Switch from BLF-CRYPT to SHA512-CRYPT

Add time as a prefix.

chatmaild/src/chatmaild/dictproxy.py

@@ -16,7 +16,7 @@ def encrypt_password(password: str):
     password = password.encode("ascii")
     # https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
     process = subprocess.Popen(
-        ["doveadm", "pw", "-s", "BLF-CRYPT"],
+        ["doveadm", "pw", "-s", "SHA512-CRYPT"],
         stdin=subprocess.PIPE,
         stdout=subprocess.PIPE,
     )
@@ -59,7 +59,7 @@ def handle_dovecot_request(msg, db):
     if short_command == "L":  # LOOKUP
         parts = msg[1:].split("\t")
         keyname, user = parts[:2]
-        namespace, type, arg = keyname.split("/", 3)
+        namespace, type, *args = keyname.split("/")
         reply_command = "F"
         res = ""
         if namespace == "shared":
@@ -70,7 +70,7 @@ def handle_dovecot_request(msg, db):
                 else:
                     reply_command = "N"
             elif type == "passdb":
-                res = lookup_passdb(db, user, password=arg)
+                res = lookup_passdb(db, user, password=args[0])
                 if res:
                     reply_command = "O"
                 else:

deploy-chatmail/src/deploy_chatmail/dovecot/auth.conf

@@ -1,5 +1,5 @@
 uri = proxy:/run/dovecot/doveauth.socket:auth
 iterate_disable = yes
 default_pass_scheme = plain
-password_key = passdb/%w
-user_key = userdb/%u
+password_key = passdb/%w/%u
+user_key = userdb/%u

deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2

@@ -8,6 +8,7 @@ auth_verbose = yes
 auth_debug = yes
 auth_debug_passwords = yes
 auth_verbose_passwords = plain
+auth_cache_size = 100M
 
 # Authentication for system users.
 passdb {

online-tests/conftest.py

@@ -4,6 +4,7 @@ import imaplib
 import smtplib
 import itertools
 import pytest
+import time
 
 
 @pytest.fixture
@@ -49,12 +50,13 @@ class SmtpConn:
 
 @pytest.fixture
 def gencreds(maildomain):
+    prefix = str(time.time())
     count = itertools.count()
 
     def gen():
         while 1:
             num = next(count)
-            yield f"user{num}@{maildomain}", f"password{num}"
+            yield f"user{prefix}_{num}@{maildomain}", f"password{prefix}_{num}"
 
     return lambda: next(gen())
 

online-tests/test_0_login.py

@@ -12,6 +12,19 @@ class TestDovecot:
         imap.connect()
         imap.login(user, password)
 
+    def test_login_same_password(self, imap, gencreds):
+        """Test two different users logging in with the same password.
+
+        This ensures that authentication process does not confuse the users
+        by using only the password hash as a key.
+        """
+        user1, password1 = gencreds()
+        user2, _password2 = gencreds()
+        imap.connect()
+        imap.login(user1, password1)
+        imap.connect()
+        imap.login(user2, password1)
+
     def test_login_fail(self, imap, gencreds):
         user, password = gencreds()
         imap.connect()

scripts/measure_tls_and_logins.py

@@ -1,3 +1,4 @@
+#!/usr/bin/env python3
 import os
 import time
 import imaplib