[wplug-bsd] Dovecot IMAP and FreeBSD

Dan Pelleg daniel+wplug at pelleg.org
Fri Nov 12 11:11:13 EST 2004


Bill Moran <wmoran at potentialtech.com> writes:

> Brandon Kuczenski <brandon at 301south.net> wrote:
> > Bill -- IIRC, you recommended the 'dovecot' IMAP client.  I installed the
> > port because it seems to do everything I want it to do, and be
> > straightforward to configure.
> > 
> > However, because I anticipate that IMAP will be the most-used service of
> > this box once I enable it (replacing ssh), I want to make sure I got the
> > security right.
> > 
> > First of all, I don't have to use SSL as long as I use an md5-style
> > password-hashing routine, right?  Then passwords are encrypted but emails
> > themselves are sent in plaintext?
> 
> That's correct.  Personally, I don't consider this secure enough.  I
> prefer to encrypt so my mails can't be read in transit, but I'm pretty
> paranoid.
> 

I agree. And seeing how nearly all clients support IMAP over SSL, I don't
see a reason not to do this.

> > Second, I don't want my users to use their shell account passwords for
> > IMAP.  It looks as though I can specify one file (say, /etc/passwd) for
> > the user database, and then use a separate file (say, /etc/imap.passwd)
> > for the password repository.  My question: how do I create the password
> > hashes that go in that password file?
> 
> I dodged this problem by using SSL and forcing users to send their
> passwords in the "clear" (which really isn't in the clear, since it's
> SSL encrypted)  I'm also keeping the user list in MySQL (although I
> plan to move to Postgres).
> 

Here's what I do. This is (essentially) the file I have pointed to by
these two lines in dovecot.conf:
auth_userdb = passwd-file /etc/imap.passwd
auth_passdb = passwd-file /etc/imap.passwd

/etc/imap.passwd:
# generate password:  perl -e 'printf "%s\n", crypt(<>, "XX")'
james::1337:1337:James Doe:/home/james:::
john::13337:13337:John Doe:/home/john:::/var/mail/john

XX is the salt. The second line is for a role account that has users
reading mail both over IMAP and locally. Yes, with dovecot, that works.

-- 

  Dan Pelleg
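An added example for the password-file question above (this is editor-supplied code, not Dan's or Dovecot's). The post's one-liner, perl -e 'printf "%s\n", crypt(<>, "XX")', uses traditional DES crypt with the fixed salt "XX", so every user with the same password gets the same hash, and DES crypt keeps only the first eight characters (also note that <> returns the line with its trailing newline, so short passwords get "\n" hashed in unless you chomp). The script below instead generates a per-user random salt and writes a scheme-prefixed {SSHA256} field, base64(SHA256(password || salt) || salt), then fills it into the second colon-separated field of a passwd-file line and verifies a login the way the server would. Assumptions not in the thread: the passwd-file layout is "colon-separated, password in field two" (as the two lines in the post show), the {SSHA256} scheme prefix is accepted by the Dovecot version in use (it is documented for Dovecot 1.x and later; the 2004 version discussed here may not support it), and the sample entries and passwords are constructed for the example.

```python
"""Salted {SSHA256} password fields for a Dovecot passwd-file.

Added example, not code from the post or from Dovecot. Assumptions:
  - the passwd-file is colon-separated with the password in field two,
    as in the two lines quoted in the thread;
  - the Dovecot in use accepts {SSHA256}-prefixed fields (Dovecot 1.x+).
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA256}"
DIGEST_LEN = hashlib.sha256().digest_size   # 32 bytes
SALT_LEN = 8                                 # per-user random salt (our choice)


def ssha256_field(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA256} field: base64(SHA256(password || salt) || salt).

    Unlike crypt(<>, "XX"), each call draws a fresh random salt, so two users
    with the same password get different fields, and the whole password is
    hashed rather than the first eight characters DES crypt keeps.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_field(field: str, password: str) -> bool:
    """Check a cleartext password against a stored {SSHA256} field.

    This is what the server must do when the client sends PLAIN/LOGIN auth,
    which is why the cleartext has to travel inside SSL.
    """
    if not field.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(field[len(SCHEME):], validate=True)
    except ValueError:              # binascii.Error is a ValueError
        return False
    if len(raw) <= DIGEST_LEN:      # need a digest plus at least one salt byte
        return False
    stored, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(stored, candidate)   # constant-time compare


def set_password(line: str, password: str, salt: Optional[bytes] = None) -> str:
    """Return `line` with its password field (the second one) replaced."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a passwd-file line: %r" % line)
    fields[1] = ssha256_field(password, salt)
    return ":".join(fields)


def check_login(passwd_text: str, user: str, password: str) -> bool:
    """Look `user` up in the file contents and verify `password` against it."""
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] == user:
            return verify_field(fields[1], password)
    return False


# Constructed sample: the two entries from the post, password fields blank.
SAMPLE_LINES = [
    "james::1337:1337:James Doe:/home/james:::",
    "john::13337:13337:John Doe:/home/john:::/var/mail/john",
]


def build_sample_file() -> str:
    """Fill the sample entries with (constructed) passwords."""
    return "\n".join([
        "# password fields generated by ssha256_field(); constructed sample",
        set_password(SAMPLE_LINES[0], "correct horse battery staple"),
        set_password(SAMPLE_LINES[1], "hunter2"),
    ]) + "\n"


if __name__ == "__main__":
    text = build_sample_file()
    print(text, end="")
    print("james/good:", check_login(text, "james", "correct horse battery staple"))
    print("james/bad: ", check_login(text, "james", "hunter3"))
```

Running the script prints the filled-in file and one successful and one failed check. Nothing here changes the point made earlier in the thread: the hash only protects the file on disk, and with PLAIN or LOGIN authentication the password itself still crosses the wire, so it needs SSL regardless of the hash scheme.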

