Re: Percent character in mail_crypt_private_password not possible

2019-07-04 Thread mabi via dovecot
‐‐‐ Original Message ‐‐‐
On Thursday, July 4, 2019 3:10 PM, Aki Tuomi  wrote:

> > I am also not sure about the sha512 hash because the Dovecot Variable wiki page 
> > does not mention sha512 but only sha256. Is sha512 also available?
>
> Yes

Thank you Aki for confirming. I tried it out and it works but I needed to use 
"%{sha512:password}" instead of "%{sha512:w}". That's a nice feature of Dovecot!

Now all I still need to do is to change the password of my user's crypto 
keypair to the SHA512 hash of their login password and that's it.
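As an added worked example (not code from the thread, Dovecot or doveadm), the following Python shows the two passphrase derivations the thread discusses side by side: the plain SHA-512 digest that the `%{sha512:password}` variable yields (assumption: lowercase hex, 128 characters, as the 128-character figure in the thread implies), and a salted, iterated PBKDF2-HMAC-SHA512 derivation for Aki's "hash / pkcs5" recommendation, computed here only for comparison. It also includes the `%%` escaping for values passed through `-o plugin/mail_crypt_private_password=` from the original question, and shows why a hex digest sidesteps that bug (no `%` can appear in it). The iteration count, salt and user address are constructed placeholders.

```python
import hashlib

# Constructed values for the demonstration; a real deployment picks its own.
PBKDF2_ITERATIONS = 600_000   # work factor for the PKCS #5 (PBKDF2) variant
DERIVED_LEN = 64              # bytes of key material, i.e. 128 hex characters like SHA-512


def sha512_passphrase(password: str) -> str:
    """Plain SHA-512 of the login password, hex-encoded.

    Assumption: this is what Dovecot's %{sha512:password} variable expands to
    (lowercase hex, 128 characters, as the thread observes).
    """
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def pbkdf2_passphrase(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA512 (PKCS #5 v2) of the login password with a per-user salt.

    This is the 'hash / pkcs5' route Aki recommends, shown here for comparison
    with the plain digest: because it is salted and iterated, equal passwords on
    two accounts give different passphrases and offline guessing is slower.
    """
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=DERIVED_LEN)
    return dk.hex()


def escape_for_dovecot_setting(value: str) -> str:
    """Double every '%' so Dovecot's setting expansion treats it literally.

    This is the %% workaround from the thread for values passed with
    '-o plugin/mail_crypt_private_password=...'. A hex digest contains no '%',
    so a hashed passphrase never needs it, but escaping is harmless either way.
    """
    return value.replace("%", "%%")


def doveadm_generate_argv(user: str, passphrase: str) -> list:
    """argv for 'doveadm mailbox cryptokey generate' with the passphrase given via -o."""
    setting = "plugin/mail_crypt_private_password=" + escape_for_dovecot_setting(passphrase)
    return ["doveadm", "-o", setting, "mailbox", "cryptokey", "generate", "-u", user, "-URf"]


if __name__ == "__main__":
    # Constructed sample input, echoing the thread's example value.
    login_password = "SomethingWith%Percent"
    user = "user@example.invalid"   # placeholder address

    print("raw value, escaped:", escape_for_dovecot_setting(login_password))
    print("sha512 passphrase: ", sha512_passphrase(login_password))
    print("pbkdf2 passphrase: ", pbkdf2_passphrase(login_password, salt=b"per-user-salt-example"))
    print(" ".join(doveadm_generate_argv(user, sha512_passphrase(login_password))))
```

The sha512 route is what the thread settles on via `password_query`; the unsalted digest is deterministic per password, so two accounts sharing a password share a key passphrase, which is the gap the PBKDF2 variant closes at the cost of computing it outside the `%{...}` expansion.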




Re: Percent character in mail_crypt_private_password not possible

2019-07-04 Thread Aki Tuomi via dovecot


On 4.7.2019 16.05, mabi via dovecot wrote:
> ‐‐‐ Original Message ‐‐‐
> On Thursday, July 4, 2019 11:18 AM, Aki Tuomi via dovecot 
>  wrote:
>
>> It depends. You can use either one, see https://wiki2.dovecot.org/Variables
>>
>> I think the safest option would be to set up LDAP so that the private
>> password would be only readable by self, and have dovecot use bind
>> authentication. This way you can export it only when you successfully
>> log in to LDAP.
> Good point regarding LDAP but right now I am using PostgreSQL as backend for 
> storing my accounts and use the following "password_query" parameter:
>
> password_query = SELECT username AS user, password, '%w' AS 
> userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u'
>
> So based on the Dovecot Variables wiki documentation you mention I could 
> adapt my "password_query" parameter to the following in order to use a SHA512 
> hash of the password:
>
> password_query = SELECT username AS user, password, '%{sha512:w}' AS 
> userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u'
>
> is this correct?
>
> I am also not sure about the sha512 hash because the Dovecot Variable wiki page 
> does not mention sha512 but only sha256. Is sha512 also available?
>
Yes

Aki



Re: Percent character in mail_crypt_private_password not possible

2019-07-04 Thread mabi via dovecot
‐‐‐ Original Message ‐‐‐
On Thursday, July 4, 2019 11:18 AM, Aki Tuomi via dovecot  
wrote:

> It depends. You can use either one, see https://wiki2.dovecot.org/Variables
>
> I think the safest option would be to set up LDAP so that the private
> password would be only readable by self, and have dovecot use bind
> authentication. This way you can export it only when you successfully
> log in to LDAP.

Good point regarding LDAP but right now I am using PostgreSQL as backend for 
storing my accounts and use the following "password_query" parameter:

password_query = SELECT username AS user, password, '%w' AS 
userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u'

So based on the Dovecot Variables wiki documentation you mention I could adapt 
my "password_query" parameter to the following in order to use a SHA512 hash of 
the password:

password_query = SELECT username AS user, password, '%{sha512:w}' AS 
userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u'

is this correct?

I am also not sure about the sha512 hash because the Dovecot Variable wiki page 
does not mention sha512 but only sha256. Is sha512 also available?







Re: Percent character in mail_crypt_private_password not possible

2019-07-04 Thread Aki Tuomi via dovecot


On 2.7.2019 23.27, mabi wrote:
> ‐‐‐ Original Message ‐‐‐
> On Tuesday, July 2, 2019 6:32 PM, Aki Tuomi via dovecot  
> wrote:
>
>> I don't actually recommend using password directly from user as password for 
>> private keys, I recommend running them thru some hash / pkcs5 before that.
> That's a great idea and makes things even safer. I don't know much about 
> PKCS5 but would SHA512 also be safe enough for hashing the password?
>
> SHA512 would then generate a 128-character hash which I would then pass to 
> the parameter "-o plugin/mail_crypt_private_password=" of my "doveadm mailbox 
> cryptokey generate ..." command.
>

It depends. You can use either one, see https://wiki2.dovecot.org/Variables

I think the safest option would be to set up LDAP so that the private
password would be only readable by self, and have dovecot use bind
authentication. This way you can export it only when you successfully
log in to LDAP.

Aki




Re: Percent character in mail_crypt_private_password not possible

2019-07-03 Thread Aki Tuomi via dovecot


> ‐‐‐ Original Message ‐‐‐
> On Tuesday, July 2, 2019 6:21 PM, Aki Tuomi  
> wrote:
> 
> > Hi, you need to escape % with %%. We are aware of a bug affecting when % 
> > comes in from some field via userdb, and we are looking into how to fix 
> > this.
> 
> Aki, I was wondering, does this bug also affect the changing of a cryptokey 
> password using this command:
> 
> $ doveadm mailbox cryptokey password -u em...@domain.tld -n NEW%PASSWORD -o 
> OLD%PASSWORD
> 
> Do I also need to double the '%' char in the -n (new password) and -o 
> (old password) parameters?

Not needed here, no.

Aki


Re: Percent character in mail_crypt_private_password not possible

2019-07-03 Thread mabi via dovecot
‐‐‐ Original Message ‐‐‐
On Tuesday, July 2, 2019 6:21 PM, Aki Tuomi  wrote:

> Hi, you need to escape % with %%. We are aware of a bug affecting when % 
> comes in from some field via userdb, and we are looking into how to fix this.

Aki, I was wondering, does this bug also affect the changing of a cryptokey 
password using this command:

$ doveadm mailbox cryptokey password -u em...@domain.tld -n NEW%PASSWORD -o 
OLD%PASSWORD

Do I also need to double the '%' char in the -n (new password) and -o (old 
password) parameters?



Re: Percent character in mail_crypt_private_password not possible

2019-07-02 Thread mabi via dovecot
‐‐‐ Original Message ‐‐‐
On Tuesday, July 2, 2019 6:32 PM, Aki Tuomi via dovecot  
wrote:

> I don't actually recommend using password directly from user as password for 
> private keys, I recommend running them thru some hash / pkcs5 before that.

That's a great idea and makes things even safer. I don't know much about PKCS5 
but would SHA512 also be safe enough for hashing the password?

SHA512 would then generate a 128-character hash which I would then pass to the 
parameter "-o plugin/mail_crypt_private_password=" of my "doveadm mailbox 
cryptokey generate ..." command.



Re: Percent character in mail_crypt_private_password not possible

2019-07-02 Thread Aki Tuomi via dovecot


> ‐‐‐ Original Message ‐‐‐
> On Tuesday, July 2, 2019 6:21 PM, Aki Tuomi  
> wrote:
> 
> > Hi, you need to escape % with %%. We are aware of a bug affecting when % 
> > comes in from some field via userdb, and we are looking into how to fix 
> > this.
> 
> Hi Aki,
> 
> Thank you very much for your very fast answer. I will then simply double the 
> percent character as workaround for now as you suggest.

butterfingers me, sending empty replies..

I don't actually recommend using password *directly* from user as password for 
private keys, I recommend running them thru some hash / pkcs5 before that.

Aki


Re: Percent character in mail_crypt_private_password not possible

2019-07-02 Thread Aki Tuomi via dovecot


> ‐‐‐ Original Message ‐‐‐
> On Tuesday, July 2, 2019 6:21 PM, Aki Tuomi  
> wrote:
> 
> > Hi, you need to escape % with %%. We are aware of a bug affecting when % 
> > comes in from some field via userdb, and we are looking into how to fix 
> > this.
> 
> Hi Aki,
> 
> Thank you very much for your very fast answer. I will then simply double the 
> percent character as workaround for now as you suggest.


Re: Percent character in mail_crypt_private_password not possible

2019-07-02 Thread mabi via dovecot


‐‐‐ Original Message ‐‐‐
On Tuesday, July 2, 2019 6:21 PM, Aki Tuomi  wrote:

> Hi, you need to escape % with %%. We are aware of a bug affecting when % 
> comes in from some field via userdb, and we are looking into how to fix this.

Hi Aki,

Thank you very much for your very fast answer. I will then simply double the 
percent character as workaround for now as you suggest.




Re: Percent character in mail_crypt_private_password not possible

2019-07-02 Thread Aki Tuomi via dovecot


> Hello,
> 
> I am using the mail_crypt plugin with Dovecot 2.3 and have issues trying to 
> use a mail crypt private password which contains a percent "%" character as 
> you can see below:
> 
> $ doveadm -o plugin/mail_crypt_private_password=SomethingWith\%Percent 
> mailbox cryptokey generate -u em...@domain.tld -URf
> 
> doveadm(em...@domain.tld): Error: Failed to expand plugin setting 
> mail_crypt_private_password = 'SomethingWith%Percent': Unknown variable '%P'
> 
> Note here that the percent is escaped with a backslash "\%" in order for the 
> shell not to process it.
> 
> Regards,
> Mabi

Hi, you need to escape % with %%. We are aware of a bug affecting when % comes 
in from some field via userdb, and we are looking into how to fix this.

Aki