[Dovecot] How to authenticate against SQL DB with custom-ciphered passwords?

Nicolay Vizovitin vizovitin at gmail.com
Thu Sep 26 11:01:06 EEST 2013 

Hello,

I'm about to start developing authentication/password-scheme module for
Dovecot. So I would like to get some advice before actually committing to
doing things in particular way. Hope somebody will be able to help me :)

For the record, I am currently targeting latest stable Dovecot version
2.2.5.

I have an SQL DB with mail users' authentication data. Passwords are stored
either encrypted via system crypt(3) or ciphered with some custom algorithm
(think something symmetrical like AES, so passwords can be decrypted into
plain form). I want to use this DB as both userdb and passdb backend. The
issue, of course, is with ciphered passwords support.

1) Is it feasible to just implement a new password scheme for ciphered
passwords support and still use stock passdb driver in Dovecot for SQL DB
access? So that passwords in this scheme would be treated as PLAIN (in a
sense that both cleartext and shared secret authentication methods would
work).

2) Provided I implement custom password scheme for ciphered passwords, what
is the best way to be capable to perform authentication against both
ciphered and encrypted passwords? Ciphered and encrypted passwords are
stored in different fields of SQL table (one of them is NULL when the other
one is set).
    a) Do I define two passdb clauses with their own default_pass_scheme
(equal to my new scheme or CRYPT for encrypted passwords) and use fallback
to effectively check both of them?
    b) Do I modify SQL query so that it prefixes existing password with
correct scheme (I'm not sure this will be easy enough to do)?

3) Is it mandatory to provide password generation routine for custom
password scheme? When it will be used?

4) Maybe it's better to just implement a plugin that serves as both userdb
and passdb driver (in other words a kind of generic authentication module)?
What are advantages and disadvantages of each method - custom password
scheme + stock SQL driver VS. custom userdb and passdb driver? Fortunately,
I already have all the required credentials lookup and verification code.
So in any case the question is only in figuring out suitable Dovecot APIs
and integrating the existing code.

5) I have previously implemented similar custom authentication module for
Courier-IMAP (Courier-Authlib to be precise) to use the same SQL DB. And I
will need to support both IMAP servers for some time. So it is only natural
to expect some generic solution to be possible. I'd like to remind that I
need to be able to supply either encrypted password or deciphered plain
password, or just check against them. Is it possible to do so in a common
way? If so, what method should I use? I would expect SASL helping me out
here, but AFAIK, both Dovecot and Courier-IMAP can only serve as SASL
servers (providing authentication services), not clients.

6) I obviously care about providing enhanced security, especially against
stealing mail passwords. So any additional advice or related guidelines are
welcome.

7) Somewhat unrelated question: what is the best way to test IMAP (and
maybe POP3 as well) server performance and compare it to another server?
I'm interested in both login performance (the part I will influence) and
performance with many mails in mailbox. I heard imaptest is suitable for
this task. Are there any recipes or example testing scenarios you might
share? ;)

I would be grateful for any insight in these issues. If I chose a wrong
mailing list to post to, please feel free to correct me.

Thanks for your time! :)

--
Best regards,
Nick

More information about the dovecot mailing list