Create Virtual Accounts with CRAM-MD5
The major disadvantage of plaintext passwords on the server is, of course, that they are readable. Even if your communication with the server is encrypted, it is troubling to have readable passwords on the server. You can easily change this by using the dovecotpw command to create hashed passwords: the {HMAC-MD5} scheme shown below stores the HMAC-MD5 state derived from the password, which is what CRAM-MD5 needs to check a login, instead of the password itself.
As root, log in to the mail server and run the dovecotpw command as shown below. It asks for the password you want to hash (twice) and then prints the value to put in passdb.
# dovecotpw
Enter new password:
Retype new password:
{HMAC-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
In the /etc/dovecot directory, create two files: userdb, a list of users, and passdb, their hashed passwords.
userdb
This file lists the users and the location of their virtual mailboxes. Virtual accounts are the accounts you set up for the domains you handle mail for; they are not accounts in the server's canonical domain. For example, if you set up a mail server with the hostname mail.my_mail_server.com, local mail accounts are canonical accounts with a home directory and a login. The virtual accounts for the virtual domains your mail server serves cannot log in to the server at all, which is what the /bin/false shell in each line below enforces: they are mail-only users who can retrieve mail and nothing more.
tom@example.com::510:510::/var/spool/vhosts/example.com/:/bin/false::
sue@example.com::510:510::/var/spool/vhosts/example.com/:/bin/false::
joe@secondexample.com::510:510::/var/spool/vhosts/secondexample.com/:/bin/false::
passdb
The passdb file lists each user and their hashed password. Virtual users are identified by username and the domain they have an account with; the value produced by dovecotpw follows the name, separated by a colon. (The example reuses one hash for all three users; in practice you run dovecotpw once per user, with that user's password.)
tom@example.com:{HMAC-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
sue@example.com:{HMAC-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
joe@secondexample.com:{HMAC-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
Here is the configuration you must add to /etc/dovecot.conf in order to use CRAM-MD5 with the virtual accounts.
# %d is the domain and %n the local part of the login name
default_mail_env = maildir:/var/spool/vhosts/%d/%n
auth_verbose = yes
# Dovecot 2.x form of the same list (1.x uses "mechanisms" inside "auth default" below):
# auth_mechanisms = plain DIGEST-MD5 CRAM-MD5
# Note that DIGEST-MD5 cannot be verified against {HMAC-MD5} entries, so only users with a
# plaintext or DIGEST-MD5 scheme password could use it.
auth default {
  # PLAIN is kept for clients that cannot do CRAM-MD5; offer it over TLS only
  mechanisms = plain cram-md5
  passdb passwd-file {
    args = /etc/dovecot/passdb
  }
  # the userdb file above is in passwd format (uid 510, gid 510, home and shell per user),
  # so it is read with the passwd-file backend rather than the static one
  userdb passwd-file {
    args = /etc/dovecot/userdb
  }
}
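To make concrete what the {HMAC-MD5} value in passdb is and how the server uses it during a CRAM-MD5 login, here is an added worked example in Python; it is not code from the original post or from Dovecot. It contains a small pure-Python MD5 (hashlib cannot export intermediate state) so it can (1) produce an entry in the same shape as dovecotpw output and (2) finish the HMAC-MD5 over a challenge from the two stored MD5 states alone, which is exactly why the server never needs the plaintext password. The byte layout of the entry (inner state a,b,c,d then outer state, each little-endian) is my understanding of Dovecot's serialisation and should be treated as an assumption; the user name, password and challenge are constructed sample values.

```python
"""Dovecot-style {HMAC-MD5} passdb entries and server-side CRAM-MD5 verification.

Added example, not from the original post or from Dovecot. Uses a minimal MD5 so the
HMAC inner/outer states can be exported and resumed.
"""
import hashlib
import hmac
import math
import struct

_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md5_block(state, block):
    """One MD5 compression step over a 64-byte block."""
    m = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & _MASK
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & _MASK
    return tuple((s + v) & _MASK for s, v in zip(state, (a, b, c, d)))


def _md5_absorb(state, data):
    """Feed all whole 64-byte blocks; return the new state and the unconsumed tail."""
    n = len(data) - len(data) % 64
    for off in range(0, n, 64):
        state = _md5_block(state, data[off:off + 64])
    return state, data[n:]


def _md5_finish(state, tail, total_len):
    """Apply MD5 padding (total_len = bytes hashed so far, tail included) and return the digest."""
    pad = tail + b"\x80" + b"\x00" * ((55 - len(tail)) % 64) + struct.pack("<Q", total_len * 8)
    state, _ = _md5_absorb(state, pad)
    return struct.pack("<4I", *state)


def md5_hex(data: bytes) -> str:
    """Complete MD5, used only to sanity-check the implementation against hashlib."""
    state, tail = _md5_absorb(_IV, data)
    return _md5_finish(state, tail, len(data)).hex()


def hmac_md5_entry(password: bytes) -> str:
    """Build a {HMAC-MD5} passdb value: the MD5 states after absorbing key^ipad and key^opad."""
    if len(password) > 64:                       # HMAC rule: long keys are hashed first
        password = hashlib.md5(password).digest()
    key = password.ljust(64, b"\x00")
    inner = _md5_block(_IV, bytes(k ^ 0x36 for k in key))
    outer = _md5_block(_IV, bytes(k ^ 0x5C for k in key))
    # Assumption: inner a,b,c,d then outer a,b,c,d, little-endian, as Dovecot serialises them.
    return "{HMAC-MD5}" + (struct.pack("<4I", *inner) + struct.pack("<4I", *outer)).hex()


def cram_md5_digest_from_entry(entry: str, challenge: bytes) -> str:
    """Server side: finish HMAC-MD5(password, challenge) using only the stored states."""
    ctx = bytes.fromhex(entry[len("{HMAC-MD5}"):])
    inner, outer = struct.unpack("<4I", ctx[:16]), struct.unpack("<4I", ctx[16:])
    state, tail = _md5_absorb(inner, challenge)
    inner_digest = _md5_finish(state, tail, 64 + len(challenge))   # 64 = key block already absorbed
    return _md5_finish(outer, inner_digest, 64 + 16).hex()


def verify_cram_md5(passdb: dict, challenge: bytes, client_line: str) -> bool:
    """Check a decoded CRAM-MD5 client response ('user hexdigest') against the passdb entries."""
    user, _, digest = client_line.partition(" ")
    entry = passdb.get(user)
    if entry is None or not entry.startswith("{HMAC-MD5}"):
        return False
    expected = cram_md5_digest_from_entry(entry, challenge)
    return hmac.compare_digest(expected, digest.lower())


def demo() -> bool:
    """Constructed login: tom@example.com with a sample password and a sample challenge."""
    password = b"correct horse battery"                       # constructed sample password
    passdb = {"tom@example.com": hmac_md5_entry(password)}     # what dovecotpw would produce
    challenge = b"<1234.1257900000@mail.my_mail_server.com>"   # constructed server challenge
    # the client knows the password and answers with HMAC-MD5(password, challenge)
    response = "tom@example.com " + hmac.new(password, challenge, hashlib.md5).hexdigest()
    return verify_cram_md5(passdb, challenge, response)


if __name__ == "__main__":
    print("login accepted:", demo())
```

The check in verify_cram_md5 completes without ever seeing the password: the two stored states are sufficient to compute the expected response. That is the caveat to keep in mind when protecting /etc/dovecot/passdb, which should be readable only by the auth process, since the stored value is not a one-way hash in the sense a stolen /etc/shadow entry is.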
Posted by mike 
Tuesday, 10 November, 2009