On 30-01-14 17:44, KT Walrus wrote:

> One other point to bolster my argument…  I really want to store only
> one password hash per user and be able to have all my software
> authenticate using that single (strong and compute intensive) hash.
> For my site, PHP creates the user accounts and PHP, Dovecot, and
> DBMail all need to be able to authenticate.  PHP supports both mhash
> that DBMail uses and (imho better) crypt style salted passwords that
> Dovecot and PHP can use.  So, it looks like I’m okay with being able
> to mkpasswords in PHP and store these separate hashes in two places
> (and update them in two places when the user changes their
> password).
> 
> From a security point of view, the DBMail db is probably a good place
> to store a single hash that all my apps could authenticate against.
> So, I’m arguing for a single password type that all my apps can
> retrieve from the DBMail db for user authentication.

If you worry about security do *not* allow any apps other than DBMail to
access the dbmail_users table. If you think you must, think again. You
could provide external authentication by using imap or pop3 authentication.

Of course, a single place to store passwords for users makes perfect
sense. But there are best-practice solutions for that. Such as OpenLDAP.
Which DBMail supports just fine.


-- 
________________________________________________________________
Paul J Stevens       pjstevns @ gmail, twitter, github, linkedin

  * Premium Hosting Services and Web Application Consultancy *

           www.nfg.nl/[email protected]/+31.85.877.99.97
________________________________________________________________
_______________________________________________
DBmail mailing list
[email protected]
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail
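The "authenticate through imap" route Paul suggests, as an added example rather than anything from this thread or from DBMail itself: an application checks a user's credentials by issuing an IMAP LOGIN to the mail server and never touches dbmail_users. The in-process fake server and its credentials are constructed here so the example runs offline; against a real DBMail instance you would connect with imaplib.IMAP4_SSL to your own hostname.

```python
import imaplib
import socket
import threading
# Constructed credentials for the fake server; in a real deployment nothing
# outside DBMail ever reads the hashes in dbmail_users.
FAKE_USERS = {"alice@example.com": "correct horse battery staple"}

def authenticate_via_imap(connect, username, password):
    """Return 'ok', 'bad-credentials' or 'unavailable'. `connect` returns a
    fresh imaplib.IMAP4 client; in production use imaplib.IMAP4_SSL, because
    LOGIN carries the password in clear."""
    try:
        client = connect()
    except (OSError, imaplib.IMAP4.error):
        return "unavailable"       # fail closed: never fall back to the DB
    try:
        client.login(username, password)
        return "ok"
    except imaplib.IMAP4.error:    # server answered NO to LOGIN
        return "bad-credentials"
    finally:
        try:
            client.logout()
        except (OSError, imaplib.IMAP4.error):
            pass

def _fake_dbmail_imap(listener):
    """Constructed stand-in for DBMail's IMAP listener, not DBMail's code."""
    conn, _ = listener.accept()
    conn.sendall(b"* OK fake DBMail IMAP ready\r\n")
    for raw in conn.makefile("rb"):
        tag, cmd, *rest = raw.decode().rstrip("\r\n").split(" ", 2)
        if cmd == "CAPABILITY":
            conn.sendall(f"* CAPABILITY IMAP4rev1\r\n{tag} OK done\r\n".encode())
        elif cmd == "LOGIN":
            user, _, quoted = rest[0].partition(" ")
            # undo imaplib's quoting of the password: \" -> " and \\ -> \
            pw = quoted[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            verdict = "OK" if FAKE_USERS.get(user) == pw else "NO"
            conn.sendall(f"{tag} {verdict} LOGIN\r\n".encode())
        else:  # LOGOUT, the only other command imaplib sends here
            conn.sendall(f"* BYE bye\r\n{tag} OK done\r\n".encode())
            break
    conn.close()

def check_offline(username, password):
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=_fake_dbmail_imap, args=(listener,), daemon=True).start()
    result = authenticate_via_imap(lambda: imaplib.IMAP4(*listener.getsockname()),
                                   username, password)
    listener.close()
    return result
```

The three-way result matters: an unreachable mail server must be reported as such and not treated as a failed password, and never worked around by reading the hash table directly.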