John Peacock wrote:
> There is an interesting hack in Dovecot that I was thinking of copying
> for Qpsmtpd: a password scheme definition that includes the local (to
> the server) encryption used. For example, {CRYPT}password would mean
> that the plaintext password passed in (while TLS was in force) would be
> crypt()'d and then compared with what is in the user database (ex.), see
>
> http://wiki.dovecot.org/Authentication
>
> for details.
>
> This allows the plaintext password to be passed from the client inside a
> TLS wrapper, and yet be encrypted on disk at all times. This is far
> more secure than any of the challenge methods, which require storing the
> plaintext password on the server...
Yes - I use Dovecot SASL on a couple of systems with back-end password databases that contain encrypted password hashes created using dovecotpw. I use Postfix -> Dovecot SASL -> Password-file on a mail relay host for example.

In its simplest form the password file looks something like:

james:{HMAC-MD5}6c431bcaeab7basdfgq4534tdfbvsdfgdaa2ba23357c7

But from memory you can also specify additional fields to be retrieved.

It's a good idea for a potential feature - though you do need to also distribute some way for people to securely hash their passwords.

Regards

James Turnbull

--
James Turnbull <[EMAIL PROTECTED]>
---
Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
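Added example (not code from either poster, nor from Dovecot or Qpsmtpd): a small Python checker for the scheme-prefixed passwd-file idea discussed above, covering both halves of the feature James mentions, a hashing helper to create entries and a verifier that never needs the plaintext on disk. It assumes the Dovecot layouts for {PLAIN}, {SHA256} (base64 of the raw digest) and {SSHA} (base64 of SHA-1 digest followed by the salt); {CRYPT} and {HMAC-MD5} are deliberately left out, and the user names and passwords are constructed.

```python
import base64
import hashlib
import hmac
import os


def hash_password(scheme, password, salt=None):
    """Return a '{SCHEME}hash' string, the job a dovecotpw-style tool does for users."""
    pw = password.encode("utf-8")
    if scheme == "PLAIN":
        return "{PLAIN}" + password
    if scheme == "SHA256":
        return "{SHA256}" + base64.b64encode(hashlib.sha256(pw).digest()).decode()
    if scheme == "SSHA":
        salt = os.urandom(4) if salt is None else salt  # assumed 4-byte random salt
        return "{SSHA}" + base64.b64encode(hashlib.sha1(pw + salt).digest() + salt).decode()
    raise ValueError("unsupported scheme: " + scheme)


def verify_password(stored, password):
    """Check a plaintext (received inside TLS) against a '{SCHEME}hash' entry."""
    if not stored.startswith("{") or "}" not in stored:
        return False  # no scheme prefix: refuse rather than guess the format
    scheme, _, data = stored[1:].partition("}")
    pw = password.encode("utf-8")
    if scheme == "PLAIN":
        return hmac.compare_digest(data.encode("utf-8"), pw)
    if scheme == "SHA256":
        return hmac.compare_digest(base64.b64decode(data), hashlib.sha256(pw).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows it
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    return False  # unknown scheme: deny, do not fall back to plaintext compare


def parse_passdb(text):
    """Map user -> '{SCHEME}hash' from 'user:{SCHEME}hash[:extra fields]' lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        # base64/crypt hashes never contain ':', so the first field is the hash;
        # a {PLAIN} secret containing ':' would be ambiguous, one more reason to hash
        users[user] = rest.split(":", 1)[0]
    return users


def check_login(passdb, user, password):
    stored = passdb.get(user)
    return stored is not None and verify_password(stored, password)


# Constructed sample passwd-file (hypothetical users), built with the helper above
SAMPLE_PASSDB = "\n".join([
    "alice:" + hash_password("SSHA", "correct horse", salt=b"\x01\x02\x03\x04"),
    "bob:" + hash_password("SHA256", "battery staple") + ":1000:1000::/home/bob",
    "carol:{PLAIN}hunter2",  # what the scheme prefix lets an admin avoid keeping on disk
])
```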