Traiano Welcome
2014-Feb-27 13:47 UTC
[Dovecot] Dovecot Migration: Retrieving/Logging POP/IMAP Passwords in Plaintext
Hi List
I'm currently in the process of migrating my dovecot imap/pop users to a
new server and have to extract their passwords in order to import them into
the new system (different password encryption schemes).
I've tried enabling auth_* debug parameters in my dovecot.conf in the hope
that this would result in logging plaintext passwords to the dovecot log.
However dovecot does not log the passwords in plaintext under any debugging
configuration.
My question: Is there any other configuration of dovecot that would allow
me to capture POP/IMAP passwords at a successful login time?
Dovecot version: 1.0.7 (from dovecot-1.0.7-7.el5_7.1 rpm)
The output of dovecot -n is:
---
# 1.0.7: /etc/dovecot.conf
info_log_path: /var/log/dovecot.debug
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: mbox:~:INBOX=~/Mailbox
mail_debug: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
  mechanisms: plain login
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/run/dovecot/auth-client
      mode: 438
---
My dovecot.conf is as follows:
------
info_log_path = /var/log/dovecot.debug
verbose_ssl = yes
mail_location = mbox:~:INBOX=~/Mailbox
mail_debug = yes
protocol imap {
}
protocol pop3 {
}
protocol lda {
  postmaster_address = postmaster at example.com
}
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  user = root
  socket listen {
    client {
      path = /var/run/dovecot/auth-client
      mode = 0666
    }
  }
}
dict {
}
plugin {
}
---
Many thanks in advance!
Traiano
Charles Marcus
2014-Feb-27 14:06 UTC
[Dovecot] Dovecot Migration: Retrieving/Logging POP/IMAP Passwords in Plaintext
On 2/27/2014 8:47 AM, Traiano Welcome <traiano at gmail.com> wrote:
> Dovecot version: 1.0.7 (from dovecot-1.0.7-7.el5_7.1 rpm)

No other response is possible except: UPGRADE. 1.x has been unsupported for
far too long for anyone to waste time on it.

Best regards,
Charles
Gilles van den Hoven
2014-Mar-05 13:59 UTC
[Dovecot] Dovecot Migration: Retrieving/Logging POP/IMAP Passwords in Plaintext
Traiano Welcome <traiano <at> gmail.com> writes:

> I'm currently in the process of migrating my dovecot imap/pop users to a
> new server and have to extract their passwords in order to import them into
> the new system (different password encryption schemes).
> [...]
> My question: Is there any other configuration of dovecot that would allow
> me to capture POP/IMAP passwords at a successful login time?
>
> Dovecot version: 1.0.7 (from dovecot-1.0.7-7.el5_7.1 rpm)
> [...]

Yes this is possible, I did it today for my own server which was also
running dovecot 1.x. I hope I got all steps; but if not this should get you
a head start in the right direction.

Requires SQL and prefetching; largely based on a lot of googling, trying and
this page; http://wiki1.dovecot.org/UserDatabase/Prefetch

Steps to implement (based on SQL login);

1) Change MySQL 'user' query (all fields that are needed for LDA)
   note: adjust query to match your own fields/query

   user_query = SELECT home, uid, gid FROM mail_users WHERE address = '%u' AND active = '1'

2) Change MySQL 'password' query (prepend all 'user info' fields with userdb_)
   note: adjust query to match your own fields/query

   password_query = SELECT <...>, '%w' as userdb_plain_pass FROM mail_users WHERE address = '%u' AND active = '1'

3) Add new executables for imap and pop3 login;

   vi /usr/local/sbin/pop3.sh
   add this:

   #!/bin/sh
   # Store the password Dovecot exported as $PLAIN_PASS, then start the real pop3 binary.
   echo "UPDATE mail_users SET modified=now(), type='pop3', plainpwd='$PLAIN_PASS' WHERE address = '$USER'" | mysql --host=<host> --user=<usr> --password=<pass> <dbname>
   exec /usr/lib/dovecot/pop3 "$@"

   vi /usr/local/sbin/imap.sh
   add this:

   #!/bin/sh
   # Same as pop3.sh, but records the protocol as imap and starts the real imap binary.
   echo "UPDATE mail_users SET modified=now(), type='imap', plainpwd='$PLAIN_PASS' WHERE address = '$USER'" | mysql --host=<host> --user=<usr> --password=<pass> <dbname>
   exec /usr/lib/dovecot/imap "$@"

   Chmod +x them and make sure both the query and the
   "/usr/lib/dovecot/<exec>" match your environment.

4) In dovecot.conf; change executables for imap and pop3 login to point to
   the new shell scripts

   protocol pop3 {
     ...
     mail_executable = /usr/local/sbin/pop3.sh
     ...
   }
   protocol imap {
     ...
     mail_executable = /usr/local/sbin/imap.sh
     ...
   }

5) Still in dovecot.conf add:

   userdb {
     driver = prefetch
   }

6) Restart dovecot, done.

   /etc/init.d/dovecot restart

Regards,
Gilles
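
The wrapper scripts in the reply above paste $PLAIN_PASS and $USER straight into the SQL text and put the database password on the mysql command line. The following is an added example, not code from the thread or from Dovecot, showing one wrapper that quotes both values as SQL string literals and reads the database credentials from an option file. It assumes MySQL's default sql_mode (backslash acts as an escape character), a single-byte or UTF-8 connection character set, and a hypothetical option file /etc/dovecot-migrate.cnf; the table and column names are the ones used in the post.

```sh
#!/bin/sh
# Added example: install as /usr/local/sbin/imap.sh and pop3.sh (same file).
# Assumption: MySQL default sql_mode, so backslash is an escape character
# inside string literals and has to be doubled as well as the quote.

# Print $1 as a single-quoted SQL string literal: double every backslash,
# then double every single quote, so the value cannot end the literal early.
sql_quote() {
    escaped=$(printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")
    printf "'%s'" "$escaped"
}

# Print the UPDATE statement. $1 = protocol, $2 = login, $3 = password.
# The protocol is checked against a fixed list instead of being quoted.
build_update() {
    case "$1" in
        imap|pop3) ;;
        *) return 1 ;;
    esac
    printf "UPDATE mail_users SET modified=now(), type='%s', plainpwd=%s WHERE address = %s\n" \
        "$1" "$(sql_quote "$3")" "$(sql_quote "$2")"
}

# Wrapper body: the protocol comes from the script's own name, so nothing
# below runs unless the file is invoked as imap.sh or pop3.sh.
proto=${0##*/}
proto=${proto%.sh}
case "$proto" in
    imap|pop3)
        if [ -n "${PLAIN_PASS:-}" ]; then
            # Hypothetical option file (mode 0600) with host, user, password
            # and database, keeping the DB password out of the process list.
            # A failed update must not block the user's login.
            build_update "$proto" "$USER" "$PLAIN_PASS" |
                mysql --defaults-extra-file=/etc/dovecot-migrate.cnf || true
        fi
        unset PLAIN_PASS   # do not pass the password on to the mail process
        exec "/usr/lib/dovecot/$proto" "$@"
        ;;
esac
```

The plainpwd column holds cleartext credentials for as long as the migration runs; hash each value into the new scheme and clear the column once the account has been imported.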