Dovecot security questions

[xy16644]

Hello

I'm busy planning and designing a new email server. I'll be using Dovecot for the first time and I have some questions. I have read the Dovecot website but I am still unsure about a few things. When I configure Dovecot I want to set it up in a secure way. The key here is security. I was thinking of using the following:

• Password database = MySQL (this is where the users passwords will live)
• Password Scheme = BLF-CRYPT (this is the way the users passwords will be encrypted in the database)
• Non-plaintext authentication = CRAM-MD5 (this is the authentication type used between the client and server)

My question is, can I store the users' passwords with BLF-CRYPT in MySQL and use CRAM-MD5 for the non-plaintext authentication? Is this a possible combination? I know CRAM-MD5 isn't the most secure authentication method but it works with most email clients and is better than using PLAIN (clear text) authentication. I will be using TLS/SSL with IMAP and SMTP but my reason for wanting to use CRAM-MD5 as well is that I am concerned with DPI firewalls and/or SSL proxies reading my login credentials (hence the decision to use a non-plaintext authentication method).

Thanks!

 

[xy16644]

Leading on from my above post, how does one add virtual Dovecot users to the MySQL database using Blowfish?

I managed to find an article that uses SHA512 as follows:

INSERT INTO `mailserver`.`virtual_users`
  (`id`, `domain_id`, `password` , `email`)
VALUES
  ('1', '1', ENCRYPT('firstpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email1@example.com'),
  ('2', '1', ENCRYPT('secondpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email2@example.com');

What would I need to change in the above SQL script to use Blowfish? I know Blowfish passwords start with $2a$ but I'm not sure what else needs to be changed in the SQL script? I assume SUBSTRING(SHA(RAND()) needs to change to something else to use Blowfish? I've googled this like crazy and just can't seem to find the answer!