On 11.01.2017 09:45, Michael A. Peters wrote: > Howdy - > > For most of my dovecot servers, they are small and I just use unix > accounts. > > However I am going to be running a new server for more general users, > webmail (probably roundcube but I'm hacking roundcube quite a bit, > enough that I'm calling it squarepeg instead so users familiar with > roundcube will know it is quite different) and it will use MariaDB for > account management. > > I already have it working, following the instructions at > https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql-on-centos-5/ > - those instructions also work in CentOS 7 with the latest Dovecot - > but there is something that really bothers me. > > It makes no provision for salting the password before the crypt function. > > What I would like to do is when creating a new account, use > /dev/urandom to generate a random salt for the account that is stuck > in the database along with the account and used when validating the > password. > > That way in the event of a SQL injection attack that dumps the > database - yes it is still bad, but 20 accounts that have the same > password will have radically different hashes and thus won't be a clue > that they are the same, the blackhat that gets the database dump would > have to generate a rainbow table for each unique salt. > > I've looked at at least a dozen different Dovecot / MariaDB howto > guides and none of the ones I have looked at supported any kind of > individual salting of the user passwords. > > Can someone point me to a guide that does? > > I don't mind keeping the salt in the database, I just want to be able > to have a different salt for each account. > > Thank you
Hi! Try using doveadm pw -S SSHA256 for generating the password. The salt is included in the password hash. Aki
