postfixadmin/DOCUMENTS/HASHING.md

PostfixAdmin Password Hash Support.

How are your passwords stored in the database.

They should not be stored in plain text.

Whatever format you choose will need to be supported by your IMAP server (and whatever provides SASL auth for Postfix)

Configuration

See config.inc.php (or config.local.php) and look for

$CONF['encrypt'] = 'something';

Supported Formats

This document is probably not complete.

It possibly provides better documentation than was present before. This may not say much.

cleartext

No hashing. May be useful for debugging.

Insecure. Try to avoid. May be useful for legacy purposes.

mysql_encrypt

Uses the MYSQL ENCRYPT() function (this uses 'crypt' underneath).

Can be secure.

Requires MySQL.

Should use a sha512 salt for new values.

md5crypt

md5crypt = uses md5crypt() function - in a 'crypt' like format.

e.g.

$1$c9809462$M0zeLuOvixH61C2csGN.U0

You should not use this for new installations

(it probably does not offer a high level of security)

md5

PHP's md5() function.

You should not use this (it does not offer a high level of security), but is probably better than cleartext.

system

Uses PHP's crypt function.

Probably throws an E_NOTICE. Avoid?

example : $1$tWgqTIuF$1HFciCXrhVpACGjBMxNr/0

authlib

See source code. Presumably useful for Courier based installations.

With $CONF['authlib_default_flavor'] = 'md5raw;`

might give something like :

{md5raw}3858f62230ac3c915f300c664312c63f

Based on md5, so avoid.

With $CONF['authlib_default_flavor'] = 'crypt;`

Uses PHP Crypt.

{crypt}blfqitzeBpyAE

Presumably weak.

With $CONF['authlib_default_flavor'] = 'SHA';

Uses sha1, base64 encoded. Unsalted. Avoid.

dovecot:CRYPT-METHOD

Uses dovecot binary to produce hash.

Pros -

• Minimal dependency on PostfixAdmin / PHP code.
• Hash should definitely work with dovecot!

Cons -

• file permissions and/or execution of doveadm by the web server may be problematic.
• requires: proc_open(...) - which might be blocked by e.g. safemode.
• doveadm may not be installed.
• possible issues with SELinux
• See https://github.com/postfixadmin/postfixadmin/issues/398 (file permissions)

Incomplete list of CRYPT-METHOD

• CRAM-MD5
• SHA
• SHA1
• SHA256
• SHA512
• CLEAR
• CLEARTEXT
• PLAIN
• PLAIN-TRUNC

If in doubt, try dovecot:SHA512

Dovecot generated passwords in your database should look a bit like :

{SHA256}JMQi5oHxwb0IKGx6r10jpfCI3NsLIZgGs6nleSRPAMU=

If you have problems, start by checking you can generate one on the command line using e..g

doveadm pw -s SHA256

php_crypt

Potentially the most secure.

By default it will generate a SHA512 salt. Output in crypt format.

Other methods :

• BLOWFISH
• SHA512
• SHA256
• DES (avoid)
• MD5 (avoid)

e.g.

$6$emcsNNrzGZSN64mI$A/bmacTGSp2UrdcPvaROrR2FPQS5KlnoU.a/0zmfpaubBO9o1ZcgyQIic4Qb59SMxA2H8YxgS1XILO1wZhjkZ0

You can specify the salting method using a :METHOD in the specification.

e.g.

$CONF['encrypt'] = 'php_crypt:SHA512';

You can make the hashing more 'difficult' by specifying an additional parameter like :

$CONF['encrypt'] = 'php_crypt:SHA512:5000';

which should change the 'cost' (BLOWFISH) or rounds (SHA256, SHA512).

finally you can ask that the generated hash has a specific prefix (e.g. {SHA512} ) like :

$CONF['encrypt'] = 'php_crypt:SHA512:5000:{SHA512-CRYPT}';

sha512.b64

See https://github.com/postfixadmin/postfixadmin/issues/58

No dovecot dependency; should support migration from md5crypt

Output is base64 encoded i.e. a hash like :

• $6$emcsNNrzGZSN64mI$A/bmacTGSp2UrdcPvaROrR2FPQS5KlnoU.a/0zmfpaubBO9o1ZcgyQIic4Qb59SMxA2H8YxgS1XILO1wZhjkZ0

is base64 encoded into :

• JDYkZW1jc05OcnpHWlNONjRtSSRBL2JtY...

and then formatted to become :

• {SHA512-CRYPT.B64}JDYkZW1jc05OcnpHWlNONjRtSSRBL2JtY....

This format should support older passwords with a {MD5-CRYPT} prefix, to allow you to migrate.