From f0f8df8f40cefbfc4d676352a94dbe35cc99a0db Mon Sep 17 00:00:00 2001 From: Benedikt Peetz Date: Fri, 11 Apr 2025 11:57:54 +0200 Subject: modules/stalwart-mail: Explicitly list out valid password hashes If a password hash does not match stalwart's know ones, it will just treat it as plaintext. This is obviously very bad, and should be avoided. --- modules/by-name/st/stalwart-mail/module.nix | 27 ++++++++++++++++++++++++++- tests/by-name/em/email-dns/test.nix | 4 ++-- tests/by-name/em/email-ip/test.nix | 4 ++-- 3 files changed, 30 insertions(+), 5 deletions(-) diff --git a/modules/by-name/st/stalwart-mail/module.nix b/modules/by-name/st/stalwart-mail/module.nix index 1e39e81..ec10188 100644 --- a/modules/by-name/st/stalwart-mail/module.nix +++ b/modules/by-name/st/stalwart-mail/module.nix @@ -61,7 +61,32 @@ in { }; secret = lib.mkOption { - type = lib.types.str; + type = let + prefix = pre: lib.types.strMatching "^${lib.strings.escapeRegex pre}.*"; + in + lib.types.oneOf [ + (prefix "$argon2") + (prefix "$pbkdf2") + (prefix "$scrypt") + (prefix "$2") # bcrypt + (prefix "$6$") # sha-512 + (prefix "$5$") # sha-256 + (prefix "$sha1") + (prefix "$1") # md5 + (prefix "_") # BSDi crypt + (prefix "{SHA}") # base64 sha + (prefix "{SSHA}") # base64 salted sha + + # unix crypt + (prefix "{CRYPT}") + (prefix "{crypt}") + + # Plain text + (prefix "{PLAIN}") + (prefix "{plain}") + (prefix "{CLEAR}") + (prefix "{clear}") + ]; description = '' Sets the password for the user account. Passwords can be stored hashed or in plain text (not recommended). diff --git a/tests/by-name/em/email-dns/test.nix b/tests/by-name/em/email-dns/test.nix index 6812d32..f0399a5 100644 --- a/tests/by-name/em/email-dns/test.nix +++ b/tests/by-name/em/email-dns/test.nix @@ -44,7 +44,7 @@ in { class = "individual"; name = "bob"; - secret = "bob-password"; + secret = "{PLAIN}bob-password"; email = ["bob@bob.com"]; }; 
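Review bot: The new type rejects unprefixed values and requires `{PLAIN}`/`{CLEAR}` for clear text, but the option description right below it still only says passwords "can be stored hashed or in plain text" — a user tripping the check gets `lib.types.oneOf`'s generic "does not match any of the types" error with no hint of which prefixes are accepted, and nothing tells them a bare password must now be written `{PLAIN}…` (the test fixtures had to change for exactly that). I would extend the description with something like `The value must start with one of the hash prefixes stalwart recognises ($argon2, $pbkdf2, $scrypt, $2 for bcrypt, $6$, $5$, $sha1, $1, _, {SHA}, {SSHA}, {CRYPT}); a plain-text password must be prefixed with {PLAIN} or {CLEAR}, since stalwart treats any unrecognised value as plain text.` As a style point, one `strMatching` over an alternation of the escaped prefixes keeps the list in a single place and puts the accepted pattern into the type error; `lib.types.strMatching` wraps `builtins.match`, which already has to match the whole string, so the hand-written `^` and `.*` anchoring is not needed for the `^` part. The prefix list presumably mirrors stalwart's own dispatch order, which I could not verify from here; the `secret` option and its description continue past the end of the hunk.
```nix
type = let
  # Prefixes stalwart dispatches on; anything else would be read as a plain-text password.
  prefixes = [
    "$argon2" "$pbkdf2" "$scrypt"
    "$2" # bcrypt
    "$6$" # sha-512
    "$5$" # sha-256
    "$sha1"
    "$1" # md5
    "_" # BSDi crypt
    "{SHA}" "{SSHA}" # base64 (salted) sha
    "{CRYPT}" "{crypt}" # unix crypt
    "{PLAIN}" "{plain}" "{CLEAR}" "{clear}" # plain text
  ];
  alternatives = lib.concatMapStringsSep "|" lib.strings.escapeRegex prefixes;
in
  lib.types.strMatching "(${alternatives}).*";
# … unchanged: description = '' … '' …
```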
@@ -53,7 +53,7 @@ in { class = "individual"; name = "alice"; - secret = "alice-password"; + secret = "{PLAIN}alice-password"; email = ["alice@alice.com"]; }; diff --git a/tests/by-name/em/email-ip/test.nix b/tests/by-name/em/email-ip/test.nix index 688cd8f..dabc404 100644 --- a/tests/by-name/em/email-ip/test.nix +++ b/tests/by-name/em/email-ip/test.nix @@ -113,13 +113,13 @@ in { class = "individual"; name = "alice"; - secret = "alice-password"; + secret = "{PLAIN}alice-password"; email = ["alice@${domain}"]; } { class = "individual"; name = "bob"; - secret = "bob-password"; + secret = "{PLAIN}bob-password"; email = ["bob@${domain}"]; } ]; -- cgit 1.4.1