Moving to new password scheme

@lbutlr kremels at kreme.com
Wed Jan 25 08:59:52 UTC 2017


> On Jan 25, 2017, at 1:09 AM, Alessio Cecchi <alessio at skye.it> wrote:
> 
> Il 24/01/2017 23:29, @lbutlr ha scritto:
>> dovecot is setup on a system with MD5-CRYPT password scheme for all users, and I would like to update this to something that is secure, probably SSHA256-CRYPT, but I want to do this seamlessly without the users having to jump through any hoops.
>> 
>> The users are in mySQL (managed via postfixadmin) and the mailbox record simply stores the hash in the password field. Users access their accounts though IMAP MUAs or Roundcube.
>> 
>> How would I setup my system so that if a user logs in and still has a $1$ password (MD5-CRYPT) their password will be encoded to the new SHCEME and then the SQL row updated with the $5$ password instead? Something where they are redirected after authentication to a page that forces them to renter their password (or choose a new one) is acceptable.
>> 
>> And, while I am here, is it worthwhile to set the -r flag to a large number (like something over 100,000 which sets takes about 0.25 seconds to do on my machine)?
>> 
> Hi,
> 
> you can convert password scheme during the login:
> 
> http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

Thanks, I started to look into that and got stopped no the first step

>  userdb {
>   driver = prefetch
> }

If I set that and reload dovecot users cannot login.

dovecot: auth: Fatal: userdb prefetch: No args are supported: /etc/dovecot/dovecot-sql.conf.ext
dovecot: master: Error: service(auth): command startup failed, throttling for 8 secs
dovecot: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 4 secs): user=<>,

# 2.2.27 (c0f36b0): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.3-RELEASE-p11 i386  
auth_failure_delay = 5 secs
auth_mechanisms = PLAIN LOGIN
default_client_limit = 4096
default_process_limit = 1024
default_vsz_limit = 768 M
disable_plaintext_auth = no
first_valid_uid = 89
imap_id_log = *
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_log_format_elements = user=<%u> %r %m %c
mail_location = maildir:~/Maildir
mail_max_userip_connections = 90
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox NotJunk {
    auto = subscribe
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service imap-postlogin {
  executable = script-login /usr/local/etc/dovecot/afterlogin.sh
  user = $default_internal_user
}
ssl_cert = </usr/local/etc/dehydrated/certs/covisp.net/fullchain.pem
ssl_key =  # hidden, use -P to show it
ssl_protocols = !SSLv2 !SSLv3

userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  default_fields = uid=vpopmail gid=vchkpw mail_location=/usr/local/virtual/%u mail=maildir:/usr/local/virtual/%u
  driver = sql
}

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



More information about the dovecot mailing list