Using SHA256/512 for SQL based password

Robert Moskowitz rgm at htt-consult.com
Wed Feb 20 16:28:42 EET 2019



On 2/20/19 5:09 AM, Yassine Chaouche via dovecot wrote:
> On 2/12/19 5:05 PM, Robert Moskowitz via dovecot wrote:
>> I have been trying to find how to set the dovecot-sql.conf for using 
>> SHA256/512.  I am going to start clean with the stronger format, not 
>> migrate from the old MD5.  It seems all I need is:
>> [...] default_pass_scheme = SHAxxx-CRYPT [...]
>
> How do your users change their password ?
>

Many never do!  Those that do, use the Roundcube plugin, or ask me to 
change their password via the Postfixadmin manager.  Sigh.

> Here's how I configured my roundcube's password plugin to keep things 
> together ($roundcubefolder/plugins/password/config.php)
>
> $config['password_algorithm']        = 'dovecot';
> $config['password_algorithm_prefix'] = '{SHA512-CRYPT}';
> $config['password_dovecotpw_method'] = 'SHA512-CRYPT';
> $config['password_query']            = "UPDATE mail.users SET password=%P WHERE email=%u LIMIT 1";
>
> I left other fields alone.
>
> Yassine.
>
Thanks, much better info than I was seeing in my googling.  Except I 
would not use %p:

// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
// %p is replaced with the plaintext new password
// %c is replaced with the crypt version of the new password, MD5 if available
// otherwise DES.
// %D is replaced with the dovecotpw-crypted version of the new password
// %o is replaced with the password before the change
// %n is replaced with the hashed version of the new password
// %q is replaced with the hashed password before the change
// %h is replaced with the imap host (from the session info)
// %u is replaced with the username (from the session info)
// %l is replaced with the local part of the username
// (in case the username is an email address)
// %d is replaced with the domain part of the username
// (in case the username is an email address)



%D seems to be what I want...

And in mysql, I believe the table is mailbox.

$rcmail_config['password_query']  =  "UPDATE mailbox SET password = %D, modified = NOW() WHERE username = %u";


I got from: 
https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixadmin-and-roundcube/

thanks!
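To make concrete what %D (or `doveadm pw -s SHA512-CRYPT`) actually writes into the password column, here is an added, self-contained Python reimplementation of the SHA512-CRYPT scheme plus a verifier for the `{SHA512-CRYPT}` prefix that Dovecot's default_pass_scheme expects. This is example code written for this page, not code from the thread, from Roundcube or from Dovecot; the names `sha512_crypt`, `dovecot_hash` and `dovecot_verify` are my own, and the code assumes the standard `$6$[rounds=N$]salt$hash` layout and 5000 default rounds of glibc's crypt(3). It is meant for understanding and for checking stored values offline; a deployment should keep generating hashes with doveadm pw or the platform crypt library.

```python
import hashlib
import hmac
import secrets

# crypt(3) uses its own 64-character alphabet, not RFC 4648 base64.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Byte order in which the final 64-byte digest is encoded for the $6$ format:
# triples (i, i+21, i+42) rotated left by i % 3, then byte 63 on its own.
_PERM = [((i, i + 21, i + 42), (i + 21, i + 42, i), (i + 42, i, i + 21))[i % 3]
         for i in range(21)]


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Encode up to 24 bits as n characters, least significant 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _stretch(digest: bytes, length: int) -> bytes:
    """Repeat a 64-byte digest until it covers `length` bytes, then truncate."""
    return (digest * (length // 64 + 1))[:length]


def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """Return the $6$ crypt string for password/salt (the SHA-512 crypt scheme)."""
    salt = salt[:16]                      # the scheme caps the salt at 16 bytes
    b = hashlib.sha512(password + salt + password).digest()
    a = hashlib.sha512(password + salt)
    a.update(_stretch(b, len(password)))
    n = len(password)
    while n > 0:                          # one block per bit of len(password)
        a.update(b if n & 1 else password)
        n >>= 1
    digest = a.digest()
    # Byte sequences P (derived from the password) and S (from the salt).
    p = _stretch(hashlib.sha512(password * len(password)).digest(), len(password))
    s = _stretch(hashlib.sha512(salt * (16 + digest[0])).digest(), len(salt))
    for i in range(rounds):               # the cost factor: `rounds` iterations
        c = hashlib.sha512(p if i & 1 else digest)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(digest if i & 1 else p)
        digest = c.digest()
    encoded = "".join(_b64_24bit(digest[x], digest[y], digest[z], 4) for x, y, z in _PERM)
    encoded += _b64_24bit(0, 0, digest[63], 2)
    # Simplification: the rounds= field is written only for a non-default count.
    head = "$6$" if rounds == 5000 else "$6$rounds=%d$" % rounds
    return head + salt.decode("ascii") + "$" + encoded


def dovecot_hash(password: str, rounds: int = 5000) -> str:
    """Produce what Dovecot's SHA512-CRYPT scheme stores: {SHA512-CRYPT}$6$salt$hash."""
    salt = "".join(secrets.choice(_ITOA64) for _ in range(16))   # fresh random salt
    return "{SHA512-CRYPT}" + sha512_crypt(password.encode("utf-8"), salt.encode("ascii"), rounds)


def dovecot_verify(password: str, stored: str) -> bool:
    """Check a password against a {SHA512-CRYPT} entry; any other scheme is rejected."""
    if not stored.startswith("{SHA512-CRYPT}$6$"):
        return False
    parts = stored[len("{SHA512-CRYPT}"):].split("$")
    if len(parts) == 4:                                   # ['', '6', salt, hash]
        rounds, salt, expected = 5000, parts[2], parts[3]
    elif len(parts) == 5 and parts[2].startswith("rounds="):
        rounds, salt, expected = int(parts[2][7:]), parts[3], parts[4]
    else:
        return False
    recomputed = sha512_crypt(password.encode("utf-8"), salt.encode("ascii"), rounds)
    # Constant-time comparison of the hash field only, so an explicit rounds=5000 still matches.
    return hmac.compare_digest(recomputed.split("$")[-1], expected)


if __name__ == "__main__":
    entry = dovecot_hash("correct horse battery staple")   # constructed sample password
    print(entry)
    print(dovecot_verify("correct horse battery staple", entry))
```

The verifier reads the salt and round count back out of the stored string, which is why the stored value must keep the full `$6$...` form rather than only the hash part; the `{SHA512-CRYPT}` prefix is what lets Dovecot mix schemes in one table while you migrate, and it also means a row that still holds an MD5 value is simply rejected here rather than misread.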

