I've been struggling with Postfix for the past few days. Finally I managed to set it up with virtual mailboxes listed in MySQL and passwords encrypted with PAM. It was just then that I realized I need the passwords to be stored unencrypted!

I can't seem to find whether it's possible or not. Can someone please guide me to the right direction?

[UPDATE]

To explain myself, I'm making a web application and I want the same username and password of a user to be his email's too. So I configured Postfix and Courier to use my webapp's database so users come with an email address once they have an account in the webapp. The thing is, I need to access users' inboxes in the webapp, so I have to be able to pass the clear form of users' passwords through the IMAP protocol to Courier in my code. That's why I need all of the parties to use a clear form of password.

Mehran
  • PAM uses encryption libraries to do its encryption (Blowfish, MD5, etc), I'm not sure what the default encryption library is (linux_crypt maybe)? – NickW May 23 '14 at 14:38
  • The thing is, I want it to use no encryption at all! I want the passwords to be stored and later compared as they are, in clear form. – Mehran May 23 '14 at 14:40
  • Storing plain text passwords is a horrible, horrible idea. Do you mean you want to be able to use plain text passwords in POP3/IMAP/SMTPAuth? – NickW May 23 '14 at 14:43
  • Err, not to jump on you, but storing passwords cleartext is extremely, *extremely* bad form, not to mention reckless with your users' passwords who will inevitably be using the same passwords elsewhere. Could you explain your use-case for needing cleartext passwords? The only one I can think of is RADIUS, and that's because RADIUS is a jerk. – Andrew Domaszek May 23 '14 at 14:43
  • I've added my use case. – Mehran May 23 '14 at 14:52
  • You really need to learn how to use the encryption libraries in your language of choice. – NickW May 23 '14 at 15:02
  • I'm not sure but I guess that all of the encryption algorithms used in such applications (Postfix, Courier, etc), are one way algorithms. Otherwise it's pointless to encrypt passwords. And if that's the case, there's nothing I can do in my app to help me overcome this problem. They need to be in clear form. – Mehran May 23 '14 at 15:06
  • Of course they're all one way. You say that Postfix and Courier use the same database, why can't you use MD5crypt, the same way they do? – NickW May 23 '14 at 15:24
  • You need to think of the scenario: my code is going to use the password to authenticate itself to the SMTP/IMAP server. If the password is stored in MD5, how can it do that? – Mehran May 23 '14 at 15:28
  • By taking the user input, comparing it to the DB, then passing the user input to the server if it matches. Doesn't require plaintext in the DB. – NickW May 23 '14 at 15:48
  • You are absolutely right. I can take in user's password and if it was correct then store it in its session to pass to other servers later on. Thanks a lot. – Mehran May 23 '14 at 15:52
  • @Mehran very happy that I persuaded you to avoid plaintext passwords in the DB :) – NickW May 23 '14 at 16:34

1 Answer

As Nick told me, it is a bad practice to store passwords in clear form in the database. I managed to find a way around it, so I'll be storing passwords encrypted after all. But if there's any scenario that cannot escape this bad practice, I must say that my tests showed me that even though I configured Postfix to use PAM for encryption, when I stored passwords in clear form, they would still be matched!

Mehran
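The approach the comments settle on (check the submitted password against the stored hash, then hand that same submitted password to the IMAP server from the session) can be sketched as follows. This is an added example, not code from the thread: the PBKDF2 scheme stands in for the MD5crypt mentioned above, and the `USERS` and `SESSIONS` dictionaries, the sample account and the host `imap.example.test` are all constructed assumptions.

```python
import hashlib, hmac, imaplib, os, secrets

ITERATIONS = 200_000  # assumed work factor for this example

def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex'; only this string is written to the database."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Hypothetical stand-ins for the webapp's user table and server-side session store.
USERS = {"alice@example.test": hash_password("correct horse")}  # constructed sample
SESSIONS = {}
DUMMY = hash_password(secrets.token_hex(16))  # keeps timing equal for unknown users

def login(email, password):
    """On a correct password, keep the submitted value in the session only."""
    stored = USERS.get(email, DUMMY)
    if not (verify_password(password, stored) and email in USERS):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"email": email, "password": password}
    return token

def logout(token):
    """Drop the in-memory copy of the password when the session ends."""
    SESSIONS.pop(token, None)

def open_inbox(token, host="imap.example.test"):
    """Authenticate to IMAP with the session's credentials (needs a live server)."""
    creds = SESSIONS[token]
    conn = imaplib.IMAP4_SSL(host)  # TLS, since the password crosses the wire in clear
    conn.login(creds["email"], creds["password"])
    conn.select("INBOX", readonly=True)
    return conn
```

The database row holds only the salted hash; the clear password exists in the server-side session for as long as the user is logged in and is discarded by `logout`.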