Support SCRAM-SHA-1 via dovecot-core
Hi @DavidGoodwin,
would you mind adding dovecot-core to your Docker images? This would allow me to use your images instead of building my own.
According to https://github.com/postfixadmin/postfixadmin/issues/313 implementing SCRAM-SHA-* without doveadm is not planned, so installing dovecot-core by default seems sensible.
Originally posted in https://github.com/postfixadmin/docker/issues/49#issuecomment-1817193804
I think this would just need adding to the two Dockerfile*.template files. Alpine doesn't have a "dovecot-core" though - https://pkgs.alpinelinux.org/packages?name=dovecot&branch=edge&repo=&arch=x86_64&origin=&flagged=&maintainer=
Any opinions @J0WI ?
doveadm is in dovecot: https://pkgs.alpinelinux.org/contents?file=doveadm&path=&name=&branch=edge&repo=&arch=
Adding dovecot* to the image just for more password hashes sounds like a bit of overkill, doesn't it? Are those hashes widely used?
The SCRAM family adds protection against many known attacks compared to simple hashes. It's probably not as widespread, because many mail clients lack support for it. However, security-aware people may want to opt-in to these authentication mechanisms. It can be offered in parallel to weaker mechanisms if desired. I have no idea how many servers offer it as an option.
See https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism for further information.
Of course, the smaller the container image, the better. However, excluding advanced authentication mechanisms from the official image seems counterproductive to me, as it hinders adoption of all current and future hashes supported by dovecot that haven't been and are not going to be reimplemented by postfixadmin. With the advent of post-quantum cryptography this problem is going to become even worse. Relying on dovecot's implementations seems to be a sensible option to me.
If size is important, it would probably be possible to remove unneeded files after installation of the dovecot package.
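The comment above contrasts SCRAM with simple hashes. As an added example (not from this thread, and not postfixadmin or Dovecot code), the following Python derives the RFC 5802 credential a server stores and verifies a client proof using only that stored credential. It assumes an ASCII password (SASLprep is skipped), all function names are hypothetical, and the `{SCRAM-SHA-1}iterations,salt,StoredKey,ServerKey` layout is an assumption to compare against the output of `doveadm pw -s SCRAM-SHA-1`.

```python
import base64, hashlib, hmac

# Sample input: the example exchange from RFC 5802 section 5
# (user "user", password "pencil", 4096 iterations).
RFC_SALT = base64.b64decode("QSXCR+Q6sek8bf92")
RFC_AUTH_MESSAGE = (
    b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
    b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
    b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
)
RFC_CLIENT_PROOF = "v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="

def derive_credential(password, salt, iterations, algo="sha1"):
    """Return (StoredKey, ServerKey): what the server keeps instead of the password."""
    salted = hashlib.pbkdf2_hmac(algo, password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", algo).digest()
    stored_key = hashlib.new(algo, client_key).digest()   # one-way: H(ClientKey)
    server_key = hmac.new(salted, b"Server Key", algo).digest()
    return stored_key, server_key

def dovecot_style(password, salt, iterations, algo="sha1"):
    """Serialize the credential. The field layout is an assumption, see lead-in."""
    stored_key, server_key = derive_credential(password, salt, iterations, algo)
    b64 = lambda raw: base64.b64encode(raw).decode()
    scheme = "SCRAM-SHA-1" if algo == "sha1" else "SCRAM-SHA-256"
    return "{%s}%d,%s,%s,%s" % (scheme, iterations, b64(salt),
                                b64(stored_key), b64(server_key))

def verify_client_proof(stored_key, server_key, auth_message, proof_b64, algo="sha1"):
    """Server side: return the base64 ServerSignature if the proof is valid, else None.

    Only StoredKey is needed. ClientKey is recovered from the proof itself, so a
    leaked credential database does not contain what a client must present.
    """
    proof = base64.b64decode(proof_b64)
    client_sig = hmac.new(stored_key, auth_message, algo).digest()
    if len(proof) != len(client_sig):
        return None
    client_key = bytes(p ^ s for p, s in zip(proof, client_sig))
    if not hmac.compare_digest(hashlib.new(algo, client_key).digest(), stored_key):
        return None
    # The server proves knowledge of ServerKey, giving mutual authentication.
    return base64.b64encode(hmac.new(server_key, auth_message, algo).digest()).decode()

if __name__ == "__main__":
    print(dovecot_style("pencil", RFC_SALT, 4096))
    stored, server = derive_credential("pencil", RFC_SALT, 4096)
    print(verify_client_proof(stored, server, RFC_AUTH_MESSAGE, RFC_CLIENT_PROOF))
```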
@mtdcr: Thanks for your ticket about SCRAM! :)
For information, Dovecot 2.4.0 supports SCRAM-SHA-1/SCRAM-SHA-256 and SCRAM-SHA-1-PLUS/SCRAM-SHA-256-PLUS:
- https://dovecot.org/mailman3/archives/list/[email protected]/thread/UYNR6GBP25XEGFCS633SWPR4HXV3NSS3/
- https://github.com/search?q=repo%3Adovecot%2Fcore+scram&type=commits
This ticket is about more than SCRAM-SHA-1 :)
We can thank Dovecot contributors: @stephanbosch, @sirainen, @cmouse, @Florob.
It is linked to:
- https://github.com/postfixadmin/postfixadmin/issues/313
- https://github.com/scram-sasl/info/issues/1