I have an email server set up on Debian Lenny with Postfix, Dovecot, SASL and MySQL.

Currently, the password scheme in my dovecot-sql.conf file is set to: CRYPT

default_pass_scheme = CRYPT

I would like to globally change the scheme to something stronger like SSHA, or MD5-CRYPT and re-hash all passwords with SSHA. What is the best way to do this?

The Dovecot wiki mentions how passwords that don't follow the default scheme defined in dovecot-sql.conf can be prefixed with "{ssha}password", but I couldn't see anything regarding changing an already-existing scheme to a new one for all passwords that are already in the database.

Thanks for your help!

deb_lrnr

1 Answer

I'm not entirely sure dovecot alone can manage this. Since the existing passwords are crypted, you can't simply convert them to a different format since you have no idea what the password is. If you have a password expiration/change mechanism then you should be able to update the hash at that point. If you were using PAM for authentication there's almost certainly some kind of "rehash" module that would re-hash the password to a different algorithm after successfully matching it to the old hash.

Note that the "crypt" scheme in dovecot uses the crypt() function which supports the Modular Crypt Format, meaning that it can recognize several different hash algorithms as long as they're formatted properly.

DerfK
  • I actually do know the passwords. This is a personal server used for testing (learning) with 3 email accounts. One thing I am thinking is: change the default scheme to SSHA and then change my passwords via – deb_lrnr Dec 30 '10 at 19:17
  • The new ones should be SSHA-hashed. I think anyways. Thanks for your comment! – deb_lrnr Dec 30 '10 at 19:19
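
The rehash-after-successful-match idea from the answer, combined with the per-row "{SSHA}" prefix mentioned in the question, as an added example (not code from the thread or from Dovecot). Assumptions: the `users` dict stands in for the MySQL password column, `fake_crypt_verify` and its `LEGACY` table are constructed stand-ins for a real crypt() check, and the SSHA value is laid out as base64(SHA1(password + salt) + salt).

```python
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    """Build a '{SSHA}' value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def split_scheme(stored, default="CRYPT"):
    """Split '{SCHEME}hash' into (SCHEME, hash); no prefix means the default scheme."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, body = stored[1:].partition("}")
        return scheme.upper(), body
    return default, stored

def ssha_verify(password, body):
    try:
        raw = base64.b64decode(body)
    except ValueError:              # malformed base64 in the stored value
        return False
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, the rest is salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

# Constructed sample data: maps a placeholder legacy hash to its password so the
# example runs offline. A real deployment would call crypt() here instead.
LEGACY = {"legacyhash1": "correct horse"}
def fake_crypt_verify(password, body):
    return LEGACY.get(body) == password

def login(users, name, password, verify_crypt):
    """Check the password; on a legacy CRYPT match, replace the row with {SSHA}."""
    stored = users.get(name)
    if stored is None:
        return False
    scheme, body = split_scheme(stored)
    if scheme == "SSHA":
        return ssha_verify(password, body)
    if scheme == "CRYPT" and verify_crypt(password, body):
        users[name] = ssha_hash(password)   # upgrade while the plaintext is in hand
        return True
    return False
```

Rows that have not been upgraded keep working through the unprefixed default scheme, so the two formats can coexist in the same column until every account has logged in once.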