Eric, I am missing something: what is the utility of keeping the plaintext passwords for any of the accounts if QMT is 100% functional without them?
I cringe when I use WebMin to click to view the vpopmail database and literally scroll through cleartext passwords.

-Andy

On 10/3/2018 2:36 PM, Eric Broch wrote:
> I guess that a couple of lines could be added to the script below to test
> if the clear text password with the extracted salt match the hashed
> password (see below). If so skip the user/domain entry. If not set clear
> text password to 'null'
>
> if [ $hashedpasswd != `openssl passwd -1 -salt $usersalt $userpasswd` ];
> then
>
> clear entry
>
> fi
>
> -EricB
>
>
> On 10/3/2018 3:48 PM, Eric Broch wrote:
>> In the meantime, I've written a script to null the clear text pwd
>> field, look at it, TEST IT, add suggestions, and use at your own risk:
>>
>> <clearpasswd>
>>
>> IFS=$'\n'
>> pass=`cat pfile`
>> for domain in `echo "show tables" | mysql -u root -p$pass vpopmail | grep -v dir_control | grep -v Tables_in_vpopmail | grep -v valias | grep -v lastauth`
>> do
>>    for user in `echo "select pw_name from $domain" | mysql -u root -p$pass vpopmail | grep -v pw_name`
>>    do
>>       clear=`echo "select pw_clear_passwd from $domain where pw_name='$user'" | mysql -u root -p$pass vpopmail | grep -v pw_clear_passwd`
>>       echo "$user:$domain:($clear)"
>>       # update $domain set pw_clear_passwd='' where pw_name ='$user';
>>       clear=`echo "select pw_clear_passwd from $domain where pw_name='$user'" | mysql -u root -p$pass vpopmail | grep -v pw_clear_passwd`
>>       echo "$user:$domain:($clear)"
>>       echo "--------------------------------------------------------------------------"
>>    done
>> done
>>
>> </clearpasswd>
>>
>>
>> Eric
>>
>>
>> On 10/3/2018 3:30 PM, Dan McAllister - QMT DNS wrote:
>>> One more item -- I agree that the password hashing algorithm could
>>> stand to be updated -- and there is NOT a backward compatibility
>>> issue with updating our algorithms because the mechanism is CODED to
>>> show which algorithm is used (the $1$ currently there, maybe a $6$ in
>>> the future?)
>>>
>>> However, we would need to check with the qmail code, as well as
>>> DoveCot, to determine if they can support/recognize those other
>>> algorithms.
>>>
>>> Dan
>>>
>>> -----Original Message-----
>>> From: Eric Broch <ebr...@whitehorsetc.com>
>>> Sent: Wednesday, October 3, 2018 4:34 PM
>>> To: firstname.lastname@example.org
>>> Subject: Re: [qmailtoaster] Passwords after backup/restore
>>>
>>>> The newer DoveCot IMAP server "appears" to be authenticating against
>>>> the cleartext password
>>> It does. I checked the code.
>>>
>>> I've submitted a question to the Dovecot mailing list concerning
>>> this, that is, whether there is a configuration option to authorize
>>> against the hash, or whether there is an option at compile or link
>>> time to accomplish the same. It'd be nice to have a configuration
>>> option, IMHO, that way no re-compilation would be necessary.
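The per-row test described in the thread (recompute the hash from the cleartext with the stored salt, skip on a match, null the cleartext on a mismatch), as an added example that is not part of the thread and not Eric's script. The function names `crypt_field` and `check_row`, the verdict strings and the demo values are assumptions; the cleartext is fed to `openssl passwd` with `-stdin` rather than as the positional argument used in the quoted one-liner, and the scheme id is read from the hash prefix (`$1$`, `$6$`) mentioned by Dan.

```bash
#!/usr/bin/env bash
# Added example: per-row test of a cleartext column against a crypt(3) hash.

# Print field N of a modular-crypt string "$id$salt$digest":
# field 2 is the scheme id ("1" = MD5-crypt, "6" = SHA-512-crypt), field 3 the salt.
crypt_field() {
    printf '%s\n' "$1" | cut -d'$' -f"$2"
}

# check_row HASH CLEAR prints one verdict (verdict names are assumptions):
#   skip     cleartext reproduces the hash, entry is left alone
#   clear    cleartext does not reproduce the hash, candidate for nulling
#   unknown  nothing to test, unsupported format, or openssl missing/failed
check_row() {
    cr_hash=$1
    cr_clear=$2
    [ -n "$cr_clear" ] || { echo unknown; return 0; }
    case "$cr_hash" in '$'*) ;; *) echo unknown; return 0 ;; esac
    cr_id=$(crypt_field "$cr_hash" 2)
    cr_salt=$(crypt_field "$cr_hash" 3)
    case "$cr_id" in 1|5|6) ;; *) echo unknown; return 0 ;; esac
    case "$cr_salt" in ''|rounds=*) echo unknown; return 0 ;; esac
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    # -stdin keeps the cleartext out of the process list.
    cr_calc=$(printf '%s\n' "$cr_clear" |
        openssl passwd "-$cr_id" -salt "$cr_salt" -stdin 2>/dev/null) ||
        { echo unknown; return 0; }
    # A failed or empty computation must never be read as a mismatch.
    [ -n "$cr_calc" ] || { echo unknown; return 0; }
    if [ "$cr_calc" = "$cr_hash" ]; then echo skip; else echo clear; fi
}

# Constructed demo (not real data): hash generated here from "s3cret".
if command -v openssl >/dev/null 2>&1; then
    demo_hash=$(printf 's3cret\n' | openssl passwd -1 -salt Ab3dEf9h -stdin)
    for demo_clear in s3cret stale-password; do
        printf '%s -> %s\n' "$demo_clear" "$(check_row "$demo_hash" "$demo_clear")"
    done
fi
```

Only a `clear` verdict marks a row for the update; `unknown` rows are left for manual review, so a missing or outdated `openssl` cannot cause a column to be wiped.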