<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<blockquote type="cite">
<div>
On 13 February 2019 at 16:03 Robert Moskowitz via dovecot <
<a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>> wrote:
</div>
<div>
On 2/13/19 8:30 AM, Aki Tuomi wrote:
</div>
<blockquote type="cite">
<div>
On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
</div>
<div>
>
</div>
</blockquote>
<div>
>> On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
</div>
<div>
>>>
</div>
<div>
>>> On 13 February 2019 at 00:34:15, Robert Moskowitz
</div>
<div>
>>> <
<a href="mailto:rgm@htt-consult.com">rgm@htt-consult.com</a>> wrote:
</div>
<div>
>>>
</div>
<div>
>>>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
</div>
<div>
>>>>> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
</div>
<div>
>>>>>> I have been trying to find how to set the dovecot-sql.conf for using
</div>
<div>
>>>>>> SHA256/512. I am going to start clean with the stronger format, not
</div>
<div>
>>>>>> migrate from the old MD5. It seems all I need is:
</div>
<div>
>>>>> you might like to have a look at the hashing algo ARGON2I
</div>
<div>
>>>>> which is
</div>
<div>
>>>>> currently recommended for new developments and deployments.
</div>
<div>
>>>> Recommended by whom?
</div>
<div>
>>>>
</div>
<div>
>>>> Can you provide a link?
</div>
<div>
>>> Sure, please see here:
</div>
<div>
>>>
<a href="https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet" rel="noopener" target="_blank">https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet</a>
</div>
<div>
>>>
</div>
<div>
>>>>
</div>
<div>
>>>> And if I was adventurous about hashes, I would be looking more at
</div>
<div>
>>>> Keccak.
</div>
<div>
>>>>
</div>
<div>
>>>>
</div>
<div>
>>>> Check out my Internet Draft:
</div>
<div>
>>>>
</div>
<div>
>>>>
</div>
<div>
>>>> draft-moskowitz-small-crypto-00.txt
</div>
<div>
>>> Thanks for the tip, will have a look into it.
</div>
<div>
>> Keccak is a general hashing function. It was the first? of the
</div>
<div>
>> hashing 'sponge' functions, that many have followed. It is the basis
</div>
<div>
>> of SHA3 (at Keccak's greatest strength).
</div>
<div>
>>
</div>
<div>
>> Argon2 seems to be special-built for password hashing. Thing is it is
</div>
<div>
>> not supported on my CentOS7 system:
</div>
<div>
>>
</div>
<div>
>> # doveadm pw -l
</div>
<div>
>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
</div>
<div>
>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
</div>
<div>
>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
</div>
<div>
>> SHA256-CRYPT SHA512-CRYPT
</div>
<div>
>>
</div>
<div>
>> Of course SHA3 is not listed either...
</div>
<div>
>>
</div>
<div>
>>
</div>
<blockquote type="cite">
<div>
ARGON2 support is added in dovecot v2.3. It also needs to be enabled
</div>
<div>
when compiling dovecot, so depending on the packager it might or might not be
</div>
<div>
available. The CRYPT ones are available if crypt(3) supports them. In
</div>
<div>
dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.
</div>
</blockquote>
<div>
I just found an Argon2 binary for CentOS7:
</div>
<div>
<br>
</div>
<div>
Installing:
</div>
<div>
argon2 armv7hl 20161029-2.el7 epel 22 k
</div>
<div>
Installing for dependencies:
</div>
<div>
libargon2 armv7hl 20161029-2.el7 epel 26 k
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
How do I get Dovecot 2.2 to use it?
</div>
<div>
<br>
</div>
</blockquote>
<div>
You can use checkpassword. 2.2 has no argon2 support in itself.
</div>
<div class="io-ox-signature">
---
<br>Aki Tuomi
</div>
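<div>
A sketch of the checkpassword approach suggested above, added here as an example and not taken from the thread or from Dovecot itself. It assumes Python 3 with the argon2-cffi package installed, and the user file path and its user:home:hash line format are hypothetical stand-ins for the SQL lookup.
</div>

```python
#!/usr/bin/env python3
import os
import sys

EXIT_AUTH_FAILED = 1      # checkpassword convention: bad user or password
EXIT_TEMP_FAILURE = 111   # checkpassword convention: internal error
USER_FILE = "/etc/dovecot/argon2-users"  # hypothetical; lines are user:home:hash

def parse_request(data):
    # fd 3 carries username NUL password NUL; a missing field raises ValueError
    user, password = data.split(b"\0")[:2]
    return user.decode("utf-8"), password.decode("utf-8")

def lookup_user(user, path=USER_FILE):
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            name, home, encoded = line.rstrip("\n").split(":", 2)
            if name == user:
                return {"hash": encoded, "home": home}
    return None

def argon2_verify(encoded, password):
    """Check an encoded $argon2...$ hash with argon2-cffi (assumed installed)."""
    import argon2
    try:
        return argon2.PasswordHasher().verify(encoded, password)
    except argon2.exceptions.VerifyMismatchError:
        return False

def authenticate(data, lookup, verify):
    """Return (exit_code, env); exit_code 0 means the login is accepted."""
    try:
        user, password = parse_request(data)
        record = lookup(user)
        if record is None or not verify(record["hash"], password):
            return EXIT_AUTH_FAILED, {}
        return 0, {"USER": user, "HOME": record["home"]}
    except Exception:
        return EXIT_TEMP_FAILURE, {}

def main(argv):
    data = os.fdopen(3, "rb").read()          # Dovecot writes credentials to fd 3
    code, env = authenticate(data, lookup_user, argon2_verify)
    if code == 0:
        os.environ.update(env)
        os.execvp(argv[1], argv[1:])          # hand over to checkpassword-reply
    return code

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

<div>
Dovecot would run this through a passdb with driver = checkpassword and the script path in args.
</div>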
</body>
</html>