Re: OpenSMTPD password encryption scheme.
Hey,

I struggled with this issue as well on FreeBSD. This worked for me after a lot of tracing.

1. Create your PW hash with doveadm:

   echo `doveadm pw -s BLF-CRYPT` | cut -d'}' -f2

   This will cut the {BLF-CRYPT}… header created by doveadm. OpenSMTPD uses crypt() to figure out the hash type and should roll with it.

2. Tell Dovecot that your password hashes are BLF-CRYPT so it recognises them without the {BLF-CRYPT} header:

   passdb {
     driver = passwd-file
     args = scheme=blf-crypt /usr/local/etc/mail/passwd
   }

This way you can use the same passwd table both for OpenSMTPD and Dovecot.

HTH
Andreas

> On 18. Sep 2018, at 09:06, Reio Remma wrote:
>
> Hello!
>
> I'm curious as to what determines the password scheme used by OpenSMTPD on a
> Linux system (CentOS 7 in my case). When setting up the system I ended up
> with using SHA512, because it seems to be what works both in OpenSMTPD and
> Dovecot, but would really like to use Blowfish instead. Dovecot seems to work
> with it, but is there any way I can make OpenSMTPD also agree with it?
>
> Thanks,
> Reio
>
> --
> You received this mail because you are subscribed to misc@opensmtpd.org
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: OpenSMTPD password encryption scheme.
I'm already using a shared SQL user database between Dovecot and OpenSMTPD, so all is fine in that sense. :)

I now actually recall running into the same issue when I was setting the system up - I ended up using smtpctl encrypt to generate the shared passwords. Alas, no way to provide rounds to smtpctl encrypt. :)

On 18.09.2018 20:49, Andreas Broecking wrote:
> Hey,
>
> I struggled with this issue as well on FreeBSD. This worked for me after a lot of tracing.
>
> 1. Create your PW hash with doveadm:
>
>    echo `doveadm pw -s BLF-CRYPT` | cut -d'}' -f2
>
>    This will cut the {BLF-CRYPT}… header created by doveadm. OpenSMTPD uses crypt() to figure out the hash type and should roll with it.
>
> 2. Tell Dovecot that your password hashes are BLF-CRYPT so it recognises them without the {BLF-CRYPT} header:
>
>    passdb {
>      driver = passwd-file
>      args = scheme=blf-crypt /usr/local/etc/mail/passwd
>    }
>
> This way you can use the same passwd table both for OpenSMTPD and Dovecot.
>
> HTH
> Andreas
>
>> On 18. Sep 2018, at 09:06, Reio Remma wrote:
>>
>> Hello!
>>
>> I'm curious as to what determines the password scheme used by OpenSMTPD on a
>> Linux system (CentOS 7 in my case). When setting up the system I ended up
>> with using SHA512, because it seems to be what works both in OpenSMTPD and
>> Dovecot, but would really like to use Blowfish instead. Dovecot seems to work
>> with it, but is there any way I can make OpenSMTPD also agree with it?
>>
>> Thanks,
>> Reio
Re: OpenSMTPD password encryption scheme.
On 18.09.2018 19:33, Gilles Chehade wrote:
> that's an easy one:
>
> OpenSMTPD uses the crypt() function provided by your system and does not care about the password scheme used as this is a system-specific detail.
>
> On modern systems the crypt() function encodes the algorithm, rounds and salt as a prefix to the encrypted password, as shown below:
>
>   $2b$09$fEv/zNZ/5hELpDH3Vq93AuygRLnySIcNXH78rq9WxPPbZJxmcdk5m
>    |  |  ||
>    |  |  ||__ encrypted password
>    |  |  |__ beginning of salt
>    |  |__ beginning of rounds
>    |__ beginning of cipher
>
> But this encoding is only valid for my operating system, yours will have a different one and the only thing you need to care about is if the password was generated using the same crypt() function that will be used to validate it.
>
> I suggest you read the crypt(3) and passwd(1) man pages of your system.

Progress! I got it working with rounds=50.

There was one issue initially - Dovecot generates passwords with {SHA512-CRYPT} prepended to the string and OpenSMTPD closes the whole smtpd process when it encounters such a password. Removing the {SHA512-CRYPT} string from the hash helped make it all work.
Re: OpenSMTPD password encryption scheme.
On 18.09.2018 19:33, Gilles Chehade wrote:
> On Tue, Sep 18, 2018 at 10:06:49AM +0300, Reio Remma wrote:
>> Hello!
>>
>> I'm curious as to what determines the password scheme used by OpenSMTPD on a
>> Linux system (CentOS 7 in my case).
>
> that's an easy one:
>
> OpenSMTPD uses the crypt() function provided by your system and does not care about the password scheme used as this is a system-specific detail.
>
> On modern systems the crypt() function encodes the algorithm, rounds and salt as a prefix to the encrypted password, as shown below:
>
>   $2b$09$fEv/zNZ/5hELpDH3Vq93AuygRLnySIcNXH78rq9WxPPbZJxmcdk5m
>    |  |  ||
>    |  |  ||__ encrypted password
>    |  |  |__ beginning of salt
>    |  |__ beginning of rounds
>    |__ beginning of cipher
>
> But this encoding is only valid for my operating system, yours will have a different one and the only thing you need to care about is if the password was generated using the same crypt() function that will be used to validate it.
>
> I suggest you read the crypt(3) and passwd(1) man pages of your system.

Thanks for your reply. :)

I was just reading up whilst my son was in his football practice and I'm about to see if I can add a few hundred thousand more rounds to the SHA512 that CentOS is using.

Thanks,
Reio
Re: OpenSMTPD password encryption scheme.
On Tue, Sep 18, 2018 at 06:33:33PM +0200, Gilles Chehade wrote:
>
> [...]
>
>   $2b$09$fEv/zNZ/5hELpDH3Vq93AuygRLnySIcNXH78rq9WxPPbZJxmcdk5m
>    |  |  ||
>    |  |  ||__ encrypted password
>    |  |  |__ beginning of salt
>    |  |__ beginning of rounds
>    |__ beginning of cipher
>
> [...]

this only reads ok with a fixed-font MUA ... you get the idea though

--
Gilles Chehade
https://www.poolp.org @poolpOrg
Re: OpenSMTPD password encryption scheme.
On Tue, Sep 18, 2018 at 10:06:49AM +0300, Reio Remma wrote:
> Hello!
>
> I'm curious as to what determines the password scheme used by OpenSMTPD on a
> Linux system (CentOS 7 in my case). When setting up the system I ended up
> with using SHA512, because it seems to be what works both in OpenSMTPD and
> Dovecot, but would really like to use Blowfish instead. Dovecot seems to
> work with it, but is there any way I can make OpenSMTPD also agree with it?
>
> Thanks,
> Reio
>

that's an easy one:

OpenSMTPD uses the crypt() function provided by your system and does not care about the password scheme used as this is a system-specific detail.

On modern systems the crypt() function encodes the algorithm, rounds and salt as a prefix to the encrypted password, as shown below:

  $2b$09$fEv/zNZ/5hELpDH3Vq93AuygRLnySIcNXH78rq9WxPPbZJxmcdk5m
   |  |  ||
   |  |  ||__ encrypted password
   |  |  |__ beginning of salt
   |  |__ beginning of rounds
   |__ beginning of cipher

But this encoding is only valid for my operating system, yours will have a different one and the only thing you need to care about is if the password was generated using the same crypt() function that will be used to validate it.

I suggest you read the crypt(3) and passwd(1) man pages of your system.

--
Gilles Chehade
https://www.poolp.org @poolpOrg
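The crypt(3) layout Gilles draws above, together with the {SCHEME} prefix problem Andreas works around with cut -d'}' -f2 and Reio reports crashing smtpd, as an added Python example. This is not code from the thread, from OpenSMTPD or from Dovecot; the function names, the CryptHash record and the sha512-crypt sample in the test are my own, constructed for illustration. It decomposes a bcrypt ($2a$/$2b$/$2y$) or sha-crypt ($5$/$6$) string into cipher, rounds, salt and digest, strips a Dovecot {SCHEME} prefix if present, and refuses anything that is not a crypt hash (a plaintext password, a truncated digest) before it reaches the shared table.

```python
"""Parse and normalise crypt(3) hashes shared between Dovecot and OpenSMTPD.

Added example (not from the thread). Names and the sample values are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Dovecot prefixes the hashes it generates with the scheme name in braces: {BLF-CRYPT}$2b$...
DOVECOT_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9.-]+)\}")

# bcrypt: identifier, two-digit log2 cost, 22-char salt, 31-char digest (bcrypt base64 alphabet)
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# sha256-crypt ($5$) and sha512-crypt ($6$): optional rounds=N$, salt of up to 16 chars, digest
SHACRYPT_RE = re.compile(r"^\$([56])\$(?:rounds=(\d+)\$)?([./A-Za-z0-9]{1,16})\$([./A-Za-z0-9]+)$")
SHACRYPT_DIGEST_LEN = {"5": 43, "6": 86}
SHACRYPT_DEFAULT_ROUNDS = 5000                # used when no rounds= parameter is present
SHACRYPT_ROUNDS_MIN, SHACRYPT_ROUNDS_MAX = 1000, 999_999_999   # sha-crypt clamps to this range

CIPHER_NAMES = {"2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
                "5": "sha256-crypt", "6": "sha512-crypt"}


@dataclass(frozen=True)
class CryptHash:
    cipher_id: str                 # identifier between the first two '$', e.g. "2b" or "6"
    cipher: str                    # algorithm name
    rounds: int                    # effective iteration count (bcrypt: 2 ** cost)
    salt: str
    digest: str
    dovecot_scheme: Optional[str]  # {SCHEME} prefix that was stripped, or None


def strip_dovecot_scheme(value: str) -> Tuple[Optional[str], str]:
    """Split off an optional Dovecot {SCHEME} prefix (same effect as cut -d'}' -f2)."""
    m = DOVECOT_SCHEME_RE.match(value)
    if m:
        return m.group(1).upper(), value[m.end():]
    return None, value


def parse_crypt_hash(value: str) -> CryptHash:
    """Decompose a crypt(3) string; raise ValueError if it is not a recognised hash."""
    scheme, body = strip_dovecot_scheme(value.strip())

    m = BCRYPT_RE.match(body)
    if m:
        ident, cost, salt, digest = m.groups()
        cost = int(cost)
        if not 4 <= cost <= 31:
            raise ValueError(f"bcrypt cost {cost:02d} outside 04..31")
        return CryptHash(ident, "bcrypt", 2 ** cost, salt, digest, scheme)

    m = SHACRYPT_RE.match(body)
    if m:
        ident, rounds, salt, digest = m.groups()
        if len(digest) != SHACRYPT_DIGEST_LEN[ident]:
            raise ValueError(f"{CIPHER_NAMES[ident]} digest must be "
                             f"{SHACRYPT_DIGEST_LEN[ident]} chars, got {len(digest)}")
        rounds = int(rounds) if rounds is not None else SHACRYPT_DEFAULT_ROUNDS
        rounds = min(max(rounds, SHACRYPT_ROUNDS_MIN), SHACRYPT_ROUNDS_MAX)
        return CryptHash(ident, CIPHER_NAMES[ident], rounds, salt, digest, scheme)

    raise ValueError("not a recognised bcrypt or sha-crypt string")


def hash_for_opensmtpd(value: str) -> str:
    """Return the bare crypt string for the OpenSMTPD table: validated, {SCHEME} prefix removed."""
    parse_crypt_hash(value)                     # raises on plaintext or malformed input
    return strip_dovecot_scheme(value.strip())[1]


if __name__ == "__main__":
    # The bcrypt string from the diagram in the thread, as doveadm would print it with its prefix.
    sample = "{BLF-CRYPT}$2b$09$fEv/zNZ/5hELpDH3Vq93AuygRLnySIcNXH78rq9WxPPbZJxmcdk5m"
    print(parse_crypt_hash(sample))
    print(hash_for_opensmtpd(sample))
```

Run on the $2b$09$ string from the thread it reports bcrypt with 2**9 = 512 rounds, the 22-character salt fEv/zNZ/5hELpDH3Vq93Au and the 31-character digest that follows, which is the boundary the fixed-font diagram only approximates. A rounds= value below 1000 is reported as 1000 because sha-crypt implementations clamp it there, which is worth knowing when judging how much work a given table entry actually costs an attacker.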
OpenSMTPD password encryption scheme.
Hello!

I'm curious as to what determines the password scheme used by OpenSMTPD on a Linux system (CentOS 7 in my case). When setting up the system I ended up with using SHA512, because it seems to be what works both in OpenSMTPD and Dovecot, but would really like to use Blowfish instead. Dovecot seems to work with it, but is there any way I can make OpenSMTPD also agree with it?

Thanks,
Reio
Re: Password encryption
On Sun, 6 Aug 2017 14:32:16 +0200
> The next question would be ...why does it work for other ppl?

I use system accounts and some scripts but if you need a database then I can't help. It's not actually that difficult once you work it out to sync system pwd.db files actually and you get the OpenBSD login system too. Not that I have done this but I did used to create small pwd.db files inside web chroots. I've removed the need to now though.
Password encryption
Hi there again,

I really don't get it ... the documentation tells me that both tools, smtpctl and doveadm, generate a bcrypt hash that should be usable for both applications to use as auth parameter but reality on my setup is different, I can:

- have a clearPassword and I can auth with Dovecot but not with OpenSMTPD
- I can have a doveadm pw -s BLF-CRYPT password and can auth Dovecot but not with OpenSMTPD
- I can have a smtpctl encrypt password and can auth with OpenSMTPD but not with Dovecot

I have these kind of strings stored in my userPassword attribute in LDAP and I tell Dovecot in ldap conf to use default schema blf-crypt.

What totally confuses me is the fact when and how Dovecot is going to decide to generate a hash for the password that comes in as a cleartext password anyway? Or is the assumption just wrong that a hash is interchangeable between Dovecot and OpenSMTPD?

The next question would be ...why does it work for other ppl?

Totally lost here :(

Regards

--
Markus Rosjat
fon: +49 351 8107223
mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden
http://www.ghweb.de
fon: +49 351 8107220
fax: +49 351 8107227

Please check whether this mail really needs to be printed!
Before you print it, think about your responsibility and commitment to the ENVIRONMENT