Should work then if you have roundcube 1.6.x and php8.2 which is also the bookworm package version.

Depends on your server spec / number of users if you use argon2 over bcrypt.

One approach might be to just migrate all users to BLF-CRYPT anyway, and then set the recommended dovecot member settings and selectively change a few users to ARGON2ID to see the impact. If you stored both hashes in the database, this would allow you to switch back.
If someone gained write access to the database somehow, they could possibly replace a user's password hash with a new one, thereby allowing them to gain access to user accounts.

Two-factor authentication of course is the way to go with roundcube, but by default, there's nothing stopping access using the same credentials via IMAP/Submission without the 2FA, so roundcube 2FA isn't effective by itself if users also have access to IMAP/Submission.
I improved things a bit by using roundcube plugins:-
mmvi/twofactor_webauthn - FIDO2/webauthn 2FA.
And: https://github.com/openSUSE/ap4rc
I modified it a bit to allow using the same username and added some
features to it: https://github.com/listerr/ap4rc/tree/last-access
Ultimately the goal is to eliminate passwords using OAUTH2 etc but not quite there yet.
R.
On 2023-06-24 14:54, David Mehler wrote:
Hello,
Thanks. The other utility I would be using is the Roundcube webmail
password plugin. Still trying to figure the best option.
More opinions?
Thanks.
Dave.
--
Robert Lister - email: r...@lentil.org - tel: 020 7043 7996
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
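The bcrypt-versus-argon2 trade-off discussed in the thread (and the "store both hashes so you can switch back" idea) can be tried out before touching production. The script below is an added example written for this page; it is not code from the thread, from Roundcube's password plugin, or from Dovecot. It uses PHP 8.2's core password_hash()/password_verify() to emit hashes in the {BLF-CRYPT}... and {ARGON2ID}... forms that Dovecot's passdb accepts, and times each scheme so the cost parameters can be tuned to the server. Assumptions: PHP was built with argon2 support (PASSWORD_ARGON2ID is defined), Dovecot accepts the $2y$ bcrypt variant under the BLF-CRYPT scheme name, and the cost values are starting points, not recommendations for any particular host.

```php
<?php
// Added example (not from the thread, Roundcube or Dovecot): produce
// Dovecot-style prefixed password hashes with PHP 8.2 and time them.
// Assumes: PHP built with argon2 (PASSWORD_ARGON2ID defined); Dovecot
// accepts {BLF-CRYPT}$2y$... and {ARGON2ID}$argon2id$... in its passdb.
declare(strict_types=1);

// Starting-point costs; tune per host by looking at ms/hash below.
const BCRYPT_COST      = 12;     // 2^12 rounds
const ARGON2_MEMORY_KB = 65536;  // 64 MiB per hash in flight
const ARGON2_TIME      = 3;      // iterations
const ARGON2_THREADS   = 1;

function dovecot_blf_crypt(string $password, int $cost = BCRYPT_COST): string {
    return '{BLF-CRYPT}' . password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function dovecot_argon2id(string $password): string {
    if (!defined('PASSWORD_ARGON2ID')) {
        throw new RuntimeException('this PHP build has no argon2 support');
    }
    return '{ARGON2ID}' . password_hash($password, PASSWORD_ARGON2ID, [
        'memory_cost' => ARGON2_MEMORY_KB,
        'time_cost'   => ARGON2_TIME,
        'threads'     => ARGON2_THREADS,
    ]);
}

// The "keep both hashes" migration: one row holds both, so the passdb
// query can point at either column while you measure the argon2 impact.
function both_hashes(string $password): array {
    return [
        'blf_crypt' => dovecot_blf_crypt($password),
        'argon2id'  => dovecot_argon2id($password),
    ];
}

// Verify a stored value by its scheme prefix; refuse anything unprefixed
// rather than guessing which scheme it is.
function verify_dovecot_hash(string $password, string $stored): bool {
    if (preg_match('/^\{(BLF-CRYPT|ARGON2ID)\}(.+)$/', $stored, $m) !== 1) {
        return false;
    }
    return password_verify($password, $m[2]);
}

// Average wall-clock ms per hash; multiply by the expected number of
// concurrent logins (IMAP, Submission, webmail) to estimate the load.
function time_hashes(callable $hasher, int $n = 5): float {
    $start = hrtime(true);
    for ($i = 0; $i < $n; $i++) {
        $hasher('correct horse battery staple');   // constructed sample password
    }
    return (hrtime(true) - $start) / $n / 1e6;
}

$row = both_hashes('hunter2');                      // constructed sample password
printf("%s\n%s\n", $row['blf_crypt'], $row['argon2id']);
var_dump(verify_dovecot_hash('hunter2', $row['blf_crypt']));   // bool(true)
var_dump(verify_dovecot_hash('hunter2', $row['argon2id']));    // bool(true)
var_dump(verify_dovecot_hash('wrong', $row['argon2id']));      // bool(false)
var_dump(verify_dovecot_hash('hunter2', substr($row['argon2id'], 10))); // bool(false): no prefix
printf("bcrypt cost=%d: %.1f ms/hash\n", BCRYPT_COST, time_hashes('dovecot_blf_crypt'));
printf("argon2id m=%dKiB t=%d p=%d: %.1f ms/hash\n",
    ARGON2_MEMORY_KB, ARGON2_TIME, ARGON2_THREADS, time_hashes('dovecot_argon2id'));
```

Run it on the mail host itself rather than a workstation: the argon2id memory_cost is charged per hash in flight, so the number that matters is ms/hash times peak concurrent authentications, not the single-hash time. Because each stored value carries its own {SCHEME} prefix, Dovecot does not need default_pass_scheme to change during the migration, and the password-reset path (for example a Roundcube password plugin) only has to write whichever column you are currently pointing the passdb query at.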