[Dovecot] Migrating password scheme

lst_hoe02 at kwsoft.de lst_hoe02 at kwsoft.de
Thu Mar 21 22:29:05 EET 2013

Zitat von lst_hoe02 at kwsoft.de:

> Zitat von Daryl Richards <daryl at isletech.net>:
>> On 13-03-21 12:51 PM, lst_hoe02 at kwsoft.de wrote:
>>> by the move to Dovecot we try to alter the password encryption  
>>> stored in the database from MD5 to CRYPT-SHA256 along the Guide at  
>>> http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes. It's mostly  
>>> working but i still have not found out how to pass the cleartext  
>>> password to the re-encrypting script. According to the HowTo it  
>>> should be enough to add "'%w' AS userdb_plain_pass" to the passdb  
>>> query, to get a environment variable $PLAIN_PASS in the post-login  
>>> script to pass along.
>>> This does not work eg. PLAIN_PASS is always empty. This is Dovecot  
>>> 2.0.19 from Ubuntu 12.04 LTS.
>> It seems to depends on how you are doing your userdb, not passdb..
>> I use a static userdb, so I have:
>> userdb {
>>  args = uid=xx gid=xx home=/xx/xx/%d/%n plain_pass=%w
>>  driver = static
>> }
>> -- 
>> Daryl Richards
>> Isle Technical Services Inc.
> Will try that, thanks.
> Andreas

Hm, no. Same result. The username works fine but the plaintext  
password is not available eg. $PLAIN_PASS is always empty when  
invoking the script.

Settings from 10-master.conf:

service imap {
   # TEMP fuer Password Hashes
   executable = imap imap-postlogin
   # Most of the memory goes to mmap()ing files. You may need to increase this
   # limit if you have huge mailboxes.
   #vsz_limit = 256M

   # Max. number of IMAP processes (connections)
   #process_limit = 1024
   process_limit = 100

service imap-postlogin {
   executable = script-login /etc/dovecot/convert.sh
#  user = $default_internal_user
   unix_listener imap-postlogin {

from 10-auth.conf:

passdb {
   driver = sql
   args = /etc/dovecot/dovecot-sql.conf.ext

userdb {
   driver = static
   args = uid=dovemail gid=dovemail home=/var/dovecot/home/%n  
mail=sdbox:/var/dovecot/mail/%n:LAYOUT=fs plainpass=%w

and the script invoked:

echo $USER >> /etc/dovecot/test.log
echo $PLAINPASS >> /etc/dovecot/test.log
echo $HOME >> /etc/dovecot/test.log

/etc/dovecot/pwd-sha.php $USER $PLAINPASS
exec "$@"

The test with echo variable to file show that $PLAINPASS is always  
missing whil the others are there as expected.

Can anyone confirm that it actually works this way??



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6144 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20130321/6c3ecb94/attachment.bin>

More information about the dovecot mailing list