Percent character in mail_crypt_private_password not possible
Hello,
I am using the mail_crypt plugin with Dovecot 2.3 and have issues trying to use a mail crypt private password which contains a percent "%" character as you can see below:
$ doveadm -o plugin/mail_crypt_private_password=SomethingWith\%Percent mailbox cryptokey generate -u email@domain.tld -URf
doveadm(email@domain.tld): Error: Failed to expand plugin setting mail_crypt_private_password = 'SomethingWith%Percent': Unknown variable '%P'
Note here that the percent is escaped with a backslash "\%" in order for the shell not to process it.
Regards, Mabi
Hello,
I am using the mail_crypt plugin with Dovecot 2.3 and have issues trying to use a mail crypt private password which contains a percent "%" character as you can see below:
$ doveadm -o plugin/mail_crypt_private_password=SomethingWith\%Percent mailbox cryptokey generate -u email@domain.tld -URf
doveadm(email@domain.tld): Error: Failed to expand plugin setting mail_crypt_private_password = 'SomethingWith%Percent': Unknown variable '%P'
Note here that the percent is escaped with a backslash "\%" in order for the shell not to process it.
Regards, Mabi
Hi, you need to escape % with %%. We are aware of a bug affecting when % comes in from some field via userdb, and we are looking into how to fix this.
Aki
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Tuesday, July 2, 2019 6:21 PM, Aki Tuomi aki.tuomi@open-xchange.com wrote:
Hi, you need to escape % with %%. We are aware of a bug affecting when % comes in from some field via userdb, and we are looking into how to fix this.
Hi Aki,
Thank you very much for your very fast answer. I will then simply double the percent character as workaround for now as you suggest.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Tuesday, July 2, 2019 6:21 PM, Aki Tuomi aki.tuomi@open-xchange.com wrote:
Hi, you need to escape % with %%. We are aware of a bug affecting when % comes in from some field via userdb, and we are looking into how to fix this.
Hi Aki,
Thank you very much for your very fast answer. I will then simply double the percent character as workaround for now as you suggest.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Tuesday, July 2, 2019 6:21 PM, Aki Tuomi aki.tuomi@open-xchange.com wrote:
Hi, you need to escape % with %%. We are aware of a bug affecting when % comes in from some field via userdb, and we are looking into how to fix this.
Hi Aki,
Thank you very much for your very fast answer. I will then simply double the percent character as workaround for now as you suggest.
butterfingers me, sending empty replies..
I don't actually recommend using password *directly* from user as password for private keys, I recommend running them thru some hash / pkcs5 before that.
Aki
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Tuesday, July 2, 2019 6:32 PM, Aki Tuomi via dovecot dovecot@dovecot.org wrote:
I don't actually recommend using password directly from user as password for private keys, I recommend running them thru some hash / pkcs5 before that.
That's a great idea and makes things even safer. I don't know much about PKCS5 but would SHA512 also be safe enough for hashing the password?
SHA512 would then generate a 128 characters hash which I would then pass to the parameter "-o plugin/mail_crypt_private_password=" of my "doveadm mailbox cryptokey generate ..." command.
On 2.7.2019 23.27, mabi wrote:
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Tuesday, July 2, 2019 6:32 PM, Aki Tuomi via dovecot dovecot@dovecot.org wrote:
I don't actually recommend using password directly from user as password for private keys, I recommend running them thru some hash / pkcs5 before that. That's a great idea and makes things even safer. I don't know much about PKCS5 but would SHA512 also be safe enough for hashing the password?
SHA512 would then generate a 128 characters hash which I would then pass to the parameter "-o plugin/mail_crypt_private_password=" of my "doveadm mailbox cryptokey generate ..." command.
It depends. You can use either one, see https://wiki2.dovecot.org/Variables
I think the safest option would be setup LDAP so that the private password would be only readable by self, and have dovecot use bind authentication. This way you can export it only when you successfully log in to LDAP.
Aki
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Thursday, July 4, 2019 11:18 AM, Aki Tuomi via dovecot dovecot@dovecot.org wrote:
It depends. You can use either one, seehttps://wiki2.dovecot.org/Variables
I think the safest option would be setup LDAP so that the private password would be only readable by self, and have dovecot use bind authentication. This way you can export it only when you successfully log in to LDAP.
Good point regarding LDAP but right now I am using PostgreSQL as backend for storing my accounts and use the following "password_query" parameter:
password_query = SELECT username AS user, password, '%w' AS userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u'
So based on the Dovecot Variables wiki documentation you mention I could adapt my "password_query" parameter to the following in order to use a SHA512 hash of the password:
password_query = SELECT username AS user, password, '%{sha512:w}' AS userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u'
is this correct?
I am also not sure about sha512 hash because the Dovecot Variable wiki page does not mention sha512 but only sha256. Is sha512 also available?
On 4.7.2019 16.05, mabi via dovecot wrote:
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Thursday, July 4, 2019 11:18 AM, Aki Tuomi via dovecot dovecot@dovecot.org wrote:
It depends. You can use either one, seehttps://wiki2.dovecot.org/Variables
I think the safest option would be setup LDAP so that the private password would be only readable by self, and have dovecot use bind authentication. This way you can export it only when you successfully log in to LDAP. Good point regarding LDAP but right now I am using PostgreSQL as backend for storing my accounts and use the following "password_query" parameter:
password_query = SELECT username AS user, password, '%w' AS userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u'
So based on the Dovecot Variables wiki documentation you mention I could adapt my "password_query" parameter to the following in order to use a SHA512 hash of the password:
password_query = SELECT username AS user, password, '%{sha512:w}' AS userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u'
is this correct?
I am also not sure about sha512 hash because the Dovecot Variable wiki page does not mention sha512 but only sha256. Is sha512 also available?
Yes
Aki
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Thursday, July 4, 2019 3:10 PM, Aki Tuomi aki.tuomi@open-xchange.com wrote:
I am also not sure about sha512 hash because the Dovecot Variable wiki page does not mention sha512 but only sha256. Is sha512 also available?
Yes
Thank you Aki for confirming. I tried it out and it works but I needed to use "%{sha512:password}" instead of "%{sha512:w}". That's a nice feature of Dovecot!
Now all I still need to do is to change the password of my user's crypto keypair to the SHA512 hash of their login password and that's it.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Tuesday, July 2, 2019 6:21 PM, Aki Tuomi aki.tuomi@open-xchange.com wrote:
Hi, you need to escape % with %%. We are aware of a bug affecting when % comes in from some field via userdb, and we are looking into how to fix this.
Aki, I was wondering, does this bug also affect the changing of a cryptokey password using this command:
$ doveadm mailbox cryptokey password -u email@domain.tld -n NEW%PASSWORD -o OLD%PASSWORD
Do I need here also to double the '%' char in the -n (new password) and -o (old password) parameters ?
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Tuesday, July 2, 2019 6:21 PM, Aki Tuomi aki.tuomi@open-xchange.com wrote:
Hi, you need to escape % with %%. We are aware of a bug affecting when % comes in from some field via userdb, and we are looking into how to fix this.
Aki, I was wondering, does this bug also affect the changing of a cryptokey password using this command:
$ doveadm mailbox cryptokey password -u email@domain.tld -n NEW%PASSWORD -o OLD%PASSWORD
Do I need here also to double the '%' char in the -n (new password) and -o (old password) parameters ?
Not needed here, no.
Aki
participants (2)
-
Aki Tuomi
-
mabi