
Commit 166c13b

Note of security issue as per opensolutions/OSS-Framework#43
1 parent 791c836 commit 166c13b

File tree

1 file changed

+15
-3
lines changed

application/configs/application.ini.dist

Lines changed: 15 additions & 3 deletions
@@ -139,15 +139,27 @@ defaults.mailbox.min_password_length = 8
139139
;
140140
; "plain" - password stored as clear text
141141
; "md5" - password hashed using MD5 without salt (PHP md5())
142-
; "md5.salted" - password hashed using MD5 with salt (see below)
142+
; "md5-salted" - password hashed using MD5 with salt (salt set in defaults.mailbox.password_salt above)
143143
; "sha1" - password hashed using sha1 without salt
144-
; "sha1.salted" - password hashed using sha1 with salt defined below
144+
; "sha1-salted" - password hashed using sha1 with salt (salt set in defaults.mailbox.password_salt above)
145145
; "crypt:XXX" - call the PHP crypt function (with random salt) where XXX is one of: md5, blowfish, sha256, sha512
146146
; "dovecot:XXX" - call the Dovecot password generator (see next option below) and use the
147147
; scheme specified by XXX. To see available schemes, use 'dovecotpw -l'
148148
; or 'doveadm pw -l'
149149

150-
defaults.mailbox.password_scheme = "md5.salted"
150+
; You should pick a hashing function as string as your mail system allows.
151+
; At time of writing, Dovecot ( http://wiki2.dovecot.org/Authentication/PasswordSchemes ) recommends one of
152+
; BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT in descending order of strength
153+
defaults.mailbox.password_scheme = "dovecot:BLF-CRYPT"
154+
155+
; April 2016 - Bad salts - it was pointed out that a typo in the code below meant that
156+
; the now deprecated md5.salted and sha1.salted (as opposed to their hyphenated versions above)
157+
; didn't actually use the requested salt string but a fixed salt of "md5.salted" and "sha1.salted"
158+
; respectivily. These options still work for backwards compatibility.
159+
; See:
160+
; https://github.com/opensolutions/OSS-Framework/issues/43#issuecomment-207040421
161+
; https://github.com/opensolutions/OSS-Framework/commit/b3d669a81f8214032a70e594472ece9fe9322fe2
162+
151163

152164
; The path to (and initial option(s) if necessary) the Dovecot password generator. Typical
153165
; values may be something like:
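Review bot: the backwards-compatibility sentence in the new comment block understates the consequence of the bug it describes. Any hash already stored under the old `md5.salted` or `sha1.salted` scheme was produced with the constant salt "md5.salted" / "sha1.salted" rather than `defaults.mailbox.password_salt`, so those stored hashes are effectively unsalted until the account's password is re-hashed; suggest saying that explicitly and pointing operators at a migration path (re-hash on the next successful login, or a forced reset) instead of only "These options still work for backwards compatibility." Two wording fixes in the same block: "as string as your mail system allows" should read "as strong as", and "respectivily" should be "respectively". Finally, changing the shipped default from `"md5.salted"` to `"dovecot:BLF-CRYPT"` makes a fresh install depend on the Dovecot password generator configured in the next option; a one-line reminder that the chosen scheme must be listed by `doveadm pw -l` on the local Dovecot build (the check the comment above already gives) would save a confusing failure at first mailbox creation.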
