So, password security. You might have heard that you shouldn't store these in plain text.
I've looked at your setup and I feel that it could be improved by storing both the courier userdb and the sasldb locally, and providing a simple script to add users. That way we could remove the plain text passwords in accounts.cf.
However, docker is not my area of expertise. Can you tell me what the challenges are to manage these files?
Hi,
I'm working (not yet released) on a MySQL backend with modern crypto for storing users... But I'm out of time; if someone can help or discuss it, I can publish it on GitHub.
Cheers
Why not something lighter like sqlite? As you can see, this image is not like most docker mail images that you can find with dovecot and *sql databases that require other daemons to be started.
This allows versioning the configuration with a very light and portable solution (data being the only thing that has to be backed up).
@Dutchy-: I agree when you talk about security when storing passwords clear in git or whatever.
@millaguie: If you have a solution that can match the approach we have with this image, staying different from others, I'll be happy to merge it here (and even to help if you need).
Let's talk about that.
I feel like sqlite might be a good option here to solve this problem, but it could be some work to write the queries. In sqlite we can also use crypt for hashing, that's way better than md5.
Looking at https://github.com/tomav/docker-mailserver/blob/master/start-mailserver.sh#L25 we can see md5 is used for userdbpw. If we just remove that piped segment, we can simply supply a crypt hash (userdb supports that) in accounts.cf.
I don't know what hashing saslpasswd2 uses. Maybe we can find out if sasldb supports crypt somewhere.
@Dutchy- could you do a Proof Of Concept?
Maybe, I don't know how much time I have. I made a checklist of steps (the order can vary a bit) to investigate this though, taking into account that I don't have experience with building docker images yet.
- docker-mailserver in its current form to make sure it works.
- userdbpw pipe and supply a crypt hash in accounts.cf. Ignore smtp auth at this time, check if imap works.
- start-mailserver.sh to add the crypt hashes from accounts.cf to an sqlite database.
Hi,
I'm working on it because I need it for a client. As soon it's finished, or at least, working I'll share it... Give me some weeks.
I'll keep compatibility and keep this working with the current format. I'm using a system variable to define which system you will use, and some others to configure db access.
Cheers
Just a heads up, I concluded this week that I do not have time to look into this matter myself and it's unlikely that I will. Hopefully somebody else can use the points to investigate that I wrote down :)
One final thing I should note: with hashed passwords, sasl will no longer support challenge based authentication methods, but that's ok with proper transport security (TLS).
I think this project is very interesting :)
Since I don't like clear text passwords either, I'm working on a possible solution.
My current version - not completely tested - works as follows:
I've implemented a helper script that could be used to generate those DBs before starting the server (like we do with "generate-ssl-certificate").
That way as much as possible of the current implementation is preserved, giving everyone the choice to use encrypted passwords (directly in the mail DBs) or clear text password in accounts.cf.
If interested I can share my changes...
Thank you @00angus. We have to add password security, you're all right with this concern.
The clear passwords have to be kept out of the project?
@tomav we could leave the choice to the user ... ?
It would have been preferable to put encrypted passwd in accounts.cf ... but I've not found a solution for inserting the password in sasldb !
https://github.com/tomav/docker-mailserver/issues/87 proposal could help here?
@tomav : yes, I think so. Dovecot can auth users against several password DBs.
From the Dovecot wiki page we could use "passwd-file" for the database, I think.
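The two ideas above (drop the md5 `userdbpw` pipe and keep a crypt hash instead of the clear password, then feed Dovecot a `passwd-file` database) as an added, stand-alone shell example. This is not docker-mailserver's code and not any participant's proposal. It assumes accounts.cf uses `user@domain|password` lines as described in the thread, that `openssl passwd -6` (OpenSSL 1.1.1 or newer) is available to produce SHA512-CRYPT hashes, and that the output follows Dovecot's `user:{SCHEME}hash` passwd-file layout; the file name `/etc/dovecot/users` in the note below is an assumption.

```shell
#!/bin/sh
# Added example (not docker-mailserver code): convert an accounts.cf-style
# "user@domain|password" list into Dovecot passwd-file lines that carry a
# SHA512-CRYPT hash instead of the clear-text password.
# Assumption: `openssl passwd -6` is available (OpenSSL >= 1.1.1).

# sha512_crypt PASSWORD [SALT]
# Prints a "$6$<salt>$<hash>" string. A fixed SALT is only for tests and
# verification; without it openssl picks a fresh random salt per call.
sha512_crypt() {
  _pw=$1; _salt=${2:-}
  if [ -n "$_salt" ]; then
    printf '%s\n' "$_pw" | openssl passwd -6 -salt "$_salt" -stdin
  else
    printf '%s\n' "$_pw" | openssl passwd -6 -stdin
  fi
}

# sha512_crypt_verify HASH PASSWORD
# Recomputes the hash with the salt embedded in HASH (third $-separated
# field) and returns 0 only if it matches, mirroring what a crypt(3) check does.
sha512_crypt_verify() {
  _hash=$1; _pw=$2
  _salt=$(printf '%s' "$_hash" | cut -d'$' -f3)
  _cand=$(sha512_crypt "$_pw" "$_salt")
  [ "$_cand" = "$_hash" ]
}

# accounts_to_passwd_file ACCOUNTS_CF
# Reads "user|password" lines (blank lines and '#' comments skipped) and
# writes "user:{SHA512-CRYPT}$6$..." lines to stdout. Splitting on the first
# '|' only, so passwords may themselves contain '|'.
accounts_to_passwd_file() {
  while IFS='|' read -r _user _pass; do
    case $_user in ''|'#'*) continue ;; esac
    printf '%s:{SHA512-CRYPT}%s\n' "$_user" "$(sha512_crypt "$_pass")"
  done < "$1"
}

# Demo on a constructed accounts.cf with made-up credentials.
demo_cf=$(mktemp)
printf 'user1@example.com|changeme\n# a comment line\nuser2@example.com|s3cr3t\n' > "$demo_cf"
accounts_to_passwd_file "$demo_cf"
rm -f "$demo_cf"
```

Point Dovecot at the generated file with `passdb { driver = passwd-file; args = /etc/dovecot/users }`. Because only a one-way hash is stored, challenge mechanisms such as CRAM-MD5 can no longer be offered (as noted earlier in the thread); restrict `auth_mechanisms` to `plain login` and keep `disable_plaintext_auth = yes` so the password only ever crosses the wire inside TLS. SHA512-CRYPT uses 5000 rounds by default; if Dovecot is built with libsodium, `doveadm pw -s ARGON2ID` is the stronger choice and the file format stays the same.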
:+1:
@tomav I'm currently working on a dovecot based version. This way we could have a single userdb with encrypted passwd. There's a lot of work still to be done, but I'm starting to see some results.
This can be part of v2. I think it will bring to much changes for a minor update.
https://github.com/tomav/docker-mailserver/issues/109