I have spent the past week or so, and not an inconsiderable amount of coin, trying to build a CentOS 7 server that uses Postfix, Dovecot, SpamAssassin, Amavis and Roundcube so that I can finally ditch the ever-more-privacy-intrusive mail services from the likes of Gmail and Outlook. It is a madness that comes over me once every year or so. The enormous, steaming pile of disparate software pieces that have to be bolted together just so to get anything working at all has never really put me off trying… but my previous efforts, though they worked, were never fully functional and never took security too seriously.
This time I got really close to doing it properly. Everything worked fine after just the seventh installation-from-scratch attempt, with six nice how-to articles ready to publish. 95% of the work had been sorted out on the first pass, I have to say, but the missing 5% was the very devil to get right. It was all to do with delivering spam (because no spam detection algorithm is perfect), but into a junk mail folder rather than the main inbox. The tool to do that is called ‘dovecot-pigeonhole’ and the language involved is called ‘sieve’… and configuring sieve and dovecot in a way that actually works is a nightmare. But I did it. It worked. Spam moved all by itself to a place where I could save it if I wanted to or delete it if I didn’t.
And then I logged on with the wrong password… and Roundcube (the webmail interface) let me in regardless!
Turns out that by design and default, MySQL (and thus Dovecot and thus Roundcube) uses ‘CRYPT’ as its password hashing scheme, which is the traditional DES-based crypt(3), and (here’s the punchline) only uses the first 8 characters of your supplied password. So yes, I had mistyped the 23rd character of my 26-character-long password (it happens!)… but Roundcube had let me in anyway because the first 8 characters had been typed in an impeccably accurate manner.
Several things to say about this. The first one is that it’s bloody annoying! Second, it’s bloody stupid. And third, after an hour reading about how you can configure things to use SHA512-CRYPT (which doesn’t chop your passwords into thirds without telling you), I spent 45 minutes trying to implement it without success before giving up in utter frustration.
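As an added defender’s check (my own example, not code from this post or from Dovecot), a small Python audit that classifies password entries by the hash scheme actually in effect, so accounts still sitting on 8-character DES crypt can be found before anyone mistypes a 23rd character. It assumes a Dovecot passwd-file-like layout of `user:{SCHEME}hash` and the rule that a {CRYPT} hash is handed to libc crypt(3), which picks the algorithm from the hash body; the sample users and hash bodies are constructed placeholders.

```python
"""Audit Dovecot passwd-file style entries ('user:{SCHEME}hash[:...]') for
the DES crypt(3) truncation problem. With {CRYPT}, libc picks the algorithm
from the hash body: a bare 13-character body is DES crypt (first 8 chars of
the password only); a '$6$' body is SHA512-CRYPT even when labelled {CRYPT}."""
import re

DES_BODY = re.compile(r"^[./0-9A-Za-z]{13}$")
# crypt(3) body prefix -> Dovecot scheme name
CRYPT_PREFIXES = {"$1$": "MD5-CRYPT", "$5$": "SHA256-CRYPT", "$6$": "SHA512-CRYPT",
                  "$2a$": "BLF-CRYPT", "$2b$": "BLF-CRYPT", "$2y$": "BLF-CRYPT"}
# scheme -> number of password characters that actually count (None = all)
LIMITS = {"DES-CRYPT": 8, "BLF-CRYPT": 72, "MD5-CRYPT": None,
          "SHA256-CRYPT": None, "SHA512-CRYPT": None}

def classify(line, default_scheme="CRYPT"):
    """Return (user, effective scheme, limit). limit 8 means DES truncation;
    scheme 'PLAIN' means the password is stored unhashed."""
    user, _, rest = line.partition(":")
    pw = rest.split(":", 1)[0]
    m = re.match(r"^\{([A-Za-z0-9._-]+)\}(.*)$", pw)
    label, body = (m.group(1).upper(), m.group(2)) if m else (default_scheme.upper(), pw)
    if label in ("PLAIN", "CLEARTEXT"):
        return (user, "PLAIN", None)
    if label == "CRYPT":  # libc decides from the body
        for prefix, name in CRYPT_PREFIXES.items():
            if body.startswith(prefix):
                return (user, name, LIMITS[name])
        if DES_BODY.match(body):
            return (user, "DES-CRYPT", 8)
        return (user, "CRYPT", None)  # unrecognised body; left unflagged
    return (user, label, LIMITS.get(label))

def audit(text, default_scheme="CRYPT"):
    """Users whose stored password is either truncated by DES crypt or plaintext."""
    bad = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, scheme, limit = classify(line, default_scheme)
        if scheme == "PLAIN" or limit == 8:
            bad.append((user, scheme))
    return bad

# constructed sample entries; hash bodies are format-correct placeholders, not real digests
SAMPLE = """\
alice:{CRYPT}abJnggxhB/yWI
bob:{SHA512-CRYPT}$6$Vz3kLp9Q$placeholderNotARealDigestBody
carol:{CRYPT}$6$Vz3kLp9Q$placeholderNotARealDigestBody
dave:{PLAIN}hunter2
erin:ab9x1mYpQz2Lw
"""
```

Running `audit(SAMPLE)` flags alice and erin (DES crypt, 8 characters effective) and dave (plaintext), while carol passes because her {CRYPT} body is really SHA512-CRYPT.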
I am now using outlook.com again!
Of the 98 hurdles between me and a working, secure, web-accessible, flexible, virus-blocking, spam-delivering email server, I had managed to leap, more or less gracefully, 97 of them. But truncating passwords is too much like plain stupidity, and the effort involved in limping over the 98th is just too much bother.
I wonder if there is a non-postfix, non-dovecot means of doing a mail server… I have a spare server in Paris to make use of, after all…