is always a bit... tricky. Things that they thought would be blindingly obvious are, maybe, not so much. And systems that grew organically over time can appear to the jaundiced outsider's view as a bit, um, kludgy.
Well, that's the situation I find myself in today. I'm stepping into a "new to me" machine, with all the attendant issues. Let me describe the setup, and then ask the question(s).

The machine is running debian (sid), with postfix 2.5.5 delivering into local maildirs, courier imap and pop, mysql 5.0.75, maia/amavis mailguard, and cyrus-sasl2.2 for authentication (some of you probably already know where this is going). It hosts 30+ domains and acts as an mx-based spam-scrubber for quite a few more. And every customer-facing part of the machine (imap, pop, web logins for maia, smtp-auth) uses a patched version of sasl2 to use crypted passwords, stored in mysql. The previous admin grabbed a version of sasl a couple years ago, patched it, then 'pinned' the package so that it wouldn't upgrade. He's been running off of that ever since.

Well, I have the opportunity to rebuild this from scratch. I'll be moving all the services from this machine to another in the next couple of weeks, and so I have a really nice chance to clean up anything that needs cleaned, and do things the Right Way (tm). The only thing that I'm 100% stuck with is... the crypted passwords. I can't ask 400+ customers to either send me their old passwords or log in to some webpage and 'reset' their passwords. And I would *really* like to use something that's native to debian (or whatever) and not have to maintain a separate package with the checkpw.c patch.

What are my options? I don't have a lot of experience with dovecot (it's been a few years for me) and thus don't really know anything about its SASL implementation. Should I move away from SASL completely? Any suggestions (or requests for clarification) would be gratefully accepted.

Thanks!

David Bishop