Dan,

Good explanations of how the crypted password contains the hash
specification and the salt.  Thank you.  I looked through the dovecot
documentation, and they describe the $1$ through $6$ just as you did.
Therefore this seems a generally accepted password storage format.

However, I just searched through all of the vpopmail source code
(v5.4.33).  There are numerous hits for "md5" but none for "sha1",
"sha-1", "sha256", or "sha-256".  I visually inspected the header files,
and there is a #define for MD5_PASSWORDS but for no other hashes.

As best I can tell, it seems that the crypted password is stored using a
format which accepts newer hashes, but it seems that vpopmail currently
has no ability to use newer hashes.

-Andy


On 10/3/2018 1:30 PM, Dan McAllister - QMT DNS wrote:
> One more item -- I agree that the password hashing algorithm could stand to 
> be updated -- and there is NOT a backward compatibility issue with updating 
> our algorithms because the mechanism is CODED to show which algorithm is used 
> (the $1$ currently there, maybe a $6$ in the future?)
> 
> However, we would need to check with the qmail code, as well as Dovecot, to 
> determine if they can support/recognize those other algorithms.
> 
> Dan
> 
> -----Original Message-----
> From: Eric Broch <ebr...@whitehorsetc.com> 
> Sent: Wednesday, October 3, 2018 4:34 PM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] Passwords after backup/restore
> 
>> The newer Dovecot IMAP server "appears" to be authenticating against 
>> the cleartext password
> It does. I checked the code.
> 
> I've submitted a question to the Dovecot mailing list concerning this, that 
> is, whether there is a configuration option to authorize against the hash, or 
> whether there is an option at compile or link time to accomplish the same. 
> It'd be nice to have a configuration option, IMHO, that way no re-compilation 
> would be necessary.
> 
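
Added example, not part of the original messages and not vpopmail or Dovecot code: a Python parser showing how the `$id$` prefix discussed in this thread identifies the hash behind each stored password, so accounts still on MD5 or older can be listed for rehashing. The "user:crypted-password" record layout, the sample values and the function names are assumptions constructed for illustration.

```python
import re

# Scheme ids of the crypt(3) modular format: name, and whether it is a modern hash.
SCHEMES = {
    "1": ("md5-crypt", False),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("sha256-crypt", True),
    "6": ("sha512-crypt", True),
}

def parse_crypt(stored):
    """Split a stored crypt string into scheme, rounds/cost and salt."""
    if not stored.startswith("$"):
        # No "$id$" prefix: 13-character traditional DES crypt, or not a crypt string.
        is_des = re.fullmatch(r"[./0-9A-Za-z]{13}", stored) is not None
        return {"scheme": "des-crypt" if is_des else "unknown", "rounds": None,
                "salt": stored[:2] if is_des else None, "modern": False}
    fields = stored.split("$")[1:]      # drop the empty field before the first "$"
    ident, rest = fields[0], fields[1:]
    name, modern = SCHEMES.get(ident, ("unknown", False))
    rounds, salt = None, None
    if name == "bcrypt" and len(rest) == 2:
        rounds, salt = int(rest[0]), rest[1][:22]   # cost, then salt fused with digest
    elif name != "unknown" and rest:
        if name != "md5-crypt" and rest[0].startswith("rounds="):
            rounds, rest = int(rest[0][len("rounds="):]), rest[1:]
        salt = rest[0] if rest else None
    return {"scheme": name, "rounds": rounds, "salt": salt, "modern": modern}

def needs_rehash(records):
    """Return the users whose stored hash is not a modern scheme."""
    flagged = []
    for line in records:
        user, _, stored = line.partition(":")
        if not parse_crypt(stored)["modern"]:
            flagged.append(user)
    return flagged

# Constructed records; the digests are placeholders, not real hashes.
SAMPLE = [
    "alice:$1$Nz8kQ2pL$" + "A" * 22,
    "bob:$6$rounds=100000$saltsaltsaltsalt$" + "B" * 86,
    "carol:$5$c4r0lsalt$" + "C" * 43,
    "dave:ab" + "D" * 11,
    "erin:$2b$12$" + "E" * 53,
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.split(":")[0], parse_crypt(rec.partition(":")[2]))
    print("still on MD5 or older:", needs_rehash(SAMPLE))
```

Because the scheme travels with each stored value, old `$1$` entries and new `$6$` entries can coexist in one store while accounts are rehashed at their next password change.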
