Security Update - weak salts for auth methods md5/sha1.salted

In opensolutions/OSS-Framework#43 it was pointed out that a typo in the authentication code meant that the md5.salted and sha1.salted password schemes didn't actually use the requested salt string but a fixed salt of "md5.salted" and "sha1.salted" respectively.

This has been corrected in this commit: https://git.io/vV5iE

A note to this effect has been added to ViMbAdmin is this commit: https://git.io/vV5ii

As a result of this, "md5.salted" and "sha1.salted" have been replaced with hyphenated versions: "md5-salted" and "sha1-salted" which will use the actual salt as requested.

For all existing ViMbAdmin installations, "md5.salted" and "sha1.salted" will continue to work but with the static salts of "md5.salted" and "sha1.salted" respectively.

One should always pick a hashing function as strong as your mail system allows. At time of writing, Dovecot ( http://wiki2.dovecot.org/Authentication/PasswordSchemes ) recommends one of BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT in descending order of strength

As such, the default version ViMbAdmin ships with in application.ini.dist is now:

defaults.mailbox.password_scheme = "dovecot:BLF-CRYPT"

While no code changes have occurred in ViMbAdmin, we've pushed a new release to mark this issue:

https://github.com/opensolutions/ViMbAdmin/releases/tag/3.0.15

NB: no code changes have actually occurred in ViMbAdmin but rather a library used by ViMbAdmin. To get the new version of the library, just run:

composer update