> On Jan 25, 2017, at 1:09 AM, Alessio Cecchi <ales...@skye.it> wrote:
> 
> On 24/01/2017 23:29, @lbutlr wrote:
>> dovecot is set up on a system with MD5-CRYPT password scheme for all users,
>> and I would like to update this to something that is secure, probably
>> SSHA256-CRYPT, but I want to do this seamlessly without the users having to
>> jump through any hoops.
>>
>> The users are in mySQL (managed via postfixadmin) and the mailbox record
>> simply stores the hash in the password field. Users access their accounts
>> through IMAP MUAs or Roundcube.
>>
>> How would I set up my system so that if a user logs in and still has a $1$
>> password (MD5-CRYPT) their password will be encoded to the new SCHEME and
>> then the SQL row updated with the $5$ password instead? Something where they
>> are redirected after authentication to a page that forces them to re-enter
>> their password (or choose a new one) is acceptable.
>>
>> And, while I am here, is it worthwhile to set the -r flag to a large number
>> (like something over 100,000, which takes about 0.25 seconds to do on my
>> machine)?
>>
> Hi,
> 
> you can convert password scheme during the login:
> 
> http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes
Thanks, I started to look into that and got stopped on the first step

> userdb {
>   driver = prefetch
> }

If I set that and reload dovecot users cannot log in.

dovecot: auth: Fatal: userdb prefetch: No args are supported: /etc/dovecot/dovecot-sql.conf.ext
dovecot: master: Error: service(auth): command startup failed, throttling for 8 secs
dovecot: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 4 secs): user=<>,

# 2.2.27 (c0f36b0): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.3-RELEASE-p11 i386
auth_failure_delay = 5 secs
auth_mechanisms = PLAIN LOGIN
default_client_limit = 4096
default_process_limit = 1024
default_vsz_limit = 768 M
disable_plaintext_auth = no
first_valid_uid = 89
imap_id_log = *
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_log_format_elements = user=<%u> %r %m %c
mail_location = maildir:~/Maildir
mail_max_userip_connections = 90
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox NotJunk {
    auto = subscribe
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service imap-postlogin {
  executable = script-login /usr/local/etc/dovecot/afterlogin.sh
  user = $default_internal_user
}
ssl_cert = </usr/local/etc/dehydrated/certs/covisp.net/fullchain.pem
ssl_key =  # hidden, use -P to show it
ssl_protocols = !SSLv2 !SSLv3
userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  default_fields = uid=vpopmail gid=vchkpw mail_location=/usr/local/virtual/%u mail=maildir:/usr/local/virtual/%u
  driver = sql
}

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
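The login-time rehash the thread is asking about, written out as an added example; it is not part of the mailing-list posts, of the poster's afterlogin.sh, or of the Dovecot wiki page linked above. It is a `script-login` hook of the kind the `imap-postlogin` service in the config already runs, and it assumes a postfixadmin-style `mailbox` table with `username` and `password` columns, a `[client]` credentials file for the mysql client, and that Dovecot hands userdb extra fields to post-login scripts as uppercased environment variables (`userdb_plain_pass` becomes `PLAIN_PASS`). The `prefetch` userdb driver refuses any `args`, which is exactly what the `Fatal` line above reports; with prefetch, the uid, gid and mail location that the SQL userdb currently supplies via `default_fields` have to be returned by `password_query` as `userdb_`-prefixed columns instead, while the SQL userdb stays in place for deliveries and `doveadm` lookups that never pass through a passdb. The `%w` variable (the plaintext password, available only for the PLAIN/LOGIN mechanisms in use here) is what makes rehashing possible without asking the user for the password again.

```shell
#!/bin/sh
# afterlogin-rehash.sh (added example, not the poster's afterlogin.sh):
# Dovecot script-login hook that re-hashes a user's MD5-CRYPT ($1$) password
# to SHA256-CRYPT after a successful login, using the plaintext password
# Dovecot has just verified.
#
# Assumed dovecot-sql.conf.ext (table and column names follow postfixadmin's
# mailbox table; they are assumptions, not taken from the thread):
#
#   password_query = SELECT username AS user, password, \
#       '%w' AS userdb_plain_pass, password AS userdb_stored_hash, \
#       'vpopmail' AS userdb_uid, 'vchkpw' AS userdb_gid, \
#       '/usr/local/virtual/%u' AS userdb_home, \
#       'maildir:/usr/local/virtual/%u' AS userdb_mail \
#     FROM mailbox WHERE username = '%u' AND active = '1'
#
# Assumed dovecot.conf changes: a prefetch userdb with no args (the driver
# rejects any), the SQL userdb kept after it for LDA/doveadm lookups, and
# this script as the post-login executable:
#
#   userdb { driver = prefetch }
#   userdb { driver = sql  args = /etc/dovecot/dovecot-sql.conf.ext }
#   service imap-postlogin {
#     executable = script-login /usr/local/etc/dovecot/afterlogin-rehash.sh
#     user = $default_internal_user
#   }

NEW_SCHEME=SHA256-CRYPT
ROUNDS=100000                                   # ~0.25 s per hash on the poster's machine
MYSQL_CNF=/usr/local/etc/dovecot/pw-migrate.cnf # assumed [client] credentials file, mode 0400

# needs_rehash HASH: true when HASH is an MD5-CRYPT hash, bare or with the
# {MD5-CRYPT} scheme prefix
needs_rehash() {
    case "$1" in
        '$1$'*|'{MD5-CRYPT}$1$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# sql_escape STRING: double single quotes so STRING is safe inside a '...' literal
sql_escape() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# build_update USER NEWHASH OLDHASH: the WHERE clause on OLDHASH makes the
# write a compare-and-swap, so two concurrent first logins cannot overwrite
# each other's result
build_update() {
    printf "UPDATE mailbox SET password='%s' WHERE username='%s' AND password='%s';" \
        "$(sql_escape "$2")" "$(sql_escape "$1")" "$(sql_escape "$3")"
}

# PLAIN_PASS, STORED_HASH and USER arrive from the userdb_* fields above
# (assumption: Dovecot uppercases userdb extra fields into the environment)
if [ -n "$PLAIN_PASS" ] && needs_rehash "$STORED_HASH"; then
    # doveadm prints the hash with its {SHA256-CRYPT} prefix, so the updated
    # row no longer depends on default_pass_scheme = MD5-CRYPT in the sql conf
    new_hash=$(doveadm pw -s "$NEW_SCHEME" -r "$ROUNDS" -p "$PLAIN_PASS") \
        && mysql --defaults-extra-file="$MYSQL_CNF" \
               -e "$(build_update "$USER" "$new_hash" "$STORED_HASH")"
fi

# never hand the plaintext password on to the imap process
unset PLAIN_PASS STORED_HASH
[ $# -eq 0 ] || exec "$@"
```

Store what `doveadm pw` prints unchanged: the `{SHA256-CRYPT}` prefix is what lets `$1$` rows and `$5$` rows share one column while `default_pass_scheme` stays `MD5-CRYPT` for the rows not yet converted. Two things to check before enabling it: `auth_debug_passwords` would log the `%w` field, so keep it off, and `doveadm pw -p` puts the password in the process argument list for the fraction of a second the hash takes, which other local users can read unless FreeBSD's `security.bsd.see_other_uids` is 0. Users authenticated by the `pam` passdb listed first in the config never reach the SQL passdb, so they get no `PLAIN_PASS` and the script leaves them alone. On the `-r` question: the round count is recorded in the hash itself (`$5$rounds=100000$...`), so it is only fixed at write time and can be raised for later rewrites; the cost to weigh against it is that IMAP clients reconnect and re-authenticate constantly, and each of those logins pays the full 0.25 s on the auth process.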