search for: pkcs5

...sh :-) and I get this error: /bin/bash ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -MT pkcs5.lo -MD -MP -MF .deps/pkcs5.Tpo -c -o pkcs5.lo pkcs5.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -MT pkcs5.lo -MD...

...ror: > > /bin/bash ../../libtool --tag=CC --mode=compile gcc > -DHAVE_CONFIG_H -I. -I../.. -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes > -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 > -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -MT pkcs5.lo -MD > -MP -MF .deps/pkcs5.Tpo -c -o pkcs5.lo pkcs5.c libtool: compile: gcc > -DHAVE_CONFIG_H -I. -I../.. -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes > -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 > -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing...

Is any of the password schemes supported or is there a reason you chose pkcs5? 4. Sep. 2019, 08:45 von aki.tuomi at open-xchange.com: > > It should pick up the password used by the user, there is a caveat here though. The keypair is created on first use, so password will be initialized to empty string going thru pkcs5. This is slightly inconvenient. &...

...; I'm using a passwd file for authentication. >> >> I feel uncomfortable saving the private password in plaintext in that file. >> >> Regards >> > > > > > You can try in passdb return > > > userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password} > > > Aki > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20190904/0bb9ee11/attachment-0001.html>

??????? Original Message ??????? On Tuesday, July 2, 2019 6:32 PM, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote: > I don't actually recommend using password directly from user as password for private keys, I recommend running them thru some hash / pkcs5 before that. That's a great idea and makes things even safer. I don't know much about PKCS5 but would SHA512 also be safe enough for hashing the password? SHA512 would then generate a 128 characters hash which I would then pass to the parameter "-o plugin/mail_crypt_private_password=...

??????? Original Message ??????? On Tuesday, July 2, 2019 6:21 PM, Aki Tuomi <aki.tuomi at open-xchange.com> wrote: > Hi, you need to escape % with %%. We are aware of a bug affecting when % comes in from some field via userdb, and we are looking into how to fix this. Hi Aki, Thank you very much for your very fast answer. I will then simply double the percent character as workaround

It should pick up the password used by the user, there is a caveat here though. The keypair is created on first use, so password will be initialized to empty string going thru pkcs5. This is slightly inconvenient. To avoid this, you should probably have protocol imap { ??? passdb { ????? driver = static ????? args = userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password} } and initialize the keypair using doveadm and set the password to this value the...

...mabi wrote: > ??????? Original Message ??????? > On Tuesday, July 2, 2019 6:32 PM, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote: > >> I don't actually recommend using password directly from user as password for private keys, I recommend running them thru some hash / pkcs5 before that. > That's a great idea and makes things even safer. I don't know much about PKCS5 but would SHA512 also be safe enough for hashing the password? > > SHA512 would then generate a 128 characters hash which I would then pass to the parameter "-o plugin/mail_crypt_priv...

Hello there, is there a way to make the mailcrypt plugin use the user's password or at least store it in a hashed value? I'm using a passwd file for authentication. I feel uncomfortable saving the private password in plaintext in that file. Regards -------------- next part -------------- An HTML attachment was scrubbed... URL:

Hello Community, (sorry to be more busy, hence more running questions in parallel :) ) As mentioned in another post, I am testing mail_crypt plugin. I was wondering how to really secure the process sothat even the admin cannot have any access to the other users mail content. My current config is simple: - using per-folder keys (hence the per-user spaces are preserved) - put the

...map/pop3 proxy: If passdb returns proxy_not_trusted, don't send ID/XCLIENT + Added generic hash modifier for %variables: %{<hash algorithm>;rounds=<n>,truncate=<bits>,salt=s>:field} Hash algorithm is any of the supported ones, e.g. md5, sha1, sha256. Also "pkcs5" is supported using SHA256. For example: %{sha256:user} or %{md5;truncate=32:user}. + Added support for SHA3-256 and SHA3-512 hashes. + config: Support DNS wildcards in local_name, e.g. local_name *.example.com { .. } matches anything.example.com, but not multiple.anything.example.c...

...map/pop3 proxy: If passdb returns proxy_not_trusted, don't send ID/XCLIENT + Added generic hash modifier for %variables: %{<hash algorithm>;rounds=<n>,truncate=<bits>,salt=s>:field} Hash algorithm is any of the supported ones, e.g. md5, sha1, sha256. Also "pkcs5" is supported using SHA256. For example: %{sha256:user} or %{md5;truncate=32:user}. + Added support for SHA3-256 and SHA3-512 hashes. + config: Support DNS wildcards in local_name, e.g. local_name *.example.com { .. } matches anything.example.com, but not multiple.anything.example.c...

...ix.o test_lib-test-json-parser.o test_lib-test-json-tree.o test_lib-test-lib-signals.o test_lib-test-llist.o test_lib-test-log-throttle.o test_lib-test-malloc-overflow.o test_lib-test-memarea.o test_lib-test-mempool.o test_lib-test-mempool-allocfree.o test_lib-test-mempool-alloconly.o test_lib-test-pkcs5.o test_lib-test-net.o test_lib-test-numpack.o test_lib-test-ostream-buffer.o test_lib-test-ostream-failure-at.o test_lib-test-ostream-file.o test_lib-test-ostream-multiplex.o test_lib-test-multiplex.o test_lib-test-path-util.o test_lib-test-primes.o test_lib-test-printf-format-fix.o test_lib-test-p...

...map/pop3 proxy: If passdb returns proxy_not_trusted, don't send ID/XCLIENT + Added generic hash modifier for %variables: %{<hash algorithm>;rounds=<n>,truncate=<bits>,salt=s>:field} Hash algorithm is any of the supported ones, e.g. md5, sha1, sha256. Also "pkcs5" is supported using SHA256. For example: %{sha256:user} or %{md5;truncate=32:user}. + Added support for SHA3-256 and SHA3-512 hashes. + config: Support DNS wildcards in local_name, e.g. local_name *.example.com { .. } matches anything.example.com, but not multiple.anything.example.c...

...cause by default Dovecot limits the auth process's VSZ and exits on any memory allocation failure, the auth process typically dies afterwards and is immediately restarted. This may result in some user authentications getting temporary internal failures. Excessive CPU usage could be done with %{pkcs5;rounds=100000000:user} variable introduced in v2.2.27. Please use this https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch to fix this issue, it should be applicable to older versions too. Please let us know if you need assistance in patching. --- Aki Tuomi Dovec...

...map/pop3 proxy: If passdb returns proxy_not_trusted, don't send ID/XCLIENT + Added generic hash modifier for %variables: %{<hash algorithm>;rounds=<n>,truncate=<bits>,salt=s>:field} Hash algorithm is any of the supported ones, e.g. md5, sha1, sha256. Also "pkcs5" is supported using SHA256. For example: %{sha256:user} or %{md5;truncate=32:user}. + Added support for SHA3-256 and SHA3-512 hashes. + config: Support DNS wildcards in local_name, e.g. local_name *.example.com { .. } matches anything.example.com, but not multiple.anything.example.c...

...crypt/decrypt the keys using the user's password? > > - other? > > > Thank you for you help. (sorry for possible duplicate) You can use userdb attribute mail_crypt_private_password to encrypt the private key. You can use something like userdb_mail_crypt_private_password = %{pkcs5;salt=<random string>%Lu:password} to generate the encryption password on the fly from passdb. Aki Tuomi Dovecot Oy

...uch for your very fast answer. I will then simply double the percent character as workaround for now as you suggest. butterfingers me, sending empty replies.. I don't actually recommend using password *directly* from user as password for private keys, I recommend running them thru some hash / pkcs5 before that. Aki

...ser's password or > at least store it in a hashed value? > > I'm using a passwd file for authentication. > > I feel uncomfortable saving the private password in plaintext in that > file. > > Regards You can try in passdb return userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password} Aki -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20190904/8531e689/attachment.html>