
Support SCRAM-SHA-1 via dovecot-core #82

Open
mtdcr opened this issue Jan 15, 2025 · 3 comments

Comments

@mtdcr

mtdcr commented Jan 15, 2025

Hi @DavidGoodwin,

would you mind adding dovecot-core to your Docker images? This would allow me to use your images instead of building my own.

According to postfixadmin/postfixadmin#313 implementing SCRAM-SHA-* without doveadm is not planned, so installing dovecot-core by default seems sensible.

Originally posted in #49 (comment)

@DavidGoodwin
Member

I think this would just need adding to the two Dockerfile*.template files.
Alpine doesn't have a "dovecot-core" though - https://pkgs.alpinelinux.org/packages?name=dovecot&branch=edge&repo=&arch=x86_64&origin=&flagged=&maintainer=

Any opinions @J0WI ?

@J0WI
Collaborator

J0WI commented Jan 16, 2025

doveadm is in dovecot: https://pkgs.alpinelinux.org/contents?file=doveadm&path=&name=&branch=edge&repo=&arch=

Adding dovecot* to the image just for more password hashes sounds a bit overkill, doesn't it? Are those hashes widely used?

@mtdcr
Author

mtdcr commented Jan 16, 2025

The SCRAM family adds protection against many known attacks compared to simple hashes. It's probably not as widespread, because many mail clients lack support for it. However, security-aware people may want to opt in to these authentication mechanisms. It can be offered in parallel to weaker mechanisms if desired. I have no idea how many servers offer it as an option.

See https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism for further information.

Of course, the smaller the container image, the better. However, excluding advanced authentication mechanisms from the official image seems counterproductive to me, as it hinders adoption of all current and future hashes supported by dovecot that haven't been and are not going to be reimplemented by postfixadmin. With the advent of post quantum cryptography this problem is going to become even worse. Relying on dovecot's implementations seems to be a sensible option to me.

If size is important, it would probably be possible to remove unneeded files after installation of the dovecot package.
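As an added illustration of what the thread is asking doveadm for (not code from postfixadmin, Dovecot or any participant here): the password entry a SCRAM-SHA-1 scheme stores holds only StoredKey and ServerKey derived via PBKDF2 (RFC 5802), and a client proves knowledge of the password without ever sending it. The `{SCRAM-SHA-1}iter,salt,StoredKey,ServerKey` layout is assumed to match Dovecot's; the sample salt, nonces and password "pencil" are the RFC 5802 example values.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample input: the RFC 5802 example exchange (password "pencil").
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
AUTH_MESSAGE = (  # client-first-bare , server-first , client-final-without-proof
    b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
    b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
    b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
)
PREFIX = "{SCRAM-SHA-1}"  # assumed Dovecot-style scheme prefix


def scram_sha1_keys(password, salt, iterations):
    """RFC 5802 key derivation: returns (ClientKey, StoredKey, ServerKey)."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return client_key, stored_key, server_key


def make_entry(password, salt=None, iterations=4096):
    """Build the stored entry; the password and ClientKey are not kept."""
    salt = salt or os.urandom(16)
    _, stored_key, server_key = scram_sha1_keys(password, salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"{PREFIX}{iterations},{b64(salt)},{b64(stored_key)},{b64(server_key)}"


def parse_entry(entry):
    """Split an entry back into (iterations, salt, StoredKey, ServerKey)."""
    if not entry.startswith(PREFIX):
        raise ValueError("not a SCRAM-SHA-1 entry")
    iters, salt, stored, server = entry[len(PREFIX):].split(",")
    return int(iters), *(base64.b64decode(x) for x in (salt, stored, server))


def client_proof(password, salt, iterations, auth_message):
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, stored_key, _ = scram_sha1_keys(password, salt, iterations)
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))


def verify_proof(entry, proof, auth_message):
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    _, _, stored_key, _ = parse_entry(entry)
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key)
```

Because the server holds only StoredKey, a leaked entry does not let an attacker log in as that user without first brute-forcing the iterated PBKDF2, which is the advantage over plain salted hashes the comment above refers to.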
