Menu
Previously (MySQL 5.7) we was using this command to add a new email address into an existing table:
INSERT INTO `servermail`.`virtual_users`
(`id`, `domain_id`, `password` , `email`)
VALUES
('1', '1', ENCRYPT('password', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), '[email protected]'),
then dovecot was able to authenticate users. (more information about dovecot password scheme)
Now Encrypt has been deprecated in the recent versions of MySQL. (link)
I want to rewrite that command using SHA2 but I wasn't succeed.
Edit:
This could help someone to use How To Configure a Mail Server Using Postfix, Dovecot, MySQL, and SpamAssassin to configure a Mail Server with version 8.0 of Mysql.
605
CRYPT: Traditional DES-crypted password in /etc/passwd (e.g. "pass" = vpvKh.SaNbR6s) Dovecot uses libc’s crypt () function, which means that CRYPT is usually able to recognize MD5-CRYPT and possibly also other password schemes.
sha256_password supports connections over secure transport. sha256_password also supports encrypted password exchange using RSA over unencrypted connections if MySQL is compiled using OpenSSL, and the MySQL server to which you wish to connect is configured to support RSA (using the RSA configuration procedure given later in this section).
The scheme defaults to CRYPT (with the $2y$ bcrypt format), but you can use -s to override it: To provide password, for scripting purposes, you can use either Password databases have a default password scheme: SQL : See default_pass_scheme setting in dovecot-sql.conf.ext LDAP: See default_pass_scheme setting in dovecot-ldap.conf.ext
In MySQL 8.0, caching_sha2_password is the default authentication plugin rather than mysql_native_password. For information about the implications of this change for server operation and compatibility of the server with clients and connectors, see caching_sha2_password as the Preferred Authentication Plugin .
SHA512-CRYPT seems to be impossible to implement within MySQL and as far Dovecot goes, I'll admit I can't understand why they suggest using encryption to begin with. Using a strong hash as the OP suggested works at least as well and is more secure.
Since I prefer my passwords with extra salt, here's how I'm using Dovecot's SSHA512 which is the "Salted SHA512 sum of the password stored in base64":
INSERT INTO `virtual_users`
(`id`, `domain_id`, `password` , `email`)
VALUES
(NULL, '1', (SELECT REPLACE(TO_BASE64(CONCAT(UNHEX(SHA2(CONCAT('YourPasswordHere', v.salt), 512)), v.salt)), '\n', '') AS salted FROM (SELECT SHA2(RAND(), 512) AS salt) v), '[email protected]');
Or to update a password:
UPDATE virtual_users
SET `password` = (
SELECT REPLACE(TO_BASE64(CONCAT(UNHEX(SHA2(CONCAT('YourPasswordHere', v.salt), 512)), v.salt)), '\n', '') AS salted
FROM (
SELECT SHA2(RAND(), 512) AS salt
) v
)
WHERE email = '[email protected]';
These queries:
TO_BASE64() functionThe result is a 256 byte long string so you may need to update your password field to VARCHAR(256).
There are a number of tutorials that suggest using doveadm to manually generate the encrypted password and while this works well, I find it a bit more cumbersome. For those interested you can call it like so:
doveadm pw -s SHA512-CRYPT -p "YourPasswordHere"
Even more useful is the ability to validate your generated passwords with the same utility:
doveadm auth test [email protected] YourPasswordHere
Finally I changed the default method dovecote uses for its user authentication from SHA512-CRYPT to SHA512. I think it's not less secure than that but is supported by MySQL 8.
After that I used this command to add a new user to the table.
INSERT INTO `servermail`.`virtual_users`
(`id`, `domain_id`, `password` , `email`)
VALUES
('1', '1', TO_BASE64(UNHEX(SHA2('password', 512))), '[email protected]');
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With