Storing SASL passwords in database in hashed form (e.g. PBKDF2)

Johannes Bauer dfnsonfsduifb at gmx.de
Thu Jan 30 16:29:28 EST 2014


Hi list,

I'm a user of SASL2 because it is needed for smtpd authentication in my
Postfix. Recently I switched SASL from the local Berkeley DB to a MySQL
database.

However, I was quite surprised to see that the only way to have this
setup running (SASL + MySQL) is to have unencrypted passwords in the
database. Is this really correct or am I missing something? Ideally I'd
like to have PBKDF2 in the database or at least something of similar
security.

I realized there's the mysql-pam plugin that I could somehow configure
with SASL, but it is ancient (2006) and uses extremely crappy crypto as
well (MD5 really isn't what you want to store passwords in).

I'm also well aware that this limits Postfix to PLAIN authentication.
This is perfectly fine as I'm exclusively using smtps (i.e. TLS) and
therefore it is not a problem. Having plain text passwords in a database is.

Appreciate any help,
Thanks in advance,
Best regards,
Johannes
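The storage format the question asks about, as an added example that is not part of the original post and not code from the Cyrus SASL project: each user row holds only a salted PBKDF2-HMAC-SHA256 record (`algorithm$iterations$salt$digest`), and authentication recomputes the derivation and compares in constant time. SQLite stands in for MySQL here so the example runs offline; the iteration count, salt length and the `users` table layout are constructed values, and nothing here plugs into SASL's `sql` auxprop lookup, which compares the stored value directly rather than running a verifier.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed parameters for the example; tune the iteration count to the
# server's CPU budget (higher is slower for an attacker with a dumped table).
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password get
    different records and a precomputed table is useless against the dump.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the record's own salt and iterations and compare."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # Malformed or truncated record: treat as a failed login, never as a match
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so a byte-by-byte mismatch does not leak timing
    return hmac.compare_digest(candidate, expected)


# Record used when the username does not exist, so the KDF still runs and a
# missing account takes as long as a wrong password (hypothetical dummy user).
DUMMY_RECORD = hash_password("dummy-password-not-a-real-user")


def create_user_store() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL table SASL would read from."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Only the PBKDF2 record reaches the database; the cleartext is discarded
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        (username, hash_password(password)),
    )
    conn.commit()


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        verify_password(password, DUMMY_RECORD)
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    db = create_user_store()
    add_user(db, "johannes", "correct horse battery staple")
    stored = db.execute("SELECT password FROM users").fetchone()[0]
    print("stored record:", stored)  # no cleartext in the table
    print("good login:", authenticate(db, "johannes", "correct horse battery staple"))
    print("bad login: ", authenticate(db, "johannes", "wrong"))
```

The record embeds its own algorithm name, iteration count and salt, so the verifier never depends on a global setting: raising `DEFAULT_ITERATIONS` later only affects newly hashed passwords, and existing rows keep verifying until they are rehashed on the user's next successful login.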
