %D is replaced with the dovecotpw-crypted version of the new password [...]

%D seems to be what I want...

the rcmail_config[] syntax you pasted in your mail indicates you're using a very old version of roundcube. Here's the relevant content of my version of the password plugin :

// The SQL query used to change the password.

// The query can contain the following macros that will be expanded as follows:

// %p is replaced with the plaintext new password

// %P is replaced with the crypted/hashed new password

// according to configured password_method [...}

// Deprecated macros:

// %c is replaced with the crypt version of the new password, MD5 if available

// otherwise DES. More hash function can be enabled using the password_crypt_hash

// configuration parameter.

// %D is replaced with the dovecotpw-crypted version of the new password [...]

Notice the difference b/w %p and %P. Also notice that %D is marked as deprecated.

...

And in mysql, I believe the table is mailbox.

Oh that depends entirely on your choice of naming and what table structure you have chosen.

...

I got from: https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixad...

Ah, it seems Aki and I have already visited this link before ^^'

Yassine.

Mark Foley

21 Feb 21 Feb

6:50 p.m.

New subject: Authenticating with checkpassword

I am trying to use the checkpassword authentication (https://wiki.dovecot.org/AuthDatabase/CheckPassword) I do have a working checkpassword program. The protocol expects to received on fd 3 the following:

username<nul>password<nul>optionalstuff</null>

I find that this works properly and the program can authenticate if the client is using PLAIN LOGIN. Both username and password are sent on fd3. But, if the client has specified kerberos/gssapi authentication then only the username is passed to checkpassword. The following is a debug dump from checkpassword showing the input read on fd 3 (12 bytes):

len 12: 636861726d61696e65000000 charmaine... User: [charmaine], PW: []

Without a password, checkpassword returns failure.

I am running dovecot in a Samba4 Active Directory. I have some email clients that use kerberos/GSSAPI (Thunderbird) and some that can only use PLAIN LOGIN (Outlook). All users, however, are active directory domain users and all could potentially authenticate with AD credentials.

I was hoping to use checkpassword for this. Otherwise, every user who cannot authenticate via kerberos/GSSAPI has to also be in the mail server's /etc/passwd file with the same ID/PW as their AD credentials, which become a bit of a pain when the user changes his domain password.

Why does not dovecot pass to checkpassword the user's password? When I tried this a few years ago I thought it did.

If checkpassword fails, why does it not then try the kerberos/GSSAPI mechanism?

Is there a solution to this?

THX --Mark

2048

Age (days ago)

2057

Last active (days ago)

List overview

30 comments

13 participants

participants (13)

＠lbutlr
Aki Tuomi
Jean-Daniel Dupas
Leonardo Rodrigues
Marc Weustink
Marc Weustink
Mark Foley
Matthias Fechner
Michael Slusarz
Odhiambo Washington
Phil Turmel
Robert Moskowitz
Yassine Chaouche