On Mon, 2020-05-04 at 15:14 -0600, Grant Taylor wrote: > I see little benefit of an SQL database vs rules with the encrypted > (hashed) passwords (possibly salted with the usernames / email > address) > in the SpamAssassin config file. Well, save for possible ease of > administration in that SA's config file doesn't need to be updated > when > passwords are compromised. > The list of such passwords might get rather long, so using a database both makes maintenance easier, as you spotted, and also keeps a lot of junk out of the rule sets. One Perl module and one or two rules triggering it seem a lot easier to maintain than a whole heap of rules containing unreadable junk but of course ymmv unless, of course you write code to autogenerate the rules, but it still sounds like a good way to inflate the ruleset to no good purpose.
However, I've long realised that not everybody is as keen on databases as I am. > > You get points for added security by obscurity it you can stick it > > in a corner of an existing, unrelated database. > > <wince> > Yep, not really a serious suggestion. Martin
