Password security #96
Hi, I'm working (not yet released) on a mysql with modern crypto for storing users... But I'm out of time, if someone can help or discuss about it, I can publish it in github. Cheers On Mar 4, 2016 1:44 PM, Edwin Smulders notifications@github.com wrote:
Why not something lighter like sqlite? As you can see, this image is not like most docker mail images that you can find with dovecot and *sql databases that require other daemons to be started. This allows to version configuration with a very light and portable solution (data being the only thing that has to be backed up) @Dutchy-: I agree when you talk about security when storing passwords clear in git or whatever. @millaguie: If you have a solution that can match the approach we have with this image, staying different from others, I'll be happy to merge it here (and even to help if you need). Let's talk about that.
I feel like sqlite might be a good option here to solve this problem, but it could be some work to write the queries. In sqlite we can also use crypt for hashing, that's way better than md5. Looking at https://github.com/tomav/docker-mailserver/blob/master/start-mailserver.sh#L25 we can see md5 is used for I don't know what hashing
@Dutchy- could you do a Proof Of Concept?
Maybe, I don't know how much time I have. I made a checklist for steps (the order can vary a bit) to investigate this though, taking into account that I don't have experience with building docker images yet.
Hi, I'm working on it because I need it for a client. As soon as it's finished, or at least working, I'll share it... Give me some weeks. I'll keep compatibility and keep this working with the current format. I'm using a system variable to define which system you will use, and some others to configure db access. Cheers On Mar 4, 2016 5:03 PM, Thomas VIAL notifications@github.com wrote:
Just a heads up, I concluded this week that I do not have time to look into this matter myself and it's unlikely that I will. Hopefully somebody else can use the points to investigate that I wrote down :) One final thing I should note: with hashed passwords, sasl will no longer support challenge-based authentication methods, but that's ok with proper transport security (TLS).
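The comments above make two points: a salted crypt-style hash is far better than the bare md5 used in the start script, and once passwords are stored hashed, only mechanisms that send the password itself (PLAIN/LOGIN over TLS) can verify a login, since challenge-based mechanisms need the server to know the cleartext. The following Python module is an added illustration, not code from this issue or from docker-mailserver: it turns a constructed set of account/password pairs (the kind of data accounts.cf holds in clear text) into a user file of salted, iterated hashes and verifies logins against it. The `{PBKDF2-SHA512}$rounds$salt$hash` record layout, the `user:hash` file format, the function names and the sample accounts are all this example's own assumptions; they are not Dovecot's, Courier's or sasldb's on-disk formats.

```python
"""Salted, iterated password storage for a mail user file (illustrative example).

Record layout and file format are assumptions made for this example only.
"""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Scheme tag for records produced by this example (assumed, not a Dovecot scheme name).
PREFIX = "{PBKDF2-SHA512}"
DEFAULT_ROUNDS = 100_000

# Constructed sample accounts, standing in for the cleartext entries of accounts.cf.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "correct horse battery staple"),  # same password as alice on purpose
    ("carol@example.com", "s0me-0ther-passw0rd"),
]


def md5_hex(password: str) -> str:
    """What a bare md5 gives: unsalted and fast, so equal passwords produce equal digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = DEFAULT_ROUNDS) -> str:
    """Return a self-describing record: scheme tag, round count, random salt and derived key."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt: identical passwords no longer collide
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"{PREFIX}${rounds}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    if not stored.startswith(PREFIX):
        return False
    try:
        _, rounds_s, salt_b64, dk_b64 = stored[len(PREFIX):].split("$")
        rounds = int(rounds_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except (ValueError, binascii.Error):
        return False  # malformed record: reject rather than raise
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def build_passwd_file(accounts: Iterable[Tuple[str, str]]) -> str:
    """Render 'user:record' lines; only hashes reach disk, never the cleartext."""
    return "".join(f"{user}:{hash_password(pw)}\n" for user, pw in accounts)


def load_passwd_file(text: str) -> Dict[str, str]:
    """Parse the file written by build_passwd_file back into a user -> record map."""
    db: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, _, record = line.partition(":")
        db[user] = record
    return db


def authenticate(user: str, password: str, db: Dict[str, str]) -> bool:
    """Server-side check for a PLAIN/LOGIN style exchange where the client sent the password."""
    record = db.get(user)
    if record is None:
        # Still burn a hash computation so an unknown user is not faster to probe than a bad password.
        verify_password(password, hash_password("", rounds=DEFAULT_ROUNDS))
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    db = load_passwd_file(build_passwd_file(SAMPLE_ACCOUNTS))
    for user, record in db.items():
        print(user, record[:40] + "...")
    print("alice ok:", authenticate("alice@example.com", "correct horse battery staple", db))
    print("alice bad:", authenticate("alice@example.com", "wrong", db))
```

Because each record carries its own salt and round count, the verifier never needs the cleartext, which is exactly why CRAM-style challenge mechanisms stop working and why the thread ties this change to requiring TLS for the submission and IMAP endpoints.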
I think this project is very interesting :)
I've implemented a helper script that could be used to generate those DBs before starting the server (like we do with "generate-ssl-certificate"). That way as much as possible of the current implementation is preserved, giving everyone the choice to use encrypted passwords (directly in the mail DBs) or clear text password in accounts.cf. If interested I can share my changes...
Thank you @00angus. We have to add password security, you're all right with this concern.
@tomav we could leave the choice to the user ... ?
#87 proposal could help here?
@tomav : yes, I think so. Dovecot can auth users against several password DBs.
👍
@tomav I'm currently working on a dovecot based version. This way we could have a single userdb with encrypted passwd. There's a lot of work still to be done, but I'm starting to see some results.
This can be part of v2. I think it will bring too many changes for a minor update.
So, password security. You might have heard that you shouldn't store these in plain text.
I've looked at your setup and I feel that it could be improved by storing both the courier userdb and the sasldb locally, and providing a simple script to add users. That way we could remove the plain text passwords in accounts.cf.
However, docker is not my area of expertise. Can you tell me what the challenges are to manage these files?