Re: Using SHA256/512 for SQL based password

2019-02-20 Thread Robert Moskowitz via dovecot



On 2/20/19 5:09 AM, Yassine Chaouche via dovecot wrote:

On 2/12/19 5:05 PM, Robert Moskowitz via dovecot wrote:
I have been trying to find how to set the dovecot-sql.conf for using 
SHA256/512.  I am going to start clean with the stronger format, not 
migrate from the old MD5.  It seems all I need is:

[...] default_pass_scheme = SHAxxx-CRYPT [...]


How do your users change their password ?



Many never do!  Those that do, use the Roundcube plugin, or ask me to 
change their password via the Postfixadmin manager.  Sigh.


Here's how I configured my roundcube's password plugin to keep things 
together ($roundcubefolder/plugins/password/config.php)


$config['password_algorithm']        = 'dovecot';
$config['password_algorithm_prefix'] = '{SHA512-CRYPT}';
$config['password_dovecotpw_method'] = 'SHA512-CRYPT';
$config['password_query']            = "UPDATE mail.users SET password=%P WHERE email=%u LIMIT 1";

I left other fields alone.

Yassine.

Thanks, much better info than I was seeing in my googling.  Except I 
would not use %p:


// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
// %p is replaced with the plaintext new password
// %c is replaced with the crypt version of the new password, MD5 if available
//    otherwise DES.
// %D is replaced with the dovecotpw-crypted version of the new password
// %o is replaced with the password before the change
// %n is replaced with the hashed version of the new password
// %q is replaced with the hashed password before the change
// %h is replaced with the imap host (from the session info)
// %u is replaced with the username (from the session info)
// %l is replaced with the local part of the username
//    (in case the username is an email address)
// %d is replaced with the domain part of the username
//    (in case the username is an email address)



%D seems to be what I want...

And in mysql, I believe the table is mailbox.

$rcmail_config['password_query'] = "UPDATE mailbox SET password = %D, modified = NOW() WHERE username = %u";


I got this from: 
https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixadmin-and-roundcube/


thanks!
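An added example, not code from the thread, from roundcube or from Dovecot: a pure-Python implementation of crypt(3) "$6$" (sha512crypt), which is what Dovecot's SHA512-CRYPT scheme stores behind the {SHA512-CRYPT} prefix. It lets you check, without a Dovecot install, that what the roundcube password plugin writes via %D is a value the passdb will accept, and it shows where the salt and the rounds= cost live inside the stored string. The handling of the {SCHEME} prefix and of an unprefixed value (taken as default_scheme, the way default_pass_scheme works) is this example's own; the "Hello world!" / "$6$saltstring" vector in the test is the one published with the SHA-crypt specification.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SCHEME = "{SHA512-CRYPT}"          # Dovecot's prefix for this scheme
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999

# Digest-byte shuffle the SHA-crypt spec uses when encoding (3 bytes -> 4 chars).
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]


def _b64_24(b2, b1, b0, n):
    """crypt-style base64: n chars, low 6 bits first, from a 24-bit word."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += ITOA64[w & 0x3F]
        w >>= 6
    return out


def _stretch(block, length):
    """Repeat a 64-byte digest to exactly `length` bytes."""
    return block * (length // 64) + block[: length % 64]


def sha512_crypt(password, setting):
    """crypt(3) $6$. `setting` is '$6$[rounds=N$]salt' or a full hash."""
    if not setting.startswith("$6$"):
        raise ValueError("only $6$ (SHA512-CRYPT) is implemented here")
    rest, rounds, explicit = setting[3:], ROUNDS_DEFAULT, False
    if rest.startswith("rounds="):
        spec, _, rest = rest.partition("$")
        rounds = min(max(int(spec[7:]), ROUNDS_MIN), ROUNDS_MAX)
        explicit = True
    salt = rest.split("$", 1)[0][:16].encode()   # salt is at most 16 chars
    key = password.encode()

    dig_b = hashlib.sha512(key + salt + key).digest()
    a = hashlib.sha512(key + salt)
    a.update(_stretch(dig_b, len(key)))
    n = len(key)
    while n:                               # one block per bit of len(key)
        a.update(dig_b if n & 1 else key)
        n >>= 1
    dig_a = a.digest()
    p = _stretch(hashlib.sha512(key * len(key)).digest(), len(key))
    s = _stretch(hashlib.sha512(salt * (16 + dig_a[0])).digest(), len(salt))

    dig_c = dig_a
    for r in range(rounds):                # the tunable cost loop
        c = hashlib.sha512(p if r & 1 else dig_c)
        if r % 3:
            c.update(s)
        if r % 7:
            c.update(p)
        c.update(dig_c if r & 1 else p)
        dig_c = c.digest()

    enc = "".join(_b64_24(dig_c[x], dig_c[y], dig_c[z], 4) for x, y, z in _ORDER)
    enc += _b64_24(0, 0, dig_c[63], 2)
    head = "$6$" + (f"rounds={rounds}$" if explicit else "")
    return head + salt.decode() + "$" + enc


def make_dovecot_hash(password, rounds=0):
    """Value of the form `doveadm pw -s SHA512-CRYPT` stores: {SHA512-CRYPT}$6$salt$hash."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(16))
    setting = "$6$" + (f"rounds={rounds}$" if rounds else "") + salt
    return SCHEME + sha512_crypt(password, setting)


def verify_dovecot_hash(stored, password, default_scheme="SHA512-CRYPT"):
    """Check a password against a passdb value. An unprefixed value is treated
    as `default_scheme`, mirroring Dovecot's default_pass_scheme (assumption)."""
    if stored.startswith("{"):
        scheme, _, crypted = stored[1:].partition("}")
    else:
        scheme, crypted = default_scheme, stored
    if scheme != "SHA512-CRYPT":
        raise ValueError(f"scheme {scheme} not handled by this example")
    setting = crypted.rsplit("$", 1)[0]   # '$6$[rounds=N$]salt'
    return hmac.compare_digest(sha512_crypt(password, setting), crypted)
```

make_dovecot_hash("secret") yields a value you can put straight into the mailbox.password column; on a Dovecot host, doveadm pw -t '<that value>' -p secret is the cross-check that the server agrees. The default of 5000 rounds is what crypt(3) uses when no rounds= is given; raising it costs attackers and your IMAP logins in the same proportion.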




Re: Using SHA256/512 for SQL based password

2019-02-20 Thread Robert Moskowitz via dovecot




On 2/20/19 9:06 AM, @lbutlr via dovecot wrote:

On 20 Feb 2019, at 06:10, Robert Moskowitz via dovecot  
wrote:

libsodium does not help with CentOS7 and Dovecot 2.3:

This is what your HTML message looks like here:

<https://www.dropbox.com/s/puwyqle5nwm1c9t/Screen%20Shot%202019-02-20%20at%2007.04.05.png?dl=



Thunderbird 60.4 on Fedora 28




Re: Using SHA256/512 for SQL based password

2019-02-20 Thread Robert Moskowitz via dovecot




On 2/20/19 8:38 AM, Aki Tuomi wrote:

On 20 February 2019 15:10 Robert Moskowitz via dovecot wrote:

On 2/19/19 1:50 AM, Aki Tuomi via dovecot wrote:

On 17.2.2019 10.46, Aki Tuomi via dovecot wrote:

On 17 February 2019 at 10:38 Odhiambo Washington via dovecot <dovecot@dovecot.org> wrote:

On Sun, 17 Feb 2019 at 11:34, Marc Weustink via dovecot <dovecot@dovecot.org> wrote:

Jean-Daniel Dupas via dovecot wrote:

On 13 Feb 2019 at 14:54, Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:

ARGON2 support is added in dovecot v2.3. It also needs to be enabled
when compiling dovecot, so varying from packagers it might or not be
available. The CRYPT ones are available if crypt(3) supports them. In
dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

CentOS7 is on dovecot 2.2.36:

# doveadm pw -s ARGON2-CRYPT -p secret
Fatal: Unknown scheme: ARGON2-CRYPT
# doveadm pw -s ARGON2 -p secret
Fatal: Unknown scheme: ARGON2

I tend to stay with the distro's rpms and not take on building and
maintaining myself.

And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l)

With dovecot from the dovecot.org <http://dovecot.org> repo:

# doveadm pw -s ARGON2I -p secret
{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk

Also from dovecot.org <http://dovecot.org> repo:

doveadm pw -s ARGON2I -p secret
Fatal: Unknown scheme: ARGON2I

Marc

It works for me over here:

[wash@waridi ~]#/opt/dovecot2.3/bin/doveadm pw -s ARGON2I -p secret
{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$9pggnQBea9F3h3O31HoJEA$0zZZgwEuMRVZ3Mc/v6ckpalzVRVCr+GLBWnb8OrgsxU

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)

I'll check next week if and why argon is missing from ce packages.
---
Aki Tuomi

Marc,

ARGON2 is supported only on Debian Stretch and Ubuntu 18 for dovecot, due to libsodium.

libsodium does not help with CentOS7 and Dovecot 2.3:

  Installing : libsodium-1.0.17-1.el7.armv7hl   1/1
  Verifying  : libsodium-1.0.17-1.el7.armv7hl   1/1

Installed:
  libsodium.armv7hl 0:1.0.17-1.el7

Complete!
[root@klovia ~]# doveadm pw -s ARGON2I -p secret
Fatal: Unknown scheme: ARGON2I
[root@klovia ~]# doveadm pw -l
MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR 
CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 
PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT 
SHA512-CRYPT

Previously installed argon2:

grep -n argon /var/log/yum.log*
/var/log/yum.log:128:Feb 13 09:01:01 Installed: libargon2-20161029-2.el7.armv7hl
/var/log/yum.log:129:Feb 13 09:01:01 Installed: argon2-20161029-2.el7.armv7hl


Hi!

Just installing libsodium is not enough. It's not compiled into dovecot centos7 
packages because the libsodium in centos7 (not epel) is not recent enough.


It was worth the try



Re: Using SHA256/512 for SQL based password

2019-02-20 Thread Robert Moskowitz via dovecot



On 2/19/19 1:50 AM, Aki Tuomi via dovecot wrote:



On 17.2.2019 10.46, Aki Tuomi via dovecot wrote:


On 17 February 2019 at 10:38 Odhiambo Washington via dovecot <dovecot@dovecot.org> wrote:



On Sun, 17 Feb 2019 at 11:34, Marc Weustink via dovecot <dovecot@dovecot.org> wrote:


Jean-Daniel Dupas via dovecot wrote:
>
>
>> On 13 Feb 2019 at 14:54, Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:

>>
>>
>>

>>> ARGON2 support is added in dovecot v2.3. It also needs to be 
enabled
>>> when compiling dovecot, so varying from packagers it might or 
not be
>>> available. The CRYPT ones are available if crypt(3) supports 
them. In

>>> dovecot v2.3 we have added bcrypt support regardless of crypt(3)
support.
>>
>> CentOS7 is on dovecot 2.2.36:
>>
>> # doveadm pw -s ARGON2-CRYPT -p secret
>> Fatal: Unknown scheme: ARGON2-CRYPT
>> # doveadm pw -s ARGON2 -p secret
>> Fatal: Unknown scheme: ARGON2
>>
>> I tend to stay with the distro's rpms and not take on building and
>> maintaining myself.
>
And for the record, the hash names are ARGON2I and ARGON2ID (see 
doveadm

pw -l )
With dovecot from the dovecot.org < http://dovecot.org> repo:
# doveadm pw -s ARGON2I -p secret
{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk 


Also from dovecot.org < http://dovecot.org> repo:
doveadm pw -s ARGON2I -p secret
Fatal: Unknown scheme: ARGON2I

Marc


It works for me over here:

[wash@waridi ~]#/opt/dovecot2.3/bin/doveadm pw -s ARGON2I -p secret
{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$9pggnQBea9F3h3O31HoJEA$0zZZgwEuMRVZ3Mc/v6ckpalzVRVCr+GLBWnb8OrgsxU 




--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)


I'll check next week if and why argon is missing from ce packages.
---
Aki Tuomi


Marc,

ARGON2 is supported only on Debian Stretch and Ubuntu 18 for dovecot, 
due to libsodium.




libsodium does not help with CentOS7 and Dovecot 2.3:

  Installing : libsodium-1.0.17-1.el7.armv7hl   1/1
  Verifying  : libsodium-1.0.17-1.el7.armv7hl   1/1


Installed:
  libsodium.armv7hl 0:1.0.17-1.el7

Complete!
[root@klovia ~]# doveadm pw -s ARGON2I -p secret
Fatal: Unknown scheme: ARGON2I
[root@klovia ~]# doveadm pw -l
MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN 
CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 
PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT 
SHA256-CRYPT SHA512-CRYPT


Previously installed argon2:

grep -n argon /var/log/yum.log*
/var/log/yum.log:128:Feb 13 09:01:01 Installed: libargon2-20161029-2.el7.armv7hl
/var/log/yum.log:129:Feb 13 09:01:01 Installed: argon2-20161029-2.el7.armv7hl





Re: Quota count and clone questions

2019-02-14 Thread Robert Moskowitz via dovecot
I figured out that I can't just drop maintaining quota2 if I want 
postfixadmin to report the quota status.


I also figured out a way to run a test on my config guesses.  I will try 
to fit it in today, or tomorrow.  But any advice on the questions below 
is welcomed!


On 2/13/19 8:53 PM, Robert Moskowitz via dovecot wrote:

all this almost reads like I can drop maintaining the quota2 table?

From https://wiki.dovecot.org/Quota/Count

mailbox_list_index = yes
# Avoid spending excessive time waiting for the quota calculation to finish when
# mails' vsizes aren't already cached. If this many mails are opened, finish the
# quota calculation on background in indexer-worker process. Mail deliveries will
# be assumed to succeed, and explicit quota lookups will return internal error.

mail_vsize_bg_after_count = 100

seems to belong in 10-mail.conf.  That is where those vars are shown.

But:


plugin {
  # 10MB quota limit
  quota = count:User quota
  quota_rule = *:storage=10M

  # This is required - it uses "virtual sizes" rather than "physical 
sizes" for quota counting:

  quota_vsizes = yes
}

I am having problems with.  Right now for quota I have:

plugin {
    quota = dict:user::proxy::sqlquota
    trash = /etc/dovecot/dovecot-trash.conf.ext
}

How do I reconcile these two?

Then for clone:  https://wiki.dovecot.org/Plugins/QuotaClone

how does:

mail_plugins = $mail_plugins quota quota_clone
plugin {
  quota_clone_dict = redis:host=127.0.0.1:port=6379
}

get replaced with something for mysql?

dovecot-sql.conf.ext:

driver = mysql
connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix 
password=$Postfix_Database_Password

default_pass_scheme = $cryptsha-CRYPT
# following should all be on one line.
password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'

# following should all be on one line
user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=3:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1'


and

dovecot-dict-sql.conf.ext:

connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix 
password=$Postfix_Database_Password

map {
    pattern = priv/quota/storage
    table = quota2
    username_field = username
    value_field = bytes
}
map {
    pattern = priv/quota/messages
    table = quota2
    username_field = username
    value_field = messages
}



thanks












Quota count and clone questions

2019-02-13 Thread Robert Moskowitz via dovecot

all this almost reads like I can drop maintaining the quota2 table?

From https://wiki.dovecot.org/Quota/Count

mailbox_list_index = yes
# Avoid spending excessive time waiting for the quota calculation to finish when
# mails' vsizes aren't already cached. If this many mails are opened, finish the
# quota calculation on background in indexer-worker process. Mail deliveries will
# be assumed to succeed, and explicit quota lookups will return internal error.

mail_vsize_bg_after_count = 100

seems to belong in 10-mail.conf.  That is where those vars are shown.

But:


plugin {
  # 10MB quota limit
  quota = count:User quota
  quota_rule = *:storage=10M

  # This is required - it uses "virtual sizes" rather than "physical 
sizes" for quota counting:

  quota_vsizes = yes
}

I am having problems with.  Right now for quota I have:

plugin {
    quota = dict:user::proxy::sqlquota
    trash = /etc/dovecot/dovecot-trash.conf.ext
}

How do I reconcile these two?

Then for clone:  https://wiki.dovecot.org/Plugins/QuotaClone

how does:

mail_plugins = $mail_plugins quota quota_clone
plugin {
  quota_clone_dict = redis:host=127.0.0.1:port=6379
}

get replaced with something for mysql?

dovecot-sql.conf.ext:

driver = mysql
connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix 
password=$Postfix_Database_Password

default_pass_scheme = $cryptsha-CRYPT
# following should all be on one line.
password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'

# following should all be on one line
user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=3:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1'


and

dovecot-dict-sql.conf.ext:

connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix 
password=$Postfix_Database_Password

map {
    pattern = priv/quota/storage
    table = quota2
    username_field = username
    value_field = bytes
}
map {
    pattern = priv/quota/messages
    table = quota2
    username_field = username
    value_field = messages
}



thanks
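An added configuration example, not from the thread or the Dovecot wiki, answering the "how does the redis quota_clone_dict get replaced with something for mysql?" question above: count quota with quota_clone feeding the same SQL dict the old dict-quota setup already used, and the quota plugin loaded globally rather than only under protocol imap, so LMTP/LDA deliveries update the count too. The dict name sqlquota, the file paths and the trash plugin are taken from the configuration quoted above; the existing dovecot-dict-sql.conf.ext maps are reused unchanged, because quota_clone writes exactly the priv/quota/storage and priv/quota/messages keys those maps already point at quota2.

```conf
# dovecot.conf (or local.conf): global settings, not inside protocol imap {},
# so lmtp/lda deliveries load the quota plugins as well.
mail_plugins = $mail_plugins quota quota_clone trash
protocol imap {
  # imap_quota only makes sense for IMAP sessions (QUOTA extension)
  mail_plugins = $mail_plugins imap_quota
}

# Count quota wants the list index and a bound on how long a first
# calculation may block (see 10-mail.conf defaults quoted above).
mailbox_list_index = yes
mail_vsize_bg_after_count = 100

# Same dict definition the dict-quota setup used; the dict server reads
# /etc/dovecot/dovecot-dict-sql.conf.ext, whose two map {} blocks write
# bytes/messages into the quota2 table.
dict {
  sqlquota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}

plugin {
  # was: quota = dict:user::proxy::sqlquota
  quota = count:User quota
  # count quota needs virtual sizes; the per-user limit still arrives
  # via the quota_rule column of user_query in dovecot-sql.conf.ext
  quota_vsizes = yes
  trash = /etc/dovecot/dovecot-trash.conf.ext

  # was: quota_clone_dict = redis:host=127.0.0.1:port=6379
  # proxy:: goes through the dict server, sqlquota is the dict {} name above.
  quota_clone_dict = proxy::sqlquota
}
```

With this, Dovecot's authoritative quota is the index-backed count and quota2 becomes a mirror that postfixadmin can read; it is written when Dovecot recalculates or changes a user's quota, so after migrating the maildirs run the recalculation Aki points at later in this thread (doveadm quota recalc, with -A for all users) once to fill the table rather than waiting for each user's next session.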









Re: Maintaining table quota2

2019-02-13 Thread Robert Moskowitz via dovecot




On 2/13/19 6:51 PM, Benny Pedersen via dovecot wrote:

Robert Moskowitz via dovecot wrote on 2019-02-14 00:22:


Am I 'getting it'?


15- is loaded before 20-

check dovecot -n always gives wanted results

Yes, that I see.  But local.conf is loaded after 15- and 20-.  If any of 
these have a mail-plugins line (All such lines are commented out in the 
default conf.d directory, though), would any 'global' setting of 
mail_plugins in local.conf be applied?


I am guessing not, as it would come too late in the conf processing.

Of course CURRENTLY, all mail_plugins lines in the conf.d directory ARE 
just comments.





Re: Maintaining table quota2

2019-02-13 Thread Robert Moskowitz via dovecot

More on 'global' local section:

If there was
!include_try global_local.conf

before the

!include_try local.conf

It would have things like:

#    dovecot.conf
protocols = imap pop3 lmtp sieve
dict {
    sqlquota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}



On 2/13/19 1:51 AM, Aki Tuomi wrote:



On 13.2.2019 2.02, Robert Moskowitz via dovecot wrote:



On 2/12/19 1:57 PM, Aki Tuomi wrote:


On 12 February 2019 at 20:52 Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:





On 2/12/19 1:03 PM, Aki Tuomi via dovecot wrote:
Dovecot keeps the quota current, although dict quota has been known 
to be bit bad at this.
We nowadays recommend using count quota instead and use 
quota_clone to copy the quota state to database. It is more accurate.

And how is this recommendation implemented?

All I have are my old notes and what google is finding for me...

Please give me some pointers.

thanks


https://wiki.dovecot.org/Quota/Count
https://wiki.dovecot.org/Plugins/QuotaClone

and the recommendation is under

https://wiki.dovecot.org/Quota


I have been spending effort today reading up on this and searching on 
a couple questions.


For my additions to 20-imap.conf I have:

imap_client_workarounds = delay-newmail
protocol imap {
    mail_plugins = quota imap_quota trash
}

I see that the mail_plugin quota is moved to 10-mail.conf.  No biggie 
there.  But what about trash?


And I tried to find documentation on imap_client_workarounds and all 
I have found is in:


https://wiki.dovecot.org/QuickConfiguration#Client_Workarounds

"Check imap_client_workarounds and pop3_client_workarounds and see if 
you want to enable more of them than the defaults."


With no link about where to learn more.

Where does quota count go?  Just dovecot.conf or one of the numbered 
conf additions?


https://wiki.dovecot.org/Quota/Count

Also is there a way to compute the count for all users?  I am 
migrating the maildir and rebuilding the sql database.  I see:


doveadm mailbox status -u user@domain vsize '*'

But do I do that for each user in each domain or is that '*' there to 
run it on all users?


I think this will get me started.





You probably should configure quota plugin globally, if you want 
LMTP/LDA deliveries to update quota.


The quota count can be recalculated with doveadm quota recalc

Aki





Re: Using SHA256/512 for SQL based password

2019-02-13 Thread Robert Moskowitz via dovecot



On 2/13/19 10:53 AM, Jean-Daniel Dupas via dovecot wrote:



On 13 Feb 2019 at 14:54, Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:




On 2/13/19 8:30 AM, Aki Tuomi wrote:

On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:


On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:


On 13 February 2019 00:34:15 Robert Moskowitz <r...@htt-consult.com> wrote:


On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:

On 12.02.2019 at 17:05 Robert Moskowitz via dovecot wrote:

I have been trying to find how to set the dovecot-sql.conf for using
SHA256/512.  I am going to start clean with the stronger format, not
migrate from the old MD5.  It seems all I need is:

you might like to have a look at the hashing algorithm ARGON2I, which is
currently recommended for new developments and deployments.

Recommended by whom?

Can you provide a link?

Sure, please see here:
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet



And if I was adventurous about hashes, I would be looking more at
Keccak.


Check out my Internet Draft:


draft-moskowitz-small-crypto-00.txt

Thanks for the tip, will have a look for into it.

Keccak is a general hashing function.  It was the first? of the
hashing 'sponge' functions, that many have followed.  It is the basis
of SHA3 (at Keccak's greatest strength).

Argon2 seems to be special-built for password hashing. Thing is it is
not supported on my CentOS7 system:

# doveadm pw -l
MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
SHA256-CRYPT SHA512-CRYPT

Of course SHA3 is not listed either...



ARGON2 support is added in dovecot v2.3. It also needs to be enabled
when compiling dovecot, so varying from packagers it might or not be
available. The CRYPT ones are available if crypt(3) supports them. In
dovecot v2.3 we have added bcrypt support regardless of crypt(3) 
support.


CentOS7 is on dovecot 2.2.36:

# doveadm pw -s ARGON2-CRYPT -p secret
Fatal: Unknown scheme: ARGON2-CRYPT
# doveadm pw -s ARGON2 -p secret
Fatal: Unknown scheme: ARGON2

I tend to stay with the distro's rpms and not take on building and 
maintaining myself.


And for the record, the hash names are ARGON2I and ARGON2ID (see 
doveadm pw -l )


With dovecot from the dovecot.org <http://dovecot.org> repo:

# doveadm pw -s ARGON2I -p secret
{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk


For those with dovecot v 2.3

I will note this for the future.
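An added example, not code from the thread or from Dovecot: a parser for the PHC-format string Dovecot stores for its ARGON2I/ARGON2ID schemes, with a small audit of the cost parameters. The sample is the doveadm pw -s ARGON2I output quoted in this thread, reused here as constructed test data; the thresholds in POLICY are this example's own assumption, not Dovecot defaults or anyone's published recommendation, and are there to show where a site policy would plug in.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample: the "doveadm pw -s ARGON2I -p secret" output quoted above.
SAMPLE = ("{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1"
          "$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk")

# Assumed site policy for this example (memory in KiB, passes, lanes, bytes).
POLICY = {"min_m_kib": 32768, "min_t": 3, "min_p": 1,
          "min_salt_len": 16, "min_hash_len": 32}

# {SCHEME}$variant$v=N$m=..,t=..,p=..$salt$hash  (salt/hash are unpadded base64)
_PHC = re.compile(
    r"\{(?P<scheme>ARGON2ID?)\}"
    r"\$(?P<variant>argon2(?:id|i|d))"
    r"\$v=(?P<version>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<hash>[A-Za-z0-9+/]+)")


@dataclass
class Argon2Hash:
    scheme: str     # Dovecot prefix: ARGON2I or ARGON2ID
    variant: str    # argon2i / argon2id / argon2d inside the PHC string
    version: int    # 19 == 0x13, the current Argon2 version
    m_kib: int      # memory cost in KiB
    t: int          # time cost (passes over memory)
    p: int          # parallelism (lanes)
    salt: bytes
    digest: bytes


def _b64decode_unpadded(s):
    """PHC strings drop base64 padding; restore it before decoding."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_argon2(stored):
    m = _PHC.fullmatch(stored)
    if m is None:
        raise ValueError("not a Dovecot {ARGON2*} PHC string")
    return Argon2Hash(
        scheme=m["scheme"], variant=m["variant"], version=int(m["version"]),
        m_kib=int(m["m"]), t=int(m["t"]), p=int(m["p"]),
        salt=_b64decode_unpadded(m["salt"]),
        digest=_b64decode_unpadded(m["hash"]))


def audit(stored, policy=POLICY):
    """Return the list of policy violations for a stored hash (empty = passes)."""
    h = parse_argon2(stored)
    problems = []
    if h.version != 19:
        problems.append(f"version {h.version}, expected 19")
    if h.m_kib < policy["min_m_kib"]:
        problems.append(f"m={h.m_kib} KiB below {policy['min_m_kib']}")
    if h.t < policy["min_t"]:
        problems.append(f"t={h.t} below {policy['min_t']}")
    if h.p < policy["min_p"]:
        problems.append(f"p={h.p} below {policy['min_p']}")
    if len(h.salt) < policy["min_salt_len"]:
        problems.append(f"salt {len(h.salt)} bytes below {policy['min_salt_len']}")
    if len(h.digest) < policy["min_hash_len"]:
        problems.append(f"digest {len(h.digest)} bytes below {policy['min_hash_len']}")
    return problems
```

Run audit() over a SELECT password FROM mailbox dump and you see which rows were hashed with weaker parameters than your current policy (or with a different scheme altogether, which parse_argon2 rejects), which is the information you need before deciding whether to force a re-hash at next login. The sample parses to m=32768 KiB (32 MiB), t=4, p=1, a 16-byte salt and a 32-byte digest.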




Re: Using SHA256/512 for SQL based password

2019-02-13 Thread Robert Moskowitz via dovecot




On 2/13/19 8:30 AM, Aki Tuomi wrote:

On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:


On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:


On 13 February 2019 00:34:15 Robert Moskowitz wrote:


On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:

On 12.02.2019 at 17:05 Robert Moskowitz via dovecot wrote:

I have been trying to find how to set the dovecot-sql.conf for using
SHA256/512.  I am going to start clean with the stronger format, not
migrate from the old MD5.  It seems all I need is:

you might like to have a look at the hashing algorithm ARGON2I, which is
currently recommended for new developments and deployments.

Recommended by whom?

Can you provide a link?

Sure, please see here:
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet



And if I was adventurous about hashes, I would be looking more at
Keccak.


Check out my Internet Draft:


draft-moskowitz-small-crypto-00.txt

Thanks for the tip, will have a look for into it.

Keccak is a general hashing function.  It was the first? of the
hashing 'sponge' functions, that many have followed.  It is the basis
of SHA3 (at Keccak's greatest strength).

Argon2 seems to be special-built for password hashing.  Thing is it is
not supported on my CentOS7 system:

# doveadm pw -l
MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
SHA256-CRYPT SHA512-CRYPT

Of course SHA3 is not listed either...



ARGON2 support is added in dovecot v2.3. It also needs to be enabled
when compiling dovecot, so varying from packagers it might or not be
available. The CRYPT ones are available if crypt(3) supports them. In
dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.


I just found an Argon2 binary for CentOS7:

Installing:
 argon2    armv7hl 20161029-2.el7 epel  22 k
Installing for dependencies:
 libargon2 armv7hl 20161029-2.el7 epel  26 k


How do I get Dovecot 2.2 to use it?




Re: Using SHA256/512 for SQL based password

2019-02-13 Thread Robert Moskowitz via dovecot




On 2/13/19 8:30 AM, Aki Tuomi wrote:

On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:


On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:


On 13 February 2019 00:34:15 Robert Moskowitz wrote:


On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:

On 12.02.2019 at 17:05 Robert Moskowitz via dovecot wrote:

I have been trying to find how to set the dovecot-sql.conf for using
SHA256/512.  I am going to start clean with the stronger format, not
migrate from the old MD5.  It seems all I need is:

you might like to have a look at the hashing algorithm ARGON2I, which is
currently recommended for new developments and deployments.

Recommended by whom?

Can you provide a link?

Sure, please see here:
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet



And if I was adventurous about hashes, I would be looking more at
Keccak.


Check out my Internet Draft:


draft-moskowitz-small-crypto-00.txt

Thanks for the tip, will have a look for into it.

Keccak is a general hashing function.  It was the first? of the
hashing 'sponge' functions, that many have followed.  It is the basis
of SHA3 (at Keccak's greatest strength).

Argon2 seems to be special-built for password hashing.  Thing is it is
not supported on my CentOS7 system:

# doveadm pw -l
MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
SHA256-CRYPT SHA512-CRYPT

Of course SHA3 is not listed either...



ARGON2 support is added in dovecot v2.3. It also needs to be enabled
when compiling dovecot, so varying from packagers it might or not be
available. The CRYPT ones are available if crypt(3) supports them. In
dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.


CentOS7 is on dovecot 2.2.36:

# doveadm pw -s ARGON2-CRYPT -p secret
Fatal: Unknown scheme: ARGON2-CRYPT
# doveadm pw -s ARGON2 -p secret
Fatal: Unknown scheme: ARGON2

I tend to stay with the distro's rpms and not take on building and 
maintaining myself.





Re: Using SHA256/512 for SQL based password

2019-02-13 Thread Robert Moskowitz via dovecot




On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:



On 13 February 2019 00:34:15 Robert Moskowitz wrote:



On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:

On 12.02.2019 at 17:05 Robert Moskowitz via dovecot wrote:

I have been trying to find how to set the dovecot-sql.conf for using
SHA256/512.  I am going to start clean with the stronger format, not
migrate from the old MD5.  It seems all I need is:

you might like to have a look at the hashing algorithm ARGON2I, which is
currently recommended for new developments and deployments.


Recommended by whom?

Can you provide a link?


Sure, please see here:
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet




And if I was adventurous about hashes, I would be looking more at 
Keccak.



Check out my Internet Draft:


draft-moskowitz-small-crypto-00.txt


Thanks for the tip, will have a look for into it.


Keccak is a general hashing function.  It was the first? of the hashing 
'sponge' functions, that many have followed.  It is the basis of SHA3 
(at Keccak's greatest strength).


Argon2 seems to be special-built for password hashing.  Thing is it is 
not supported on my CentOS7 system:


# doveadm pw -l
MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN 
CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 
PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT 
SHA256-CRYPT SHA512-CRYPT


Of course SHA3 is not listed either...




Re: Using SHA256/512 for SQL based password

2019-02-12 Thread Robert Moskowitz via dovecot




On 2/12/19 7:16 PM, Michael Slusarz via dovecot wrote:

On February 12, 2019 at 4:33 PM Robert Moskowitz via dovecot 
 wrote:

On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:

On 12.02.2019 at 17:05 Robert Moskowitz via dovecot wrote:

I have been trying to find how to set the dovecot-sql.conf for using
SHA256/512.  I am going to start clean with the stronger format, not
migrate from the old MD5.  It seems all I need is:

you might like to have a look at the hashing algorithm ARGON2I, which is
currently recommended for new developments and deployments.

Recommended by whom?

Can you provide a link?

https://password-hashing.net/


Thank you, very interesting.  I will read draft-irtf-cfrg-argon2-04.txt

And see the comments on the cfrg list.  Russ Housley had concerns about 
the 03 draft; I will have to see if they are addressed in the 04 draft.


I really don't like SHA512, a bit of a hack that was rushed out before SHA3.




Re: Maintaining table quota2

2019-02-12 Thread Robert Moskowitz via dovecot



On 2/12/19 1:57 PM, Aki Tuomi wrote:


On 12 February 2019 at 20:52 Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:





On 2/12/19 1:03 PM, Aki Tuomi via dovecot wrote:
Dovecot keeps the quota current, although dict quota has been known 
to be bit bad at this.
We nowadays recommend using count quota instead and use quota_clone 
to copy the quota state to database. It is more accurate.

And how is this recommendation implemented?

All I have are my old notes and what google is finding for me...

Please give me some pointers.

thanks


https://wiki.dovecot.org/Quota/Count
https://wiki.dovecot.org/Plugins/QuotaClone

and the recommendation is under

https://wiki.dovecot.org/Quota


I have been spending effort today reading up on this and searching on a 
couple questions.


For my additions to 20-imap.conf I have:

imap_client_workarounds = delay-newmail
protocol imap {
    mail_plugins = quota imap_quota trash
}

I see that the mail_plugin quota is moved to 10-mail.conf.  No biggie 
there.  But what about trash?


And I tried to find documentation on imap_client_workarounds and all I 
have found is in:


https://wiki.dovecot.org/QuickConfiguration#Client_Workarounds

"Check imap_client_workarounds and pop3_client_workarounds and see if 
you want to enable more of them than the defaults."


With no link about where to learn more.

Where does quota count go?  Just dovecot.conf or one of the numbered 
conf additions?


https://wiki.dovecot.org/Quota/Count

Also is there a way to compute the count for all users?  I am migrating 
the maildir and rebuilding the sql database.  I see:


doveadm mailbox status -u user@domain vsize '*'

But do I do that for each user in each domain or is that '*' there to 
run it on all users?


I think this will get me started.






Re: Using SHA256/512 for SQL based password

2019-02-12 Thread Robert Moskowitz via dovecot




On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:

On 12.02.2019 at 17:05 Robert Moskowitz via dovecot wrote:

I have been trying to find how to set the dovecot-sql.conf for using
SHA256/512.  I am going to start clean with the stronger format, not
migrate from the old MD5.  It seems all I need is:

you might like to have a look at the hashing algorithm ARGON2I, which is
currently recommended for new developments and deployments.


Recommended by whom?

Can you provide a link?

And if I was adventurous about hashes, I would be looking more at Keccak.

Check out my Internet Draft:

draft-moskowitz-small-crypto-00.txt




Re: Maintaining table quota2

2019-02-12 Thread Robert Moskowitz via dovecot




On 2/12/19 1:03 PM, Aki Tuomi via dovecot wrote:

On 12 February 2019 at 19:55 Robert Moskowitz via dovecot  
wrote:




On 2/12/19 12:38 PM, Aki Tuomi via dovecot wrote:

On 12 February 2019 at 18:23 Robert Moskowitz via dovecot  
wrote:


Does dovecot compute that values for quota2 with each email it updates
for the user?  Or only an incremental change?

I ask because I am looking at migrating all the user mail from the old
server to the new and building a new sql database.  All I see is:

dovecot-dict-sql.conf.ext:

connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password

map {
    pattern = priv/quota/storage
    table = quota2
    username_field = username
    value_field = bytes
}
map {
    pattern = priv/quota/messages
    table = quota2
    username_field = username
    value_field = messages
}


what is actually done with this table?

thanks






dict-sql converts the mappings into SQL statements.

But does dovecot check out the current bytes used and # of messages and
resets quota2, or only uses this latest operation (add message, delete
message...) to adjust quota2?

If the later how to reset quota2 to the current reality?

thanks


Dovecot keeps the quota current, although dict quota has been known to be bit 
bad at this.

We nowadays recommend using count quota instead and use quota_clone to copy the 
quota state to database. It is more accurate.


And how is this recommendation implemented?

All I have are my old notes and what google is finding for me...

Please give me some pointers.

thanks



Re: Maintaining table quota2

2019-02-12 Thread Robert Moskowitz via dovecot




On 2/12/19 12:38 PM, Aki Tuomi via dovecot wrote:

On 12 February 2019 at 18:23 Robert Moskowitz via dovecot  
wrote:


Does dovecot compute that values for quota2 with each email it updates
for the user?  Or only an incremental change?

I ask because I am looking at migrating all the user mail from the old
server to the new and building a new sql database.  All I see is:

dovecot-dict-sql.conf.ext:

connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password

map {
    pattern = priv/quota/storage
    table = quota2
    username_field = username
    value_field = bytes
}
map {
    pattern = priv/quota/messages
    table = quota2
    username_field = username
    value_field = messages
}


what is actually done with this table?

thanks


dict-sql converts the mappings into SQL statements.


But does dovecot check the current bytes used and # of messages and 
reset quota2, or only use this latest operation (add message, delete 
message...) to adjust quota2?


If the latter, how to reset quota2 to the current reality?

thanks



Maintaining table quota2

2019-02-12 Thread Robert Moskowitz via dovecot
Does dovecot compute those values for quota2 with each email it updates 
for the user?  Or only an incremental change?


I ask because I am looking at migrating all the user mail from the old 
server to the new and building a new sql database.  All I see is:


dovecot-dict-sql.conf.ext:

connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password
map {
  pattern = priv/quota/storage
  table = quota2
  username_field = username
  value_field = bytes
}
map {
  pattern = priv/quota/messages
  table = quota2
  username_field = username
  value_field = messages
}



what is actually done with this table?

thanks

Using SHA256/512 for SQL based password

2019-02-12 Thread Robert Moskowitz via dovecot
I have been trying to find how to set the dovecot-sql.conf for using 
SHA256/512.  I am going to start clean with the stronger format, not 
migrate from the old MD5.  It seems all I need is:


driver = mysql
connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password
default_pass_scheme = SHAxxx-CRYPT

# following should all be on one line.
password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'

# following should all be on one line
user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=3:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1'


where xxx is either 256 or 512. All the rest I have been finding in my 
searches concern converting the format and are not needed for a clean start?


thanks
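For reference on what `default_pass_scheme = SHA512-CRYPT` expects to find in the `password` column, here is an added example, not Dovecot's or Roundcube's code: a pure-Python implementation of the SHA-512 crypt scheme ("$6$") with a verifier for stored values of the form `{SHA512-CRYPT}$6$salt$hash`. The algorithm follows the public SHA-crypt specification, which is also what `doveadm pw -s SHA512-CRYPT` produces; the function names `make_dovecot_entry` and `verify_dovecot_entry` and the sample passwords are mine.

```python
import hashlib
import hmac
import os
import re

# crypt(3) base64 alphabet (not the RFC 4648 one).
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte order of the final digest in the encoded output, from the SHA-crypt
# specification: 21 triples of 4 chars plus a single byte as 2 chars.
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]
_HASH_RE = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./0-9A-Za-z]{86})$")
SCHEME = "{SHA512-CRYPT}"   # Dovecot's per-row scheme prefix, as used in the thread


def _b64_from_24bit(b2, b1, b0, n):
    w = (b2 << 16) | (b1 << 8) | b0
    return "".join(_B64[(w >> (6 * i)) & 0x3F] for i in range(n))


def _repeat_to(digest, length):
    """Repeat a 64-byte digest to exactly `length` bytes."""
    return (digest * (length // 64 + 1))[:length]


def sha512_crypt(password, salt, rounds=None):
    """SHA-512 crypt ("$6$"), as produced by crypt(3) and doveadm pw."""
    pw = password.encode("utf-8")
    salt_b = salt.encode("utf-8")[:16]          # the spec caps the salt at 16 bytes
    custom = rounds is not None
    rounds = 5000 if rounds is None else min(max(rounds, 1000), 999_999_999)

    b = hashlib.sha512(pw + salt_b + pw).digest()
    a = hashlib.sha512(pw + salt_b)
    a.update(_repeat_to(b, len(pw)))
    n = len(pw)
    while n:                                    # bits of len(pw), low to high
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()

    p = _repeat_to(hashlib.sha512(pw * len(pw)).digest(), len(pw))
    s = _repeat_to(hashlib.sha512(salt_b * (16 + a[0])).digest(), len(salt_b))

    c = a
    for i in range(rounds):                     # the deliberately slow part
        h = hashlib.sha512()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    enc = "".join(_b64_from_24bit(c[x], c[y], c[z], 4) for x, y, z in _ORDER)
    enc += _b64_from_24bit(0, 0, c[63], 2)
    return "$6$" + (f"rounds={rounds}$" if custom else "") + salt_b.decode() + "$" + enc


def make_dovecot_entry(password, rounds=None):
    """Value to store in the `password` column: scheme prefix + crypt hash."""
    salt = "".join(_B64[byte & 0x3F] for byte in os.urandom(16))   # 96-bit random salt
    return SCHEME + sha512_crypt(password, salt, rounds)


def verify_dovecot_entry(stored, candidate):
    """Check a candidate password against a {SHA512-CRYPT} database value."""
    if stored.upper().startswith(SCHEME):
        stored = stored[len(SCHEME):]
    m = _HASH_RE.match(stored)
    if not m:
        return False                            # other scheme or malformed value
    rounds = int(m.group(1)) if m.group(1) else None
    recomputed = sha512_crypt(candidate, m.group(2), rounds)
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    entry = make_dovecot_entry("correct horse battery staple")
    print(entry, verify_dovecot_entry(entry, "correct horse battery staple"))
```

Storing the value with the `{SHA512-CRYPT}` prefix lets Dovecot identify the scheme per row, so `default_pass_scheme` only acts as the fallback for rows without a prefix; that is what makes a later change of scheme, or a table holding a mix of old and new hashes, workable without a flag day.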




Re: How to backup maildir

2019-02-10 Thread Robert Moskowitz via dovecot




On 2/10/19 8:21 AM, Christoph Haas wrote:

Hello Robert,

[... snip ...]

of course I'm totally with you: asking other people for help, is often 
a good - if even not the only way to getting things done. It was not 
my intention to insult you! I hope this did not come in to your mind ...


You did not insult me at all.  I have taken stronger barbs over the years!

Personally I would have a look at the mentioned Dovecot-backup-script 
as a start. It does really a very good job! Kudos to Klaus Tachtler!


That is on top of my list.  Thanks for the pointer.



Another option could be, to sync your mail via mbsync/isync or 
offlineimap to your Notebook ... but as an alternative backup, it 
depends on how many users are on your Dovecot-server.



I have 4 domains, 20+ users.  Small stuff.  I suspect that would only 
work for me, and I have my processes in place.




In a second cycle, you can then extend or modify this script - as I 
have been doing.


But you should bear in mind, that you should have at least 2-3 
replicas of your data on different storage, for having a good backup.


The local image is for 'fast' backup.  This will then be rsynced to a 
server in my neighbor's house (we have ethernet between us.  He lunches 
off my ISP connection, he hosts my 'offsite' backups).




Cheers
Christoph.





Re: How to backup maildir

2019-02-10 Thread Robert Moskowitz via dovecot




On 2/10/19 2:24 AM, Christoph Haas via dovecot wrote:

Hello Robert,

- Message from Robert Moskowitz via dovecot -

 Date: Sat, 9 Feb 2019 22:50:24 -0500
 From: Robert Moskowitz via dovecot 
Reply to: Robert Moskowitz , Dovecot Mailing 
List 

 Subject: How to backup maildir
 To: Dovecot Mailing List 


I have been thinking, and reading, on how to back up my mailserver. I 
have not found any approach that seems ready to use.



I have run years without any backup, but would really like to have 
something in place.


you're a really lucky guy! - I've been struck in the past for such 
carelessness on the one or other machine with data loss ;-)


Absolute laziness.  No real excuse.   Also all users were POPing until 2 
years ago.  Finally got everyone on IMAP just in the last year.  So a 
server loss would have been an inconvenience.  For myself, almost 
nothing in the IMAP store, everything in local folders that I have a 
separate backup procedure.




I figure I can attach a USB drive and backup to that, then from 
there rsync to something elsewhere. Further if that USB drive is a 
full mailserver image, I actually have a 'hot backup' where I only 
have to put the backup drive into a system and boot up at the last 
backup.


But this means properly copying all of /home/vmail and probably 
/home/sieve plus the /var/lib/mysql




Are you aware of the dovecot command "dsync"? (man dsync or 
https://wiki.dovecot.org/Tools/Doveadm/Sync)

This could be an approach of using dsync:
dsync backup -o plugin/quota= -f -u $user backup maildir:/mnt/USB/dovecot-backup/Maildir/$user/mail


My search foo is weak.  This is a long documented fact.  I did spend a 
number of hours searching and reading before opening my mouth here, 
fully expecting to put more than my toes in.


I will read up on dsync.



Are there good tools that nicely do this?  Or do I choose a time 
late at night (only I am sometimes in non-US timezones) to shut down 
all services and just use rsync?


And stopping services itself is thought provoking.  What if Dovecot, 
amavis, mysql, or what else is in the middle of writing out a mail 
file what happens to that file and restart.


Just scary stuff and, in part, why I have never tackled this in the 
past.


thanks for all feedback



- End of message from Robert Moskowitz via dovecot -


It really depends on how important your data is to you ... But you 
should really think about a general backup-strategy!
"Mr. Google" can help you to get some ideas how YOUR backup-strategy 
could look like...
Also there is much input for backing up dovecot with it's different 
mail storage flavours.
- But you have to invest some effort on your own, to search, read, 
evaluate and finally choose what's fitting into YOUR setup!



I have been and have been searching.  Some hits, but so far nothing was 
hitting the spot.  But, I will blame my dyslexia that my search foo is 
weak.




But as a starting point:
I'm using a for _MY setup_ modified and adopted version of Klaus 
Tachtler's dovecot-backup script:

https://github.com/tachtler/dovecot-backup/blob/master/dovecot_backup.sh

... mixed it with Borg Backup:
https://www.borgbackup.org/

... some further encryption, cloud storage and ... and ... and other 
stuff.



I will check both of these.




But as above mentioned:
YOU have to think about the grade of your paranoia level, how 
important the data is to you in case of a data loss, time and money 
you are willing to invest and build upon this YOUR PERSONAL backup 
strategy.

- Sadly there is no one-size-fits-all!


If there was, we would not be here, I suspect.



Last famous words:
I've looked at your vita and was wondering about your post - you were 
writing RFCs, but have no clue about backing up your mail-data??? 
Strange ...


MY mail is well backed up.  Locally so that I can read on a plane and 
the like.  I have been running one flavor or another of my own mail 
server since '95.  I switched to dovecot 6 years ago.


My home file server is backed up 4 ways around.  And I have lost file 
servers and file server drives over the years.  Upgrading my file server 
is the next project.


But I write RFCs.  I have been using geany for XML for a few years. I 
'code' in English.  I have not written computer code since probably the 
late 80s.  I never coded in C, but I did use B for a while!  These days 
I can write simple scripts when forced to.  :)


My 'spare' time these days is working with armv7 boards.  I have been 
using Cubietech since '13, recently got an Odroid HC1 and that is what 
this server will be.  For the most part you will find me on the 
Centos/Fedora lists and their arm lists.  Occasionally I will put on my 
Kevlar suit and ask something basic on a product list.


But as a result of doing this, recently there is a new SELinux policy 
for permitting Dovecot to access Mysql.  It has already been patched 
into Fedora 28 and up

How to backup maildir

2019-02-09 Thread Robert Moskowitz via dovecot
I have been thinking, and reading, on how to back up my mailserver. I 
have not found any approach that seems ready to use.



I have run years without any backup, but would really like to have 
something in place.  I figure I can attach a USB drive and backup to 
that, then from there rsync to something elsewhere.  Further if that USB 
drive is a full mailserver image, I actually have a 'hot backup' where I 
only have to put the backup drive into a system and boot up at the last 
backup.


But this means properly copying all of /home/vmail and probably 
/home/sieve plus the /var/lib/mysql


Are there good tools that nicely do this?  Or do I choose a time late 
at night (only I am sometimes in non-US timezones) to shut down all 
services and just use rsync?


And stopping services itself is thought provoking.  What if Dovecot, 
amavis, mysql, or what else is in the middle of writing out a mail file 
what happens to that file and restart.


Just scary stuff and, in part, why I have never tackled this in the past.

thanks for all feedback
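The worry in this post and in the 2019-02-10 replies above is what happens to a message that is being written while a copy runs. Christoph's answer is Dovecot's own tool, dsync; as an added example that is not dsync, rsync or the dovecot-backup script, here is a Python snapshot of a Maildir tree that relies on the Maildir delivery contract instead: a writer creates the file under tmp/ and renames it into new/, and files under new/ and cur/ are never modified in place (flag changes are renames), so copying cur/ and new/ while skipping tmp/ never captures a half-written message. Unchanged files are hardlinked to the previous snapshot, the same idea as rsync's --link-dest. The Maildir layout, file names and message bodies below are constructed sample data in a temporary directory; Dovecot's index files in the same tree are cache data that Dovecot rebuilds if it finds them inconsistent, so copying them mid-write is harmless.

```python
import os
import shutil
import tempfile

# Maildir writers create a message under tmp/ and rename() it into new/;
# files under new/ and cur/ are never modified in place, so a copy of
# those directories is always internally consistent.
SKIP_DIRS = {"tmp"}


def _same_file_meta(a, b):
    sa, sb = os.stat(a), os.stat(b)
    return sa.st_size == sb.st_size and sa.st_mtime_ns == sb.st_mtime_ns


def snapshot_maildir(src, dest, prev=None):
    """Copy the Maildir tree at `src` into the new directory `dest`.

    Files unchanged since the previous snapshot `prev` (same size and
    mtime) are hardlinked to it instead of copied. Returns counters."""
    stats = {"copied": 0, "linked": 0, "skipped_tmp": 0}
    for dirpath, dirnames, filenames in os.walk(src):
        rel = os.path.relpath(dirpath, src)
        for d in list(dirnames):
            if d in SKIP_DIRS:
                dirnames.remove(d)          # prune in-flight deliveries
                stats["skipped_tmp"] += 1
        out_dir = os.path.normpath(os.path.join(dest, rel))
        os.makedirs(out_dir, exist_ok=True)
        for name in filenames:
            s = os.path.join(dirpath, name)
            d = os.path.join(out_dir, name)
            old = None if prev is None else os.path.normpath(os.path.join(prev, rel, name))
            if old and os.path.isfile(old) and _same_file_meta(s, old):
                try:
                    os.link(old, d)         # share the unchanged message with prev
                    stats["linked"] += 1
                    continue
                except OSError:
                    pass                    # filesystem without hardlinks: copy
            shutil.copy2(s, d)
            stats["copied"] += 1
    return stats


def missing_from_snapshot(src, dest):
    """Relative paths (outside tmp/) present in src but absent from dest."""
    missing = []
    for dirpath, dirnames, filenames in os.walk(src):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        rel = os.path.relpath(dirpath, src)
        for name in filenames:
            if not os.path.exists(os.path.normpath(os.path.join(dest, rel, name))):
                missing.append(os.path.normpath(os.path.join(rel, name)))
    return missing


def run_demo():
    """Build a constructed Maildir in a temp dir and take two snapshots."""
    root = tempfile.mkdtemp()
    maildir = os.path.join(root, "vmail", "alice@example.com")   # constructed
    for sub in ("cur", "new", "tmp"):
        os.makedirs(os.path.join(maildir, sub))
    for name, body in (("cur/1549760000.M1P1.host:2,S", b"Subject: one\n\n"),
                       ("new/1549760100.M2P1.host", b"Subject: two\n\n"),
                       ("tmp/1549760200.M3P1.host", b"Subject: partial")):
        with open(os.path.join(maildir, name), "wb") as f:
            f.write(body)
    snap1 = os.path.join(root, "backup", "2019-02-09")
    first = snapshot_maildir(maildir, snap1)
    # A new delivery lands between the two snapshots.
    with open(os.path.join(maildir, "new", "1549760300.M4P1.host"), "wb") as f:
        f.write(b"Subject: three\n\n")
    snap2 = os.path.join(root, "backup", "2019-02-10")
    second = snapshot_maildir(maildir, snap2, prev=snap1)
    tmp_copied = os.path.exists(os.path.join(snap2, "tmp"))
    gaps = missing_from_snapshot(maildir, snap2)
    shutil.rmtree(root)
    return first, second, tmp_copied, gaps


if __name__ == "__main__":
    print(run_demo())
```

The same reasoning does not extend to /var/lib/mysql mentioned above: a live database directory is modified in place, so it needs a dump or a storage snapshot rather than a file copy.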




Really solved - Re: Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2019-02-05 Thread Robert Moskowitz via dovecot
This is an old issue, but I am building a new system and hit this 
problem all over again.


This time, I asked for help from the SELinux list, as googling did not 
find anything new.  What resulted was a policy to allow dovecot to 
connect to mysql.sock:


yum install policycoreutils

cat > dovecot_mysql.te <<  \EOF
policy_module(dovecot_mysql,1.0.0)
gen_require(`
   type dovecot_t;
')
mysql_read_config(dovecot_t)
mysql_stream_connect(dovecot_t)
EOF

make -f /usr/share/selinux/devel/Makefile dovecot_mysql.pp
semodule -i dovecot_mysql.pp

IF you are using a TCP connection over 127.0.0.1, then it is simpler:


echo '(allow dovecot_t mysqld_port_t (tcp_socket (name_connect)))' > dovecot-mysql.cil

semodule -i dovecot-mysql.cil
sesearch -A -s dovecot_t -c tcp_socket -p name_connect | grep sql
allow dovecot_t mysqld_port_t:tcp_socket name_connect;
allow dovecot_t postgresql_port_t:tcp_socket name_connect;

Enjoy!

On 4/7/17 11:12 AM, Robert Moskowitz wrote:
I reread my sql.conf.ext files and realized they were actually 
connecting to localhost.  So I did some googling, and found how to 
connect to the socket:


connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix 
password=Postfix_Database_Password


And all fixed.  No more failures.  Plus probably securer.

On 04/07/2017 10:57 AM, Robert Moskowitz wrote:
The strange thing is that dovecot auth has no problem connecting to 
mysql, but the quota query is what is failing.


On 04/07/2017 10:43 AM, Robert Moskowitz wrote:
As I have noted in previous messages, I have been getting the following 
on my new mailserver:


Apr  7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): 
Connect failed to database (postfix): Can't connect to local MySQL 
server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 
25 seconds before retry


They go away when I setenforce 0.  It is not a timing issue as I 
earlier thought.


So I googled dovecot mysql selinux and the only worthwhile hit was:

http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html 



that provides a /etc/selinux/dovecot2mysql.te and other selinux stuff.

Is there a simpler way like a setsebool option?

With all the howtos on dovecot with mysql, it is interesting that 
none of them seem to have this problem.  Maybe because they connect 
to mysql through TCP port 3306 which has ITS set of problems (like 
MariaDB defaults to not listening on TCP).


thanks!