Dovecot Private User Login
Is it possible to set up Dovecot in such a way that I can set up a "private" username that is associated with a public email address? For instance:
Email address : email@domain.com
Login username: ph97eWY2HvUW5jbBY3jmY6
This way, nobody would ever know what the actual username for email@domain.com is and attempts to login as email@domain.com would always fail.
If it is possible, please give instructions on how to accomplish this task.
security dovecot login
Sure possible.. but what problem does that solve? Anyone attempting to login with invalid credentials will always fail.
– anx
Apr 3 at 2:31
And anyone who can steal your password can also steal your username. I see no point to this at all.
– Michael Hampton♦
Apr 3 at 4:17
As a security measure that is not a very good one, but from a practical perspective, yes, it is very common that your login/account/user-name is different from the email address(es) associated with your account.
– HBruijn
2 days ago
@HBruijn Please qualify that statement. If it's considered a security measure to keep your password secret, how could you possibly argue that it would not be more secure to have a secret username?
– Sosukodo
18 hours ago
@MichaelHampton What does stealing have anything to do with it? An intelligent person would know that the more information you can hide, the more secure your information. If a hacker knows your username, they only need to brute your password. If a hacker needs to brute your username, mathematically it will take at least twice as much effort to access the account.
– Sosukodo
18 hours ago
asked Apr 3 at 2:11 by Sosukodo, edited 18 hours ago
1 Answer
The answer is either avoid doing that or most of the configuration change is in your MTA.
Adding complexity to the login name is worse than adding the same amount of complexity to the password, so please do not add this maintenance overhead for security reasons - there is no such benefit.
Separating login names from addresses for privacy reasons is also rather ineffective, as the recipient can correlate those mappings very easily. You could, however, remove login names from mail headers (see e.g. postfix option header_checks) - if you are willing to spend extra effort retrieving information that could have been easily accessible in headers.
If you need separate login names and usernames to deal with some legacy requirements or facilitate a migration in addresses without previously updating all clients, configuring those is almost trivial - in your MTA. Since dovecot userdb has no requirement for home directories, login names and mail addresses to match in any way, you are free to change your dovecot usernames as required.
Assuming you use postfix, keep the login@domain.example format and already have reject_authenticated_sender_login_mismatch in your smtpd_sender_restrictions, you just need to change or add sender_login_maps (to define who can send from which email) and virtual_alias_maps (to define who receives which emails). The right hand side of those two maps then contains your dovecot user names.
answered 14 hours ago by anx
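The Postfix side described in the answer above, written out as an added example (not part of anx's answer). It assumes the file paths shown, uses the login name from the question with the domain appended to keep the login@domain format, and sets the sender login map through Postfix's smtpd_sender_login_maps parameter.

```conf
# /etc/postfix/main.cf (excerpt; the file paths are assumptions)

# Authenticated clients may only use envelope senders that the login map
# assigns to their SASL login name. Keep any other restrictions you
# already list here.
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch

# "Who can send from which email": MAIL FROM address -> SASL login name(s).
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# "Who receives which emails": public address -> Dovecot user name.
virtual_alias_maps = hash:/etc/postfix/virtual

# ---------------------------------------------------------------------
# /etc/postfix/sender_login_maps
# left: public sender address    right: Dovecot login allowed to use it
email@domain.com    ph97eWY2HvUW5jbBY3jmY6@domain.com

# ---------------------------------------------------------------------
# /etc/postfix/virtual
# left: public recipient address    right: Dovecot user that gets the mail
email@domain.com    ph97eWY2HvUW5jbBY3jmY6@domain.com

# ---------------------------------------------------------------------
# Rebuild the lookup tables after editing, then check each mapping:
#   postmap /etc/postfix/sender_login_maps /etc/postfix/virtual
#   postmap -q email@domain.com hash:/etc/postfix/sender_login_maps
#   postmap -q email@domain.com hash:/etc/postfix/virtual
# Both queries should print ph97eWY2HvUW5jbBY3jmY6@domain.com.
```

With this in place, an authenticated session is rejected at MAIL FROM unless the sender address is listed for its login name, so every address a user sends from needs an entry in the sender login map.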