Vpopmail used MD5 by default, and DES the former is disabled.


On 10/3/2018 4:15 PM, Andrew Swartz wrote:
Dan,

Good explanations of how the crypted password contains the hash
specification and the salt.  Thank you.  I looked through the dovecot
documentation, and they describe the $1$ through $6$ just as you did.
Therefore this seems a generally accepted password storage format.

However, I just searched through all of the vpopmail source code
(v5.4.33).  There are numerous hits for "md5" but none for "sha1",
"sha-1", "sha256", or "sha-256".  I visually inspected the header files,
and there is a #define for MD5_PASSWORDS but for no other hashes.

As best I can tell, it seems that the crypted password is stored using a
format which accepts newer hashes, but it seems that vpopmail currently
has no ability to use newer hashes.

-Andy


On 10/3/2018 1:30 PM, Dan McAllister - QMT DNS wrote:
One more item -- I agree that the password hashing algorithm could stand to be 
updated -- and there is NOT a backward compatibility issue with updating our 
algorithms because the mechanism is CODED to show which algorithm is used (the 
$1$ currently there, maybe a $6$ in the future?)

However, we would need to check with the qmail code, as well as DoveCot, to 
determine if they can support/recognize those other algorithms.

Dan

-----Original Message-----
From: Eric Broch <ebr...@whitehorsetc.com>
Sent: Wednesday, October 3, 2018 4:34 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Passwords after backup/restore

The newer DoveCot IMAP server "appears" to be authenticating against
the cleartext password
It does. I checked the code.

I've submitted a question to the Dovecot mailing list concerning this, that is, 
whether there is a configuration option to authorize against the hash, or 
whether there is an option at compile or link time to accomplish the same. It'd 
be nice to have a configuration option, IMHO, that way no re-compilation would 
be necessary.


--
Eric Broch
White Horse Technical Consulting (WHTC)


---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

Reply via email to