Clear text password and MySQL

Marko Cuk cuk at
Tue Jun 22 03:11:36 EDT 2004

Thanks for that. I need clear text passwords, but anyway, it helped me 
a lot, because there is a lot of info on how to do that and all of the 
information is different...

sasl_mysql_xxx or sasl_
or sasl_sql_statement vs sasl_sql_select (OK, for this one I found 
somewhere that it has changed)...

Marko Cuk

Eric S. Pulley wrote:

> Hi list,
> I just thought I'd share this since I see a lot of people using mysql 
> with clear text passwords.  It's probably obvious to everyone but 
> since I never see anyone talking about it I thought I'd share my config 
> for using encrypted passwords in mysql.  This config makes it so your 
> users can use secure methods of authentication over the Internet and 
> still have their data in an encrypted form in the database.
> It's not perfect. An admin that knows the SALT you are using to 
> encrypt the password field can retrieve the decrypted passwords from 
> the db.  But I find this to be an advantage in many cases.
> Using mysql 4+ you can encrypt fields with the 
> AES_ENCRYPT("text-to-encrypt","SALT") function.  Just make sure your 
> password field is a blob (binary varchar works too I think).
> So your settings in imapd.conf are:
> sasl_pwcheck_method: auxprop
> sasl_sql_engine: mysql
> sasl_sql_user: Yada
> sasl_sql_passwd: Yadayada
> sasl_sql_hostnames: localhost or whatever
> sasl_sql_database: YadaDB
> sasl_sql_statement: SELECT AES_DECRYPT(password_field,"SALT_YADA") FROM users_table WHERE username_field ='%u'
> In this scenario you are still passing the SALT in clear text to the 
> db but IMO this is much better than having your users logging in with 
> plaintext passwords over an open network.  Especially if your DB is on 
> the same host as cyrus-imap since you can contain it to a socket and 
> not use a network at all for the DB lookups.
> Also your mail server and user accounts are only as secure as the 
> imapd.conf file.  So use at your own risk.
> Anyway I hope someone finds this useful.
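
The database side of the setup described in the quoted post, as an added example that is not part of either message. Table, column and key names reuse the post's placeholders; the sample user, password, column sizes and the GRANT are assumptions. The string the post calls the SALT is the second argument of AES_ENCRYPT(), that is, the key string.

```sql
-- Added example (MySQL); not from the original thread.
-- AES_ENCRYPT() returns binary data of length
--   16 * (FLOOR(LENGTH(str) / 16) + 1)
-- so the password column must be a binary type. VARBINARY(64) (assumed size)
-- holds passwords of up to 63 bytes.
CREATE TABLE users_table (
    username_field VARCHAR(64)   NOT NULL PRIMARY KEY,
    password_field VARBINARY(64) NOT NULL
);

-- Provisioning: encrypt at insert time with the shared key string.
-- 'alice' and the password are constructed sample values.
INSERT INTO users_table (username_field, password_field)
VALUES ('alice', AES_ENCRYPT('constructed-sample-pw', 'SALT_YADA'));

-- What is actually stored: 32 bytes of ciphertext for this 21-byte password.
SELECT username_field,
       LENGTH(password_field) AS stored_len,
       HEX(password_field)    AS stored_hex
FROM users_table;

-- What the auxprop lookup runs once %u has been replaced by the login name.
-- The plaintext is returned to the SASL library, which is why the
-- shared-secret mechanisms can still be offered to clients.
SELECT AES_DECRYPT(password_field, 'SALT_YADA')
FROM users_table
WHERE username_field = 'alice';

-- The caveat from the post: the same key string decrypts every row, so the
-- protection is only as strong as access to imapd.conf and to this table.
SELECT username_field,
       AES_DECRYPT(password_field, 'SALT_YADA') AS cleartext
FROM users_table;

-- Assumed hardening step: give the lookup account from imapd.conf read-only
-- access to this one table (assumes the account 'Yada'@'localhost' exists).
GRANT SELECT ON YadaDB.users_table TO 'Yada'@'localhost';
```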

More information about the Info-cyrus mailing list