Dovecot/Coverting MD5 to SSHA256 passwords: Unterschied zwischen den Versionen
< Dovecot
Zur Navigation springen
Zur Suche springen
K (x) |
K (x) |
||
Zeile 1: | Zeile 1: | ||
done in dovecot via PostLoginScript, see http://wiki2.dovecot.org/PostLoginScripting and http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes<br> | done in dovecot via PostLoginScript, see http://wiki2.dovecot.org/PostLoginScripting and http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes<br> | ||
add a new field newpw in our database<br> | add a new field newpw in our database<br> | ||
<br> | |||
<source lang="bash"> | |||
#conf.d/20-imap.conf | |||
<source lang="bash">... | ... | ||
#http://wiki2.dovecot.org/PostLoginScripting | #http://wiki2.dovecot.org/PostLoginScripting | ||
Zeile 25: | Zeile 25: | ||
unix_listener imap-postlogin { | unix_listener imap-postlogin { | ||
} | } | ||
}</source><br> | }</source><br> | ||
<br> | |||
<br> <source lang="bash"> | |||
#conf.d/20-pop3.conf | |||
... | |||
# insert these lines so dovecot uses our scripts | |||
service pop3 { | service pop3 { | ||
executable = pop3 pop3-postlogin | executable = pop3 pop3-postlogin | ||
Zeile 41: | Zeile 43: | ||
} | } | ||
} | } | ||
# end insert</source> | # end insert</source> | ||
<br> | |||
increase limit or you will get errors | |||
<source lang="bash"> | |||
#dovecot.conf | |||
default_vsz_limit = 512M</source> | |||
<br> | |||
<br> <source lang="bash"> | |||
#dovecot-sql.conf | |||
... | |||
# update your password_query so it will look at the new field | |||
# AND add a %w field in the queury so we have the plain password in our Enviroment | |||
password_query = /* dovecot-sql.conf password_query */ \ | |||
SELECT '/srv/vmail/%d/%n' AS userdb_home, 'maildir:~/Maildir' AS userdb_mail, 112 AS userdb_uid, 119 AS userdb_gid, \ | |||
CONCAT('*:bytes=', CAST(m.quota AS CHAR)) AS userdb_quota_rule, \ | |||
CONCAT(m.local_part, '@', d.name) AS user,'%w' as userdb_plain_pass, m.password AS password \ | |||
FROM mailboxes AS m LEFT JOIN domains AS d ON m.domain_id = d.id \ | |||
WHERE m.local_part = '%n' AND d.name = '%d' AND m.is_active AND d.is_active</source> | |||
<br> | |||
As of now each user which connects through POP/IMAP will convert their password to SSHA256. | |||
If you look at the database you will see for example {SSHA256}fb0e7f39c88c1d7017169f7f6b9cd6977d1e3291149382b90da4a390a31e81bab3cdced8 instead off {CRYPT}$1$.gvrgDqc$Slvoapz5zkpVmmJAxi.0k1 | |||
< | When every record is updated you can update dovecot.conf (remove the extra lines), and dovecot-sql (remove the %w-part). <br> | ||
<br> | <br> | ||
== Scripts<br> == | == Scripts<br> == | ||
/etc/dovecot/loginafter.sh<br> | /etc/dovecot/loginafter.sh<br> | ||
<source lang="bash">#!/bin/sh | <source lang="bash">#!/bin/sh | ||
/etc/dovecot/convertpw.php $USER $PLAIN_PASS | /etc/dovecot/convertpw.php $USER $PLAIN_PASS | ||
exec "$@"</source><br> | exec "$@"</source><br> | ||
<br> | <br> | ||
/etc/dovecot/convertpw.php<br> | /etc/dovecot/convertpw.php<br> | ||
<source lang="php">#!/usr/bin/php5 | <source lang="php">#!/usr/bin/php5 | ||
Zeile 132: | Zeile 156: | ||
} | } | ||
fclose($handle); | fclose($handle); | ||
exit; ?></source><br> | exit; ?></source><br> | ||
[[ | [[Category:MySQL]] [[Category:Ubuntu]] [[Category:Mail]] [[Category:Dovecot]] [[Category:PHP]] | ||
[[ | |||
[[ | |||
[[ | |||
[[ |
Version vom 3. Oktober 2012, 17:48 Uhr
done in dovecot via PostLoginScript, see http://wiki2.dovecot.org/PostLoginScripting and http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes
add a new field newpw in our database
#conf.d/20-imap.conf
...
#http://wiki2.dovecot.org/PostLoginScripting
service imap {
# tell imap to do post-login lookup using a socket called "imap-postlogin"
executable = imap imap-postlogin
}
# The service name below doesn't actually matter.
service imap-postlogin {
# all post-login scripts are executed via script-login binary
executable = script-login /etc/dovecot/loginafter.sh
# the script process runs as the user specified here (v2.0.14+):
user = $default_internal_user
# this UNIX socket listener must use the same name as given to imap executable
unix_listener imap-postlogin {
}
}
#conf.d/20-pop3.conf
...
# insert these lines so dovecot uses our scripts
service pop3 {
executable = pop3 pop3-postlogin
}
service pop3-postlogin {
executable = script-login /etc/dovecot/loginafter.sh
user = $default_internal_user
unix_listener pop3-postlogin {
}
}
# end insert
increase limit or you will get errors
#dovecot.conf
default_vsz_limit = 512M
#dovecot-sql.conf
...
# update your password_query so it will look at the new field
# AND add a %w field in the queury so we have the plain password in our Enviroment
password_query = /* dovecot-sql.conf password_query */ \
SELECT '/srv/vmail/%d/%n' AS userdb_home, 'maildir:~/Maildir' AS userdb_mail, 112 AS userdb_uid, 119 AS userdb_gid, \
CONCAT('*:bytes=', CAST(m.quota AS CHAR)) AS userdb_quota_rule, \
CONCAT(m.local_part, '@', d.name) AS user,'%w' as userdb_plain_pass, m.password AS password \
FROM mailboxes AS m LEFT JOIN domains AS d ON m.domain_id = d.id \
WHERE m.local_part = '%n' AND d.name = '%d' AND m.is_active AND d.is_active
As of now each user which connects through POP/IMAP will convert their password to SSHA256.
If you look at the database you will see for example {SSHA256}fb0e7f39c88c1d7017169f7f6b9cd6977d1e3291149382b90da4a390a31e81bab3cdced8 instead off {CRYPT}$1$.gvrgDqc$Slvoapz5zkpVmmJAxi.0k1
When every record is updated you can update dovecot.conf (remove the extra lines), and dovecot-sql (remove the %w-part).
Scripts
/etc/dovecot/loginafter.sh
#!/bin/sh
/etc/dovecot/convertpw.php $USER $PLAIN_PASS
exec "$@"
/etc/dovecot/convertpw.php
#!/usr/bin/php5
<?
#debug file, must exist
$filename = '/tmp/test2.txt';
if (!$handle = fopen($filename, "a")) {
print "Kann die Datei $filename nicht öffnen";
exit;
}
$mysqlhost = "localhost";
$mysqluser = "vboxadm";
// username which is used to connect to the database
$mysqlpass = "xxx";
// password which is used to connect to the database
$mysqldb = "vboxadm";
// databasename where the passwords are stored
$mysqltable = "mailboxes";
// table where the passwords are stored
$passfield = "newpw";
// fieldname where the passwords is stored
#user
$usr = explode("@",$argv[1]);
#fwrite($handle, "Checking User ".$argv[1]."\n");
#plain pass
$ruw = $argv[2];
function ssha256($pw) {
#if(strlen($salt) < 1) {
$salt = make_salt();
#}
return "{SSHA256}" . base64_encode( hash('sha256', $pw . $salt, TRUE ) . $salt );
}
function make_salt() {
$len = 4;
$bytes = array();
for ($i = 0; $i < $len; $i++ ) {
$bytes[] = rand(1,255);
}
$salt_str = '';
foreach ($bytes as $b) {
$salt_str .= pack('C', $b);
}
return $salt_str;
}
$link = mysql_connect ("$mysqlhost", "$mysqluser", "$mysqlpass") or die ("Could not connect");
@mysql_select_db("$mysqldb") or die( "Unable to select database");
$result = mysql_query("SELECT $passfield FROM $mysqltable AS m LEFT JOIN domains AS d ON m.domain_id = d.id WHERE m.local_part = '".$usr[
0]."' AND d.name = '$usr[1]' AND $passfield like '{SSHA%'");
#fwrite($handle, "\n".mysql_num_rows($result)."\n");
if (mysql_num_rows($result)==0){
$newq= "UPDATE $mysqltable,domains SET $mysqltable.$passfield='".ssha256($ruw)."' where $mysqltable.domain_id = domains.id and $m
ysqltable.local_part = '".$usr[0]."' AND domains.name = '".$usr[1]."'";
$res2 = mysql_query($newq);
fwrite($handle, "SQL: $newq\n");
}
fclose($handle);
exit; ?>