Dovecot and MariaDB/MySQL

Michael A. Peters mpeters at domblogger.net
Wed Jan 11 07:45:39 UTC 2017


Howdy -

Most of my dovecot servers are small, and for those I just use unix accounts.

However, I am going to be running a new server for more general users, 
with webmail (probably roundcube, but I'm hacking roundcube quite a bit, 
enough that I'm calling it squarepeg instead so users familiar with 
roundcube will know it is quite different), and it will use MariaDB for 
account management.

I already have it working, following the instructions at 
https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql-on-centos-5/ 
- those instructions also work in CentOS 7 with the latest Dovecot - but 
there is something that really bothers me.

It makes no provision for salting the password before the crypt function.

What I would like to do is when creating a new account, use /dev/urandom 
to generate a random salt for the account that is stuck in the database 
along with the account and used when validating the password.

That way, in the event of a SQL injection attack that dumps the database 
- yes, it is still bad - 20 accounts that have the same password will 
have radically different hashes and thus won't be a clue that they are 
the same, and the blackhat who gets the database dump would have to 
generate a rainbow table for each unique salt.

I've looked at at least a dozen different Dovecot / MariaDB howto guides 
and none of the ones I have looked at supported any kind of individual 
salting of the user passwords.

Can someone point me to a guide that does?

I don't mind keeping the salt in the database, I just want to be able to 
have a different salt for each account.

Thank you


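An added example, not code from the original post, from Dovecot or from the Linode guide. The practitioner's answer to the question above is that crypt-style schemes such as Dovecot's {SHA512-CRYPT} already carry a per-account salt inside the hash string ("$6$salt$hash"), so no separate salt column is needed: the salt is generated at account creation, stored as part of the column value, and read back out of that value at verification time. The code below implements SHA512-crypt (Ulrich Drepper's specification, the algorithm behind glibc crypt(3) "$6$" hashes) on top of hashlib so it runs without Python's deprecated crypt module, draws a fresh salt from the OS CSPRNG, builds the value in Dovecot's "{SCHEME}hash" notation, and verifies a candidate password against it. It assumes the MariaDB password column stores that string verbatim and that Dovecot's passdb is pointed at it; the password, salt and rounds values in the demo are constructed for illustration.

```python
# Added example (not Dovecot's or the original post's code): SHA512-crypt, the
# algorithm behind glibc crypt(3) "$6$" hashes, on hashlib, so it runs without
# the deprecated crypt module. Output is byte-identical to crypt(3)/doveadm pw.
import hashlib
import hmac
import secrets

# crypt(3)'s own base64 alphabet (not RFC 4648), used for salt and digest.
CRYPT_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_LEN = 16           # SHA512-crypt honours at most 16 salt characters
DEFAULT_ROUNDS = 5000   # crypt(3) default when no "rounds=" field is given
SCHEME = "{SHA512-CRYPT}"  # Dovecot's scheme prefix for crypt(3) $6$ hashes


def random_salt(length=SALT_LEN):
    """Fresh per-account salt; secrets reads /dev/urandom on Linux."""
    return "".join(secrets.choice(CRYPT_B64) for _ in range(length))


def _repeat_to(block, n):
    """block repeated and truncated to exactly n bytes."""
    return (block * (n // len(block) + 1))[:n]


def _encode(digest):
    """crypt(3) base64 of a 64-byte digest with the SHA512 byte permutation."""
    out = []
    for k in range(21):                      # 21 triples of (k, k+21, k+42)
        idx = (k, k + 21, k + 42)
        idx = idx[k % 3:] + idx[:k % 3]      # rotated as the spec lists them
        w = (digest[idx[0]] << 16) | (digest[idx[1]] << 8) | digest[idx[2]]
        for _ in range(4):
            out.append(CRYPT_B64[w & 0x3F])
            w >>= 6
    w = digest[63]                           # the odd byte out: two chars
    for _ in range(2):
        out.append(CRYPT_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password, salt, rounds=DEFAULT_ROUNDS):
    """Return crypt(3)-compatible "$6$[rounds=N$]salt$hash" for password."""
    pw, salt = password.encode(), salt[:SALT_LEN]
    sb = salt.encode()
    sha = hashlib.sha512

    b = sha(pw + sb + pw).digest()                    # digest B
    a = sha(pw + sb + _repeat_to(b, len(pw)))         # digest A
    n = len(pw)
    while n:                                          # bits of len(pw), LSB first
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    p = _repeat_to(sha(pw * len(pw)).digest(), len(pw))      # P bytes
    s = _repeat_to(sha(sb * (16 + a[0])).digest(), len(sb))  # S bytes

    c = a
    for i in range(rounds):                           # the stretching loop
        h = sha(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    prefix = "$6$" if rounds == DEFAULT_ROUNDS else "$6$rounds=%d$" % rounds
    return prefix + salt + "$" + _encode(c)


def make_dovecot_hash(password, rounds=DEFAULT_ROUNDS):
    """Column value for MariaDB: the {SCHEME} prefix tells Dovecot how to
    check it, and the fresh salt is stored inside the hash string itself."""
    return SCHEME + sha512_crypt(password, random_salt(), rounds)


def verify(password, stored):
    """Re-derive with the salt and rounds embedded in the stored value."""
    if not stored.startswith(SCHEME + "$6$"):
        return False
    fields = stored[len(SCHEME):].split("$")   # ['', '6', [rounds], salt, hash]
    rounds = DEFAULT_ROUNDS
    if fields[2].startswith("rounds="):
        r = fields.pop(2)[len("rounds="):]
        if not r.isdigit():
            return False
        rounds = int(r)
    if len(fields) != 4:
        return False
    expected = sha512_crypt(password, fields[2], rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(expected, fields[3])   # constant-time compare


if __name__ == "__main__":
    pw = "correct horse battery staple"               # constructed demo input
    h1, h2 = make_dovecot_hash(pw), make_dovecot_hash(pw)
    print(h1, h2, sep="\n")
    print("same password, identical rows?", h1 == h2)  # False: per-account salt
    print("right/wrong password:", verify(pw, h1), verify(pw.upper(), h1))
```

The value make_dovecot_hash returns is the same shape that doveadm pw -s SHA512-CRYPT produces, so rows created by an account-signup script and rows created by hand with doveadm are interchangeable. The rounds parameter is the only tunable: raising it slows every login attempt and every offline guess by the same factor, which is the lever that actually hurts a database-dump attacker once per-account salts have removed the rainbow-table shortcut.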