Funkadelic Kuew - 2013-11-28

I've got another project on my plate that involves PFA, so I'm back again!

I needed a way to have users authenticate via doveadm auth from within PHP, and I've found that so long as the machine you're operating on has dovecot installed and its auth backend configured you can do something like echo P@ssw0rd | doveadm auth user@domain.com.

However, if you want to avoid exposing passwords in shell commands/ps output you'll need something involving proc_open(). I've written a quick function that accomplishes this, available in this gist.

The one caveat to this in the context of PFA is that since you guys insist on creating 'meta-accounts' for admins that can't be touched by the auth backend, it's not viable for validating admin logins. I'd suggest moving towards a model where the admin account is an actual email address that exists and does not have a separate password hash. It would simplify your DB model as well as allow you to support much stronger [salted/iterative] password hashing methods.

That said, you could also simply split the password hashing for admins to a method internal to PHP and separate from what's used for mailbox users which would also allow for people to use doveadm-pw methods that include salts/rounds.
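
Added example, not part of the original post and not the gist it links to: one way to feed the password to doveadm over stdin with proc_open() so it never appears in a shell command line or ps output. The function name doveadm_auth, the input checks, and the reading of exit status 0 as "authenticated" are assumptions of this sketch; the command itself is the one quoted in the post and is passed in as a parameter so it can be adjusted for the installed Dovecot version.

```php
<?php
// Added example: verify a mailbox password through doveadm without exposing it in argv.
// Assumptions: PHP >= 7.4 (array form of proc_open, which bypasses the shell),
// doveadm on PATH, and exit status 0 meaning the credentials were accepted.

function doveadm_auth(string $user, string $password, array $cmd = ['doveadm', 'auth']): bool
{
    // Reject usernames that could be parsed as an option or that carry
    // whitespace/control characters before they reach the command line.
    if ($user === '' || $user[0] === '-' || preg_match('/[\x00-\x20\x7f]/', $user)) {
        return false;
    }
    // The password is sent as a single line on stdin; an embedded line break
    // or NUL would silently truncate it, so refuse those instead.
    if ($password === '' || preg_match('/[\r\n\x00]/', $password)) {
        return false;
    }

    $spec = [
        0 => ['pipe', 'r'],               // child's stdin: the password is written here
        1 => ['file', '/dev/null', 'w'],  // discard output so a full pipe cannot block the child
        2 => ['file', '/dev/null', 'w'],
    ];

    // Array form: each element is one argv entry, no shell interpolation.
    $proc = proc_open(array_merge($cmd, [$user]), $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }

    fwrite($pipes[0], $password . "\n");
    fclose($pipes[0]);                    // EOF tells doveadm the input is complete

    // proc_close() waits for the child and returns its exit status (-1 on error).
    return proc_close($proc) === 0;
}

// Usage (constructed values):
// var_dump(doveadm_auth('user@domain.com', 'P@ssw0rd'));
```

Confirm on the target host that doveadm's exit status distinguishes a failed login from a successful one before relying on the return value.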