> On Jan 25, 2017, at 2:46 AM, Steffen Kaiser <skdove...@smail.inf.fh-brs.de> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, 25 Jan 2017, @lbutlr wrote:
>>> On Jan 25, 2017, at 1:09 AM, Alessio Cecchi <ales...@skye.it> wrote:
>>>
>>> On 24/01/2017 23:29, @lbutlr wrote:
>>>> dovecot is set up on a system with MD5-CRYPT password scheme for all users,
>>>> and I would like to update this to something that is secure, probably
>>>> SSHA256-CRYPT, but I want to do this seamlessly without the users having
>>>> to jump through any hoops.
>>>>
>>>> The users are in mySQL (managed via postfixadmin) and the mailbox record
>>>> simply stores the hash in the password field. Users access their accounts
>>>> through IMAP MUAs or Roundcube.
>>>>
>>>> How would I set up my system so that if a user logs in and still has a $1$
>>>> password (MD5-CRYPT) their password will be encoded to the new SCHEME and
>>>> then the SQL row updated with the $5$ password instead? Something where
>>>> they are redirected after authentication to a page that forces them to
>>>> re-enter their password (or choose a new one) is acceptable.
>>>>
>>>> And, while I am here, is it worthwhile to set the -r flag to a large
>>>> number (like something over 100,000, which takes about 0.25 seconds to
>>>> do on my machine)?
>>>>
>>> Hi,
>>>
>>> you can convert the password scheme during the login:
>>>
>>> http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes
>>
>> Thanks, I started to look into that and got stopped on the first step
>>
>>> userdb {
>>>   driver = prefetch
>>> }
>>
>> If I set that and reload dovecot, users cannot login.
>>
>> dovecot: auth: Fatal: userdb prefetch: No args are supported:
>> /etc/dovecot/dovecot-sql.conf.ext
>> dovecot: master: Error: service(auth): command startup failed, throttling
>> for 8 secs
>> dovecot: imap-login: Disconnected: Auth process broken (disconnected before
>> auth was ready, waited 4 secs): user=<>,
>
> I don't see any prefetch in your config.

No, when I changed userdb { driver = passwd } to prefetch everything failed, so I changed it back immediately so people could login. That was the first step on the page and I couldn't get past it.

> The error may indicate that you replaced driver = sql by driver = prefetch,
> which is wrong.

driver = sql is in the imap/sql section. The one I tried changing was the bare userdb declaration that just said driver = passwd. I guess I need to ADD another userdb declaration for the prefetch. Does the order in the file matter? I have the local users stuff first and then the sql stuff later, but I'm not sure if that matters.

> http://wiki2.dovecot.org/UserDatabase/Prefetch
>
> The idea described on the Wiki page is:
>
> During login, most often the same data is collected from the passdb as later
> from the userdb, therefore you can collect *all* information you would
> retrieve from userdb { } within passdb queries (that's why the home as
> userdb_home, uid as userdb_uid, gid as userdb_gid, '%w' as userdb_plain_pass
> entries; the prefix userdb_ indicates that data) and store it for later use
> by the prefetch database.
>
> That's why the prefetch userdb has to precede the other ones, because if the
> passdb query filled in the values, the later userdb entries are ignored.

So place it first (or at least before all the sql stuff)?

> You've noticed the '%w' as userdb_plain_pass? That stores the plain password
> (if any) to the virtual prefetch userdb entry as field plain_pass.

OK.

> Now, you are using two passdb's. The PAM passdb won't support this method, I
> guess.

No, I'm not expecting it to. The local users are mostly my admin accounts and I can just change the passwords on those manually without an issue.

I'll keep at it. Thanks.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
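The conversion step the thread is circling (the plaintext is available after login via `userdb_plain_pass`, the row still holds a `$1$` hash, so re-hash it and update the SQL row) written out as an added example. This is not code from the thread, the Dovecot wiki page, or the Dovecot project: it implements the `$1$` (MD5-CRYPT) and `$5$` (SHA256-CRYPT, with `rounds=`) formats on `hashlib` following the glibc `crypt(3)` conventions, so a practitioner can see what the `-r` rounds value actually scales and how an upgrade-on-login check is gated. The `mailbox(username, password)` table layout, the sqlite database standing in for MySQL, the sample user and the salts are constructed for the demo and are assumptions, not anything from the page.

```python
import hashlib
import secrets
import sqlite3

_B64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # crypt(3) alphabet


def _b64_24bit(b2, b1, b0, n):
    """crypt(3) base64: n 6-bit chars, low bits first, from one 24-bit word."""
    w, out = (b2 << 16) | (b1 << 8) | b0, bytearray()
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return bytes(out)


def _repeat_to(block, length):
    # whole copies of a digest, then a prefix, to exactly `length` bytes
    return block * (length // len(block)) + block[: length % len(block)]


def md5_crypt(password: bytes, salt: bytes) -> str:
    """The $1$ scheme (Dovecot MD5-CRYPT): fixed 1000 rounds, no cost parameter."""
    salt = salt[:8]
    final = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    ctx.update(_repeat_to(final, len(password)))
    i = len(password)
    while i:  # one byte per bit of len(password): NUL for a 1 bit, pw[0] for a 0 bit
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # the round schedule, with empty bytes standing for "skip"
        c = hashlib.md5(password if i & 1 else final)
        c.update((salt if i % 3 else b"") + (password if i % 7 else b"") + (final if i & 1 else password))
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = b"".join(_b64_24bit(final[x], final[y], final[z], 4) for x, y, z in order)
    return (b"$1$" + salt + b"$" + enc + _b64_24bit(0, 0, final[11], 2)).decode()


def sha256_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """The $5$ scheme (Dovecot SHA256-CRYPT); `rounds` is what doveadm pw -r sets."""
    salt, rounds = salt[:16], max(1000, min(rounds, 999_999_999))
    b = hashlib.sha256(password + salt + password).digest()
    a = hashlib.sha256(password + salt)
    a.update(_repeat_to(b, len(password)))
    i = len(password)
    while i:  # per bit of len(password): digest B for a 1 bit, the password for a 0 bit
        a.update(b if i & 1 else password)
        i >>= 1
    digest = a.digest()
    p = _repeat_to(hashlib.sha256(password * len(password)).digest(), len(password))
    s = _repeat_to(hashlib.sha256(salt * (16 + digest[0])).digest(), len(salt))
    for i in range(rounds):  # the only loop the cost parameter scales
        c = hashlib.sha256(p if i & 1 else digest)
        c.update((s if i % 3 else b"") + (p if i % 7 else b"") + (digest if i & 1 else p))
        digest = c.digest()
    order = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
             (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
    enc = b"".join(_b64_24bit(digest[x], digest[y], digest[z], 4) for x, y, z in order)
    enc += _b64_24bit(0, digest[31], digest[30], 3)
    prefix = b"$5$" + (b"rounds=%d$" % rounds if rounds != 5000 else b"")
    return (prefix + salt + b"$" + enc).decode()


def verify(stored: str, password: bytes) -> bool:
    """Recompute with the stored salt/rounds; compare the hash field in constant time."""
    parts = stored.split("$")  # ['', scheme, [rounds=N,] salt, hash]
    if parts[1] == "1":
        candidate = md5_crypt(password, parts[2].encode())
    elif parts[1] == "5":
        rounds = int(parts.pop(2)[7:]) if parts[2].startswith("rounds=") else 5000
        candidate = sha256_crypt(password, parts[2].encode(), rounds)
    else:
        return False
    return secrets.compare_digest(candidate.rsplit("$", 1)[1], parts[-1])


def upgrade_on_login(conn, username: str, plaintext: bytes, rounds: int = 100_000):
    """Post-login step: rewrite a verified $1$ row with a fresh salted $5$ hash; returns it or None."""
    row = conn.execute("SELECT password FROM mailbox WHERE username = ?", (username,)).fetchone()
    if row is None or not row[0].startswith("$1$") or not verify(row[0], plaintext):
        return None
    new_hash = sha256_crypt(plaintext, bytes(secrets.choice(_B64) for _ in range(16)), rounds)
    conn.execute("UPDATE mailbox SET password = ? WHERE username = ?", (new_hash, username))
    conn.commit()
    return new_hash


def demo(rounds: int = 100_000):
    conn = sqlite3.connect(":memory:")  # sqlite stands in for MySQL; the row below is constructed
    conn.execute("CREATE TABLE mailbox (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO mailbox VALUES ('alice@example.com', ?)",
                 (md5_crypt(b"correct horse", b"saltsalt"),))
    wrong = upgrade_on_login(conn, "alice@example.com", b"wrong password", rounds)
    new_hash = upgrade_on_login(conn, "alice@example.com", b"correct horse", rounds)
    again = upgrade_on_login(conn, "alice@example.com", b"correct horse", rounds)
    return wrong, new_hash, again, conn.execute("SELECT password FROM mailbox").fetchone()[0]
```

`demo()` shows the gate that matters in a post-login hook: a wrong plaintext never touches the row, a correct one rewrites it once, and a later login against the `$5$` row is a no-op. The `for i in range(rounds)` loop in `sha256_crypt` is exactly what the `-r` value from the original question scales, so the ~0.25 s measured for 100,000 rounds is paid once per login on the server and on every guess by anyone who obtains the table; MD5-CRYPT has no such knob, which is the reason to move off it. Because the old hash cannot be converted without the plaintext, each account migrates only on its next successful login, so MD5-CRYPT must stay accepted until a `SELECT ... WHERE password LIKE '$1$%'` comes back empty, and the remaining rows are the ones to follow up on.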