[Dovecot] Dovecot Migration: Retrieving/Logging POP/IMAP Passwords in Plaintext
Hi List
I'm currently in the process of migrating my dovecot imap/pop users to a new server and have to extract their passwords in order to import them into the new system (different password encryption schemes).
I've tried enabling auth_* debug parameters in my dovecot.conf in the hope that this would result in logging plaintext passwords to the dovecot log. However dovecot does not log the passwords in plaintext under any debugging configuration.
My question: Is there any other configuration of dovecot that would allow me to capture POP/IMAP passwords at a successful login time?
Dovecot version: 1.0.7 (from dovecot-1.0.7-7.el5_7.1 rpm)
The output of dovecot -n is:
# 1.0.7: /etc/dovecot.conf
info_log_path: /var/log/dovecot.debug
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: mbox:~:INBOX=~/Mailbox
mail_debug: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
  mechanisms: plain login
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/run/dovecot/auth-client
      mode: 438
My dovecot.conf is as follows:
info_log_path = /var/log/dovecot.debug
verbose_ssl = yes
mail_location = mbox:~:INBOX=~/Mailbox
mail_debug = yes
protocol imap {
}
protocol pop3 {
}
protocol lda {
  postmaster_address = postmaster@example.com
}
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  user = root
  socket listen {
    client {
      path = /var/run/dovecot/auth-client
      mode = 0666
    }
  }
}
dict {
}
plugin {
}
Many thanks in advance! Traiano
On 2/27/2014 8:47 AM, Traiano Welcome <traiano@gmail.com> wrote:
Dovecot version: 1.0.7 (from dovecot-1.0.7-7.el5_7.1 rpm)
No other response is possible except:
UPGRADE.
1.x has been unsupported for far too long for anyone to waste time on it.
Best regards,
Charles
Hi Charles
Thanks for your response:
On Thu, Feb 27, 2014 at 4:06 PM, Charles Marcus <CMarcus@media-brokers.com> wrote:
On 2/27/2014 8:47 AM, Traiano Welcome <traiano@gmail.com> wrote:
Dovecot version: 1.0.7 (from dovecot-1.0.7-7.el5_7.1 rpm)
No other response is possible except:
UPGRADE.
1.x has been unsupported for far too long for anyone to waste time on it.
I agree. Once upgraded to a reasonably recent version, though, what configuration would I use to log plaintext passwords, then ?
Best regards,
Charles
On 2/27/2014 9:20 AM, Traiano Welcome <traiano@gmail.com> wrote:
I agree. Once upgraded to a reasonably recent version, though, what configuration would I use to log plaintext passwords, then ?
http://wiki2.dovecot.org/Logging
Scroll down to the bottom...
--
Best regards,
Charles
On Thu, Feb 27, 2014 at 4:32 PM, Charles Marcus <CMarcus@media-brokers.com> wrote:
On 2/27/2014 9:20 AM, Traiano Welcome <traiano@gmail.com> wrote:
I agree. Once upgraded to a reasonably recent version, though, what configuration would I use to log plaintext passwords, then ?
http://wiki2.dovecot.org/Logging
Scroll down to the bottom...
From the wiki:
"auth_debug_passwords=yes does everything that auth_debug=yes does, but it also removes password hiding (but only if you are not using PAM, since PAM errors aren't written to Dovecot's own logs)."
Looks like upgrading won't help either, as I'm using pam:
passdb pam { } userdb passwd { }
--
Best regards,
Charles
Traiano Welcome <traiano@gmail.com> writes:
Yes, this is possible. I did it today for my own server, which was also running dovecot 1.x. I hope I got all the steps, but if not, this should give you a head start in the right direction.
Requires SQL and prefetching; largely based on a lot of googling, trying, and this page: http://wiki1.dovecot.org/UserDatabase/Prefetch
Steps to implement (based on SQL login):
- Change the MySQL 'user' query (all fields that are needed for LDA). Note: adjust the query to match your own fields/query.
  user_query = SELECT home, uid, gid FROM mail_users WHERE address = '%u' AND active = '1'
- Change the MySQL 'password' query (prepend all 'user info' fields with userdb_). Note: adjust the query to match your own fields/query.
  password_query = SELECT <...>, '%w' as userdb_plain_pass FROM mail_users WHERE address = '%u' AND active = '1'
- Add new executables for imap and pop3 login:
  vi /usr/local/sbin/pop3.sh
  add this:
    #!/bin/sh
    # Double single quotes and backslashes so a password or address containing
    # them cannot break or alter the SQL literal (MySQL's default escaping rules).
    PW=$(printf '%s' "$PLAIN_PASS" | sed "s/\\\\/\\\\\\\\/g; s/'/''/g")
    U=$(printf '%s' "$USER" | sed "s/\\\\/\\\\\\\\/g; s/'/''/g")
    echo "UPDATE mail_users SET modified=now(), type='pop3', plainpwd='$PW' WHERE address = '$U'" \
      | mysql --host=<host> --user=<usr> --password=<pass> <dbname>
    # Hand over to the real pop3 process with the arguments dovecot passed us.
    exec /usr/lib/dovecot/pop3 "$@"
  vi /usr/local/sbin/imap.sh
  add this:
    #!/bin/sh
    # Same escaping as in pop3.sh; the type column records which protocol logged in.
    PW=$(printf '%s' "$PLAIN_PASS" | sed "s/\\\\/\\\\\\\\/g; s/'/''/g")
    U=$(printf '%s' "$USER" | sed "s/\\\\/\\\\\\\\/g; s/'/''/g")
    echo "UPDATE mail_users SET modified=now(), type='imap', plainpwd='$PW' WHERE address = '$U'" \
      | mysql --host=<host> --user=<usr> --password=<pass> <dbname>
    # Hand over to the real imap process with the arguments dovecot passed us.
    exec /usr/lib/dovecot/imap "$@"
- chmod +x them and make sure that both the query and the "/usr/lib/dovecot/<exec>" path match your environment.
- In dovecot.conf, change the executables for imap and pop3 login to point to the new bash scripts:
  protocol pop3 {
    ...
    mail_executable = /usr/local/sbin/pop3.sh
    ...
  }
  protocol imap {
    ...
    mail_executable = /usr/local/sbin/imap.sh
    ...
  }
- Still in dovecot.conf, add:
  userdb {
    driver = prefetch
  }
- Restart dovecot, done: /etc/init.d/dovecot restart
Regards, Gilles
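An added example, not Gilles's scripts and not Dovecot's own code: the same login-time hook, but it stores a hash in the new scheme (Dovecot's {SSHA512} layout, SHA-512 digest followed by the salt, base64-encoded) rather than the plaintext, and writes it with a bound-parameter query so quotes in a password cannot alter the statement. It assumes the environment variables the posted scripts rely on (USER, PLAIN_PASS), uses an in-memory SQLite table as a constructed stand-in for the MySQL mail_users table, and takes the exec path from the thread.

```python
"""Dovecot mail_executable wrapper: records a salted SHA-512 ({SSHA512}) hash of
the password seen at login instead of the plaintext. Assumed, as in the posted
scripts: userdb exports USER and PLAIN_PASS; SQLite stands in for MySQL offline."""
import base64
import hashlib
import os
import sqlite3
import sys

def ssha512_hash(password, salt=None):
    """'{SSHA512}' + base64(SHA512(password || salt) || salt), salt appended."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")

def ssha512_verify(password, stored):
    """Check a candidate password against a '{SSHA512}...' string."""
    if not stored.startswith("{SSHA512}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA512}"):])
    digest, salt = raw[:64], raw[64:]  # SHA-512 digest is 64 bytes, rest is salt
    return hashlib.sha512(password.encode("utf-8") + salt).digest() == digest

def open_demo_db():
    """Constructed stand-in for the mail_users table, with one seeded account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mail_users (address TEXT PRIMARY KEY, new_pass TEXT)")
    conn.execute("INSERT INTO mail_users VALUES ('bob@example.com', NULL)")
    return conn

def record_migrated_hash(conn, user, password):
    """Store the new-scheme hash with bound parameters, not string splicing, so
    a quote in the user name or password cannot alter the statement."""
    hashed = ssha512_hash(password)
    conn.execute("UPDATE mail_users SET new_pass = ? WHERE address = ?",
                 (hashed, user))
    conn.commit()
    return hashed

def stored_hash(conn, user):
    row = conn.execute("SELECT new_pass FROM mail_users WHERE address = ?",
                       (user,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    # In service: take USER/PLAIN_PASS from the environment, record the hash,
    # then exec the genuine binary (path from the thread) with Dovecot's argv.
    db = sqlite3.connect("/path/to/migration.db")  # placeholder, not from the page
    record_migrated_hash(db, os.environ["USER"], os.environ["PLAIN_PASS"])
    os.execv("/usr/lib/dovecot/imap", ["/usr/lib/dovecot/imap"] + sys.argv[1:])
```

Once every active account has logged in once, the new_pass column can be imported into the new server's passdb directly, and nothing in plaintext ever touched the database.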
participants (3)
- Charles Marcus
- Gilles van den Hoven
- Traiano Welcome