dovecot is set up on a system with MD5-CRYPT password scheme for all users, and I would like to update this to something that is secure, probably SSHA256-CRYPT, but I want to do this seamlessly without the users having to jump through any hoops.

The users are in MySQL (managed via postfixadmin) and the mailbox record simply stores the hash in the password field. Users access their accounts through IMAP MUAs or Roundcube.

How would I set up my system so that if a user logs in and still has a $1$ password (MD5-CRYPT) their password will be encoded to the new scheme and then the SQL row updated with the $5$ password instead? Something where they are redirected after authentication to a page that forces them to re-enter their password (or choose a new one) is acceptable.

And, while I am here, is it worthwhile to set the -r flag to a large number (like something over 100,000, which takes about 0.25 seconds to do on my machine)?

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
On 24/01/2017 23:29, @lbutlr wrote:
> dovecot is set up on a system with MD5-CRYPT password scheme for all users, and I would like to update this to something that is secure, probably SSHA256-CRYPT, but I want to do this seamlessly without the users having to jump through any hoops.
>
> The users are in MySQL (managed via postfixadmin) and the mailbox record simply stores the hash in the password field. Users access their accounts through IMAP MUAs or Roundcube.
>
> How would I set up my system so that if a user logs in and still has a $1$ password (MD5-CRYPT) their password will be encoded to the new scheme and then the SQL row updated with the $5$ password instead? Something where they are redirected after authentication to a page that forces them to re-enter their password (or choose a new one) is acceptable.
>
> And, while I am here, is it worthwhile to set the -r flag to a large number (like something over 100,000, which takes about 0.25 seconds to do on my machine)?
>
Hi,

you can convert the password scheme during login:

http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

Cheers
--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
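The convert-at-login flow the wiki page above describes, written out as an added example (it is not code from this thread, from Dovecot or from postfixadmin). The plaintext password is only available while the user is authenticating, so that is the one moment at which a legacy MD5-CRYPT ($1$) hash can be verified, re-hashed as SHA256-CRYPT ($5$) with an explicit rounds count, and written back. Python's crypt module (a crypt(3) wrapper, present through Python 3.12) does the hashing, sqlite3 stands in for MySQL, and the mailbox table, user names and passwords are all constructed for the demo.

```python
import crypt      # crypt(3) wrapper; in CPython through 3.12 (removed in 3.13)
import sqlite3
import time

# Added example, not code from the thread, from Dovecot or from postfixadmin.
# sqlite3 stands in for MySQL; the mailbox table, user names and passwords
# below are constructed. Only the (username, password) columns that the
# original post mentions are modelled.

LEGACY_PREFIX = "$1$"      # MD5-CRYPT, the scheme being retired
TARGET_ROUNDS = 100_000    # the -r value the original post is considering


def verify(password: str, stored_hash: str) -> bool:
    """crypt(3) re-derives the hash from the salt/rounds prefix of stored_hash."""
    return crypt.crypt(password, stored_hash) == stored_hash


def hash_sha256_crypt(password: str, rounds: int = TARGET_ROUNDS) -> str:
    """Fresh random salt with an explicit rounds count: $5$rounds=N$salt$hash."""
    return crypt.crypt(password, crypt.mksalt(crypt.METHOD_SHA256, rounds=rounds))


def stored_hash(conn: sqlite3.Connection, username: str):
    row = conn.execute("SELECT password FROM mailbox WHERE username = ?",
                       (username,)).fetchone()
    return None if row is None else row[0]


def login_and_migrate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Authenticate; on success upgrade a legacy hash in place. True on success."""
    current = stored_hash(conn, username)
    if current is None or not verify(password, current):
        return False            # failed logins never touch the stored hash
    if current.startswith(LEGACY_PREFIX):
        new_hash = hash_sha256_crypt(password)
        # Conditional UPDATE: replace only the exact hash just verified, so a
        # password change that raced with this login is never clobbered.
        conn.execute("UPDATE mailbox SET password = ? WHERE username = ? AND password = ?",
                     (new_hash, username, current))
        conn.commit()
    return True


def make_demo_db() -> sqlite3.Connection:
    """Constructed mailbox table: one user still on MD5-CRYPT, one already migrated."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailbox (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    legacy = crypt.crypt("correct horse", crypt.mksalt(crypt.METHOD_MD5))
    conn.executemany("INSERT INTO mailbox VALUES (?, ?)",
                     [("alice@example.com", legacy),
                      ("bob@example.com", hash_sha256_crypt("battery staple"))])
    conn.commit()
    return conn


def rounds_cost_seconds(rounds: int, samples: int = 3) -> float:
    """Average wall-clock cost of one SHA256-CRYPT computation at this rounds value."""
    setting = crypt.mksalt(crypt.METHOD_SHA256, rounds=rounds)
    start = time.perf_counter()
    for _ in range(samples):
        crypt.crypt("timing probe", setting)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    db = make_demo_db()
    print("before:", stored_hash(db, "alice@example.com")[:12])
    print("login ok:", login_and_migrate(db, "alice@example.com", "correct horse"))
    print("after: ", stored_hash(db, "alice@example.com")[:25])
    for r in (5000, 50_000, TARGET_ROUNDS):
        print(f"rounds={r}: {rounds_cost_seconds(r):.3f}s per hash")
```

Because the rounds count is stored inside the $5$rounds=N$ prefix, hashes made with different -r values coexist in the same column and each verifies with its own cost, so the value can be raised later without another migration; rounds_cost_seconds gives the measurement to base that choice on for the machine that will actually serve the logins.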
> On Jan 25, 2017, at 1:09 AM, Alessio Cecchi <alessio at skye.it> wrote:
>
> On 24/01/2017 23:29, @lbutlr wrote:
>> dovecot is set up on a system with MD5-CRYPT password scheme for all users, and I would like to update this to something that is secure, probably SSHA256-CRYPT, but I want to do this seamlessly without the users having to jump through any hoops.
>>
>> The users are in MySQL (managed via postfixadmin) and the mailbox record simply stores the hash in the password field. Users access their accounts through IMAP MUAs or Roundcube.
>>
>> How would I set up my system so that if a user logs in and still has a $1$ password (MD5-CRYPT) their password will be encoded to the new scheme and then the SQL row updated with the $5$ password instead? Something where they are redirected after authentication to a page that forces them to re-enter their password (or choose a new one) is acceptable.
>>
>> And, while I am here, is it worthwhile to set the -r flag to a large number (like something over 100,000, which takes about 0.25 seconds to do on my machine)?
>>
> Hi,
>
> you can convert the password scheme during login:
>
> http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

Thanks, I started to look into that and got stopped on the first step

> userdb {
>   driver = prefetch
> }

If I set that and reload dovecot, users cannot log in.

dovecot: auth: Fatal: userdb prefetch: No args are supported: /etc/dovecot/dovecot-sql.conf.ext
dovecot: master: Error: service(auth): command startup failed, throttling for 8 secs
dovecot: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 4 secs): user=<>,

# 2.2.27 (c0f36b0): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.3-RELEASE-p11 i386
auth_failure_delay = 5 secs
auth_mechanisms = PLAIN LOGIN
default_client_limit = 4096
default_process_limit = 1024
default_vsz_limit = 768 M
disable_plaintext_auth = no
first_valid_uid = 89
imap_id_log = *
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_log_format_elements = user=<%u> %r %m %c
mail_location = maildir:~/Maildir
mail_max_userip_connections = 90
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox NotJunk {
    auto = subscribe
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service imap-postlogin {
  executable = script-login /usr/local/etc/dovecot/afterlogin.sh
  user = $default_internal_user
}
ssl_cert = </usr/local/etc/dehydrated/certs/covisp.net/fullchain.pem
ssl_key =  # hidden, use -P to show it
ssl_protocols = !SSLv2 !SSLv3
userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  default_fields = uid=vpopmail gid=vchkpw mail_location=/usr/local/virtual/%u mail=maildir:/usr/local/virtual/%u
  driver = sql
}

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
On 2017.01.25. 10:09, Alessio Cecchi wrote:
> On 24/01/2017 23:29, @lbutlr wrote:
>> dovecot is set up on a system with MD5-CRYPT password scheme for all
>> users, and I would like to update this to something that is secure,
>> probably SSHA256-CRYPT, but I want to do this seamlessly without the
>> users having to jump through any hoops.
>>
>> The users are in MySQL (managed via postfixadmin) and the mailbox
>> record simply stores the hash in the password field. Users access
>> their accounts through IMAP MUAs or Roundcube.
>>
>> How would I set up my system so that if a user logs in and still has a
>> $1$ password (MD5-CRYPT) their password will be encoded to the new
>> scheme and then the SQL row updated with the $5$ password instead?
>> Something where they are redirected after authentication to a page
>> that forces them to re-enter their password (or choose a new one) is
>> acceptable.
>>
>> And, while I am here, is it worthwhile to set the -r flag to a large
>> number (like something over 100,000, which takes about 0.25
>> seconds to do on my machine)?
>>
> Hi,
>
> you can convert the password scheme during login:
>
> http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes
>
> Cheers
>
I've done it with a nice and short pg stored procedure.

--
KSB