[Dovecot] How to authenticate against SQL DB with custom-ciphered passwords?

Fri Sep 27 18:13:40 EEST 2013

On 26.9.2013, at 10.01, Nicolay Vizovitin <vizovitin at gmail.com> wrote:

> I'm about to start developing authentication/password-scheme module for
> Dovecot. So I would like to get some advice before actually committing to
> doing things in particular way. Hope somebody will be able to help me :)
> 
> For the record, I am currently targeting latest stable Dovecot version
> 2.2.5.
> 
> I have an SQL DB with mail users' authentication data. Passwords are stored
> either encrypted via system crypt(3) or ciphered with some custom algorithm
> (think something symmetrical like AES, so passwords can be decrypted into
> plain form). I want to use this DB as both userdb and passdb backend. The
> issue, of course, is with ciphered passwords support.
> 
> 1) Is it feasible to just implement a new password scheme for ciphered
> passwords support and still use stock passdb driver in Dovecot for SQL DB
> access?

Plugins can implement new password schemes. http://dovecot.org/patches/password-scheme-lmpass.c is an example, although I'm not sure if it compiles with v2.2.

> So that passwords in this scheme would be treated as PLAIN (in a
> sense that both cleartext and shared secret authentication methods would
> work).

You could do that in a slightly ugly way by setting password_generate=plain_generate(), so password_scheme_is_alias() returns TRUE for that.

> 2) Provided I implement custom password scheme for ciphered passwords, what
> is the best way to be capable to perform authentication against both
> ciphered and encrypted passwords? Ciphered and encrypted passwords are
> stored in different fields of SQL table (one of them is NULL when the other
> one is set).
>    a) Do I define two passdb clauses with their own default_pass_scheme
> (equal to my new scheme or CRYPT for encrypted passwords) and use fallback
> to effectively check both of them?
>    b) Do I modify SQL query so that it prefixes existing password with
> correct scheme (I'm not sure this will be easy enough to do)?

By "ciphered" I understand you mean encrypted, and by "encrypted" you mean hashed.. Scheme prefix would work, mysql and postgresql have complex enough string manipulation functions to make this possible I think.

> 3) Is it mandatory to provide password generation routine for custom
> password scheme? When it will be used?

doveadm pw command would use it for example. But as mentioned, you should set it to plain_generate.

> 4) Maybe it's better to just implement a plugin that serves as both userdb
> and passdb driver (in other words a kind of generic authentication module)?
> What are advantages and disadvantages of each method - custom password
> scheme + stock SQL driver VS. custom userdb and passdb driver? Fortunately,
> I already have all the required credentials lookup and verification code.
> So in any case the question is only in figuring out suitable Dovecot APIs
> and integrating the existing code.

Implementing yet another sql passdb sounds like quite a lot of work.

> 7) Somewhat unrelated question: what is the best way to test IMAP (and
> maybe POP3 as well) server performance and compare it to another server?
> I'm interested in both login performance (the part I will influence) and
> performance with many mails in mailbox. I heard imaptest is suitable for
> this task. Are there any recipes or example testing scenarios you might
> share? ;)

There are only bad non-realistic benchmarks available currently. With imaptest you can easily test the login performance though:

imaptest user=test%d.%d - select=0 clients=100