Advice of security point of view for doveadm and doveconf and sh usage

[osevan]

Last day I investigated php-fpm and especially postfixadmin strace file with some cool information behind the doors.

Postfixadmin needs for login inside database for password 3 additionally binarys - in my point of view too many -, because for php container hardening we MUST add these binarys as dependency inside high security container and these are security risks especially sh binary.

Can you figure out how to hash and dehash directly inside php universe itself without invoke sh, doveadm and doveconf?

I mean here exactly pure php solution clean one, without any additionaly binarys involved in this hashing and dehashing phase.

Thanks and

Best regards.

[DavidGoodwin]

The dependency has been (almost) removed in the master branch of postfixadmin - https://github.com/postfixadmin/postfixadmin/blob/9620056277d09cf7a0e833f60dadc361208d4121/DOCUMENTS/HASHING.md

You don't have to use doveadm for your password hashing.

[osevan]

Thank you very much for info.
So php_crypt doesn't support argon2i natively I see.

Maybe in future.

Good luck