
Advice of security point of view for doveadm and doveconf and sh usage

Open osevan opened this issue 10 months ago • 2 comments

Yesterday I investigated php-fpm, and especially the postfixadmin strace file, with some cool information behind the doors.

For login, Postfixadmin needs 3 additional binaries for the password inside the database - in my point of view too many - because for PHP container hardening we MUST add these binaries as dependencies inside a high-security container, and these are security risks, especially the sh binary.

Can you figure out how to hash and dehash directly inside the PHP universe itself without invoking sh, doveadm and doveconf?

I mean here exactly a pure, clean PHP solution, without any additional binaries involved in this hashing and dehashing phase.

Thanks and

Best regards.

osevan, Feb 22 '25 01:02

The dependency has been (almost) removed in the master branch of postfixadmin - https://github.com/postfixadmin/postfixadmin/blob/9620056277d09cf7a0e833f60dadc361208d4121/DOCUMENTS/HASHING.md

You don't have to use doveadm for your password hashing.

DavidGoodwin, Feb 22 '25 09:02
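Hashing and checking a mailbox password entirely inside the PHP process, with no sh, doveadm or doveconf in the container, shown as an added example that is not postfixadmin's own code or part of the thread. It assumes hashes are stored with a Dovecot-style `{SHA512-CRYPT}` prefix; the function names `make_hash` and `verify_hash` are hypothetical, and checking a password means re-hashing the candidate with the stored salt and comparing.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helper names). Assumption: the password column
// holds "{SHA512-CRYPT}" followed by a crypt(3) SHA-512 string.

function make_hash(string $password): string
{
    // 16 salt characters from the crypt alphabet, drawn from the CSPRNG.
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }

    // PHP ships its own SHA-512 crypt implementation, so no external binary runs.
    $hash = crypt($password, '$6$rounds=100000$' . $salt . '$');

    // On failure crypt() returns a short marker such as "*0", never a real hash.
    if (strlen($hash) < 20 || strncmp($hash, '$6$', 3) !== 0) {
        throw new RuntimeException('SHA-512 crypt is not available');
    }
    return '{SHA512-CRYPT}' . $hash;
}

function verify_hash(string $password, string $stored): bool
{
    // Accept only the prefixed form written above; anything else fails closed
    // (for example a "{PLAIN}" entry or a value with no scheme prefix).
    if (!preg_match('/^\{SHA512-CRYPT\}(\$6\$.+)$/', $stored, $m)) {
        return false;
    }
    // password_verify() re-runs crypt() with the stored salt and rounds and
    // compares the result in constant time.
    return password_verify($password, $m[1]);
}

// Constructed sample values, not taken from any real system.
$stored = make_hash('correct horse battery staple');
var_dump(verify_hash('correct horse battery staple', $stored));
var_dump(verify_hash('wrong password', $stored));
var_dump(verify_hash('x', '{PLAIN}x'));
```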

Thank you very much for the info. So php_crypt doesn't support argon2i natively, I see.

Maybe in the future.

Good luck

osevan, Feb 22 '25 10:02