In our postfix setup, we are using the pam_mysql module to authenticate the user from the MySQL database (similar to this link).

This is working perfectly fine. We are using SHA512_CRYPT() for storing passwords using the ENCRYPT() MySQL function.

However, the ENCRYPT() function is not available on MySQL 8. Hence we are trying to figure out an alternative way to move the encryption from SHA512_CRYPT to SHA512 / SHA256 or similar.

Even though the repo supports sha512, it's not available in the latest release, pam_mysql-0.8.1-0.22.

The only other options available with the latest version of pam_mysql are crypt, md5, and sha1. Since these are not good hashing algos, we don't want to use them.

Also, we do not want to overload Dovecot for authentication, hence we are not using Dovecot SASL auth for postfix authentication.

Please suggest an authentication mechanism which we can use with postfix to authenticate the user with SHA512 or SHA256 (not SHA512-CRYPT) from the MySQL database.

Arani
seena e
  • Why do you use pam_mysql? As far as I remember postfix supports mysql ootb. In case you are using dovecot - you can use it to authenticate your users. – ALex_hha Feb 13 '19 at 15:58
  • We have a different set of hosts for postfix and dovecot and wanted to decouple the authentication, hence we are looking for authentication on the postfix side. Postfix does support mysql for other queries, but for authentication we had to use pam_mysql as suggested at http://www.postfix.org/SASL_README.html#auxprop_sql – seena e Feb 13 '19 at 17:29

1 Answer

ENCRYPT went away due to weaknesses. SHA256 (or more) is plenty good for one-way encryption, especially if you add a "salt".

Using sha512 is akin to building a house sufficiently strong to withstand an asteroid crashing on it.

Rick James
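
The question's stored values are SHA512-CRYPT (`$6$`) strings that MySQL's ENCRYPT() produced through crypt(3). As an added example (not code from the question or the answer), the Python below generates and verifies that same format in application code, so the value can be written with an ordinary INSERT or UPDATE on MySQL 8. It assumes the default 5000 rounds and ASCII salts; the function names are chosen here for illustration.

```python
import hashlib
import hmac
import secrets

# crypt(3) alphabet; the ordering differs from RFC 4648 base64
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def fill(data: bytes, n: int) -> bytes:
    """Repeat data until exactly n bytes are produced."""
    return (data * (n // len(data) + 1))[:n]

def sha512_crypt(password: str, salt: str) -> str:
    """SHA512-CRYPT as specified by Drepper, default rounds, salt cut to 16."""
    pw, s, h = password.encode(), salt.encode()[:16], hashlib.sha512
    b = h(pw + s + pw).digest()
    a = pw + s + fill(b, len(pw))
    n = len(pw)
    while n:                       # one input per bit of the password length
        a += b if n & 1 else pw
        n >>= 1
    d = h(a).digest()
    p = fill(h(pw * len(pw)).digest(), len(pw))
    sq = fill(h(s * (16 + d[0])).digest(), len(s))
    for i in range(5000):          # work factor (no "rounds=" field is emitted)
        c = p if i & 1 else d
        if i % 3:
            c += sq
        if i % 7:
            c += p
        c += d if i & 1 else p
        d = h(c).digest()
    out, (x, y, z) = [], (0, 21, 42)
    for _ in range(21):            # crypt(3) byte permutation, 3 bytes -> 4 chars
        w = d[x] << 16 | d[y] << 8 | d[z]
        out += [ITOA64[w >> k & 63] for k in (0, 6, 12, 18)]
        x, y, z = y + 1, z + 1, x + 1
    out += [ITOA64[d[63] & 63], ITOA64[d[63] >> 6]]
    return f"$6${s.decode()}$" + "".join(out)

def new_hash(password: str) -> str:
    """Value for the password column, with a random 16-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(16))
    return sha512_crypt(password, salt)

def verify(password: str, stored: str) -> bool:
    """Re-hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    ok = len(parts) == 4 and parts[1] == "6"   # default-rounds $6$ only
    return ok and hmac.compare_digest(
        sha512_crypt(password, parts[2]).encode(), stored.encode())
```
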