??????? Original Message ??????? On Tuesday, July 2, 2019 6:32 PM, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote:> I don't actually recommend using password directly from user as password for private keys, I recommend running them thru some hash / pkcs5 before that.That's a great idea and makes things even safer. I don't know much about PKCS5 but would SHA512 also be safe enough for hashing the password? SHA512 would then generate a 128 characters hash which I would then pass to the parameter "-o plugin/mail_crypt_private_password=" of my "doveadm mailbox cryptokey generate ..." command.
Aki Tuomi
2019-Jul-04 09:18 UTC
Percent character in mail_crypt_private_password not possible
On 2.7.2019 23.27, mabi wrote:> ??????? Original Message ??????? > On Tuesday, July 2, 2019 6:32 PM, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote: > >> I don't actually recommend using password directly from user as password for private keys, I recommend running them thru some hash / pkcs5 before that. > That's a great idea and makes things even safer. I don't know much about PKCS5 but would SHA512 also be safe enough for hashing the password? > > SHA512 would then generate a 128 characters hash which I would then pass to the parameter "-o plugin/mail_crypt_private_password=" of my "doveadm mailbox cryptokey generate ..." command. >It depends. You can use either one, see https://wiki2.dovecot.org/Variables I think the safest option would be setup LDAP so that the private password would be only readable by self, and have dovecot use bind authentication. This way you can export it only when you successfully log in to LDAP. Aki
??????? Original Message ??????? On Thursday, July 4, 2019 11:18 AM, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote:> It depends. You can use either one, seehttps://wiki2.dovecot.org/Variables > > I think the safest option would be setup LDAP so that the private > password would be only readable by self, and have dovecot use bind > authentication. This way you can export it only when you successfully > log in to LDAP.Good point regarding LDAP but right now I am using PostgreSQL as backend for storing my accounts and use the following "password_query" parameter: password_query = SELECT username AS user, password, '%w' AS userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u' So based on the Dovecot Variables wiki documentation you mention I could adapt my "password_query" parameter to the following in order to use a SHA512 hash of the password: password_query = SELECT username AS user, password, '%{sha512:w}' AS userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u' is this correct? I am also not sure about sha512 hash because the Dovecot Variable wiki page does not mention sha512 but only sha256. Is sha512 also available?
Seemingly Similar Threads
- Percent character in mail_crypt_private_password not possible
- Percent character in mail_crypt_private_password not possible
- bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password
- bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password
- Percent character in mail_crypt_private_password not possible