Using SHA256/512 for SQL based password
Yassine Chaouche
a.chaouche at algerian-radio.dz
Wed Feb 20 17:12:57 EET 2019
On 2/20/19 3:28 PM, Robert Moskowitz via dovecot wrote:
>
>> Here's how I configured my roundcube's password plugin to keep things
>> together ($roundcubefolder/plugins/password/config.php)
>>
>> $config['password_algorithm'] = 'dovecot';
>> $config['password_algorithm_prefix'] = '{SHA512-CRYPT}';
>> $config['password_dovecotpw_method'] = 'SHA512-CRYPT';
>> $config['password_query'] = "UPDATE mail.users SET password=%P WHERE email=%u LIMIT 1";
>>
>> I left other fields alone.
>>
>> Yassine.
>>
> Thanks much better info than I was seeing in my googling. Except I
> would not use %p:
>
> // The SQL query used to change the password.
> // The query can contain the following macros that will be expanded as follows:
> // %p is replaced with the plaintext new password
> // %c is replaced with the crypt version of the new password, MD5 if available
> // otherwise DES.
> // %D is replaced with the dovecotpw-crypted version of the new password
> [...]
>
> %D seems to be what I want...
>
The rcmail_config[] syntax you pasted in your mail indicates you're
using a very old version of roundcube. Here's the relevant content of my
version of the password plugin:
// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
// %p is replaced with the plaintext new password
// %P is replaced with the crypted/hashed new password
// according to configured password_method
[...]
// Deprecated macros:
// %c is replaced with the crypt version of the new password, MD5 if available
// otherwise DES. More hash function can be enabled using the password_crypt_hash
// configuration parameter.
// %D is replaced with the dovecotpw-crypted version of the new password
[...]
Notice the difference b/w %p and %P. Also notice that %D is marked as
deprecated.
> And in mysql, I believe the table is mailbox.
>
Oh that depends entirely on your choice of naming and what table
structure you have chosen.
>
> I got from:
> https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixadmin-and-roundcube/
>
Ah, it seems Aki and I have already visited this link before ^^'
Yassine.
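
Added example, not part of the original thread and not Roundcube or Dovecot code: a Python check that audits values read from the password column and flags anything that is not a well-formed {SHA512-CRYPT} hash, which is what a password_query using %p instead of %P would leave behind. The function names and sample rows are constructed for illustration; the hash bodies are filler characters, not real hashes.

```python
import re

# Dovecot stores the scheme as a {SCHEME} prefix in front of the hash.
SCHEME_RE = re.compile(r"\{([A-Za-z0-9.-]+)\}(.*)", re.S)
# SHA512-crypt layout: $6$[rounds=N$]salt$hash, salt <= 16 chars, hash = 86 chars.
SHA512_CRYPT_RE = re.compile(
    r"\$6\$(?:rounds=(\d+)\$)?([^$]{0,16})\$([./0-9A-Za-z]{86})"
)


def classify(stored):
    """Return a short verdict for one value of the password column."""
    m = SCHEME_RE.fullmatch(stored)
    if not m:
        # No {SCHEME} prefix: a bare crypt string or, worse, plaintext (%p).
        if SHA512_CRYPT_RE.fullmatch(stored):
            return "sha512-crypt-no-prefix"
        return "unprefixed-possible-plaintext"
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme in ("PLAIN", "CLEARTEXT"):
        return "plaintext"
    if scheme != "SHA512-CRYPT":
        return "other-scheme:" + scheme
    if not SHA512_CRYPT_RE.fullmatch(body):
        return "malformed-sha512-crypt"
    return "ok"


def audit(rows):
    """rows: iterable of (email, stored_password); returns the non-ok findings."""
    return [(email, v) for email, pw in rows if (v := classify(pw)) != "ok"]


# Constructed sample rows, shaped like SELECT email, password FROM mail.users.
FILLER = "a" * 86  # placeholder hash body, not a real digest
SAMPLE_ROWS = [
    ("alice@example.org", "{SHA512-CRYPT}$6$abcdefghijklmnop$" + FILLER),
    ("bob@example.org", "hunter2"),                       # what %p would store
    ("carol@example.org", "{MD5-CRYPT}$1$abcdefgh$" + "b" * 22),
    ("dave@example.org", "$6$abcdefghijklmnop$" + FILLER),  # prefix missing
]

if __name__ == "__main__":
    for email, verdict in audit(SAMPLE_ROWS):
        print(email, verdict)
```
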