[SECURITY] sha1.salted and md5.salted authentication method salts aren't that salty


Barry O'Donovan

Apr 11, 2016, 1:36:16 PM
to vimbadmin...@googlegroups.com

Hi folks,

In https://github.com/opensolutions/OSS-Framework/issues/43 it was
pointed out that a typo in the authentication code meant that the
md5.salted and sha1.salted password schemes didn't actually use the
requested salt string but a fixed salt of "md5.salted" and "sha1.salted"
respectively.

This has been corrected in this commit: https://git.io/vV5iE

A note to this effect has been added to ViMbAdmin in this commit:
https://git.io/vV5ii

As a result of this, "md5.salted" and "sha1.salted" have been replaced
with hyphenated versions: "md5-salted" and "sha1-salted" which will use
the actual salt as requested.

For all existing ViMbAdmin installations, "md5.salted" and "sha1.salted"
will continue to work but with the static salts of "md5.salted" and
"sha1.salted" respectively.

One should always pick a hashing function as strong as your mail system
allows. At time of writing, Dovecot (
http://wiki2.dovecot.org/Authentication/PasswordSchemes ) recommends one
of BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT in descending order of strength.

As such, the default version ViMbAdmin ships with in
application.ini.dist is now:

defaults.mailbox.password_scheme = "dovecot:BLF-CRYPT"

While no code changes have occurred in ViMbAdmin, we've pushed a new
release to mark this issue:

https://github.com/opensolutions/ViMbAdmin/releases/tag/3.0.15

NB: no code changes have actually occurred in ViMbAdmin but rather a
library used by ViMbAdmin. To get the new version of the library, just run:

composer update




- Barry
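The following Python is an added illustration of the issue described in the post above; it is not code from OSS-Framework or ViMbAdmin. It models the four scheme names (the dotted legacy ones that keep the static salt, the hyphenated ones that use the requested salt) and shows that under the pre-fix behaviour the requested salt has no effect on the stored hash. The salt-then-password concatenation and all function names are assumptions; the page does not show the library's exact construction.

```python
import hashlib
import hmac

# ASSUMED construction (not taken from OSS-Framework): hex(hash(salt + password)).
# The legacy dotted schemes reproduce the bug: the scheme name is the salt.
LEGACY_STATIC_SALT = {"md5.salted": "md5.salted", "sha1.salted": "sha1.salted"}
ALGO = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def hash_password(scheme: str, password: str, salt: str) -> str:
    """Hash `password` under a ViMbAdmin-style scheme name.

    "md5.salted" / "sha1.salted": the requested salt is ignored and the scheme
    name itself is used as a fixed salt (the pre-fix behaviour kept for
    existing installations).
    "md5-salted" / "sha1-salted": the requested salt is actually used.
    """
    if scheme in LEGACY_STATIC_SALT:
        effective_salt = LEGACY_STATIC_SALT[scheme]  # constant for every user
        algo = ALGO[scheme.split(".")[0]]
    elif scheme in ("md5-salted", "sha1-salted"):
        effective_salt = salt
        algo = ALGO[scheme.split("-")[0]]
    else:
        raise ValueError(f"unsupported scheme: {scheme}")
    return algo((effective_salt + password).encode("utf-8")).hexdigest()


def verify_password(scheme: str, stored: str, password: str, salt: str) -> bool:
    """Constant-time comparison of a stored hash against a candidate password."""
    return hmac.compare_digest(hash_password(scheme, password, salt), stored)


def salt_is_effective(scheme: str) -> bool:
    """Check a scheme: do two different requested salts give different hashes?

    A False result means every user sharing a password also shares a hash,
    which is exactly what the static salt caused.
    """
    return hash_password(scheme, "pw", "saltA") != hash_password(scheme, "pw", "saltB")


if __name__ == "__main__":
    for name in ("md5.salted", "md5-salted", "sha1.salted", "sha1-salted"):
        print(f"{name:12s} requested salt has effect: {salt_is_effective(name)}")
```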

