IMAP/POP3 authentication: what strong password hashing mechanism for a mysql backend?

Mon, 12/03/2012 - 12:05 - augustin
Project:Linux server
Component:Code
Category:bug report
Priority:normal
Assigned:Unassigned
Status:active
Project wiki:Server
Related pages:#310: Courier
Description

I am setting up a postscript/courier server. I am using a database backend to store users.

/etc/postfix/main.cf has:

virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf

/etc/courier/authdaemonrc has:

authmodulelist="authmysql"

For both postscript and courier, the mysql configuration files are properly set with the DB name, table, DB user and DB password. Both daemons can connect to the mysql server and check for users in the database.

Users in the database were added using the mysql encrypt() command like this:

INSERT INTO users (id,name,maildir,crypt) VALUES
        ('user@example.org','user','user/',encrypt('password'));

A debugging session with telnet showed that only the first 8 characters are taken into account. The password can be longer, but then it does not matter.

Comments

#1

augustin - 12/03/2012 - 12:10

http://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html#functio...

ENCRYPT(str[,salt])
Encrypts str using the Unix crypt() system call and returns a binary string. The salt argument must be a string with at least two characters or the result will be NULL. If no salt argument is given, a random value is used.
mysql> SELECT ENCRYPT('hello');
-> 'VxuFAJXVARROc'

ENCRYPT() ignores all but the first eight characters of str, at least on some systems. This behavior is determined by the implementation of the underlying crypt() system call.

That already explains a lot.

Now, do I need to use encrypt() or is there a better solution?

#2

augustin - 12/03/2012 - 13:35
Title:IMAP/POP3 authentication: weird password behaviour with courier and mysql» IMAP/POP3 authentication: what strong password hashing mechanism for a mysql backend?

I asked here:
http://ubuntuforums.org/showthread.php?t=2090730