Switch from BLF-CRYPT to SHA512-CRYPT

Make scripts/measure_tls_and_logins.py executable
dovecot: enable authentication cache
2026-05-11 16:34:39 +00:00 · 2023-10-15 20:50:06 +00:00 · 2023-10-15 20:42:09 +00:00 · 2023-10-15 20:42:09 +00:00 · 2023-10-15 20:42:09 +00:00 · 2023-10-15 20:42:09 +00:00
6 changed files with 23 additions and 6 deletions
--- a/chatmaild/src/chatmaild/dictproxy.py
+++ b/chatmaild/src/chatmaild/dictproxy.py
@@ -16,7 +16,7 @@ def encrypt_password(password: str):
    password = password.encode("ascii")
    # https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
    process = subprocess.Popen(
-        ["doveadm", "pw", "-s", "BLF-CRYPT"],
+        ["doveadm", "pw", "-s", "SHA512-CRYPT"],
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
    )
@@ -59,7 +59,7 @@ def handle_dovecot_request(msg, db):
    if short_command == "L":  # LOOKUP
        parts = msg[1:].split("\t")
        keyname, user = parts[:2]
-        namespace, type, arg = keyname.split("/", 3)
+        namespace, type, *args = keyname.split("/")
        reply_command = "F"
        res = ""
        if namespace == "shared":
@@ -70,7 +70,7 @@ def handle_dovecot_request(msg, db):
                else:
                    reply_command = "N"
            elif type == "passdb":
-                res = lookup_passdb(db, user, password=arg)
+                res = lookup_passdb(db, user, password=args[0])
                if res:
                    reply_command = "O"
                else:
--- a/deploy-chatmail/src/deploy_chatmail/dovecot/auth.conf
+++ b/deploy-chatmail/src/deploy_chatmail/dovecot/auth.conf
@@ -1,5 +1,5 @@
 uri = proxy:/run/dovecot/doveauth.socket:auth
 iterate_disable = yes
 default_pass_scheme = plain
-password_key = passdb/%w
+password_key = passdb/%w/%u
-user_key = userdb/%u
+user_key = userdb/%u
--- a/deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2
@@ -8,6 +8,7 @@ auth_verbose = yes
 auth_debug = yes
 auth_debug_passwords = yes
 auth_verbose_passwords = plain
 auth_cache_size = 100M
 # Authentication for system users.
 passdb {
--- a/online-tests/conftest.py
+++ b/online-tests/conftest.py
@@ -4,6 +4,7 @@ import imaplib
 import smtplib
 import itertools
 import pytest
 import time
@pytest.fixture
@@ -49,12 +50,13 @@ class SmtpConn:
@pytest.fixture
 def gencreds(maildomain):
    prefix = str(time.time())
    count = itertools.count()
    def gen():
        while 1:
            num = next(count)
-            yield f"user{num}@{maildomain}", f"password{num}"
+            yield f"user{prefix}_{num}@{maildomain}", f"password{prefix}_{num}"
    return lambda: next(gen())
--- a/online-tests/test_0_login.py
+++ b/online-tests/test_0_login.py
@@ -12,6 +12,19 @@ class TestDovecot:
        imap.connect()
        imap.login(user, password)
    def test_login_same_password(self, imap, gencreds):
        """Test two different users logging in with the same password.
        This ensures that authentication process does not confuse the users
        by using only the password hash as a key.
        """
        user1, password1 = gencreds()
        user2, _password2 = gencreds()
        imap.connect()
        imap.login(user1, password1)
        imap.connect()
        imap.login(user2, password1)
    def test_login_fail(self, imap, gencreds):
        user, password = gencreds()
        imap.connect()
--- a/scripts/measure_tls_and_logins.py
+++ b/scripts/measure_tls_and_logins.py
@@ -1,3 +1,4 @@
 #!/usr/bin/env python3
 import os
 import time
 import imaplib
Author	SHA1	Message	Date
link2xt	7e15094dd1	Switch from BLF-CRYPT to SHA512-CRYPT	2023-10-15 20:50:06 +00:00
link2xt	e19cce7c69	Make scripts/measure_tls_and_logins.py executable	2023-10-15 20:42:09 +00:00
link2xt	1d312f7cfe	dovecot: enable authentication cache	2023-10-15 20:42:09 +00:00
link2xt	8bed8578ad	Test different users logging in with the same password	2023-10-15 20:42:09 +00:00
link2xt	0bfeb2ae5e	Avoid reusing accounts between tests Add time as a prefix.	2023-10-15 20:42:09 +00:00