iredmail-doc/en_US/migrations/2-password.hashes.md

# Password hashes
2015-12-13 08:10:41 -06:00
[TOC]
## Password hashes supported by iRedMail
iRedMail configures Postfix to use Dovecot as its SASL authentication server, so all
password schemes supported by Dovecot can be used in Postfix. Please refer to the
Dovecot wiki page
[`Password Schemes`](http://wiki2.dovecot.org/Authentication/PasswordSchemes)
for more details.
The following password schemes are supported in iRedAdmin-Pro (which means you can add a new mail user with any one of them):

1. SSHA512. e.g. `{SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=`
1. BCRYPT. e.g. `{CRYPT}$2a$05$TKnXV39M3uJ4o.AbY1HbjeAval9bunHbxd0.6Qn782yKoBjTEBXTe`
1. SSHA. e.g. `{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD`
1. MD5 (salted). For example:
    * with a prefix: `{CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250`
    * without a prefix: `$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250`

    __Important note__: SOGo groupware doesn't support MD5 without a prefix, so
    if you're going to migrate MD5 password hashes from an old mail server, please
    prepend the `{CRYPT}` prefix to each password hash.

1. PLAIN-MD5 (without a salt). e.g. `0d2bf3c712402f428d48fed691850bfc`
1. Plain text. e.g. `123456`
__WARNING__: MD5, PLAIN-MD5 and plain-text passwords are weak; please don't use them.

__NOTES__:

* `BCRYPT` is only available on BSD systems, because the `libc` shipped with Linux
  doesn't support bcrypt.
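The `{SSHA}` and `{SSHA512}` values listed above are base64 of `digest(password + salt)` followed by the salt itself, which is why a stored hash carries its own salt. The following Python script is an added example (not iRedMail's or Dovecot's own code) that builds hashes in that format, splits a stored value into scheme and payload, and verifies a candidate password for the schemes that can be computed with `hashlib` alone; `{CRYPT}` values (`$1$` MD5-crypt, `$2a$` bcrypt) are left to the system's `crypt(3)` as Dovecot does, and the sample passwords and salts are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Scheme prefix -> hashlib algorithm for the salted SHA family used by Dovecot/OpenLDAP.
SALTED_SCHEMES = {"SSHA": "sha1", "SSHA512": "sha512"}


def make_salted_hash(password: str, scheme: str = "SSHA512",
                     salt: Optional[bytes] = None) -> str:
    """Build a '{SSHA}' / '{SSHA512}' hash: base64(digest(password + salt) + salt).

    The salt is appended to the digest inside the base64 blob, so the stored
    value is self-describing and no separate salt column is needed.
    """
    if scheme not in SALTED_SCHEMES:
        raise ValueError("unsupported salted scheme: %s" % scheme)
    if salt is None:
        salt = os.urandom(8)  # the page's examples use 4-byte salts; any length verifies
    digest = hashlib.new(SALTED_SCHEMES[scheme], password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split_hash(stored: str) -> Tuple[str, str]:
    """Return (SCHEME, value) for a stored hash.

    '{SCHEME}value' is split on the prefix (scheme names are case insensitive);
    a bare '$1$...' string is MD5-crypt without the '{CRYPT}' prefix, and any
    other bare value is treated as plain text, as in the OpenLDAP section.
    """
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    if stored.startswith("$1$"):
        return "CRYPT", stored
    return "PLAIN", stored


def salt_length(stored: str) -> int:
    """Length in bytes of the salt embedded in an {SSHA}/{SSHA512} hash."""
    scheme, value = split_hash(stored)
    digest_size = hashlib.new(SALTED_SCHEMES[scheme]).digest_size
    return len(base64.b64decode(value)) - digest_size


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored hash (schemes computable here only)."""
    scheme, value = split_hash(stored)
    pw = password.encode("utf-8")
    if scheme in SALTED_SCHEMES:
        raw = base64.b64decode(value)
        digest_size = hashlib.new(SALTED_SCHEMES[scheme]).digest_size
        digest, salt = raw[:digest_size], raw[digest_size:]
        candidate = hashlib.new(SALTED_SCHEMES[scheme], pw + salt).digest()
        return hmac.compare_digest(candidate, digest)
    if scheme == "PLAIN-MD5":  # unsalted: identical passwords give identical hashes
        return hmac.compare_digest(hashlib.md5(pw).hexdigest(), value.lower())
    if scheme == "PLAIN":
        return hmac.compare_digest(pw, value.encode("utf-8"))
    # {CRYPT} values ($1$ MD5-crypt, $2a$ bcrypt) are verified by crypt(3), not here.
    raise ValueError("scheme %s is not handled by this example" % scheme)


if __name__ == "__main__":
    # Constructed sample password; each run produces a different hash because of the random salt.
    h = make_salted_hash("correct horse battery staple")
    print(h, verify_password("correct horse battery staple", h))
```

Running `salt_length` over the two SSHA-family hashes quoted on this page shows both carry a 4-byte salt, and the `compare_digest` calls avoid the timing side channel that a plain `==` on the digest would introduce.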
## Default password schemes used in iRedMail

* For MySQL and PostgreSQL backends:
    * in iRedMail-0.9.0 and later versions: `SSHA512`
    * in iRedMail-0.8.7 and earlier versions: `salted MD5`
* For LDAP backends:
    * in iRedMail-0.9.5 and later versions:
        * Debian 8, Ubuntu 16.04, FreeBSD: `SSHA512`
        * RHEL/CentOS 6/7, Ubuntu 14.04, OpenBSD: `SSHA`. The OpenLDAP package
          shipped in these distributions doesn't support SHA-2 password
          verification by default.
    * in iRedMail-0.9.4 and earlier versions: `SSHA`.
!!! note

    OpenLDAP's builtin password verification doesn't support SHA-2 password
    hash formats directly, so if you have third-party applications which need
    OpenLDAP's builtin password verification, you should use the `SSHA` hash.
    If that is not a concern, it's fine to store an `SSHA512` or `BCRYPT`
    hash as the mail user password, then set `ldap_bind = no` in
    `/etc/dovecot/dovecot.conf`. SMTP/IMAP/POP3 services work with this, but
    Apache basic auth doesn't.
## How to use different password hashes in iRedMail
### For MySQL and PostgreSQL backends
All mail users are stored in SQL table `vmail.mailbox`, and each user's password is
stored in SQL column `mailbox.password`. For example (note: replace `xx@xx`
with the real email address):

```
sql> USE vmail;
sql> UPDATE mailbox SET password='$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250' WHERE username='xx@xx';
sql> UPDATE mailbox SET password='{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD' WHERE username='xx@xx';
sql> UPDATE mailbox SET password='{SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=' WHERE username='xx@xx';
```
* To store PLAIN-MD5, you have to prepend `{PLAIN-MD5}` to your password hash:

```
sql> USE vmail;
sql> UPDATE mailbox SET password='{PLAIN-MD5}0d2bf3c712402f428d48fed691850bfc' WHERE username='xx@xx';
```
* To store a plain-text password, you have to prepend `{PLAIN}`:

```
sql> USE vmail;
sql> UPDATE mailbox SET password='{PLAIN}123456' WHERE username='xx@xx';
```
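When migrating many accounts, the `UPDATE` statements above are usually generated from the old server's export rather than typed by hand. The script below is an added example (not part of iRedMail) that applies this section's storage rules to a constructed export: bare `$1$` MD5-crypt strings get the `{CRYPT}` prefix SOGo needs, unprefixed PLAIN-MD5 or plain-text values get `{PLAIN-MD5}` or `{PLAIN}`, and the writes go through a parameterized `UPDATE` so a hash containing `$` or quotes cannot break the statement. It uses an in-memory SQLite table standing in for `vmail.mailbox` (on MySQL/PostgreSQL the placeholder is `%s` instead of `?`), and finishes with a per-scheme count so the operator can see how many of the weak schemes this page warns about survive the migration; the usernames and the mapping of hashes to them are constructed.

```python
import re
import sqlite3
from typing import Dict, List, Set, Tuple

# Constructed export from an old mail server: (username, stored hash).
# The hash values are the ones quoted on this page, paired with made-up users.
OLD_MAIL_USERS: List[Tuple[str, str]] = [
    ("alice@example.com", "$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250"),     # salted MD5, no prefix
    ("bob@example.com", "{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD"),  # already prefixed
    ("carol@example.com", "0d2bf3c712402f428d48fed691850bfc"),         # bare PLAIN-MD5
    ("dave@example.com", "{SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/"
                         "lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag="),
]

# Schemes this page calls weak: salted MD5 (crypt $1$), PLAIN-MD5 and plain text.
WEAK_SCHEMES = {"CRYPT-MD5", "PLAIN-MD5", "PLAIN"}

_PREFIX_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def normalize_hash(stored: str, bare_scheme: str = "PLAIN-MD5") -> str:
    """Return a value acceptable to mailbox.password.

    Prefixed values are kept. crypt(3) strings ($1$, $2a$, ...) get {CRYPT}
    so SOGo can use them. Any other unprefixed value is labelled with
    `bare_scheme` (PLAIN-MD5 or PLAIN), which the operator knows from the old
    server's configuration; a bare value cannot be told apart by inspection.
    """
    if _PREFIX_RE.match(stored):
        return stored
    if stored.startswith("$"):
        return "{CRYPT}" + stored
    if bare_scheme not in ("PLAIN", "PLAIN-MD5"):
        raise ValueError("bare values can only be PLAIN or PLAIN-MD5")
    return "{%s}%s" % (bare_scheme, stored)


def scheme_of(stored: str) -> str:
    """Scheme name of a normalized hash; {CRYPT}$1$ is reported as CRYPT-MD5."""
    m = _PREFIX_RE.match(stored)
    scheme = m.group(1).upper() if m else "PLAIN"
    if scheme == "CRYPT" and stored[m.end():].startswith("$1$"):
        return "CRYPT-MD5"
    return scheme


def migrate(conn: sqlite3.Connection, users: List[Tuple[str, str]],
            bare_scheme: str = "PLAIN-MD5") -> Dict[str, int]:
    """Write normalized hashes with a parameterized UPDATE and count schemes."""
    rows = [(normalize_hash(h, bare_scheme), u) for u, h in users]
    conn.executemany("UPDATE mailbox SET password = ? WHERE username = ?", rows)
    conn.commit()
    counts: Dict[str, int] = {}
    for h, _ in rows:
        counts[scheme_of(h)] = counts.get(scheme_of(h), 0) + 1
    return counts


def weak_schemes(counts: Dict[str, int]) -> Set[str]:
    """Schemes present after migration that this page advises against."""
    return set(counts) & WEAK_SCHEMES


def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for vmail.mailbox with the sample users pre-created."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailbox (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO mailbox (username, password) VALUES (?, '')",
                     [(u,) for u, _ in OLD_MAIL_USERS])
    return conn


if __name__ == "__main__":
    db = demo_db()
    summary = migrate(db, OLD_MAIL_USERS)
    print("schemes stored:", summary)
    print("weak schemes still in use:", weak_schemes(summary))
```

The weak-scheme report is the check worth keeping after a migration: it tells you which users should be asked to set a new password so that iRedMail can re-hash it with the backend's default scheme.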
### For OpenLDAP backend
User password is stored in attribute `userPassword` of user object.
* To store a plain-text password or an SSHA/SSHA512 password hash, just store it in
  its original format. For example:

```
userPassword: 123456
userPassword: {SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD
userPassword: {SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs...
```
* To store a standard MD5 password (salted MD5 hash), please prepend `{CRYPT}`
  (case insensitive) to your password hash. For example:

```
userPassword: {CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250
```
__IMPORTANT NOTE__: If you want to enter a password hash with phpLDAPadmin,
please choose `clear` in the password hash list, then enter the password hash.
## See also
* [Reset user password](./reset.user.password.html)