1

Topic: Password encryption using PHP

====================================
iRedMail = 1.6.0 MARIADB edition
iRedAdmin = 1.7
OS: Ubuntu 20.04 LTS
DB: Mysql/MariaDB
Web Server: Nginx
downloadable installer
Sogo Version 5.7.0
====================================

Hi,

I need some help.
I am creating an admin page for a global address containing the company clients' details,
and there will be an admin person managing that.

I will be creating the whole thing using PHP and want the login page to use the same encryption
as the iRedAdmin.
The entire site will be written in PHP as I am not familiar with Python.

Are you able to tell me how to do this using PHP?
As an alternative I can use PHP to run a Python script to which I can pass three
parameters (domain, email address and password) or two (email address and password; the domain can be stripped from the email address),
that can return true if the password matches, false if it fails or does not match.

I have noticed that you have created changing user password using the command prompt, have you created something similar for validating a
userid (email address) and password?

Any idea how I can do that?

Any help is appreciated.

Thanks
George


2 (edited by Cthulhu 2022-06-22 23:45:35)

Re: Password encryption using PHP

Yeah, it's quite easy.

https://github.com/PHPMailer/PHPMailer

You can use this class to do an SMTP auth login using user credentials; if the credentials were valid, instead of sending an email, you can create a sessioned login and then close the SMTP session again.


This would be the part for you:
https://github.com/PHPMailer/PHPMailer/ … check.phps

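    // Fragment from the linked example: $smtp is a PHPMailer\PHPMailer\SMTP instance
    // that has already connected and sent EHLO; $e is the extension list
    // returned by $smtp->getServerExtList().
    //If server supports authentication, do it (even if no encryption)
    if (is_array($e) && array_key_exists('AUTH', $e)) {
        if ($smtp->authenticate('username', 'password')) {
            echo 'Connected ok!';
        } else {
            throw new Exception('Authentication failed: ' . $smtp->getError()['error']);
        }
    }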

Instead of echoing okay, you can actually do the login part in your script, and instead of throwing an exception if the creds are wrong, you can just do whatever you want instead.




Notes:
It uses just plain and simple SMTP auth, so if the login fails, this will be logged into the stmp.log and trigger fail2ban, which could lead to a ban of the local IP, so you need to fine-tune the fail2ban filter and implement an exception that excludes your actual login script.

As well, the script uses port 25 by default, but iRedMail doesn't allow auth over port 25, so you need to use port 465 AND enable TLS in the script.
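
The approach described in the post above, written out as a true/false credential check over implicit TLS on port 465. This is an added example, not part of the original post or of PHPMailer's own examples; it assumes PHPMailer is installed via Composer, and the host name `mail.example.com` and the function name `smtpCredentialsValid` are placeholders.

```php
<?php
// Added example: validate a mailbox login by attempting SMTP AUTH with PHPMailer's SMTP class.
// Assumptions: PHPMailer installed via Composer; MAIL_HOST is a placeholder for your own server.
declare(strict_types=1);

use PHPMailer\PHPMailer\SMTP;

require __DIR__ . '/vendor/autoload.php';

const MAIL_HOST = 'mail.example.com'; // placeholder; must match the name in the server's TLS certificate
const MAIL_PORT = 465;                // implicit TLS, as the post's notes require

/**
 * Returns true if the server accepts the credentials, false if it rejects them.
 * Throws RuntimeException when the check itself could not be performed, so an
 * outage is never mistaken for a wrong password (or for a valid one).
 */
function smtpCredentialsValid(string $email, string $password): bool
{
    // Reject malformed input before it reaches the mail server and its auth log.
    if ($password === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $smtp = new SMTP();
    try {
        // The ssl:// prefix makes PHP negotiate TLS before any SMTP traffic;
        // certificate verification stays at PHP's default (enabled).
        if (!$smtp->connect('ssl://' . MAIL_HOST, MAIL_PORT, 10)) {
            throw new RuntimeException('Cannot connect to mail server');
        }
        if (!$smtp->hello(gethostname() ?: 'localhost')) {
            throw new RuntimeException('EHLO failed');
        }
        $ext = $smtp->getServerExtList();
        if (!is_array($ext) || !array_key_exists('AUTH', $ext)) {
            throw new RuntimeException('Server does not offer AUTH');
        }
        return $smtp->authenticate($email, $password);
    } finally {
        // Always end the SMTP session, whether the login succeeded or not.
        if ($smtp->connected()) {
            $smtp->quit();
        }
    }
}
```

A true result only proves the mailbox password is correct, so the admin page still needs its own check that this address is allowed to manage the address data. Call `session_regenerate_id(true)` before marking the PHP session as logged in.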

3

Re: Password encryption using PHP

Hi,

Thanks for that, never thought of it before.
Greatly appreciated.

Thanks again.
George