[Dovecot] Dovecot Migration: Retrieving/Logging POP/IMAP Passwords in Plaintext
Gilles van den Hoven
support at webunity.nl
Wed Mar 5 13:59:19 UTC 2014
Traiano Welcome <traiano <at> gmail.com> writes:
>
> Hi List
>
> I'm currently in the process of migrating my dovecot imap/pop users to a
> new server and have to extract their passwords in order to import them into
> the new system (different password encryption schemes).
>
> I've tried enabling auth_* debug parameters in my dovecot.conf in the hope
> that this would result in logging plaintext passwords to the dovecot log.
> However dovecot does not log the passwords in plaintext under any debugging
> configuration.
>
> My question: Is there any other configuration of dovecot that would allow
> me to capture POP/IMAP passwords at a successful login time?
>
> Dovecot version: 1.0.7 (from dovecot-1.0.7-7.el5_7.1 rpm)
>
> The output of dovecot -n is:
>
> ---
> # 1.0.7: /etc/dovecot.conf
> info_log_path: /var/log/dovecot.debug
> verbose_ssl: yes
> login_dir: /var/run/dovecot/login
> login_executable(default): /usr/libexec/dovecot/imap-login
> login_executable(imap): /usr/libexec/dovecot/imap-login
> login_executable(pop3): /usr/libexec/dovecot/pop3-login
> mail_location: mbox:~:INBOX=~/Mailbox
> mail_debug: yes
> mail_executable(default): /usr/libexec/dovecot/imap
> mail_executable(imap): /usr/libexec/dovecot/imap
> mail_executable(pop3): /usr/libexec/dovecot/pop3
> mail_plugin_dir(default): /usr/lib64/dovecot/imap
> mail_plugin_dir(imap): /usr/lib64/dovecot/imap
> mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
> auth default:
> mechanisms: plain login
> verbose: yes
> debug: yes
> debug_passwords: yes
> passdb:
> driver: pam
> userdb:
> driver: passwd
> socket:
> type: listen
> client:
> path: /var/run/dovecot/auth-client
> mode: 438
> ---
>
> My dovecot.conf is as follows:
>
> ------
> info_log_path = /var/log/dovecot.debug
> verbose_ssl = yes
> mail_location = mbox:~:INBOX=~/Mailbox
> mail_debug = yes
> protocol imap {
> }
> protocol pop3 {
> }
> protocol lda {
>   postmaster_address = postmaster <at> example.com
> }
> auth_verbose = yes
> auth_debug = yes
> auth_debug_passwords = yes
> auth default {
>   mechanisms = plain login
>   passdb pam {
>   }
>   userdb passwd {
>   }
>   user = root
>   socket listen {
>     client {
>       path = /var/run/dovecot/auth-client
>       mode = 0666
>     }
>   }
> }
> dict {
> }
> plugin {
> }
> ---
>
> Many thanks in advance!
> Traiano
>
>
Yes, this is possible; I did it today for my own server, which was also
running dovecot 1.x. I hope I got all the steps; if not, this should get you
a head start in the right direction.

Requires SQL and prefetching; largely based on a lot of googling, trying and
this page: http://wiki1.dovecot.org/UserDatabase/Prefetch

Steps to implement (based on SQL login):

1) Change MySQL 'user' query (all fields that are needed for LDA)
   note: adjust query to match your own fields/query

   user_query = SELECT home, uid, gid FROM mail_users WHERE address = '%u' AND active = '1'

2) Change MySQL 'password' query (prepend all 'user info' fields with
   userdb_)
   note: adjust query to match your own fields/query

   password_query = SELECT <...>, '%w' as userdb_plain_pass FROM mail_users WHERE address = '%u' AND active = '1'

3) Add new executables for imap and pop3 login:

   vi /usr/local/sbin/pop3.sh
   add this:

   #!/bin/sh
   # Store the password Dovecot exports as $PLAIN_PASS, then start the real pop3 binary.
   echo "UPDATE mail_users SET modified=now(), type='pop3', plainpwd='$PLAIN_PASS' WHERE address = '$USER'" | mysql --host=<host> --user=<usr> --password=<pass> <dbname>
   exec /usr/lib/dovecot/pop3 "$@"

   vi /usr/local/sbin/imap.sh
   add this:

   #!/bin/sh
   # Same as pop3.sh, but records the protocol as imap and starts the imap binary.
   echo "UPDATE mail_users SET modified=now(), type='imap', plainpwd='$PLAIN_PASS' WHERE address = '$USER'" | mysql --host=<host> --user=<usr> --password=<pass> <dbname>
   exec /usr/lib/dovecot/imap "$@"

   Chmod +x them and make sure both the query and the "/usr/lib/dovecot/<exec>"
   match your environment.

4) In dovecot.conf, change executables for imap and pop3 login to point to
   new bash scripts:

   protocol pop3 {
     ...
     mail_executable = /usr/local/sbin/pop3.sh
     ...
   }
   protocol imap {
     ...
     mail_executable = /usr/local/sbin/imap.sh
     ...
   }

5) Still in dovecot.conf add:

   userdb {
     driver = prefetch
   }

6) Restart dovecot, done.

   /etc/init.d/dovecot restart

Regards,
Gilles
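
Added example (not part of the original post, and not Dovecot's own code): the wrappers in step 3 paste $PLAIN_PASS and $USER straight into the SQL text, so a password containing a quote breaks or changes the UPDATE, and --password on the command line can be visible to other local users in the process list. The variant below hex-encodes both values and reads the database credentials from an option file; the path /etc/dovecot/migrate.cnf, the utf8 character set and the one-script-under-two-names layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Install under both names
# (pop3.sh and imap.sh); the protocol is taken from the script name.
# Assumptions: mail_users columns as in the post; /etc/dovecot/migrate.cnf is
# a hypothetical root-only option file holding the host, user, password and
# database options for the mysql client.
CNF=/etc/dovecot/migrate.cnf

# Hex-encode a string: the result contains only [0-9a-f].
# -v stops od from collapsing repeated 16-byte lines into "*".
to_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \t\n'
}

# SQL expression that yields the original string, with no quoting involved.
sql_str() {
    printf "CONVERT(UNHEX('%s') USING utf8)" "$(to_hex "$1")"
}

# Build the UPDATE; $1 = protocol, $2 = address, $3 = password.
build_update() {
    case "$1" in
        pop3|imap) ;;
        *) return 1 ;;
    esac
    printf "UPDATE mail_users SET modified=now(), type='%s', plainpwd=%s WHERE address = %s\n" \
        "$1" "$(sql_str "$3")" "$(sql_str "$2")"
}

# Record the password (best effort), then start the real mail process.
capture_and_exec() {
    proto=$1
    shift
    if [ -n "${PLAIN_PASS:-}" ] && sql=$(build_update "$proto" "${USER:-}" "$PLAIN_PASS"); then
        printf '%s\n' "$sql" | mysql --defaults-extra-file="$CNF" || true
    fi
    unset PLAIN_PASS   # keep the password out of the mail process environment
    exec "/usr/lib/dovecot/$proto" "$@"
}

# Only act when invoked under one of the two wrapper names.
case "${0##*/}" in
    pop3.sh) capture_and_exec pop3 "$@" ;;
    imap.sh) capture_and_exec imap "$@" ;;
esac
```

Once every account has logged in against the new scheme, remove the wrappers, the '%w' field in password_query and the plainpwd column so the plaintext copies do not outlive the migration.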