> On Jan 25, 2017, at 2:46 AM, Steffen Kaiser <skdove...@smail.inf.fh-brs.de> 
> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Wed, 25 Jan 2017, @lbutlr wrote:
>>> On Jan 25, 2017, at 1:09 AM, Alessio Cecchi <ales...@skye.it> wrote:
>>> 
>>> Il 24/01/2017 23:29, @lbutlr ha scritto:
>>>> dovecot is set up on a system with MD5-CRYPT password scheme for all users, 
>>>> and I would like to update this to something that is secure, probably 
>>>> SSHA256-CRYPT, but I want to do this seamlessly without the users having 
>>>> to jump through any hoops.
>>>> 
>>>> The users are in mySQL (managed via postfixadmin) and the mailbox record 
>>>> simply stores the hash in the password field. Users access their accounts 
>>>> through IMAP MUAs or Roundcube.
>>>> 
>>>> How would I set up my system so that if a user logs in and still has a $1$ 
>>>> password (MD5-CRYPT) their password will be encoded to the new SCHEME and 
>>>> then the SQL row updated with the $5$ password instead? Something where 
>>>> they are redirected after authentication to a page that forces them to 
>>>> re-enter their password (or choose a new one) is acceptable.
>>>> 
>>>> And, while I am here, is it worthwhile to set the -r flag to a large 
>>>> number (like something over 100,000, which takes about 0.25 seconds to 
>>>> do on my machine)?
>>>> 
>>> Hi,
>>> 
>>> you can convert password scheme during the login:
>>> 
>>> http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes
>> 
>> Thanks, I started to look into that and got stopped on the first step.
>> 
>>> userdb {
>>>  driver = prefetch
>>> }
>> 
>> If I set that and reload dovecot users cannot login.
>> 
>> dovecot: auth: Fatal: userdb prefetch: No args are supported: 
>> /etc/dovecot/dovecot-sql.conf.ext
>> dovecot: master: Error: service(auth): command startup failed, throttling 
>> for 8 secs
>> dovecot: imap-login: Disconnected: Auth process broken (disconnected before 
>> auth was ready, waited 4 secs): user=<>,
> 
> I don't see any prefetch in your config.

No, when I changed userdb { driver = passwd } to prefetch everything failed, so 
I changed it back immediately so people could login. That was the first step on 
the page and I couldn’t get past it.

> The error may indicate that you replaced driver = sql by driver = prefetch, 
> which is wrong.

driver = sql is in the imap/sql section. The one I tried changing was the bare 
userdb declaration that just said driver = passwd.

I guess I need to ADD another userdb declaration for the prefetch.

Does the order in the file matter? I have local users stuff first and then the 
sql stuff later, but I’m not sure if that matters.


> http://wiki2.dovecot.org/UserDatabase/Prefetch
> 
> The idea described on the Wiki page is:
> 
> During login, most often the same data is collected from the passdb as later 
> from the userdb, therefore you can collect *all* information you would 
> retrieve from userdb { } within passdb queries (that's why the home as 
> userdb_home, uid as userdb_uid, gid as userdb_gid, '%w' as userdb_plain_pass 
> entries; the prefix userdb_ indicates that data) and store it for later use 
> by the prefetch database.
> 
> That's why the prefetch userdb has to precede the other ones, because if the 
> passdb query filled in the values, the later userdb entries are ignored.

So place it first (or at least before all the sql stuff)?

> You've noticed the '%w' as userdb_plain_pass? That stores the plain password 
> (if any) to the virtual prefetch userdb entry as field plain_pass.

OK.

> Now, you are using two passdbs. The PAM passdb won't support this method, I 
> guess.

No, I’m not expecting it to. The local users are mostly my admin accounts and I 
can just change the passwords on those manually without an issue.

I’ll keep at it. Thanks.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
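The conversion the thread is circling around has two halves: Dovecot authenticates the user against the old $1$ (MD5-CRYPT) hash and hands the plaintext to a post-login step via '%w' as userdb_plain_pass, and that step rewrites the SQL row with a $5$ (SHA256-CRYPT) hash. The following is an added example, not code from the thread, the Dovecot wiki or Dovecot itself. It implements the $5$ algorithm from the SHA-crypt specification in pure Python (the stdlib crypt module was removed in Python 3.13, so nothing standard is left to call), parses and verifies stored $5$ strings, and shows the upgrade decision made on the stored hash's prefix. Assumed throughout: the stored value is the bare crypt string as it sits in the SQL password column (no {SCHEME} label), Dovecot has already verified plain_password against the legacy hash before upgrade_if_legacy runs, and the rounds parameter maps to doveadm's -r. The function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# crypt(3)'s base64 alphabet, low 6 bits first (not RFC 4648 base64)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000  # what the spec uses when no rounds= is given


def _b64_3(b2, b1, b0, n):
    """Encode three bytes as n crypt-base64 characters."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += ITOA64[w & 0x3F]
        w >>= 6
    return out


def sha256_crypt(password, salt, rounds=None):
    """SHA256-CRYPT ($5$) per Drepper's SHA-crypt specification."""
    pw = password.encode()
    rounds_custom = rounds is not None
    r = min(max(rounds if rounds_custom else DEFAULT_ROUNDS, 1000), 999_999_999)
    salt = salt[:16]  # the spec caps the salt at 16 characters
    sb = salt.encode()

    b = hashlib.sha256(pw + sb + pw).digest()          # digest B
    a = hashlib.sha256(pw + sb)                        # digest A: pw, salt, ...
    a.update(b * (len(pw) // 32) + b[: len(pw) % 32])  # ... B for each pw byte, ...
    n = len(pw)
    while n:                                           # ... B or pw per bit of len(pw)
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()

    dp = hashlib.sha256(pw * len(pw)).digest()
    p = (dp * (len(pw) // 32 + 1))[: len(pw)]          # P: DP stretched to pw length
    ds = hashlib.sha256(sb * (16 + a[0])).digest()
    s = (ds * (len(sb) // 32 + 1))[: len(sb)]          # S: DS stretched to salt length

    c = a
    for i in range(r):                                 # the cost knob: r sequential rounds
        h = hashlib.sha256(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    # the spec's fixed byte permutation for the output encoding
    order = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
             (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
    enc = "".join(_b64_3(c[x], c[y], c[z], 4) for x, y, z in order)
    enc += _b64_3(0, c[31], c[30], 3)
    prefix = "$5$" + (f"rounds={r}$" if rounds_custom else "")
    return prefix + salt + "$" + enc


def parse_sha256_crypt(stored):
    """Split '$5$[rounds=N$]salt$hash' into (rounds or None, salt)."""
    if not stored.startswith("$5$"):
        raise ValueError("not a SHA256-CRYPT hash")
    parts = stored[3:].split("$")
    rounds = None
    if parts[0].startswith("rounds="):
        rounds = int(parts[0][len("rounds="):])
        parts = parts[1:]
    return rounds, parts[0]


def verify(password, stored):
    """Recompute with the stored salt/rounds and compare in constant time."""
    rounds, salt = parse_sha256_crypt(stored)
    return hmac.compare_digest(sha256_crypt(password, salt, rounds), stored)


def new_hash(password, rounds=100_000):
    """Fresh $5$ hash with a random 16-character salt (rounds ~ doveadm pw -r)."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(16))
    return sha256_crypt(password, salt, rounds)


def upgrade_if_legacy(stored, plain_password, rounds=100_000):
    """Replacement $5$ hash if the row still holds MD5-CRYPT ($1$), else None.

    Assumption (hypothetical glue, not Dovecot's): the caller is the post-login
    step, plain_password is the %w / userdb_plain_pass value, and Dovecot has
    already authenticated it against `stored`. MD5-CRYPT is not re-verified.
    """
    if stored.startswith("$1$"):
        return new_hash(plain_password, rounds)
    return None


if __name__ == "__main__":
    # constructed sample row: a legacy $1$ hash as the SQL password column might hold it
    legacy = "$1$constructed$placeholderhashvalue"
    print(upgrade_if_legacy(legacy, "correct horse", rounds=1000))
```

Two points worth taking from this when deciding on -r: the rounds value is embedded in the hash string itself (rounds=100000$...), so Dovecot pays the same cost on every later verification that doveadm pw paid once, and the pure-Python loop above runs far slower than the C implementation behind doveadm or libc, so it is not the right tool for measuring the 0.25 seconds mentioned in the question.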
