Change password schema and post-login script
Hello,
Question #1:
For version 2.3.19.1 these commands use BLF-CRYPT, right?
doveadm pw
doveadm pw -s CRYPT
Question #2:
I want to change password schema for current users.
For users using POP3 or IMAP I can do it using a post-login script.
I have some accounts used only to send e-mails using Postfix, so no POP3/IMAP logins for these accounts.
Is there any way to change password schema for these accounts?
My config:
# 2.3.19.1 (9b53102964): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.19 (4eae2f79)
# OS: FreeBSD 13.1-RELEASE-p2 amd64 zfs
# Hostname: server2.example.com
auth_master_user_separator = *
auth_mechanisms = plain login
auth_verbose = yes
default_process_limit = 225
disable_plaintext_auth = no
first_valid_gid = 0
first_valid_uid = 1001
mail_location = maildir:/home/mail/%d/%n:INDEX=/tmpfs/dovecot_%u:CONTROL=/var/mail/%d/%n
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /usr/local/etc/dovecot/passwd.master
  driver = passwd-file
  master = yes
  result_success = continue
}
passdb {
  args = /usr/local/etc/dovecot/passwd.suspended
  deny = yes
  driver = passwd-file
}
passdb {
  args = /usr/local/etc/dovecot/passwd
  driver = passwd-file
}
plugin {
  imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  quota = maildir:User quota
  quota_max_mail_size = 100M
  quota_rule = *:storage=2048M
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_warning = storage=80%% quota-warning 80 %u
  sieve = file:~/sieve;active=~/sieve.active
  sieve_before = /usr/local/lib/dovecot/sieve/antispam.sieve
  sieve_global_extensions = +vnd.dovecot.pipe
  sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
protocols = imap pop3 lmtp sieve
service auth {
  client_limit = 1125
  unix_listener auth-client {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    address = 127.0.0.1
    port = 4190
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener {
    port = 12340
  }
}
service quota-warning {
  executable = script /root/cretapanel/quota-warning.sh
  unix_listener quota-warning {
    mode = 0666
    user = dovecot
  }
}
ssl_cert = </etc/ssl/certs/mail.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
userdb {
  args = /usr/local/etc/dovecot/passwd
  driver = passwd-file
}
verbose_proctitle = yes
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
  mail_max_userip_connections = 20
  mail_plugins = quota imap_quota imap_sieve imap_zlib
}
protocol pop3 {
  mail_plugins = quota
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}
protocol lda {
  postmaster_address = postmaster@example.com
  sendmail_path = /usr/sbin/sendmail
}
protocol lmtp {
  mail_plugins = quota sieve
  postmaster_address = postmaster@example.com
}
For version 2.3.19.1 these commands use BLF-CRYPT, right?
doveadm pw
doveadm pw -s CRYPT
# doveadm pw -l
SHA1 SSHA512 SCRAM-SHA-256 BLF-CRYPT PLAIN HMAC-MD5 OTP SHA512 SHA DES-CRYPT CRYPT SSHA MD5-CRYPT PLAIN-MD4 PLAIN-MD5 SCRAM-SHA-1 SHA512-CRYPT CLEAR CLEARTEXT SSHA256 MD5 PBKDF2 SHA256 CRAM-MD5 PLAIN-TRUNC SHA256-CRYPT SMD5 DIGEST-MD5 LDAP-MD5
# doveadm pw -s BLF-CRYPT
Enter new password:
Question #2: I want to change password schema for current users. Is there any way to change password schema for these accounts?
Not in some batch operation; you have no idea what the current password is, which is the point of hashing. All you can do is force people to change their passwords, and the mechanism that lets them change the password saves the new password with the new schema.
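Because stored hashes can only be replaced when the plaintext is seen again, it helps to know which accounts are still on an old scheme (for example the SMTP-only ones that never hit a post-login script). The following is an added example, not code from this thread or from Dovecot: it parses passwd-file text and lists accounts whose hash is not yet in the target scheme. The function names and the sample entries are constructed, and treating an untagged password as CRYPT is an assumption that holds only if no `scheme=` argument is set on the passdb.

```python
import re
from collections import defaultdict

# crypt(3) "$id$" prefixes, consulted when an entry is {CRYPT} or untagged
CRYPT_PREFIXES = (("$2a$", "BLF-CRYPT"), ("$2b$", "BLF-CRYPT"),
                  ("$2y$", "BLF-CRYPT"), ("$6$", "SHA512-CRYPT"),
                  ("$5$", "SHA256-CRYPT"), ("$1$", "MD5-CRYPT"))
# Matches a leading {SCHEME} or {SCHEME.encoding} tag
SCHEME_TAG = re.compile(r"^\{([A-Za-z0-9-]+)(?:\.[A-Za-z0-9]+)?\}(.*)$")

def effective_scheme(field, default_scheme="CRYPT"):
    """Return the scheme a passwd-file password field is actually stored in."""
    m = SCHEME_TAG.match(field)
    scheme, body = (m.group(1).upper(), m.group(2)) if m else (default_scheme, field)
    if scheme != "CRYPT":
        return scheme
    for prefix, name in CRYPT_PREFIXES:
        if body.startswith(prefix):
            return name
    return "DES-CRYPT"  # traditional crypt output has no $id$ prefix

def audit(passwd_text, target="BLF-CRYPT", default_scheme="CRYPT"):
    """Map scheme -> [users] for every account not yet on the target scheme."""
    pending = defaultdict(list)
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) < 2 or not fields[1]:
            continue  # comment, blank line, or entry without a password
        scheme = effective_scheme(fields[1], default_scheme)
        if scheme != target:
            pending[scheme].append(fields[0])
    return dict(pending)

# Constructed sample: users and hash bodies are placeholders, not real hashes
SAMPLE = """\
# user:password:uid:gid:gecos:home
alice@example.com:{BLF-CRYPT}$2y$05$constructed:1001:1001::/home/mail/example.com/alice
bob@example.com:{SHA512-CRYPT}$6$salt$constructed:1001:1001::/home/mail/example.com/bob
smtp-only@example.com:{MD5-CRYPT}$1$salt$constructed:1001:1001::/home/mail/example.com/smtp-only
carol@example.com:$1$salt$constructed:1001:1001::/home/mail/example.com/carol
dave@example.com:{CRYPT}$2y$05$constructed:1001:1001::/home/mail/example.com/dave
erin@example.com:{SSHA256.hex}00constructed:1001:1001::/home/mail/example.com/erin
"""

if __name__ == "__main__":
    for scheme, users in sorted(audit(SAMPLE).items()):
        print(f"{scheme}: {', '.join(users)}")
```

The accounts it reports are the ones that still need a forced password change or a successful login through a rehashing hook.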
On 2022-10-22 18:00, Christos Chatzaras wrote:
Hello,
Question #1:
For version 2.3.19.1 these commands use BLF-CRYPT, right?
doveadm pw
doveadm pw -s CRYPT
Question #2:
I want to change password schema for current users.
For users using POP3 or IMAP I can do it using a post-login script.
I have some accounts used only to send e-mails using Postfix, so no POP3/IMAP logins for these accounts.
Is there any way to change password schema for these accounts?
Hi there,
If I understood you correctly, yes you can. There is auth fallback in Dovecot and you can specify it for user as well as auth queries, e.g. to full accounts including sending, you can query from the main auth and user source and remove sender only entries in such source and add in the fallback source with a tweak, that's setting a different password schema.
For more info, refer to: https://doc.dovecot.org/configuration_manual/authentication/multiple_authent...
Also, notice that it doesn't have to be database fallback, you can set file based one, refer to: https://doc.dovecot.org/configuration_manual/authentication/passwd_file/
Good luck.
Zakaria.
Participants (3): Christos Chatzaras, dovecot@ptld.com, hi@zakaria.website