[Dovecot] How to manually generate a password hash

Sun Apr 14 13:24:38 EEST 2013

On 4/13/2013 7:10 PM, David Murphy wrote:
> Hi folks. I've recently set up a Postfix 2.9.6/Dovecot 2.0.19 IMAPS/SMTPS setup on Ubuntu 12.04.2 (Mysql backend). I'm new to all this, so I apologize if this is fairly basic. I've attempted to the best of my ability to search for an answer, but no luck so far.
>
> What I'm trying to do is generate a password hash that I can inject directly into my Mysql database (disaster recovery sort of situation). Towards that goal, I'm trying to use 'doveadm pw' to generate a hash that matches a known password in my database. Unfortunately, I'm coming up empty.
>
> My default_pass_scheme in dovecot-sql.conf is set to MD5-CRYPT, and the passwords in the database have no scheme prefixes. I'm attempting to generate a hash with:
>
>    sudo doveadm pw -s 'MD5-CRYPT'
>
> but the hash generated does not match the user's password hash in the database, which is known to be a good password. I'm able to log into this account successfully in both Roundcube and a remote IMAP client. I've also tried using the -p flag and including the password in the command, and that doesn't do it either, though it oddly gives a different response than using the prompt. (What causes this? Newlines?)
>
> So... what am I missing? If the hash was salted, it would seem the hashes in the database would be longer than the ones generated at the command line, but that isn't the case. I'm out of ideas. Any guidance appreciated.
>
> -Dave
>   		 	   		
>

1) If your passwords are of the format $1$..., then they are in standard 
crypt md5 format.  They are salted.  The salt is between the second and 
third $ and the actual hash follows the third $.

2) The version of Dovecot you are running has several bugs in "doveadm 
pw" that you might be encountering.  This will prevent you from 
verifying the hashes.  Some of these have been fixed in the current release.

Try the following command.  This should give you a "verified" response 
on a patched version of doveadm.  (NOTE this command is all on one line, 
but may wrap in the email).

doveadm pw -s MD5-CRYPT -p abc123 -t '$1$85P5.CAv$tqx.O2iZwnIZjuMQ7fo6m1'

It should reply:

$1$85P5.CAv$tqx.O2iZwnIZjuMQ7fo6m1 (verified)

Or possibly (depending on the version of dovecot you run):

{MD5-CRYPT}$1$85P5.CAv$tqx.O2iZwnIZjuMQ7fo6m1 (verified)

If you do not get one of the above responses to the test, you should 
upgrade, since your doveadm is broken.

To test your hashes, use the above command format substituting your 
password after -p and your hash after -t.  This is only if your hashes 
begin with $1$..., however.  If they do not, then they are not in crypt 
md5 format and you will need to figure out what format they are.

Once again, however, you need to be running at least 2.1.17, I believe, 
or maybe a recent release of 2.2 that has the doveadm patches.

Dem