Dovecot 1.2.15 and Convert Password Schemes

Chuck Peters cplists at axs.org
Fri Dec 11 20:23:35 UTC 2015


Can I convert the password hashes with the older Dovecot?

http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes shows how it can
potentially be done with Dovecot 2.1, but when I try it with Dovecot
1.2.15, I'm not seeing a way to make it work.  Any suggestions?

This is an old Debian 6 system that's overdue for an upgrade.  In the
test environment upgrading OpenLDAP to Debian 8 I discovered most of
our users' passwords probably won't work.  The hashes appear to be an
old Unix DES-based hash, i.e. base64-decoded LDIF shows something like
the following:
userPassword:: {crypt}Aipcuzoh3eiVE

Passwords stored in the SSHA hash seem to work fine.  If given the
password, a shell script could create the hashes with slappasswd
and/or a SHA512 hash (using doveadm or mkpasswd) for use on Debian 8.


# cat /usr/local/bin/dovecot-environment.sh
#!/bin/sh
set > /tmp/dovecot-environment
exec /usr/lib/dovecot/imap "$@"

I can show the /tmp/dovecot-environment if you like, but it's not
showing the password as a variable...

This system is using Debian's Dovecot package 1.2.15-7+deb6u1.
Dovecot 2.1.7-7~bpo60+1 is available as a backport, but I would prefer
not to upgrade Dovecot on the production system if I don't need to, or
have some other reason such as some features for using IMAP for the
migration.  https://packages.debian.org/search?keywords=dovecot-common

Thanks,
Chuck

# dovecot -n
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-686-bigmem i686 Debian 6.0.10
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap imaps pop3 pop3s
ssl_cert_file: /etc/lfrr/ca/thishost.crt
ssl_key_file: /etc/lfrr/ca/thishost.key
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
verbose_proctitle: yes
mail_privileged_group: mail
mail_location: mbox:%h:INBOX=/var/mail/%Lu
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/local/bin/dovecot-environment.sh
mail_executable(imap): /usr/local/bin/dovecot-environment.sh
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugins(default): quota imap_quota
mail_plugins(imap): quota imap_quota
mail_plugins(pop3):
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
pop3_reuse_xuidl(default): no
pop3_reuse_xuidl(imap): no
pop3_reuse_xuidl(pop3): yes
auth default:
  mechanisms: plain login
  debug_passwords: yes
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  passdb:
    driver: pam
    args: session=yes dovecot
  userdb:
    driver: passwd
    args: /etc/passwd
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
plugin:
  quota: dirsize
  quota_rule: *:storage=204800


I should note, I think the default_pass_scheme = CRYPT doesn't do
anything with auth_bind = yes.

# grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-ldap.conf
hosts = 127.0.0.1
sasl_bind = no
auth_bind = yes
auth_bind_userdn = uid=%u,ou=People,dc=ccil,dc=org
ldap_version = 3
base = ou=People,dc=ccil,dc=org
pass_attrs = uid=user,userPassword=password,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = CRYPT
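
An added example, not part of the original post or of Dovecot: a Python sketch that audits an LDIF dump for userPassword values still stored as traditional DES crypt (like the {crypt} value quoted above) and builds an OpenLDAP-style {SSHA} value once the plaintext is known. The function names, uids and sample entries are constructed for illustration, and the parser assumes unfolded LDIF lines.

```python
import base64, hashlib, hmac, os, re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars, all from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def classify(value):
    """Label the scheme of one decoded userPassword value."""
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)\}(.*)", value)
    if not m:
        return "NO-SCHEME-PREFIX"
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return scheme
    if body.startswith("$"):  # modular crypt, e.g. $1$ (MD5) or $6$ (SHA-512)
        return "CRYPT-$%s$" % body.split("$")[1]
    return "CRYPT-DES" if DES_CRYPT.fullmatch(body) else "CRYPT-UNKNOWN"

def audit_ldif(text):
    """Map uid -> scheme label. Assumes unfolded LDIF lines."""
    result = {}
    for entry in re.split(r"\n\s*\n", text.strip()):
        uid = pw = None
        for line in entry.splitlines():
            if line.startswith("uid: "):
                uid = line[5:].strip()
            elif line.startswith("userPassword:: "):  # base64-encoded value
                pw = base64.b64decode(line[15:]).decode()
            elif line.startswith("userPassword: "):
                pw = line[14:].strip()
        if uid and pw is not None:
            result[uid] = classify(pw)
    return result

def make_ssha(password, salt=None):
    """Build {SSHA}: base64(SHA1(password + salt) + salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password, stored):
    """Verify a password against a {SSHA} value in constant time."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def b64(s): return base64.b64encode(s.encode()).decode()

# Constructed sample dump; only the {crypt} value is taken from the post.
SAMPLE_LDIF = "\n".join([
    "uid: alice", "userPassword:: " + b64("{crypt}Aipcuzoh3eiVE"), "",
    "uid: bob", "userPassword:: " + b64(make_ssha("constructed-password")), "",
    "uid: carol", "userPassword:: " + b64("{crypt}$6$constructedsalt$constructedhash"),
])
```

Accounts reported as CRYPT-DES are the ones whose hashes need replacing before the move; traditional DES crypt also only uses the first 8 characters of the password.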

