Re: OpenSMTPD password encryption scheme.
Hey,

I struggled with this issue as well on FreeBSD. This worked for me after a lot of tracing.

1. Create your PW hash with doveadm:

   echo `doveadm pw -s BLF-CRYPT` | cut -d'}' -f2

   This will cut the {BLF-CRYPT}… header created by doveadm. OpenSMTPD uses crypt() to figure out the hash type and should roll with it.

2. Tell Dovecot that your password hashes are BLF-CRYPT so it recognises them without the {BLF-CRYPT} header:

   passdb {
     driver = passwd-file
     args = scheme=blf-crypt /usr/local/etc/mail/passwd
   }

This way you can use the same passwd table both for OpenSMTPD and Dovecot.

HTH
Andreas

> On 18. Sep 2018, at 09:06, Reio Remma wrote:
>
> Hello!
>
> I'm curious as to what determines the password scheme used by OpenSMTPD on a
> Linux system (CentOS 7 in my case). When setting up the system I ended up
> with using SHA512, because it seems to be what works both in OpenSMTPD and
> Dovecot, but would really like to use Blowfish instead. Dovecot seems to work
> with it, but is there any way I can make OpenSMTPD also agree with it?
>
> Thanks,
> Reio

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: OpenSMTPD password encryption scheme.
I'm already using a shared SQL user database between Dovecot and OpenSMTPD, so all is fine in that sense. :)

I now actually recall running into the same issue when I was setting the system up - I ended up using smtpctl encrypt to generate the shared passwords. Alas, no way to provide rounds to smtpctl encrypt. :)

On 18.09.2018 20:49, Andreas Broecking wrote:
> Hey,
>
> I struggled with this issue as well on FreeBSD. This worked for me after a lot of tracing.
>
> 1. Create your PW hash with doveadm:
>
>    echo `doveadm pw -s BLF-CRYPT` | cut -d'}' -f2
>
>    This will cut the {BLF-CRYPT}… header created by doveadm. OpenSMTPD uses crypt() to figure out the hash type and should roll with it.
>
> 2. Tell Dovecot that your password hashes are BLF-CRYPT so it recognises them without the {BLF-CRYPT} header:
>
>    passdb {
>      driver = passwd-file
>      args = scheme=blf-crypt /usr/local/etc/mail/passwd
>    }
>
> This way you can use the same passwd table both for OpenSMTPD and Dovecot.
>
> HTH
> Andreas
>
>> On 18. Sep 2018, at 09:06, Reio Remma wrote:
>>
>> Hello!
>>
>> I'm curious as to what determines the password scheme used by OpenSMTPD on a
>> Linux system (CentOS 7 in my case). When setting up the system I ended up
>> with using SHA512, because it seems to be what works both in OpenSMTPD and
>> Dovecot, but would really like to use Blowfish instead. Dovecot seems to work
>> with it, but is there any way I can make OpenSMTPD also agree with it?
>>
>> Thanks,
>> Reio
Re: OpenSMTPD password encryption scheme.
On 18.09.2018 19:33, Gilles Chehade wrote:
> that's an easy one:
>
> OpenSMTPD uses the crypt() function provided by your system and does not
> care about the password scheme used as this is a system-specific detail.
>
> On modern systems the crypt() function encodes the algorithm, rounds and
> salt as a prefix to the encrypted password, as shown below:
>
> $2b$09$fEv/zNZ/5hELpDH3Vq93AuygRLnySIcNXH78rq9WxPPbZJxmcdk5m
>  |  |  |                      |
>  |  |  |                      |__ encrypted password
>  |  |  |__ beginning of salt
>  |  |__ beginning of rounds
>  |__ beginning of cipher
>
> But this encoding is only valid for my operating system, yours will have
> a different one and the only thing you need to care about is if the password
> was generated using the same crypt() function that will be used to validate it.
>
> I suggest you read the crypt(3) and passwd(1) man pages of your system.

Progress! I got it working with rounds=50.

There was one issue initially - Dovecot generates passwords with {SHA512-CRYPT} prepended to the string and OpenSMTPD closes the whole smtpd process when it encounters such a password. Removing the {SHA512-CRYPT} string from the hash helped make it all work.
Re: OpenSMTPD password encryption scheme.
On 18.09.2018 19:33, Gilles Chehade wrote:
> On Tue, Sep 18, 2018 at 10:06:49AM +0300, Reio Remma wrote:
>> Hello!
>>
>> I'm curious as to what determines the password scheme used by OpenSMTPD on a
>> Linux system (CentOS 7 in my case).
>
> that's an easy one:
>
> OpenSMTPD uses the crypt() function provided by your system and does not
> care about the password scheme used as this is a system-specific detail.
>
> On modern systems the crypt() function encodes the algorithm, rounds and
> salt as a prefix to the encrypted password, as shown below:
>
> $2b$09$fEv/zNZ/5hELpDH3Vq93AuygRLnySIcNXH78rq9WxPPbZJxmcdk5m
>  |  |  |                      |
>  |  |  |                      |__ encrypted password
>  |  |  |__ beginning of salt
>  |  |__ beginning of rounds
>  |__ beginning of cipher
>
> But this encoding is only valid for my operating system, yours will have
> a different one and the only thing you need to care about is if the password
> was generated using the same crypt() function that will be used to validate it.
>
> I suggest you read the crypt(3) and passwd(1) man pages of your system.

Thanks for your reply. :)

I was just reading up whilst my son was in his football practice and I'm about to see if I can add a few hundred thousand more rounds to the SHA512 that CentOS is using.

Thanks,
Reio
Re: OpenSMTPD password encryption scheme.
On Tue, Sep 18, 2018 at 06:33:33PM +0200, Gilles Chehade wrote:
>
> [...]
>
> $2b$09$fEv/zNZ/5hELpDH3Vq93AuygRLnySIcNXH78rq9WxPPbZJxmcdk5m
>  |  |  |                      |
>  |  |  |                      |__ encrypted password
>  |  |  |__ beginning of salt
>  |  |__ beginning of rounds
>  |__ beginning of cipher
>
> [...]

this only reads ok with a fixed-font MUA ... you get the idea though

--
Gilles Chehade
https://www.poolp.org  @poolpOrg
Re: OpenSMTPD password encryption scheme.
On Tue, Sep 18, 2018 at 10:06:49AM +0300, Reio Remma wrote:
> Hello!
>
> I'm curious as to what determines the password scheme used by OpenSMTPD on a
> Linux system (CentOS 7 in my case). When setting up the system I ended up
> with using SHA512, because it seems to be what works both in OpenSMTPD and
> Dovecot, but would really like to use Blowfish instead. Dovecot seems to
> work with it, but is there any way I can make OpenSMTPD also agree with it?
>
> Thanks,
> Reio
>

that's an easy one:

OpenSMTPD uses the crypt() function provided by your system and does not
care about the password scheme used as this is a system-specific detail.

On modern systems the crypt() function encodes the algorithm, rounds and
salt as a prefix to the encrypted password, as shown below:

$2b$09$fEv/zNZ/5hELpDH3Vq93AuygRLnySIcNXH78rq9WxPPbZJxmcdk5m
 |  |  |                      |
 |  |  |                      |__ encrypted password
 |  |  |__ beginning of salt
 |  |__ beginning of rounds
 |__ beginning of cipher

But this encoding is only valid for my operating system, yours will have
a different one and the only thing you need to care about is if the password
was generated using the same crypt() function that will be used to validate it.

I suggest you read the crypt(3) and passwd(1) man pages of your system.

--
Gilles Chehade
https://www.poolp.org  @poolpOrg
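The crypt(3) prefix Gilles describes above, the {SCHEME} header that Andreas strips with cut in his reply, and the {SHA512-CRYPT}-prefixed string that Reio found OpenSMTPD would not accept can all be checked before a line goes into a credentials table. The following is an example added to this thread, not code from OpenSMTPD or Dovecot: it splits a modular-crypt string into identifier, cost or rounds, salt and hash, strips a Dovecot-style {SCHEME} header, and, where the running Python still ships the crypt module, verifies a password the way a crypt()-based server does, by calling crypt() with the stored string as the setting and comparing the result. The table of identifiers is an assumption covering only the common ones; the bcrypt sample is Gilles' string from this thread, and the SHA512-crypt sample is constructed and is not the hash of any real password.

```python
import hmac
import re
import warnings
from dataclasses import dataclass
from typing import Optional, Tuple

# crypt(3) identifiers commonly found after the first '$'. Which of these the
# local libcrypt actually supports is system-specific (assumption: this table
# only covers the usual ones; it is not exhaustive).
CRYPT_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
}

# 'doveadm pw' prefixes its output with the scheme in braces, e.g. {BLF-CRYPT}.
DOVECOT_HEADER = re.compile(r"^\{([A-Za-z0-9.-]+)\}")


@dataclass
class CryptHash:
    scheme: str             # identifier between the first two '$'
    algorithm: str          # readable name from CRYPT_IDS
    rounds: Optional[int]   # bcrypt cost (2^cost iterations) or sha*crypt rounds=; None = default
    salt: str
    hash: str               # the "encrypted password" part
    setting: str            # prefix up to and including the salt, what crypt() consumes


def strip_dovecot_header(value: str) -> Tuple[Optional[str], str]:
    """Return (SCHEME, hash) for a '{SCHEME}hash' string, or (None, value) if no header."""
    m = DOVECOT_HEADER.match(value)
    if m is None:
        return None, value
    return m.group(1).upper(), value[m.end():]


def parse_crypt(value: str) -> CryptHash:
    """Split a modular-crypt string into identifier, rounds, salt and hash."""
    if not value.startswith("$"):
        raise ValueError("not a modular-crypt string (traditional DES or a stray header)")
    fields = value.split("$")          # ['', id, ...]
    scheme = fields[1]
    if scheme not in CRYPT_IDS:
        raise ValueError(f"unknown crypt identifier ${scheme}$")
    if scheme.startswith("2"):
        # bcrypt: $2b$<cost>$<22-char salt><31-char hash>; salt and hash are not separated
        if len(fields) != 4 or len(fields[3]) != 53:
            raise ValueError("malformed bcrypt string")
        salt, digest = fields[3][:22], fields[3][22:]
        return CryptHash(scheme, "bcrypt", int(fields[2]), salt, digest,
                         f"${scheme}${fields[2]}${salt}")
    # md5crypt / sha256crypt / sha512crypt: $id$[rounds=N$]<salt>$<hash>
    rest = fields[2:]
    rounds = None
    if scheme in ("5", "6") and rest and rest[0].startswith("rounds="):
        rounds = int(rest[0][len("rounds="):])
        rest = rest[1:]
    if len(rest) != 2 or not rest[0] or not rest[1]:
        raise ValueError(f"malformed ${scheme}$ string")
    salt, digest = rest
    setting = f"${scheme}$" + (f"rounds={rounds}$" if rounds is not None else "") + salt
    return CryptHash(scheme, CRYPT_IDS[scheme], rounds, salt, digest, setting)


def opensmtpd_acceptable(value: str) -> bool:
    """True if the string is something crypt() can take as a setting, i.e. no {SCHEME} header."""
    try:
        parse_crypt(value)
    except ValueError:
        return False
    return True


def verify_with_system_crypt(password: str, stored: str) -> Optional[bool]:
    """What a crypt()-based server does: crypt(password, stored) must equal stored.
    Returns None if this Python lacks the crypt module (deprecated in 3.11, removed
    in 3.13) or the local libcrypt does not implement the scheme."""
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            import crypt
    except ImportError:
        return None
    _, stored = strip_dovecot_header(stored)   # the header is what tripped smtpd in the thread
    try:
        computed = crypt.crypt(password, stored)
    except OSError:
        return None
    if not computed or computed.startswith("*"):    # NULL / "*0" style failure markers
        return None
    return hmac.compare_digest(computed, stored)


# Samples. The bcrypt string is the one from the thread; the SHA512-crypt
# string is constructed and is not the hash of any real password.
SAMPLE_BCRYPT = "$2b$09$fEv/zNZ/5hELpDH3Vq93AuygRLnySIcNXH78rq9WxPPbZJxmcdk5m"
_FAKE_DIGEST = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./" * 2)[:86]
SAMPLE_DOVEADM = "{SHA512-CRYPT}$6$rounds=50000$k3Qx7LpVa2ZsWn0B$" + _FAKE_DIGEST

if __name__ == "__main__":
    for s in (SAMPLE_BCRYPT, SAMPLE_DOVEADM):
        scheme, bare = strip_dovecot_header(s)
        h = parse_crypt(bare)
        print(f"dovecot scheme={scheme} crypt=${h.scheme}$ {h.algorithm} rounds={h.rounds}")
        print(f"  salt={h.salt}  accepted-as-is={opensmtpd_acceptable(s)}")
```

Running the file prints the breakdown of both samples and shows the doveadm output being rejected until its header is removed. verify_with_system_crypt() runs against whatever libcrypt the interpreter is linked with, which is Gilles' point: a hash is only checkable by the crypt() that produced it, so generate credentials on the machine (or at least the same libc/libcrypt) that smtpd will run on.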
OpenSMTPD password encryption scheme.
Hello!

I'm curious as to what determines the password scheme used by OpenSMTPD on a Linux system (CentOS 7 in my case). When setting up the system I ended up with using SHA512, because it seems to be what works both in OpenSMTPD and Dovecot, but would really like to use Blowfish instead. Dovecot seems to work with it, but is there any way I can make OpenSMTPD also agree with it?

Thanks,
Reio