Docker setup_password not working #527

Closed
MaximSidorovRep opened this issue Aug 12, 2021 · 9 comments

@MaximSidorovRep

Hi,
I try to run the docker container:

  docker run -e POSTFIXADMIN_DB_TYPE=sqlite \
    -e POSTFIXADMIN_SETUP_PASSWORD=123456 \
    --name postfixadmin \
    -p 8080:80 \
    postfixadmin

After the UI starts, I try to authorize with setup_password = 123456 (http://localhost:8080/setup.php)

[Screenshot]

What am I doing wrong?

@DavidGoodwin
Member

the variable needs to be the hash variant -

e.g.
$2y$10$t8WJe1Iy/5d2D5qMvC1y7e78ToDgee0MPr6WEyOqAHuHoJxqBvgeu if you want 'topsecret99'.

Use:

  VALUE=$(php -r "echo password_hash('something-goes-here', PASSWORD_DEFAULT);")

or similar.

@MaximSidorovRep
Author

Worked, thanks for help.

DavidGoodwin added a commit to postfixadmin/docker that referenced this issue Aug 12, 2021
add a bit more help to help with postfixadmin/postfixadmin#527
@mmm8955405

I think this is a painful logic

@mmm8955405

More than one person has encountered this problem

@DavidGoodwin
Member

DavidGoodwin commented Sep 8, 2021

I wasn't aware it was such a problem.

The docker image could look to see whether the env var you've defined for POSTFIXADMIN_SETUP_PASSWORD starts with a '$', and if not, could generate the bcrypt hash using the php stuff above?

@heliosyne

> The docker image could look to see whether the env var you've defined for POSTFIXADMIN_SETUP_PASSWORD starts with a '$', and if not, could generate the bcrypt hash using the php stuff above?

Maybe two variables: POSTFIXADMIN_SETUP_PASSWORD_HASH and POSTFIXADMIN_SETUP_PASSWORD_CLEARTEXT

It makes the variable names self-documenting (since the issue seems to be people not reading README.md) and avoids magic strings.
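
The '$' check and the two-variable split proposed in the comments above, combined in one entrypoint-style helper. This is an added example, not code from postfixadmin/docker: the function names and `PFA_CLEARTEXT` are made up here, and the `_HASH` / `_CLEARTEXT` variables exist only as the proposal in this thread.

```shell
#!/bin/sh
# Added example: NOT the postfixadmin/docker entrypoint. The *_HASH and
# *_CLEARTEXT variables are the names proposed in this thread (hypothetical).

# Hash cleartext with PHP's password_hash(), as suggested in the thread.
# The value is passed through the environment rather than pasted into the
# PHP source, so a quote in the password cannot break the -r snippet.
hash_cleartext() {
    PFA_CLEARTEXT="$1" php -r 'echo password_hash(getenv("PFA_CLEARTEXT"), PASSWORD_DEFAULT);'
}

# True for crypt-style values of the form $<id>$... (e.g. $2y$10$...).
# Stricter than "starts with '$'", but still a heuristic: a cleartext
# password of that shape would be taken for a hash.
looks_like_hash() {
    case "$1" in
        '$'[0-9a-z]*'$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the hash to use as the setup password; non-zero status on bad config.
resolve_setup_password() {
    _hash="${POSTFIXADMIN_SETUP_PASSWORD_HASH:-}"
    _clear="${POSTFIXADMIN_SETUP_PASSWORD_CLEARTEXT:-}"
    _legacy="${POSTFIXADMIN_SETUP_PASSWORD:-}"
    if [ -n "$_hash" ] && [ -n "$_clear" ]; then
        echo "set only one of *_HASH and *_CLEARTEXT" >&2
        return 2
    fi
    if [ -n "$_hash" ]; then
        # An unquoted $2y$10$... on a shell command line is expanded by the
        # shell before docker sees it; reject the mangled remainder.
        looks_like_hash "$_hash" || { echo "*_HASH is not a hash" >&2; return 3; }
        printf '%s' "$_hash"
    elif [ -n "$_clear" ]; then
        hash_cleartext "$_clear"
    elif [ -n "$_legacy" ]; then
        # Existing variable: accept a hash as-is, hash anything else.
        if looks_like_hash "$_legacy"; then printf '%s' "$_legacy"
        else hash_cleartext "$_legacy"; fi
    else
        echo "no setup password configured" >&2
        return 1
    fi
}
```

When a hash is passed with `docker run -e`, put the whole `NAME=value` argument in single quotes so the shell leaves the `$` characters alone.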

@mmm8955405

mmm8955405 commented Sep 8, 2021

This has nothing to do with docker and special characters. And the question of password has been asked by many people. Which system can achieve 100% security, all you have to do is let the user define his user name and password, and provide him with the way to change his password after logging in, which is enough. Now you want users to set what md5hash and modify the files in the image, which seems to be something that primary school students do. Just when I wanted to use postfix admin, I encountered this painful logic, which has nothing to do with whether to read the document or not.

DavidGoodwin reopened this Sep 8, 2021
@DavidGoodwin
Member

this bug should probably really be in https://github.com/postfixadmin/docker ...

@DavidGoodwin
Member

@mmm8955405 you said ...

> all you have to do is let the user define his user name and password, and provide him with the way to change his password after logging in, which is enough

The setup password is used to restrict who can add new admin users, and see some defaulted error reporting/help for the system. It can't be stored in the SQL database as the setup page may be running before the database is ready. The setup.php page needs to be restricted so the public cannot see sensitive information and they shouldn't be able to add arbitrary super admins.

> Now you want users to set what md5hash and modify the files in the image, which seems to be something that primary school students do....

There's no need to modify files in the docker image.

As an administrator setting up Postfixadmin you need to decide what password hashing mechanism you're going to use. You may have constraints due to supporting legacy users / software or what needs to integrate with the database (e.g. dovecot).

DavidGoodwin added a commit to postfixadmin/docker that referenced this issue Sep 10, 2021