I know I'm "Johnny-come-lately" on this topic, but I can explain the results
you're seeing and have seen the same myself:
The QMT vpopmail default setup saves the hashed password, as well as the first
16-characters of the clear-text password, in the MySQL database. That has
already been established. What you probably don't know (or didn't think of) is
how those fields are used!
Consider the following:
- First, the length of the hashing algorithm is a fixed length. Different
hashes, different lengths (for example: MD5 hashes are always 32 characters,
SHA1 hashes have 40 characters, sha512 hashes 128, and so on...)
- Second, ONLY the hashed password is used for validation. There is no NEED for the
cleartext password in the database, it's there simply because the MySQL database was
considered somewhat secure, and the original developers of the QMT realized that about
40% of user problems are caused by NOT KNOWING THEIR PASSWORDS, and being able to GIVE
them their existing password was generally easier than resetting it (and hearing
complaints that, although you "fixed" their desktop mail, now their phone's
weren't getting email!)
- Finally, the original designers of QMT assumed people would use long passwords -- it
was suggested in the original documentation. Thus, saving only the first 16 characters of
the password in cleartext meant you were only REALLY saving a "password hint"
vs. the entire password.
So - when you enter a 75 character password (only slightly absurd these days), and if we assume a
sha1 password hash, then the "set password" function hashes your 75 characters into a
40-character SHA1 hash and saves it into the database field that stores up to (magically) 40
characters. (FWIW: when you enter your 2-character password of "ok", the sha1 algorithm
ALSO generates a 40 character output!). After is stores the hashed password, it ALSO stores the
first 16 characters of the cleartext password -- because that's the length of the field in the
database.
When you try to authenticate, the password you provided is re-hashed
(regardless of its length -- although usually those fields have 64, 72, or 128
character field limits - depending on the web-page designer/programmer), and
those 40 characters (the output of the sha1 hash) are compared to your stored
hash... there is no query of the cleartext password.
Unfortunately, when you attempt to restore your passwords using just the stored
cleartext passwords, you will find (not surprisingly) that passwords that were
longer than the 16 chars generate a totally different hash result! (Interesting
side-note: you could have told your users that their passwords were unchanged,
but that they had to stop after the 16th character -- and it would have worked!)
I hope this explains a few things!!
Dan
IT4SOHO, LLC
33 4th St N; STE 211
St. Petersburg, FL 33701
+1-877-IT4SOHO
+1-877-484-7646
For service requests, direct your email to serv...@it4soho.com
-----Original Message-----
From: Eric Broch <ebr...@whitehorsetc.com>
Sent: Friday, September 28, 2018 1:35 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: Fwd: Re: [qmailtoaster] centos 6
Thanks, Andy. Plain text password have been a part of qt for as long as I've
been using it. I understand you're concern. I'm not sure about the password
length issue, I don't remember ever changing (patching) vpopmail like that, but
I'll look into it.
On 9/27/2018 11:28 PM, Andrew Swartz wrote:
I recently did the backup/restore and I have one hiccup to report.
A few of the account passwords did not work after backup from centos5
and restore to centos7.
Took some time to troubleshoot, but I poked around in the vpopmail
database and figured it out. It was due to the vpopmail database
schema, which stores a 16 character password AND its hash. It allowed
[and worked with] passwords longer than 16 characters (I'm unsure how).
But after the backup/restore, all passwords longer than 16 characters
failed. Problem was fixed by resetting all of these passwords to new
ones with the proper length. Luckily there were not many like this.
But for a large system, this could be a major pain.
This seems like a bug. If the max password length is 16 characters,
then the set-password webpage should reject passwords that are too long.
Also, I'm not sure why it stores a plaintext password in addition to
its hash. The modern standard is to store only the hash. This is
potentially a major security problem.
-Andy
On 9/27/2018 8:57 PM, Tony White wrote:
Eric,
I now have a working v6 COS qmt, thank you for you help an patience.
Now the backup and restore...
best wishes
Tony White
On 28/09/18 14:43, Eric Broch wrote:
changed now
On 9/27/2018 10:41 PM, Tony White wrote:
Eric,
Yes I did run that command.
At stage 3 after manually starting qmail at the end of qt-install.
Stage 3
rpm -Uvh
ftp://ftp.qmailtoaster.com/pub/repo/qmt/CentOS/6/current/x86_64/qmt
-release-1-5.qt.el6.noarch.rpm
needs to be
rpm -Uvh
ftp://ftp.qmailtoaster.com/pub/repo/qmt/CentOS/6/current/x86_64/qmt
-release-1-6.qt.el6.noarch.rpm
best wishes
Tony White
.----------------. .----------------. .----------------.
| .--------------. || .--------------. || .--------------. |
| | ____ ____ | || | ______ | || | _______ | |
| | |_ _||_ _| | || | .' ___ | | || | / ___ | | |
| | \ \ / / | || | / .' \_| | || | | (__ \_| | |
| | \ \/ / | || | | | | || | '.___`-. | |
| | _| |_ | || | \ `.___.'\ | || | |`\____) | | |
| | |______| | || | `._____.' | || | |_______.' | |
| | | || | | || | | |
| '--------------' || '--------------' || '--------------' |
'----------------' '----------------' '----------------'
http://www.ycs.com.au
4 The Crescent
Yea
Victoria
Australia 3717
Telephone No's
VIC : 0418 515 717
Please note: YCS records all calls to better serve you.
IMPORTANT NOTICE
This communication including any file attachments is intended
solely for the use of the individual or entity to whom it is
addressed. If you are not the intended recipient, or the person
responsible for delivering this communication to the intended
recipient, please immediately notify the sender by email and delete
the original transmission and its contents. Any unauthorised use,
dissemination, forwarding, printing or copying of this communication including
file attachments is prohibited.
It is your responsibility to scan this communication including any
file attachments for viruses and other defects. To the extent
permitted by law, Yea Computing Services and its associates will
not be liable for any loss or damage arising in any way from this
communication including any file attachments.
You may not disclose this information to a third party without
written permission from the Author.
On 28/09/18 14:14, Eric Broch wrote:
Excellent!!! Glad to hear it.
On 9/27/2018 10:03 PM, Tony White wrote:
Eric,
Sorry I did not intend to email offlist.
I did a reply to sender not the list.
Apologies.
I have reset the VM to give me a blank minimal install again.
It has just finished qt-bootstrp-2 without error.
So far so good.
cheers.
On 28/09/18 13:53, Eric Broch wrote:
Tony, If you communicate off list you must whitelist my address
Tony,
I think (not sure why) you're still using the wrong bootstrap
scripts, my bootstrap's (below in red and green) do not use
'mirrors.qmailtoaster.com' but 'mirror2.qmailtoaster.com'
Irritatingly, this is because all the mirror maintainers dropped
the ball and didn't bother to let anyone know that they weren't
supporting QMT anymore. If this is a pre-existing machine
disable the qmailtoaster-current repo:
# yum install yum-utils && yum-config-manager --disable
qmailtoaster-current qmailtoaster-current-nodist
<qt-bootstrap-1>
#!/bin/bash
# Copyright (C) Eric Shubert <e...@datamatters.us> # # script to
do initial bootstrap processing (disable selinux, update
everything)
################################################################
######
# Change Log
# 12/26/13 written by Eric 'shubes' <e...@shubes.net>
################################################################
######
################################################################
######
# disable SELINUX
#
a2_disable_selinux(){
selinux_config=/etc/selinux/config
if [ ! -f "$selinux_config" ]; then
echo "$me - $seclinux_config not found"
exit 1
fi
echo "$me - disabling SELINUX ..."
sed -i$(date +%Y%m%d) -e "s|^SELINUX=.*$|SELINUX=disabled|"
$selinux_config
}
################################################################
######
# main routine begins here
#
me=${0##*/}
myver=v1.0
echo "$me - $myversion"
a2_disable_selinux
echo "$me - updating all packages (yum update) ..."
yum clean all
yum -y --nogpgcheck update
echo "$me - rebooting now..."
shutdown -r now
echo "$me - completed"
exit 0
</qt-bootstrap-1>
<qt-bootstrap-2>
#!/bin/bash
# Copyright (C) Eric Shubert <e...@datamatters.us> # # script to
do secondary bootstrap processing (install yum priorities, QMT
repo)
################################################################
######
# Change Log
# 12/26/13 written by Eric 'shubes' <e...@shubes.net>
################################################################
######
################################################################
######
# main routine begins here
#
me=${0##*/}
myver=v1.0
echo "$me - $myversion"
# install yum-priorities
echo "$me - installing yum-priorities (plugin) ..."
yum -y install yum-priorities
# install qmailtoaster-release
qmt_release_pkg=qmailtoaster-release-2.0-2.qt.nodist.noarch.rpm
echo "$me - installing $qmt_release_pkg (repo) ..."
rpm -ivh
http://mirror2.qmailtoaster.com/current/nodist/$qmt_release_pkg
# install qmailtoaster-util (scripts) echo "$me - installing
qmailtoaster-util (scripts) ..."
yum -y install --nogpgcheck qmailtoaster-util
echo "$me - completed"
exit 0
</qt-bootstrap-2>
On 9/27/2018 8:50 PM, Tony White wrote:
Eric,
Step one failed on .org...
[root@cos6-10-base ~]# curl
https://www.qmailtoaster.org/qt-bootstrap-1 >qt-bootstrap-1 &&
curl https://www.qmailtoaster.org/qt-bootstrap-2
qt-bootstrap-2
% Total % Received % Xferd Average Speed Time Time
Time Current
Dload Upload Total Spent
Left Speed
105 1050 105 1050 0 0 931 0 0:00:01 0:00:01
--:--:-- 4133
% Total % Received % Xferd Average Speed Time Time
Time Current
Dload Upload Total Spent
Left Speed
100 1004 100 1004 0 0 890 0 0:00:01 0:00:01
--:--:-- 3968
[root@cos6-10-base ~]# chmod 755 qt-bootstrap-*
[root@cos6-10-base ~]# ./qt-bootstrap-1
qt-bootstrap-1 -
qt-bootstrap-1 - disabling SELINUX ...
qt-bootstrap-1 - updating all packages (yum update) ...
Loaded plugins: fastestmirror, priorities Cleaning repos: base
extras qmailtoaster-current qmailtoaster-current-nodist updates
Cleaning up Everything Cleaning up list of fastest mirrors
Loaded plugins: fastestmirror, priorities Setting up Update
Process Determining fastest mirrors Could not retrieve
mirrorlist
http://mirrors.qmailtoaster.com/current/CentOS/mirror.list
error was
14: PYCURL ERROR 51 - "SSL: certificate subject name
'whitehorsetc.com' does not match target host name
'mirrors.qmailtoaster.com'"
Error: Cannot find a valid baseurl for repo:
qmailtoaster-current
qt-bootstrap-1 - rebooting now...
qt-bootstrap-1 - completed
[root@cos6-10-base ~]#
Broadcast message from root@cos6-10-base
(/dev/pts/0) at 12:49 ...
The system is going down for reboot NOW!
best wishes
Tony White
On 28/09/18 12:37, Eric Broch wrote:
Tony,
It is working, but...
I can tell by the download of
'qmailtoaster-release-2.0-1.qt.nodist.noarch.rpm' and the use
of 'mirrors.qmailtoaster.com' in the scripts that you're not
following the correct instructions.
I'm not sure whether the qmailtoaster.com website (mirrored)
has completely propagated or not.
Go to qmailtoaster.org and follow the instructions there.
Eric
On 9/27/2018 7:56 PM, Tony White wrote:
Hi Eric,
Sadly it is still not working...
The download of the
http://mirrors.qmailtoaster.com/current/nodist/qmailtoaster-r
elease-2.0-1.qt.nodist.noarch.rpm file will always fail due
to it kicking the connection up to https and not leaving it
as http.
Screen Dump...
--------------------------
[root@cos6-10-base ~]# sh qt-bootstrap-2
qt-bootstrap-2 -
qt-bootstrap-2 - installing yum-priorities (plugin) ...
Loaded plugins: fastestmirror Setting up Install Process
Loading mirror speeds from cached hostfile
* base: centos.mirror.digitalpacific.com.au
* extras: centos.mirror.digitalpacific.com.au
* updates: mirror.as24220.net Resolving Dependencies
--> Running transaction check
---> Package yum-plugin-priorities.noarch 0:1.1.30-42.el6_10
will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================
==================================================
Package Arch Version
Repository Size
=============================================================
==================================================
Installing:
yum-plugin-priorities noarch
1.1.30-42.el6_10 updates 28 k
Transaction Summary
=============================================================
==================================================
Install 1 Package(s)
Total download size: 28 k
Installed size: 28 k
Downloading Packages:
yum-plugin-priorities-1.1.30-42.el6_10.noarch.rpm
| 28 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing :
yum-plugin-priorities-1.1.30-42.el6_10.noarch
1/1
Verifying :
yum-plugin-priorities-1.1.30-42.el6_10.noarch
1/1
Installed:
yum-plugin-priorities.noarch
0:1.1.30-42.el6_10
Complete!
qt-bootstrap-2 - installing
qmailtoaster-release-2.0-1.qt.nodist.noarch.rpm (repo) ...
Retrieving
http://mirrors.qmailtoaster.com/current/nodist/qmailtoaster-r
elease-2.0-1.qt.nodist.noarch.rpm
curl: (51) SSL: certificate subject name 'monk13.stakehouse.io'
does not match target host name 'mirrors.qmailtoaster.com'
error: skipping
http://mirrors.qmailtoaster.com/current/nodist/qmailtoaster-r
elease-2.0-1.qt.nodist.noarch.rpm
- transfer failed
qt-bootstrap-2 - installing qmailtoaster-util (scripts) ...
Loaded plugins: fastestmirror, priorities Setting up Install
Process Loading mirror speeds from cached hostfile
* base: centos.mirror.digitalpacific.com.au
* extras: centos.mirror.digitalpacific.com.au
* updates: mirror.as24220.net No package qmailtoaster-util
available.
Error: Nothing to do
qt-bootstrap-2 - completed
best wishes
Tony White
On 27/09/18 10:24, Eric Broch wrote:
List,
There were problems with the installation of QMT on CentOS 6
as you'all well know since I tested last November (2017).
The problems existed primarily due to mirrors not being
maintained. I've fixed these problems...hopefully. If anyone
has issue please let me know so that they can be fixed.
--
Eric Broch
White Horse Technical Consulting (WHTC)
--
Eric Broch
White Horse Technical Consulting (WHTC)
--
Eric Broch
White Horse Technical Consulting (WHTC)
--
Eric Broch
White Horse Technical Consulting (WHTC)
--
Eric Broch
White Horse Technical Consulting (WHTC)
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
