Dovecot Private User Login


Is it possible to set up Dovecot in such a way that I can set up a "private" username that is associated with a public email address? For instance:



Email address : email@domain.com
Login username: ph97eWY2HvUW5jbBY3jmY6


This way, nobody would ever know what the actual username for email@domain.com is and attempts to login as email@domain.com would always fail.



If it is possible, please give instructions on how to accomplish this task.










security dovecot login






edited 18 hours ago – Sosukodo

asked Apr 3 at 2:11 – Sosukodo













  • Sure possible.. but what problem does that solve? Anyone attempting to login with invalid credentials will always fail.
    – anx
    Apr 3 at 2:31

  • And anyone who can steal your password can also steal your username. I see no point to this at all.
    – Michael Hampton
    Apr 3 at 4:17

  • As a security measure that is not a very good one, but from a practical perspective; yes, it is very common that your login/account/user-name is different from email address(es) associated with your account.
    – HBruijn
    2 days ago

  • @HBruijn Please qualify that statement. If it's considered a security measure to keep your password secret, how could you possibly argue that it would not be more secure to have a secret username?
    – Sosukodo
    18 hours ago

  • @MichaelHampton What does stealing have anything to do with it? An intelligent person would know that the more information you can hide, the more secure your information. If a hacker knows your username, they only need to brute your password. If a hacker needs to brute your username, mathematically it will take at least twice as much effort to access the account.
    – Sosukodo
    18 hours ago

















1 Answer
The answer is either avoid doing that or most of the configuration change is in your MTA.

  1. Adding complexity to the login name is worse than adding the same amount of complexity to password, so please do not add this maintenance overhead for security reasons - there is no such benefit.

  2. Separating login names from addresses for privacy reasons is also rather ineffective, as the recipient can correlate those mappings very easily. You could, however, remove login names from mail headers (see e.g. postfix option header_checks) - if you are willing to spend extra effort retrieving information that could have been easily accessible in headers.

  3. If you need separate login names and usernames to deal with some legacy requirements or facilitate a migration in addresses without previously updating all clients, configuring those is almost trivial - in your MTA. Since dovecot userdb has no requirement for home directories, login names and mail addresses to match in any way, you are free to change your dovecot usernames as required.

     Assuming you use postfix, keep the login@domain.example format and already have reject_authenticated_sender_login_mismatch in your smtpd_sender_restrictions, you just need to change or add sender_login_maps (to define who can send from which email) and virtual_alias_maps (to define who receives which emails). The right hand side of those two maps then contains your dovecot user names.







answered 14 hours ago – anx
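The Postfix and Dovecot side of item 3 in the answer above, as an added example that is not part of the original answer. It uses the address and login from the question in login@domain form; the file paths, the `hash:` map type, the numeric uid/gid, the mail home and the password-hash placeholder are assumptions, and an existing virtual-domain delivery setup to Dovecot is assumed.

```conf
# ---- /etc/postfix/main.cf (fragment; paths are assumptions) ----

# SASL authentication is delegated to Dovecot, so the SASL login name
# Postfix sees is the Dovecot user name.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Envelope sender address -> SASL login(s) allowed to send as it.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# Recipient address -> Dovecot user whose mailbox receives the mail.
virtual_alias_maps = hash:/etc/postfix/virtual_alias

# Reject an authenticated client whose MAIL FROM address is not listed
# for its login in smtpd_sender_login_maps.
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch

# Default value: the SASL login is not written into the Received:
# header, so the login name does not leave the server in outgoing mail.
smtpd_sasl_authenticated_header = no

# ---- /etc/postfix/sender_login ----
# Left: public address.  Right: Dovecot login (login@domain format).
email@domain.com    ph97eWY2HvUW5jbBY3jmY6@domain.com

# ---- /etc/postfix/virtual_alias ----
# Left: public address.  Right: Dovecot user that owns the mailbox.
email@domain.com    ph97eWY2HvUW5jbBY3jmY6@domain.com

# Rebuild and query the lookup tables after editing them:
#   postmap /etc/postfix/sender_login
#   postmap /etc/postfix/virtual_alias
#   postmap -q email@domain.com hash:/etc/postfix/sender_login

# ---- Dovecot passwd-file entry (uid, gid and home are assumptions) ----
# user:password:uid:gid:(gecos):home
# Replace the placeholder with the output of `doveadm pw`.
ph97eWY2HvUW5jbBY3jmY6@domain.com:<PASSWORD-HASH-PLACEHOLDER>:5000:5000::/var/vmail/domain.com/ph97eWY2HvUW5jbBY3jmY6
```

With these maps, a login attempt as email@domain.com fails because no such Dovecot user exists, while mail to and from that address is still tied to the single mailbox on the right-hand side.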
