Dan,

Good explanations of how the crypted password contains the hash specification and the salt. Thank you. I looked through the dovecot documentation, and they describe the $1$ through $6$ just as you did. Therefore this seems a generally accepted password storage format.

However, I just searched through all of the vpopmail source code (v5.4.33). There are numerous hits for "md5" but none for "sha1", "sha-1", "sha256", or "sha-256". I visually inspected the header files, and there is a #define for MD5_PASSWORDS but for no other hashes. As best I can tell, it seems that the crypted password is stored using a format which accepts newer hashes, but it seems that vpopmail currently has no ability to use newer hashes.

-Andy

On 10/3/2018 1:30 PM, Dan McAllister - QMT DNS wrote:
> One more item -- I agree that the password hashing algorithm could stand to
> be updated -- and there is NOT a backward compatibility issue with updating
> our algorithms because the mechanism is CODED to show which algorithm is used
> (the $1$ currently there, maybe a $6$ in the future?)
>
> However, we would need to check with the qmail code, as well as DoveCot, to
> determine if they can support/recognize those other algorithms.
>
> Dan
>
> -----Original Message-----
> From: Eric Broch <ebr...@whitehorsetc.com>
> Sent: Wednesday, October 3, 2018 4:34 PM
> To: email@example.com
> Subject: Re: [qmailtoaster] Passwords after backup/restore
>
>> The newer DoveCot IMAP server "appears" to be authenticating against
>> the cleartext password
> It does. I checked the code.
>
> I've submitted a question to the Dovecot mailing list concerning this, that
> is, whether there is a configuration option to authorize against the hash, or
> whether there is an option at compile or link time to accomplish the same.
> It'd be nice to have a configuration option, IMHO, that way no re-compilation
> would be necessary.
>
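Added example, not part of the original message and not vpopmail or Dovecot code: a small parser for the `$id$salt$hash` storage format discussed in this thread, used to list which accounts are still stored with the `$1$` (MD5) scheme. The names `parse_crypt`, `accounts_on_md5` and the sample entries are assumptions made for illustration; the optional `rounds=N` field and its default of 5000 are the SHA-crypt convention, which the thread does not mention.

```python
# Added example: classify crypt(3)-style strings by their "$id$" prefix.
from typing import Dict, List, NamedTuple, Optional

SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
SHA_CRYPT_DEFAULT_ROUNDS = 5000  # applies when no "rounds=N" field is present


class CryptInfo(NamedTuple):
    scheme: str            # "unknown" if the prefix is not in SCHEMES
    rounds: Optional[int]  # only set for the SHA-crypt schemes
    salt: str


def parse_crypt(stored: str) -> CryptInfo:
    """Split '$id$[rounds=N$]salt$hash' into scheme, rounds and salt."""
    parts = stored.split("$")
    # A string in this format starts with '$', so parts[0] must be empty.
    if len(parts) < 4 or parts[0] != "" or parts[1] not in SCHEMES:
        return CryptInfo("unknown", None, "")
    scheme, fields = SCHEMES[parts[1]], parts[2:]
    rounds = None
    if scheme != "md5-crypt":
        rounds = SHA_CRYPT_DEFAULT_ROUNDS
        if fields[0].startswith("rounds="):
            value = fields[0][len("rounds="):]
            if not value.isdigit() or len(fields) < 3:
                return CryptInfo("unknown", None, "")
            rounds, fields = int(value), fields[1:]
    if len(fields) != 2 or not fields[0] or not fields[1]:
        return CryptInfo("unknown", None, "")
    return CryptInfo(scheme, rounds, fields[0])


def accounts_on_md5(entries: Dict[str, str]) -> List[str]:
    """Return the accounts whose stored hash still uses the $1$ scheme."""
    return sorted(user for user, stored in entries.items()
                  if parse_crypt(stored).scheme == "md5-crypt")


# Constructed sample data: salts and hash fields are placeholders, not real hashes.
SAMPLE = {
    "alice": "$1$Xy7abcde$PLACEHOLDERHASH0000000",
    "bob": "$6$rounds=100000$saltsaltsaltsalt$PLACEHOLDERHASH",
    "carol": "$5$saltsalt$PLACEHOLDERHASH",
    "dave": "PLACEHOLDERNOPREFIX",
}
```

Strings without a recognised prefix are reported as `unknown` rather than guessed at, so they can be reviewed separately from the `$1$` entries.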