I have been trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is:

    driver = mysql
    connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password
    default_pass_scheme = SHAxxx-CRYPT
    # following should all be on one line.
    password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
    # following should all be on one line
    user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=30000:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1'

where xxx is either 256 or 512. All the rest I have been finding in my searches concern converting the format and are not needed for a clean start?

thanks
Here I have SSHA256 working with:

    default_pass_scheme = PLAIN

and my database scheme just received the hashed password prefixed by the SSHA indicator, just like:

    mysql> select * from emails where endereco = 'solutti at XXXXXXXXX'\G
    *************************** 1. row ***************************
    endereco: solutti at XXXXXXXXXXXXXX
    password: {SSHA256.HEX}d90bac4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
       quota: 51200

On 12/02/2019 14:05, Robert Moskowitz via dovecot wrote:
> I have been trying to find how to set the dovecot-sql.conf for using
> SHA256/512. I am going to start clean with the stronger format, not
> migrate from the old MD5. It seems all I need is:
>
>     driver = mysql
>     connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password
>     default_pass_scheme = SHAxxx-CRYPT
>     # following should all be on one line.
>     password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
>     # following should all be on one line
>     user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=30000:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1'
>
> where xxx is either 256 or 512. All the rest I have been finding in my
> searches concern converting the format and are not needed for a clean
> start?
>
> thanks

-- 
Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it:
gertrudes at solutti.com.br
My SPAMTRAP, do not email it
> On 12 February 2019 at 19:24 Leonardo Rodrigues via dovecot <dovecot at dovecot.org> wrote:
>
> Here I have SSHA256 working with:
>
>     default_pass_scheme = PLAIN
>
> and my database scheme just received the hashed password prefixed
> by the SSHA indicator, just like:
>
>     mysql> select * from emails where endereco = 'solutti at XXXXXXXXX'\G
>     *************************** 1. row ***************************
>     endereco: solutti at XXXXXXXXXXXXXX
>     password: {SSHA256.HEX}d90bac4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>        quota: 51200
>
> On 12/02/2019 14:05, Robert Moskowitz via dovecot wrote:
>> I have been trying to find how to set the dovecot-sql.conf for using
>> SHA256/512. I am going to start clean with the stronger format, not
>> migrate from the old MD5. It seems all I need is:
>>
>>     driver = mysql
>>     connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password
>>     default_pass_scheme = SHAxxx-CRYPT
>>     # following should all be on one line.
>>     password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
>>     # following should all be on one line
>>     user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=30000:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1'
>>
>> where xxx is either 256 or 512. All the rest I have been finding in my
>> searches concern converting the format and are not needed for a clean
>> start?
>>
>> thanks
>
> -- 
> Atenciosamente / Sincerely,
> Leonardo Rodrigues
> Solutti Tecnologia
> http://www.solutti.com.br
>
> My SPAM trap, do NOT send email to it:
> gertrudes at solutti.com.br
> My SPAMTRAP, do not email it

You can use the {CRYPT} prefix in the password field; this will cover both SHA256 and SHA512, unless you want to be explicit about which one it is. The .HEX thing is not usually needed.

Aki
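The three messages above describe how Dovecot decides which scheme protects a stored password: a {SCHEME} prefix in the password column wins, a bare {CRYPT} is resolved through the crypt(3) $id$ marker ($5$ for SHA256, $6$ for SHA512), and a value without any prefix falls back to default_pass_scheme. As an added example (not code from this thread, from Dovecot or from Roundcube), the Python script below builds and verifies {SSHA256} / {SSHA256.HEX} values and audits a set of constructed mailbox rows for the scheme actually in use, so that leftover MD5 entries show up before a migration is declared finished. It assumes the Dovecot SSHA256 layout of SHA-256(password || salt) followed by the salt; the usernames, salts and hash strings are constructed placeholders, and the ok/acceptable/legacy ranking is this example's own, not a Dovecot classification.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Scheme names as they appear in a Dovecot {SCHEME} prefix (matched case-insensitively).
# The grouping is this example's own judgement: salted crypt(3)/Argon2 schemes are
# preferred, plain salted SHA is acceptable but fast, unsalted or legacy schemes are flagged.
PREFERRED = {"SHA512-CRYPT", "SHA256-CRYPT", "BLF-CRYPT", "ARGON2I", "ARGON2ID"}
ACCEPTABLE = {"SSHA256", "SSHA512"}
LEGACY = {"PLAIN", "CLEARTEXT", "PLAIN-MD5", "MD5", "LDAP-MD5", "SMD5",
          "MD5-CRYPT", "SHA", "SHA1", "SSHA", "CRYPT-DES"}

# crypt(3) "$id$" markers that a bare {CRYPT} value resolves to.
CRYPT_IDS = {"$1$": "MD5-CRYPT", "$2a$": "BLF-CRYPT", "$2b$": "BLF-CRYPT",
             "$2y$": "BLF-CRYPT", "$5$": "SHA256-CRYPT", "$6$": "SHA512-CRYPT"}

# {SCHEME} or {SCHEME.HEX} / {SCHEME.B64} prefix followed by the encoded value.
PREFIX_RE = re.compile(r"^\{([A-Za-z0-9-]+)(?:\.(HEX|B64|BASE64))?\}(.*)$",
                       re.IGNORECASE | re.DOTALL)


def split_scheme(stored: str) -> Tuple[Optional[str], str, str]:
    """Split '{SCHEME[.ENC]}value' into (SCHEME, ENC, value); no prefix gives (None, '', stored)."""
    m = PREFIX_RE.match(stored)
    if not m:
        return None, "", stored
    return m.group(1).upper(), (m.group(2) or "").upper(), m.group(3)


def ssha256_hash(password: str, salt: Optional[bytes] = None, hex_encoding: bool = False) -> str:
    """Produce a {SSHA256} (base64) or {SSHA256.HEX} value: SHA-256(password || salt) then the salt."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-password salt
    raw = hashlib.sha256(password.encode("utf-8") + salt).digest() + salt
    if hex_encoding:
        return "{SSHA256.HEX}" + raw.hex()
    return "{SSHA256}" + base64.b64encode(raw).decode("ascii")


def ssha256_verify(stored: str, password: str) -> bool:
    """Check a password against a stored {SSHA256} / {SSHA256.HEX} value (constant-time compare)."""
    scheme, enc, value = split_scheme(stored)
    if scheme != "SSHA256":
        return False
    try:
        raw = bytes.fromhex(value) if enc == "HEX" else base64.b64decode(value, validate=True)
    except (ValueError, binascii.Error):
        return False  # undecodable entry never verifies
    size = hashlib.sha256().digest_size
    if len(raw) <= size:
        return False  # no salt present: malformed entry
    digest, salt = raw[:size], raw[size:]
    expected = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def effective_scheme(stored: str, default_pass_scheme: str) -> str:
    """Name the scheme protecting a stored value: the {SCHEME} prefix if present, else
    default_pass_scheme; a bare {CRYPT} is resolved through its crypt(3) $id$ marker."""
    scheme, _, value = split_scheme(stored)
    if scheme is None:
        scheme = default_pass_scheme.upper()
    if scheme == "CRYPT":
        for marker, name in CRYPT_IDS.items():
            if value.startswith(marker):
                return name
        return "CRYPT-DES"  # traditional crypt(3) output carries no $id$ marker
    return scheme


def audit(rows, default_pass_scheme: str) -> List[Tuple[str, str, str]]:
    """Classify each (username, password) row as returned by password_query."""
    report = []
    for user, stored in rows:
        scheme = effective_scheme(stored, default_pass_scheme)
        if scheme in PREFERRED:
            verdict = "ok"
        elif scheme in ACCEPTABLE:
            verdict = "acceptable"
        elif scheme in LEGACY:
            verdict = "legacy"
        else:
            verdict = "unknown"
        report.append((user, scheme, verdict))
    return report


# Constructed sample rows standing in for the mailbox table; users, salts and hashes are made up.
SAMPLE_ROWS = [
    ("alice@example.test", ssha256_hash("correct horse", salt=b"\x00\x01\x02\x03\x04\x05\x06\x07")),
    ("bob@example.test", ssha256_hash("battery staple", salt=b"saltsalt", hex_encoding=True)),
    ("carol@example.test", "{CRYPT}$6$examplesalt$NOT.A.REAL.HASH.placeholder"),
    ("dave@example.test", "$6$examplesalt$NOT.A.REAL.HASH.placeholder"),  # no prefix: default applies
    ("erin@example.test", "{PLAIN-MD5}" + "0" * 32),                        # legacy, unsalted
    ("frank@example.test", "{CRYPT}$1$examplesalt$NOT.A.REAL.HASH.placeholder"),
]


def sample_report() -> List[Tuple[str, str, str]]:
    return audit(SAMPLE_ROWS, default_pass_scheme="SHA512-CRYPT")


if __name__ == "__main__":
    for user, scheme, verdict in sample_report():
        print(f"{user:22} {scheme:14} {verdict}")
    print("alice verifies:", ssha256_verify(SAMPLE_ROWS[0][1], "correct horse"))
```

On a real system the rows would come from the same password_query the passdb uses, so the audit sees exactly what Dovecot sees; anything reported as "legacy" is a row the clean start has not yet reached.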
On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
> I have been trying to find how to set the dovecot-sql.conf for using
> SHA256/512. I am going to start clean with the stronger format, not
> migrate from the old MD5. It seems all I need is:

You may want to have a look at the hashing algorithm ARGON2I, which is currently recommended for new developments and deployments.

Regards
Matthias

-- 
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook
On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
>> I have been trying to find how to set the dovecot-sql.conf for using
>> SHA256/512. I am going to start clean with the stronger format, not
>> migrate from the old MD5. It seems all I need is:
> You may want to have a look at the hashing algorithm ARGON2I, which is
> currently recommended for new developments and deployments.

Recommended by whom? Can you provide a link?

And if I was adventurous about hashes, I would be looking more at Keccak. Check out my Internet Draft:

draft-moskowitz-small-crypto-00.txt
On 2/12/19 5:05 PM, Robert Moskowitz via dovecot wrote:
> I have been trying to find how to set the dovecot-sql.conf for using
> SHA256/512. I am going to start clean with the stronger format, not
> migrate from the old MD5. It seems all I need is:
> [...]
> default_pass_scheme = SHAxxx-CRYPT
> [...]

How do your users change their password?

Here's how I configured my roundcube's password plugin to keep things together ($roundcubefolder/plugins/password/config.php):

    $config['password_algorithm']        = 'dovecot';
    $config['password_algorithm_prefix'] = '{SHA512-CRYPT}';
    $config['password_dovecotpw_method'] = 'SHA512-CRYPT';
    $config['password_query']            = "UPDATE mail.users SET password=%P WHERE email=%u LIMIT 1";

I left other fields alone.

Yassine.
On 2/20/19 5:09 AM, Yassine Chaouche via dovecot wrote:
> On 2/12/19 5:05 PM, Robert Moskowitz via dovecot wrote:
>> I have been trying to find how to set the dovecot-sql.conf for using
>> SHA256/512. I am going to start clean with the stronger format, not
>> migrate from the old MD5. It seems all I need is:
>> [...]
>> default_pass_scheme = SHAxxx-CRYPT
>> [...]
>
> How do your users change their password?

Many never do! Those that do use the Roundcube plugin, or ask me to change their password via the Postfixadmin manager. Sigh.

> Here's how I configured my roundcube's password plugin to keep things
> together ($roundcubefolder/plugins/password/config.php):
>
>     $config['password_algorithm']        = 'dovecot';
>     $config['password_algorithm_prefix'] = '{SHA512-CRYPT}';
>     $config['password_dovecotpw_method'] = 'SHA512-CRYPT';
>     $config['password_query']            = "UPDATE mail.users SET password=%P WHERE email=%u LIMIT 1";
>
> I left other fields alone.
>
> Yassine.

Thanks, much better info than I was seeing in my googling. Except I would not use %p:

    // The SQL query used to change the password.
    // The query can contain the following macros that will be expanded as follows:
    // %p is replaced with the plaintext new password
    // %c is replaced with the crypt version of the new password, MD5 if available
    //    otherwise DES.
    // %D is replaced with the dovecotpw-crypted version of the new password
    // %o is replaced with the password before the change
    // %n is replaced with the hashed version of the new password
    // %q is replaced with the hashed password before the change
    // %h is replaced with the imap host (from the session info)
    // %u is replaced with the username (from the session info)
    // %l is replaced with the local part of the username
    //    (in case the username is an email address)
    // %d is replaced with the domain part of the username
    //    (in case the username is an email address)

%D seems to be what I want... And in mysql, I believe the table is mailbox.

    $rcmail_config['password_query'] = "UPDATE mailbox SET password = %D, modified = NOW() WHERE username = %u";

I got it from: https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixadmin-and-roundcube/

thanks!