It's not something I would do, but I thought others would cringe at removing them all.

On 10/3/2018 5:36 PM, Andrew Swartz wrote:
Eric,

I am missing something:  what is the utility of keeping the plaintext
passwords for any of the accounts if QMT is 100% functional without them?

I cringe when I use WebMin to click to view the vpopmail database and
literally scroll through cleartext passwords.


-Andy



On 10/3/2018 2:36 PM, Eric Broch wrote:
I guess that a couple of lines could be add to the script below to test
if the clear text password with the extracted salt match the hashed
password (see below). If so skip the user/domain entry. If not set clear
text password to 'null'

if [ $hashedpasswd != `openssl passwd -1 -salt $usersalt $userpasswd` ];
then

clear entry

fi

-EricB


On 10/3/2018 3:48 PM, Eric Broch wrote:
In the mean time, I've written a script to null the clear text pwd
field, look at it, TEST IT, add suggestions, and use at your own risk:

<clearpasswd>

IFS=$'\n'
pass=`cat pfile`
for domain in `echo "show tables" | mysql -u root -p$pass vpopmail |
grep -v dir_control | grep -v Tables_in_vpopmail | grep -v valias |
grep -v lastauth`
do
     for user in `echo "select pw_name from $domain" | mysql -u root
-p$pass vpopmail | grep -v pw_name`
     do
        clear=`echo "select pw_clear_passwd from $domain where
pw_name='$user'" | mysql -u root -p$pass vpopmail | grep -v
pw_clear_passwd`
        echo "$user:$domain:($clear)"
        # update $domain set pw_clear_passwd='' where pw_name ='$user';
        clear=`echo "select pw_clear_passwd from $domain where
pw_name='$user'" | mysql -u root -p$pass vpopmail | grep -v
pw_clear_passwd`
        echo "$user:$domain:($clear)"
        echo
"--------------------------------------------------------------------------"

     done
done

</clearpasswd>


Eric


On 10/3/2018 3:30 PM, Dan McAllister - QMT DNS wrote:
One more item -- I agree that the password hashing algorithm could
stand to be updated -- and there is NOT a backward compatibility
issue with updating our algorithms because the mechanism is CODED to
show which algorithm is used (the $1$ currently there, maybe a $6$ in
the future?)

However, we would need to check with the qmail code, as well as
DoveCot, to determine if they can support/recognize those other
algorithms.

Dan

-----Original Message-----
From: Eric Broch <ebr...@whitehorsetc.com>
Sent: Wednesday, October 3, 2018 4:34 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Passwords after backup/restore

The newer DoveCot IMAP server "appears" to be authenticating against
the cleartext password
It does. I checked the code.

I've submitted a question to the Dovecot mailing list concerning
this, that is, whether there is a configuration option to authorize
against the hash, or whether there is an option at compile or link
time to accomplish the same. It'd be nice to have a configuration
option, IMHO, that way no re-compilation would be necessary.


--
Eric Broch
White Horse Technical Consulting (WHTC)


---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

Reply via email to