My /etc/dovecot/conf.d/auth-passwdfile.conf.ext is configured to use MD5

passdb {
  driver = passwd-file
  args = scheme=MD5 username_format=%n /etc/exim4/domains/%d/passwd
}

userdb {
  driver = passwd-file
  args = username_format=%n /etc/exim4/domains/%d/passwd
}

/home/account/conf/mail/domain.com/passwd has a mixture of MD5 & SHA512-CRYPT:

scanner:{MD5}$1$M5QuU7QI$AE7Nnorb8KC5KMvyYfVcr0:account:mail::/home/account:0:userdb_quota_rule=*:storage=0M
test:{SHA512-CRYPT}$6$towo0IVjzBgZ0htU$uTFbyJ3aPunrhsEEC2alHz6SEuPyBdL3JYDWc6Z0ZtA2cMFjFVJNqAwn04OKQfsu99DNcDGu21zkvdYbsPmgJ0:account:mail::/home/account:0:userdb_quota_rule=*:storage=0M

Everything is working fine, is this by design? In other words does the {MD5} vs {SHA512-CRYPT} in passwd over-rule auth-passwdfile.conf.ext ?

--
John Schmerold
Katy Computer Systems, Inc
https://katycomputer.com
St Louis

> does the {MD5} vs {SHA512-CRYPT} in passwd over-rule
> auth-passwdfile.conf.ext ?

Yes, this is by design and is why passwords are prefixed with the type. This allows easy upgrade to stronger encryption in the future without having to throw out all the old passwords at once. It allows users to re-create their password with the newer encryption on the next login. Otherwise how would they ever log in to change their password?

On Sat, Sep 11, 2021 at 08:07:31PM -0500, John Schmerold wrote:
> My /etc/dovecot/conf.d/auth-passwdfile.conf.ext is configured to use MD5
>
> passdb {
>   driver = passwd-file
>   args = scheme=MD5 username_format=%n /etc/exim4/domains/%d/passwd
> }
>
> userdb {
>   driver = passwd-file
>   args = username_format=%n /etc/exim4/domains/%d/passwd
> }
>
> /home/account/conf/mail/domain.com/passwd has a mixture of MD5 &
> SHA512-CRYPT:
>
> scanner:{MD5}$1$M5QuU7QI$AE7Nnorb8KC5KMvyYfVcr0:account:mail::/home/account:0:userdb_quota_rule=*:storage=0M
> test:{SHA512-CRYPT}$6$towo0IVjzBgZ0htU$uTFbyJ3aPunrhsEEC2alHz6SEuPyBdL3JYDWc6Z0ZtA2cMFjFVJNqAwn04OKQfsu99DNcDGu21zkvdYbsPmgJ0:account:mail::/home/account:0:userdb_quota_rule=*:storage=0M
>
> Everything is working fine, is this by design? In other words does the {MD5}
> vs {SHA512-CRYPT} in passwd over-rule auth-passwdfile.conf.ext ?
>

If you can, I would get rid of MD5. It's no longer secure.
Sending out mountains of spam if a password gets cracked could be problematic. :-{

I'm getting ready to drop using MD5 on secure cookies for that very reason. Website software, not dovecot.

Hopefully that's helpful.
I dropped one of my bare metal servers because the company couldn't keep other spammers off of the IP block I was in. They refused to do anything to clean up their blacklist, which included me unfortunately.

Chris Bennett
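
An added example (not written by any poster in this thread, and not Dovecot's own code): a small Python audit that applies the rule confirmed in the replies above, where a {SCHEME} prefix on an entry takes precedence over the scheme= default in the passdb args, and reports which accounts still resolve to MD5. The sample entries are constructed, and the WEAK_SCHEMES set and function names are this example's own choices.

```python
import re

# Schemes this example flags as weak: a policy choice made here, not a Dovecot list.
WEAK_SCHEMES = {"PLAIN", "PLAIN-MD5", "MD5", "MD5-CRYPT"}
PREFIX_RE = re.compile(r"^\{([^}]+)\}")

# passdb args as shown in the thread.
ARGS = "scheme=MD5 username_format=%n /etc/exim4/domains/%d/passwd"

# Constructed sample entries (placeholder hashes, not real credentials).
SAMPLE = """\
# constructed passwd-file for the audit example
alice:{MD5}$1$CONSTRUCTED$placeholderhashA:account:mail::/home/account:0
bob:{SHA512-CRYPT}$6$CONSTRUCTED$placeholderhashB:account:mail::/home/account:0
carol:$1$CONSTRUCTED$placeholderhashC:account:mail::/home/account:0
dave:{SHA256.HEX}0000:account:mail::/home/account:0
"""

def default_scheme(passdb_args):
    """Return the scheme= value from the passdb args, or None if it is not set."""
    for token in passdb_args.split():
        if token.startswith("scheme="):
            return token.split("=", 1)[1].upper()
    return None

def effective_scheme(password_field, default):
    """A {SCHEME} prefix on the entry wins; otherwise the configured default applies."""
    m = PREFIX_RE.match(password_field)
    if m:
        # Drop an optional encoding suffix such as ".HEX" or ".b64".
        return m.group(1).split(".", 1)[0].upper(), "prefix"
    return default, "default"

def audit(passwd_text, passdb_args):
    """Return one finding per account: user, effective scheme, its source, weak flag."""
    default = default_scheme(passdb_args)
    findings = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        fields = line.split(":")
        if len(fields) < 2:
            continue  # no password field to inspect
        scheme, source = effective_scheme(fields[1], default)
        findings.append({"user": fields[0], "scheme": scheme,
                         "source": source, "weak": scheme in WEAK_SCHEMES})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE, ARGS):
        print(f"{f['user']:8} {f['scheme']:14} ({f['source']}) weak={f['weak']}")
```

Entries without a prefix, like the constructed "carol" line, are the ones that change meaning if the scheme= default is ever edited, so they are worth prefixing explicitly before switching the default.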