Hello again,
while reviewing my Postfixadmin configuration, I noticed that I did not use
ssha512 as the password scheme for Dovecot. Instead I used:
[/etc/postfixadmin/config.inc.php]
$CONF['encrypt'] = 'dovecot:SHA512-CRYPT';
This (SHA512-CRYPT) is the 2nd strongest scheme supported by Dovecot. The
strongest is BLF-CRYPT.
This is not the same scheme ... my fault.
I suppose SOGo 2.1.1.a doesn't support them?
1.) I think I have to choose another password scheme for now. Right?
While the salt in ssha512 is good against rainbow-table based password attacks, the -CRYPT variants additionally improve the strength against brute-force and dictionary attacks by slowing the hashing down.
According to Vidar's blog post "Implementation of SHA512-crypt vs MD5-crypt" (http://www.vidarholen.net/contents/blog/?p=33), the -CRYPT variants maybe even need additional parameters for the number of rounds.
###############################################
Like md5-crypt, it can be divided into three phases: initialization, loop, and finalization.
1. Generate a simple sha512 hash based on the salt and password.
2. Loop 5000 times, calculating a new sha512 hash based on the previous hash concatenated with alternatingly the hash of the password and the salt. Additionally, sha512-crypt allows you to specify a custom number of rounds, from 1000 to 999999999.
3. Use a special base64 encoding on the final hash to create the password hash string.
###############################################
I suggest that SOGo implements them like Postfixadmin does: Postfixadmin invokes Dovecot's password utility "/usr/bin/doveadm pw" and calls the schemes, e.g. 'dovecot:SHA512-CRYPT':
[/etc/postfixadmin/config.inc.php]
// If you use the dovecot encryption method: where is the dovecotpw binary located?
$CONF['dovecotpw'] = "/usr/bin/doveadm pw";
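As an added illustration, not code from this mail nor from SOGo, Postfixadmin or Dovecot, here is a pure-Python implementation of the three phases quoted from Vidar's post (initialization, rounds loop, custom base64 finalization), following the SHA-crypt specification that glibc's crypt(3) and Dovecot's SHA512-CRYPT scheme implement. It also shows the optional rounds= parameter and a verify_dovecot() helper for the "{SHA512-CRYPT}$6$..." form that "doveadm pw -s SHA512-CRYPT" prints and Postfixadmin stores; that helper, the function names and the constructed inputs are my assumptions, not anything from the original post.

```python
import hashlib
import hmac
import re
import secrets

# Alphabet used by crypt(3)-style hashes (note: not the RFC 4648 base64 ordering).
B64_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000                 # used when no rounds= parameter is given
MIN_ROUNDS, MAX_ROUNDS = 1000, 999_999_999
SALT_MAX = 16                         # crypt(3) truncates longer salts


def _offsets():
    """Order in which the 64 digest bytes are emitted: groups (k, k+21, k+42), rotated by k mod 3."""
    out = []
    for k in range(21):
        trip = (k, k + 21, k + 42)
        r = k % 3
        out.append(trip[r:] + trip[:r])
    return out


_SHA512_OFFSETS = _offsets()


def _b64_from_24bit(b2, b1, b0, n):
    """Pack three bytes into 24 bits and emit n characters, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    chars = []
    for _ in range(n):
        chars.append(B64_ALPHABET[w & 0x3F])
        w >>= 6
    return "".join(chars)


def _encode_digest(d):
    text = "".join(_b64_from_24bit(d[a], d[b], d[c], 4) for a, b, c in _SHA512_OFFSETS)
    return text + _b64_from_24bit(0, 0, d[63], 2)      # 21 * 4 + 2 = 86 characters


def _repeat_to_length(block, n):
    """Repeat a 64-byte digest and cut it to n bytes (the P and S byte sequences)."""
    return (block * (n // 64 + 1))[:n]


def sha512_crypt(password: bytes, salt: bytes, rounds=None) -> str:
    """Return a $6$ hash as crypt(3)/doveadm would; rounds=N is emitted only when requested."""
    custom = rounds is not None
    r = DEFAULT_ROUNDS if rounds is None else max(MIN_ROUNDS, min(MAX_ROUNDS, rounds))
    salt = salt[:SALT_MAX]
    plen = len(password)

    # Initialization: digest B (password, salt, password) is mixed into digest A.
    b = hashlib.sha512(password + salt + password).digest()
    a = hashlib.sha512(password + salt)
    a.update(_repeat_to_length(b, plen))
    n = plen
    while n:                          # one step per bit of the password length
        a.update(b if n & 1 else password)
        n >>= 1
    prev = a.digest()

    # P and S are password- and salt-derived byte strings consumed inside the loop.
    p = _repeat_to_length(hashlib.sha512(password * plen).digest(), plen)
    s = _repeat_to_length(hashlib.sha512(salt * (16 + prev[0])).digest(), len(salt))

    # Loop: every round rehashes the previous digest with P and S in an alternating pattern.
    # The rounds count is what makes each guess cost real CPU time.
    for i in range(r):
        h = hashlib.sha512(p if i & 1 else prev)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(prev if i & 1 else p)
        prev = h.digest()

    # Finalization: crypt(3) setting prefix plus the permuted custom-base64 digest.
    prefix = "$6$" + (f"rounds={r}$" if custom else "")
    return prefix + salt.decode("ascii") + "$" + _encode_digest(prev)


_HASH_RE = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{0,16})\$([./0-9A-Za-z]{86})$")
_SCHEME_RE = re.compile(r"^\{([A-Z0-9-]+)\}(.*)$")   # Dovecot's {SCHEME}hash form (assumed)


def new_salt(length=16) -> bytes:
    """Random salt from the crypt alphabet; 16 characters is the maximum crypt(3) uses."""
    return "".join(secrets.choice(B64_ALPHABET) for _ in range(length)).encode()


def verify(password: bytes, hashed: str) -> bool:
    """Check a password against a $6$ hash; salt and rounds are read from the hash itself."""
    m = _HASH_RE.match(hashed)
    if not m:
        return False
    rounds = int(m.group(1)) if m.group(1) else None
    candidate = sha512_crypt(password, m.group(2).encode(), rounds)
    return hmac.compare_digest(candidate, hashed)     # constant-time comparison


def verify_dovecot(password: bytes, stored: str) -> bool:
    """Accept the '{SHA512-CRYPT}$6$...' string that 'doveadm pw -s SHA512-CRYPT' prints."""
    m = _SCHEME_RE.match(stored)
    if not m or m.group(1) != "SHA512-CRYPT":
        return False
    return verify(password, m.group(2))
```

A stored value from Postfixadmin's dovecot:SHA512-CRYPT scheme therefore carries everything a verifier needs: the scheme tag, the rounds (if a non-default value was chosen, e.g. with "doveadm pw -r"), the salt and the digest; raising the rounds later only affects newly hashed passwords, since existing hashes keep the rounds they were created with.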
2.) Any opinions?
Kind regards
T. B.
--
https://inverse.ca/sogo/lists