Eugeny / ajenti-v

Virtual Hosting addon for Ajenti
ajenti.org/#product-ajenti-v
MIT License
225 stars 80 forks

Encrypted Mailbox Passwords #235

Closed mehmetakbulut closed 7 years ago

mehmetakbulut commented 8 years ago

This pull request makes Ajenti-V store mailbox passwords with MD5 hashing instead of plaintext. Default behavior is that when a password is entered for a new account or a password is changed in the GUI, it will keep its MD5 hash instead of plaintext from now on.

Passwords stored as plaintext will remain as plaintext for compatibility, unless changed on the Mail page in Ajenti.

While recreating the courier userdb, plaintext and MD5 passwords are properly handled so plaintext passwords still work and MD5 passwords are not double-hashed.

[screenshot: improved-mail]

Here you can see the mail.json where Ajenti stores all of the mail configurations. johndoe and janedoe have their passwords encrypted (as shown with md5 prefix), while hodor still has a plaintext password and they all can happily use their mailboxes.

Ardakilic commented 8 years ago

Thanks, this looks promising :+1:

Since I'm not a Python developer I wanted to ask: Is using bcrypt instead of md5 possible? I would way prefer that instead.

mehmetakbulut commented 8 years ago

Implementing bcrypt might require installing additional applications on the server which might not be an option on all operating systems. It is not a limitation of Python but rather Courier's as Ajenti relies on Courier to store and authenticate accounts. I can see some examples of bcrypt with postfix / mysql online but this would be a departure from how Ajenti currently handles mail overall as I understand.

I actually plan on adding an option to change the encryption scheme. Available algorithms are partially limited by userdbpw.

When I have time, I want to deprecate userdbpw and use authpasswd as it allows md5, sha1 and sha256, and give the user the option to choose. This would be a drop-in replacement that requires no changes to Courier itself or Ajenti in the grand scheme of things.

Ardakilic commented 8 years ago

Thank you @mehmetakbulut for the detailed explanation 👍