On 26.9.2013, at 10.01, Nicolay Vizovitin <vizovi...@gmail.com> wrote:
> I'm about to start developing authentication/password-scheme module for
> Dovecot. So I would like to get some advice before actually committing to
> doing things in a particular way. Hope somebody will be able to help me :)
>
> For the record, I am currently targeting latest stable Dovecot version
> 2.2.5.
>
> I have an SQL DB with mail users' authentication data. Passwords are stored
> either encrypted via system crypt(3) or ciphered with some custom algorithm
> (think something symmetrical like AES, so passwords can be decrypted into
> plain form). I want to use this DB as both userdb and passdb backend. The
> issue, of course, is with ciphered passwords support.
>
> 1) Is it feasible to just implement a new password scheme for ciphered
> passwords support and still use stock passdb driver in Dovecot for SQL DB
> access?

Plugins can implement new password schemes. http://dovecot.org/patches/password-scheme-lmpass.c is an example, although I'm not sure if it compiles with v2.2.

> So that passwords in this scheme would be treated as PLAIN (in a
> sense that both cleartext and shared secret authentication methods would
> work).

You could do that in a slightly ugly way by setting password_generate=plain_generate(), so password_scheme_is_alias() returns TRUE for that.

> 2) Provided I implement custom password scheme for ciphered passwords, what
> is the best way to be capable of performing authentication against both
> ciphered and encrypted passwords? Ciphered and encrypted passwords are
> stored in different fields of SQL table (one of them is NULL when the other
> one is set).
> a) Do I define two passdb clauses with their own default_pass_scheme
> (equal to my new scheme or CRYPT for encrypted passwords) and use fallback
> to effectively check both of them?
> b) Do I modify SQL query so that it prefixes existing password with
> correct scheme (I'm not sure this will be easy enough to do)?

By "ciphered" I understand you mean encrypted, and by "encrypted" you mean hashed. Scheme prefix would work, MySQL and PostgreSQL have complex enough string manipulation functions to make this possible I think.

> 3) Is it mandatory to provide password generation routine for custom
> password scheme? When will it be used?

doveadm pw command would use it for example. But as mentioned, you should set it to plain_generate.

> 4) Maybe it's better to just implement a plugin that serves as both userdb
> and passdb driver (in other words a kind of generic authentication module)?
> What are advantages and disadvantages of each method - custom password
> scheme + stock SQL driver VS. custom userdb and passdb driver? Fortunately,
> I already have all the required credentials lookup and verification code.
> So in any case the question is only in figuring out suitable Dovecot APIs
> and integrating the existing code.

Implementing yet another sql passdb sounds like quite a lot of work.

> 7) Somewhat unrelated question: what is the best way to test IMAP (and
> maybe POP3 as well) server performance and compare it to another server?
> I'm interested in both login performance (the part I will influence) and
> performance with many mails in mailbox. I heard imaptest is suitable for
> this task. Are there any recipes or example testing scenarios you might
> share? ;)

There are only bad non-realistic benchmarks available currently. With imaptest you can easily test the login performance though:

imaptest user=test%d.%d - select=0 clients=100
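One way to build the scheme-prefixed password_query discussed under 2b, added here as an example; it is not part of the original thread and not Dovecot's own code. The table layout, the column names, the sample rows and the scheme name {MYCIPHER} are constructed for illustration (the real name is whatever the plugin registers); %u is Dovecot's username variable and {CRYPT} is a scheme Dovecot ships with.

```sql
-- Constructed schema: exactly one of the two password columns is non-NULL,
-- crypt_pw holds a crypt(3) hash, ciphered_pw the reversibly ciphered value.
CREATE TABLE mail_users (
  username    VARCHAR(255) PRIMARY KEY,
  crypt_pw    VARCHAR(255) NULL,      -- crypt(3) output, or NULL
  ciphered_pw VARCHAR(255) NULL,      -- custom-scheme ciphertext, or NULL
  home        VARCHAR(255) NOT NULL
);

-- Constructed rows; the hash and ciphertext values are not real credentials.
INSERT INTO mail_users (username, crypt_pw, ciphered_pw, home) VALUES
  ('alice@example.com', '$1$c0nstrct$exampleonlynotarealhash0000', NULL,
   '/var/mail/alice'),
  ('bob@example.com',   NULL, 'Y29uc3RydWN0ZWQtY2lwaGVydGV4dA==',
   '/var/mail/bob');

-- Dovecot passdb lookup (the value of password_query in dovecot-sql.conf.ext).
-- Prefixing the stored value with {SCHEME} tells Dovecot which verifier to
-- run per row, so one passdb block covers both columns and no fallback
-- between two passdb clauses is needed. CASE is used instead of
-- COALESCE(CONCAT(...), CONCAT(...)) because PostgreSQL's CONCAT turns NULL
-- into '' rather than propagating it; CASE behaves the same on both servers.
-- A row with both columns NULL yields a NULL password and the lookup fails,
-- rather than silently falling back to default_pass_scheme.
SELECT username AS user,
       CASE
         WHEN crypt_pw    IS NOT NULL THEN CONCAT('{CRYPT}', crypt_pw)
         WHEN ciphered_pw IS NOT NULL THEN CONCAT('{MYCIPHER}', ciphered_pw)
         ELSE NULL
       END AS password
FROM mail_users
WHERE username = '%u';
```

Because the scheme is decided per row in the query, default_pass_scheme in the passdb block is only a safety net for rows that somehow lack a prefix; setting it to the stricter of the two (CRYPT) keeps an unprefixed value from ever being interpreted as PLAIN.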