Using SHA256/512 for SQL based password

Aki Tuomi aki.tuomi at open-xchange.com
Tue Feb 12 19:38:25 EET 2019


> On 12 February 2019 at 19:24 Leonardo Rodrigues via dovecot <dovecot at dovecot.org> wrote:
> 
> 
> 
>      Here I have SSHA256 working with:
> 
> default_pass_scheme = PLAIN
> 
>      and my database scheme just received the hashed password prefixed 
> by the SSHA indicator, just like:
> 
> mysql> select * from emails where endereco = 'solutti at XXXXXXXXX'\G
> *************************** 1. row ***************************
>                endereco: solutti at XXXXXXXXXXXXXX
>                password: 
> {SSHA256.HEX}d90bac4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>                   quota: 51200
> 
> 
> 
> 
> On 12/02/2019 14:05, Robert Moskowitz via dovecot wrote:
> > I have been trying to find how to set the dovecot-sql.conf for using 
> > SHA256/512.  I am going to start clean with the stronger format, not 
> > migrate from the old MD5.  It seems all I need is:
> >
> > driver = mysql
> > connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password
> > default_pass_scheme = SHAxxx-CRYPT
> >
> > # following should all be on one line.
> > password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
> >
> > # following should all be on one line
> > user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=30000:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1'
> >
> > where xxx is either 256 or 512. All the rest I have been finding in my 
> > searches concern converting the format and are not needed for a clean 
> > start?
> >
> > thanks
> >
> >
> 
> 
> -- 
> 
> 
> 	Sincerely,
> 	Leonardo Rodrigues
> 	Solutti Tecnologia
> 	http://www.solutti.com.br
> 
> 	My SPAM trap, do NOT send email
> 	gertrudes at solutti.com.br
> 	My SPAMTRAP, do not email it
> 
> 
>

You can use the {CRYPT} prefix in the password field; this will cover both SHA256 and SHA512, unless you want to be explicit about which one it is.

The .HEX thing is not usually needed.

Aki
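As an added illustration of the two storage forms discussed in this thread (the {SSHA256.HEX} field shown in Leonardo's table and the {CRYPT} / SHAxxx-CRYPT prefix from Aki's reply), the script below is example code written for this page, not dovecot's own implementation; the authoritative generator remains `doveadm pw -s <scheme> -p <password>`. It builds and verifies {SSHA256} / {SSHA512} fields in base64 or .HEX encoding and dispatches {CRYPT}-style fields to crypt(3) when that module is present. The 8-byte salt and the helper names are this example's own choices; dovecot itself treats every byte after the digest as the salt, so verification does not depend on the salt length.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

try:
    import crypt  # stdlib wrapper for crypt(3); deprecated in Python 3.11 and removed in 3.13
except ImportError:
    crypt = None

# Salted-digest schemes: digest algorithm and digest length in bytes.
# Everything after the digest is the salt, so no fixed salt length is assumed.
SALTED_SCHEMES = {"SSHA256": ("sha256", 32), "SSHA512": ("sha512", 64)}
# Schemes whose body is a crypt(3) string ($5$... or $6$... for SHA256/SHA512).
CRYPT_SCHEMES = {"CRYPT", "SHA256-CRYPT", "SHA512-CRYPT"}


def split_scheme(stored: str, default_scheme: str):
    """Split '{SCHEME}body' into (SCHEME, body). A field without a prefix
    falls back to default_pass_scheme, which is how the SQL passdb behaves."""
    m = re.match(r"^\{([^}]+)\}(.*)$", stored, re.S)
    if m:
        return m.group(1).upper(), m.group(2)
    return default_scheme.upper(), stored


def encode_body(raw: bytes, encoding: str) -> str:
    if encoding == "HEX":
        return raw.hex()
    if encoding in ("", "B64", "BASE64"):
        return base64.b64encode(raw).decode("ascii")
    raise ValueError(f"unknown encoding suffix .{encoding}")


def decode_body(body: str, encoding: str) -> bytes:
    if encoding == "HEX":
        return bytes.fromhex(body)
    if encoding in ("", "B64", "BASE64"):
        return base64.b64decode(body)
    raise ValueError(f"unknown encoding suffix .{encoding}")


def generate(password: str, scheme: str = "SSHA256", salt: Optional[bytes] = None) -> str:
    """Produce a '{SCHEME}...' field for SSHA256/SSHA512, optionally with an
    encoding suffix such as 'SSHA256.HEX'. Pass a fixed salt only in tests."""
    name, _, encoding = scheme.upper().partition(".")
    if name not in SALTED_SCHEMES:
        raise ValueError(f"generate() supports only {sorted(SALTED_SCHEMES)}")
    algo, _ = SALTED_SCHEMES[name]
    if salt is None:
        salt = os.urandom(8)  # salt length is this example's choice (assumption)
    raw = hashlib.new(algo, password.encode("utf-8") + salt).digest() + salt
    return "{" + scheme.upper() + "}" + encode_body(raw, encoding)


def verify(password: str, stored: str, default_scheme: str = "PLAIN") -> bool:
    """Check a password against a stored field the way the SQL passdb would."""
    scheme, body = split_scheme(stored, default_scheme)
    name, _, encoding = scheme.partition(".")
    if name == "PLAIN":
        return hmac.compare_digest(password.encode("utf-8"), body.encode("utf-8"))
    if name in SALTED_SCHEMES:
        algo, digest_len = SALTED_SCHEMES[name]
        raw = decode_body(body, encoding)
        digest, salt = raw[:digest_len], raw[digest_len:]
        expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(expected, digest)
    if name in CRYPT_SCHEMES:
        # {CRYPT} defers to crypt(3), which reads the $5$/$6$ prefix of the
        # stored string to choose SHA256-CRYPT or SHA512-CRYPT by itself.
        if crypt is None:
            raise RuntimeError("crypt(3) is not available in this Python build")
        result = crypt.crypt(password, body)
        return result is not None and hmac.compare_digest(result, body)
    raise ValueError(f"unsupported scheme {scheme}")


if __name__ == "__main__":
    # Constructed sample: the same secret stored three ways.
    field_hex = generate("s3cret", "SSHA256.HEX")
    field_b64 = generate("s3cret", "SSHA512")
    print(field_hex)
    print(field_b64)
    print(verify("s3cret", field_hex), verify("wrong", field_hex))
    print(verify("s3cret", "s3cret"))  # unprefixed field, default_pass_scheme = PLAIN
```

With `default_pass_scheme = PLAIN`, a prefixed field such as `{SSHA256.HEX}...` is still verified under its own scheme, which is why Leonardo's setup works; an unprefixed value would be compared as plaintext, so the prefix is what carries the security property of the stored field.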
