[Dovecot] Postfix/mysql/dovecot - Understanding password encryption
Robert Moskowitz
rgm at htt-consult.com
Tue Dec 25 04:03:40 EET 2012
On 12/24/2012 04:54 PM, Reindl Harald wrote:
>
> Am 24.12.2012 22:44, schrieb Robert Moskowitz:
>> On 12/24/2012 04:26 PM, Robert Moskowitz wrote:
>>> I am switching from a fedora/postfix/mysql/couriermail/squirrelmail to Centos/.../dovecot/roundcubemail and
>>> adding postfixadmin to the mix.
>>>
>>> My tutorial before was an earlier version (on F14) of:
>>>
>>> http://www.howtoforge.com/virtual-users-and-domains-with-postfix-courier-mysql-and-squirrelmail-centos-6.2-x86_64
>>>
>>> Now I am using
>>>
>>> http://www.campworld.net/thewiki/pmwiki.php/LinuxServersCentOS/Cent6VirtMailServer
>>>
>>> to get me started. I am up to roundcubemail setup and am stumbling to understand what the author here is doing
>>> with encrypted passwords, so felt it was time to delve deeper into this.
>>>
>>> My old setup uses mysql-crypt for the password.
>>>
>>> MYSQL_CRYPT_PWFIELD password
>>>
>>> and users could be added to the table with:
>>>
>>> INSERT INTO `users` (`email`, `password`, `quota`) VALUES ('sales at example.com', ENCRYPT('secret'), 10485760);
>>>
>>> But where this was all simple and no choices, I get to figure out what to do with my dovecot setup.
>>>
>>> Some of the 'secret' is hinted at in postfixadmin's config.inc.php:
>>>
>>> // Encrypt
>>> // In what way do you want the passwords to be crypted?
>>> // md5crypt = internal postfix admin md5
>>> // md5 = md5 sum of the password
>>> // system = whatever you have set as your PHP system default
>>> // cleartext = clear text passwords (ouch!)
>>> // mysql_encrypt = useful for PAM integration
>>> // authlib = support for courier-authlib style passwords
>>> // dovecot:CRYPT-METHOD = use dovecotpw -s 'CRYPT-METHOD'. Example: dovecot:CRAM-MD5
>>> $CONF['encrypt'] = 'md5crypt';
>>>
>>> Where is there information on the different choices and how to choose.
>>>
>>> Is it as 'simple' as setting up postfixadmin to control the password encryption format then 'inform' dovecot in
>>> the dovecot-mysql.conf with
>>>
>>> default_pass_scheme = MD5-CRYPT
>>>
>> Oh, the dovecot.conf has the line:
>>
>> auth_mechanisms = plain login
>> Which adds to my confusion.
> maybe you should read some basic documentations
> see the large bumber of your posts on dovecot/postfix list
> and that i was able to setup my first mailserver years ago
> with only reading the docs and subcribe for mailing-lists
> a year later it feels like you try to replace reading
> manuals with posting basic questions
With all due respect, the manuals have grown over the years. I have
spent time over the past month going through the manuals and putting
together notes. Then I have gone through a few tutorials to get some
lessons learned from others. Some tools like postfixadmin do a lot more
than what I need, so I am plowing through extra stuff. You ask, why use
postfixadmin and not just build it from scratch? I have a few domains
and others are responsible for those domains. The tool I used before was
difficult for multiple admins. My reading on postfixadmin make rather
attractive. Then follows a lot of other stuff.
Challenge is, I can only put a couple hours a day in on this. Like many
here I have other assignments.
I do appreciate your help; I try to help (mostly on other lists) where I
can. But my expertise in secure data communications is rather specialized.
>
> auth-mech = client/server
>
> start with
> * http://wiki.dovecot.org/
> * http://wiki.dovecot.org/Authentication/Mechanisms
> * http://www.postfix.org/documentation.html
>
>>> // cleartext = clear text passwords (ouch!)
> if you want / need to provide different auth-mchs you may have
> no other option because the server will not be able to generate
> the data for CRAM-MD5/MD5-DIGEST from a hashed column
>
> this is also eplained here
> http://wiki.dovecot.org/Authentication/Mechanisms
>
More information about the dovecot
mailing list