I have a Rails app with the Devise authentication gem running user registration and login. I want to use the db table that Devise populates when a user registers as the table that Postfix uses to authenticate users.
The table has all the fields that Postfix may want for SASL authentication except that Devise encrypts the password using Blowfish before placing it in the database.
How could I go about getting Postfix/SASL to decrypt those passwords so that the user can be authenticated properly? Devise salts the password so I'm not sure if that helps.
Any suggestions? I'd likely want to do something similar with Dovecot or Courier, I'm not attached to one quite yet.
Postfix can be configured to use Dovecot for SASL authentication, so you might be better off starting the other way around and figuring out if you can get Dovecot to process these hashes.
Keep in mind that hashes are designed not to be "decrypted". When someone wants to log in, the application takes the original salt and the password the user provides and recalculates the hash; if the hashes match, the password was "right".
Are these just raw hashes Devise stores in the database, or are they stored in Modular Crypt Format (starts with $x$...)? If they're in crypt format, Dovecot should be able to support them as long as you specify scheme=CRYPT. The only thing is that I don't see an MCF ID for SHA-1, only $5$ which is SHA-256 and $6$ which is -512 (both are SHA-2 family hashes).
Alternatively, if Devise uses a database-accessible function to create the password (like MySQL's PASSWORD() function) then you should be able to craft a custom database query for authentication using whichever mail server's database connector, which gives you the ability to do something like
I'm not sure if this would work for you or not, but at RSA the other week there was a company there with Transparent Data Encryption for MySQL on Linux. I've never seen a good way to do this before, but these guys seem to have it.
They encrypt to disc as MySQL is writing and decrypt as the data is requested. No changes to the app or data structure at all. Company is Gazzang, site is www.gazzang.com.
Hope this helps.
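The "raw hash or Modular Crypt Format?" check raised in the answers above, as an added example that is not part of the original thread or of Devise/Dovecot code: it parses a stored value's MCF prefix and maps it to the Dovecot scheme name that verifies it without any decryption. The function names and the sample values in the comments are constructed for illustration; the scheme names are Dovecot's.

```ruby
# Added example: classify a stored password value by its Modular Crypt Format
# (MCF) prefix and name the Dovecot password scheme that can verify it.
MCF_SCHEMES = {
  '1'  => 'MD5-CRYPT',
  '2a' => 'BLF-CRYPT', '2b' => 'BLF-CRYPT', '2y' => 'BLF-CRYPT',
  '5'  => 'SHA256-CRYPT',
  '6'  => 'SHA512-CRYPT'
}.freeze

B64 = '[./A-Za-z0-9]' # alphabet used by crypt(3)-style encodings

# Returns nil when the value is not MCF at all (for example a raw hex digest
# stored next to a separate salt column). Otherwise returns a Hash; :scheme is
# nil when the prefix is unknown or the body is malformed for that prefix.
def parse_mcf(stored)
  m = /\A\$([0-9a-z]+)\$(.+)\z/.match(stored.to_s)
  return nil unless m

  id, rest = m[1], m[2]
  scheme = MCF_SCHEMES[id]
  unusable = { id: id, scheme: nil }
  return unusable unless scheme

  if scheme == 'BLF-CRYPT'
    # bcrypt layout: two-digit cost, then 22 chars of salt and 31 chars of hash
    b = /\A(\d{2})\$(#{B64}{22})(#{B64}{31})\z/.match(rest)
    b ? { id: id, scheme: scheme, cost: b[1].to_i, salt: b[2], hash: b[3] } : unusable
  else
    # md5-crypt / sha-crypt layout: optional "rounds=N$", then salt$hash
    s = /\A(?:rounds=(\d+)\$)?(#{B64}{1,16})\$(#{B64}+)\z/.match(rest)
    s ? { id: id, scheme: scheme, rounds: s[1]&.to_i, salt: s[2], hash: s[3] } : unusable
  end
end

# Value in the "{SCHEME}hash" form Dovecot accepts from a password query,
# or nil when the stored value cannot be handed over unchanged.
def dovecot_password(stored)
  info = parse_mcf(stored)
  info && info[:scheme] ? "{#{info[:scheme]}}#{stored}" : nil
end
```

The salt and cost travel inside the MCF string, so the mail server only needs the stored value and the password the user presents to recalculate and compare.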