I have a web application running on node.js, backed by a MongoDB database which stores user data etc. I'd like to offer my users an email account, so I've set up a mail server using Postfix, dovecot, etc. My problem is that I'd like to link the two user databases. Currently I have postfix and dovecot configured to use virtual users stored in a mysql (really MariaDB) database, and this is working fine (I can access and send emails over IMAP etc.). However, I want my users to be able to use the same password for IMAP as for logging in to the web application. I'm happy to write a PHP API to create users on the mail server etc., but my issue is how to handle passwords. As I see it, there are two options:

  1. I can transmit the plain text passwords from my web application server to my mail server when a user signs up or changes password. This would then obviously be hashed on the mail server and stored in the mysql database, and hashed on the application server and stored in the MongoDB database. This feels somehow wrong to me - transmitting a plain text password in two hops like that.
  2. I can transmit the hashed passwords from the application server to the mail server, and store them there without hashing again. Again, this feels pretty dodgy, as from the perspective of the mail server, it's accepting passwords and storing them in clear text.

Are there any other options to allow my users to log into both servers with the same credentials? What security issues exist with the two options I've thought of above?

penalosa

1 Answer

There's also a 3rd option to consider: an authentication framework.
Instead of having separate user credentials for the database and mail server that need to be kept in sync, have a central authentication service that the database and mail servers defer to when a user attempts to authenticate. There are quite a few options to choose from, but you'll probably want to start with things your applications currently support. From what I can gather, both MongoDB and postfix support LDAP and SASL, so those would be two options to look into.

As for security issues with the methods you suggested: even if you got secure password transmission figured out, you still have to deal with synchronization. If an error occurs at an inopportune time (e.g. a user changing their password while postfix is unavailable), you'll end up with mismatched credentials on each service. It could be fixed, yes, but comparing the credentials on the two servers would involve transmitting at least some sensitive data. In a more nefarious situation, consider what would happen if credentials de-synchronized when a user was banned. They could end up retaining partial access to resources that they should have no access to at all.

Mr. Llama
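
The ban-during-outage case described in the answer above, as an added example that is not part of the original question or answer: one credential store that both services query, next to two synchronised copies where the mail-side update is lost. The class and function names, the scrypt settings and the sample password are assumptions made for this illustration.

```javascript
// Added illustration; every name here is hypothetical, not from the post.
const crypto = require('node:crypto');

// Only a per-user salt and the scrypt output are stored, never the password.
function hashPassword(password, salt = crypto.randomBytes(16)) {
  return { salt, hash: crypto.scryptSync(password, salt, 32), disabled: false };
}

function verify(record, password) {
  if (!record || record.disabled) return false;
  const candidate = crypto.scryptSync(password, record.salt, 32);
  return crypto.timingSafeEqual(candidate, record.hash); // both are 32 bytes
}

// Central model: one record per user, every service defers to it.
class CentralAuth {
  constructor() { this.users = new Map(); }
  setPassword(user, password) { this.users.set(user, hashPassword(password)); }
  disable(user) { const r = this.users.get(user); if (r) r.disabled = true; }
  // `service` is only a label here: there is a single source of truth.
  authenticate(service, user, password) { return verify(this.users.get(user), password); }
}

// Synchronised model: each service keeps its own copy of the credentials.
class SyncedStores {
  constructor() { this.web = new Map(); this.mail = new Map(); this.mailUp = true; }
  apply(user, change) {
    change(this.web, user);
    if (this.mailUp) change(this.mail, user); // update is lost while mail is down
  }
  setPassword(user, password) { this.apply(user, (s, u) => s.set(u, hashPassword(password))); }
  disable(user) {
    this.apply(user, (s, u) => { const r = s.get(u); if (r) r.disabled = true; });
  }
  authenticate(service, user, password) { return verify(this[service].get(user), password); }
}

// Ban a user while the mail server is unreachable, then try both logins.
function banDuringOutage(auth) {
  const pw = 'constructed-sample-pw'; // constructed sample value
  auth.setPassword('alice', pw);
  if ('mailUp' in auth) auth.mailUp = false;
  auth.disable('alice');
  return ['web', 'mail'].map((svc) => auth.authenticate(svc, 'alice', pw));
}
```

`banDuringOutage` returns the login result for the web and mail services in that order; with the synchronised copies the banned user can still authenticate to mail.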