# postfix saslpass.db shows my password

## nordic bro

sorry if I'm being a tard but when I do "postmap hash:/etc/postfix/saslpass" and open the resulting saslpass.db binary file in emacs, my password's sitting there plain as day at the end of the file - I thought the db file was some kind of protection for concealing my pw but it's not? or I'm using the command wrong? I guess I don't get the point of postfix not just using the text /etc/postfix/saslpass if saslpass.db isn't doing anything to protect my pw.

thanks.

----------

## nordic bro

I'm pretty sure all the gentoo/postfix wikis and whatnot for setting it up say use "postmap hash:/etc/postfix/saslpass" or "postmap /etc/postfix/saslpass" so do other ppl see their password in the db file? even just doing "cat saslpass.db" the user/pw is plainly visible in the terminal so I'm wondering if there's something wrong with something in my system or if I'm just doing it wrong?

I realize the files are root 600 but it's mostly the off-disc backups I'm thinking about; I was going to delete /etc/postfix/saslpass presuming the db version had it scrambled which is when I found out mine wasn't but don't know if it should be.  it's postfix-2.7.4 if it matters.

----------

## cach0rr0

a postmapped file is not in any way concealed

in fact I don't think that's what you want to do, assuming this is for the purpose of doing sasl authentication against a sasl database.

You *can* auth against a hash table, but among the pitfalls is the one you're mentioning now.

What you want to use, rather, is "saslpasswd2"

It's still not encrypted in any form, but it is at least partially obfuscated. if you run 'strings' over the sasl database, you'll see the pass. The purpose of storing it in such a place isn't encryption/obfuscation, but rather efficiency for long/large lists.

There are backends that support encryption natively, such as mysql or even shadow, but hash tables, sasldbs, those are not it.

----------
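A small audit script that checks the point made in the replies above: a postmap'ed hash: table stores the password bytes as they are, so saslpass.db needs exactly the same handling (root 600, kept out of unencrypted backups) as the text map. This is an added example, not code from the thread; it assumes GNU stat (for -c), only runs postmap if it happens to be installed, and uses a constructed sample map.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Verifies whether the plaintext
# password from a sasl_passwd-style map occurs verbatim in the postmap'ed .db.
# Assumes GNU stat -c; postmap is used only when present on the system.

# Map lines look like:  [smtp.example.com]:587 user@example.com:secret
# Print the password of the first live entry: drop the key and its trailing
# whitespace, then everything up to the first ':' of the value.
saslpass_extract_pw() {
    awk '!/^[ \t]*(#|$)/ { sub(/^[^ \t]+[ \t]+/, ""); sub(/^[^:]*:/, ""); print; exit }' "$1"
}

# Return 0 when the password appears byte-for-byte in the .db (grep -a reads
# the binary file as text), 1 when it does not, 2 when the map has no entry.
saslpass_db_exposes_pw() {
    pw=$(saslpass_extract_pw "$1")
    [ -n "$pw" ] || return 2
    grep -a -q -F -- "$pw" "$2"
}

# Print the octal mode of a file so a caller can insist on 600.
saslpass_mode() {
    stat -c '%a' "$1"
}

# Demonstration with a constructed map in a throw-away directory.
saslpass_demo() {
    d=$(mktemp -d) || return 1
    printf '# relay credentials (constructed sample)\n[smtp.example.com]:587 user@example.com:s3cretpw\n' > "$d/saslpass"
    chmod 600 "$d/saslpass"
    if command -v postmap >/dev/null 2>&1; then
        postmap hash:"$d/saslpass"          # real Berkeley DB build, if Postfix is installed
        chmod 600 "$d/saslpass.db"
        if saslpass_db_exposes_pw "$d/saslpass" "$d/saslpass.db"; then
            echo "password visible in $d/saslpass.db (mode $(saslpass_mode "$d/saslpass.db"))"
        else
            echo "password not found verbatim in $d/saslpass.db"
        fi
    else
        echo "postmap not installed; skipping the .db build"
    fi
    rm -rf "$d"
}

saslpass_demo
```

Run it against the real /etc/postfix/saslpass and saslpass.db as root before deciding which of the two files a backup may contain; the answer for a hash: map is "both are equally sensitive".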

