Multiple passwords with sql authentication
Rick Romero
rick at havokmon.com
Wed Jul 23 16:07:17 UTC 2014
Quoting BlackVoid <blackvoid+dovecot at fantas.in>:
> I'm currently working on a control panel which is using postfix, dovecot
> and other applications and I want to add application specific passwords
> to increase security.
>
> I found one solution [1], however it requires the password to be
> included in the query which is something I do not want to do, because
> the query may be written in clear-text to log-files. So I'm wondering if
> there is a way to have multiple passwords with dovecot without risking
> passwords being leakied in clear-text to log-files.
>
>
[1]http://wiki2.dovecot.org/AuthDatabase/SQL#Password_verification_by_SQL_server
You can run your query by host (or port - not sure if that variable is
available in the query) and make it complex..
For example - (MySQL)
SELECT if ('%r'!='127.0.0.1', webmail_pass, enc_password) as password from
user where userid = %u
http://komlenic.com/254/mysql-nested-if-in-select-queries/
If you're using Dovecot as an auth backend for your control panel, I'd use
a custom port only accessible from the web server(s) like 145 for
IMAP+Control Panel.
Rick
More information about the dovecot
mailing list