<!DOCTYPE html>
< html >
< head >
< meta http-equiv = "Content-Type" content = "text/html; charset=utf-8" / >
< title > Password hashes< / title >
< link rel = "stylesheet" type = "text/css" href = "./css/markdown.css" / >
< / head >
< body >
< h1 id = "password-hashes" > Password hashes< / h1 >
< div class = "toc" >
< ul >
< li > < a href = "#password-hashes" > Password hashes< / a > < ul >
< li > < a href = "#password-hashes-supported-by-iredmail" > Password hashes supported by iRedMail< / a > < / li >
< li > < a href = "#default-password-schemes-used-in-iredmail" > Default password schemes used in iRedMail< / a > < / li >
< li > < a href = "#how-to-use-different-password-hashes-in-iredmail" > How to use different password hashes in iRedMail< / a > < ul >
< li > < a href = "#for-mysql-and-postgresql-backends" > For MySQL and PostgreSQL backends< / a > < / li >
< li > < a href = "#for-openldap-backend" > For OpenLDAP backend< / a > < / li >
< / ul >
< / li >
< li > < a href = "#see-also" > See also< / a > < / li >
< / ul >
< / li >
< / ul >
< / div >
< h2 id = "password-hashes-supported-by-iredmail" > Password hashes supported by iRedMail< / h2 >
< p > iRedMail configures Postfix to use Dovecot as the SASL authentication server, so all
password schemes supported by Dovecot can be used in Postfix. Please refer to
the Dovecot wiki page
< a href = "http://wiki2.dovecot.org/Authentication/PasswordSchemes" > < code > Password Schemes< / code > < / a >
for more details.< / p >
< p > The following password schemes are supported in iRedAdmin-Pro (which means you can add a new mail user with any of them):< / p >
< ol >
< li > SSHA512. e.g. < code > {SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=< / code > < / li >
< li > BCRYPT. e.g. < code > {CRYPT}$2a$05$TKnXV39M3uJ4o.AbY1HbjeAval9bunHbxd0.6Qn782yKoBjTEBXTe< / code > < / li >
< li > SSHA. e.g. < code > {SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD< / code > < / li >
< li >
< p > MD5 (salted). For example:< / p >
< ul >
< li > with a prefix: < code > {CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250< / code > < / li >
< li > without a prefix: < code > $1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250< / code > < / li >
< / ul >
< p > < strong > Important note< / strong > : SOGo groupware doesn't support MD5 without a prefix, so
if you're going to migrate MD5 password hashes from an old mail server, please
prepend the < code > {CRYPT}< / code > prefix to the password hash.< / p >
< / li >
< li >
< p > PLAIN-MD5 (without a salt). e.g. < code > 0d2bf3c712402f428d48fed691850bfc< / code > < / p >
< / li >
< li > Plain text. e.g. < code > 123456< / code > < / li >
< / ol >
< p > < strong > WARNING< / strong > : MD5, PLAIN-MD5 and plain-text passwords are weak; please don't use them.< / p >
< p > < strong > NOTES< / strong > :< / p >
< ul >
< li > < code > BCRYPT< / code > is only available on BSD systems, because the < code > libc< / code > shipped with Linux
doesn't support bcrypt.< / li >
< / ul >
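< p > An added example, not part of iRedMail or iRedAdmin-Pro: a small audit helper that classifies stored password values by the prefixes listed above, flags the schemes the WARNING calls weak, and reports MD5 hashes missing the < code > {CRYPT}< / code > prefix that SOGo requires. The function names and the sample user addresses are assumptions; the hash values are the examples from this page.< / p >

```python
import re

# Schemes the page's WARNING calls weak (salted MD5, PLAIN-MD5, plain text).
WEAK = {"MD5-CRYPT", "PLAIN-MD5", "PLAIN"}
SELF_NAMED = {"SSHA512", "SSHA", "PLAIN-MD5", "PLAIN"}


def classify(stored):
    """Return (scheme, is_weak, notes) for one stored password value."""
    notes = []
    m = re.match(r"\{([A-Za-z0-9.-]+)\}(.*)", stored, re.S)
    prefix, body = (m.group(1).upper(), m.group(2)) if m else (None, stored)
    if prefix in SELF_NAMED:
        scheme = prefix
    elif prefix in (None, "CRYPT") and body.startswith("$1$"):
        scheme = "MD5-CRYPT"
        if prefix is None:
            notes.append("prepend {CRYPT}: SOGo does not support MD5 without it")
    elif prefix in (None, "CRYPT") and re.match(r"\$2[abxy]?\$", body):
        scheme = "BCRYPT"
    elif prefix is None and re.fullmatch(r"[0-9a-fA-F]{32}", body):
        scheme = "PLAIN-MD5"
        notes.append("bare hex digest: SQL backends need the {PLAIN-MD5} prefix")
    elif prefix is None:
        scheme = "PLAIN"
        notes.append("no scheme prefix: treated as plain text")
    else:
        scheme = prefix  # a scheme this page does not list
        notes.append("scheme not listed on this page: review manually")
    return scheme, scheme in WEAK, notes


def audit(rows):
    """rows: iterable of (username, stored value); return only the findings."""
    findings = []
    for user, stored in rows:
        scheme, weak, notes = classify(stored)
        if weak or notes:
            findings.append((user, scheme, notes))
    return findings


# Constructed rows; the stored values are the example hashes shown on this page.
SAMPLE_ROWS = [
    ("u1@example.com", "{CRYPT}$2a$05$TKnXV39M3uJ4o.AbY1HbjeAval9bunHbxd0.6Qn782yKoBjTEBXTe"),
    ("u2@example.com", "$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250"),
    ("u3@example.com", "{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD"),
    ("u4@example.com", "{PLAIN}123456"),
]
```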
< h2 id = "default-password-schemes-used-in-iredmail" > Default password schemes used in iRedMail< / h2 >
< ul >
< li >
< p > For MySQL and PostgreSQL backends:< / p >
< ul >
< li > in iRedMail-0.9.0 and later versions: < code > SSHA512< / code > < / li >
< li > in iRedMail-0.8.7 and earlier versions: < code > salted MD5< / code > < / li >
< / ul >
< / li >
< li >
< p > For LDAP backend: < code > SSHA< / code > .< / p >
< p > OpenLDAP's built-in password verification doesn't support SHA-2 password
hash formats directly, so if you have third-party applications which need
OpenLDAP's built-in password verification, you'd better use the < code > SSHA< / code > hash.< / p >
< p > But if you don't have this concern, it's OK to store an < code > SSHA512/BCRYPT< / code >
hash as the mail user password, then set < code > ldap_bind = no< / code > in
< code > /etc/dovecot/dovecot.conf< / code > . SMTP/IMAP/POP3 services work with it, but
Apache basic auth doesn't.< / p >
< / li >
< / ul >
< h2 id = "how-to-use-different-password-hashes-in-iredmail" > How to use different password hashes in iRedMail< / h2 >
< h3 id = "for-mysql-and-postgresql-backends" > For MySQL and PostgreSQL backends< / h3 >
< p > All mail users are stored in the SQL table < code > vmail.mailbox< / code > , and the user password is stored
in the SQL column < code > mailbox.password< / code > . For example (note: replace < code > xx@xx< / code >
with your real email address):< / p >
< pre > < code > sql> USE vmail;
sql> UPDATE mailbox SET password='$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250' WHERE username='xx@xx';
sql> UPDATE mailbox SET password='{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD' WHERE username='xx@xx';
sql> UPDATE mailbox SET password='{SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=' WHERE username='xx@xx';
< / code > < / pre >
< ul >
< li > To store PLAIN-MD5, you have to prepend < code > {PLAIN-MD5}< / code > to your password hash:< / li >
< / ul >
< pre > < code > sql> USE vmail;
sql> UPDATE mailbox SET password='{PLAIN-MD5}0d2bf3c712402f428d48fed691850bfc' WHERE username='xx@xx';
< / code > < / pre >
< ul >
< li > To store a plain-text password, you have to prepend < code > {PLAIN}< / code > :< / li >
< / ul >
< pre > < code > sql> USE vmail;
sql> UPDATE mailbox SET password='{PLAIN}123456' WHERE username='xx@xx';
< / code > < / pre >
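< p > An added example, not iRedMail's own code: producing and checking a value in the < code > {SSHA512}< / code > format stored in < code > mailbox.password< / code > , which is the prefix followed by base64 of the SHA-512 digest of password plus salt, with the salt appended. The function names and the 8-byte salt length are assumptions of this example; the sample hash on this page carries a 4-byte salt.< / p >

```python
import base64
import binascii
import hashlib
import hmac
import os

PREFIX = "{SSHA512}"
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def ssha512_hash(password, salt=None):
    """Build '{SSHA512}' + base64(SHA512(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # salt length is this example's choice
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha512(stored):
    """Return (digest, salt) from a stored value, or None if malformed."""
    if not stored.upper().startswith(PREFIX):
        return None
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except (binascii.Error, ValueError):
        return None  # body is not valid base64
    if len(raw) <= DIGEST_LEN:
        return None  # no salt after the digest: not a salted hash
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha512_verify(password, stored):
    """Check a candidate password against a stored {SSHA512} value."""
    parts = split_ssha512(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)
```

< p > When writing the result to the database from a program, pass it as a bound parameter of the < code > UPDATE< / code > statement instead of concatenating it into the SQL string.< / p >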
< h3 id = "for-openldap-backend" > For OpenLDAP backend< / h3 >
< p > The user password is stored in the < code > userPassword< / code > attribute of the user object.< / p >
< ul >
< li > To store a plain password or an SSHA or SSHA512 password hash, just store it in
its original format. For example:< / li >
< / ul >
< pre > < code > userPassword: 123456
userPassword: {SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD
userPassword: {SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs...
< / code > < / pre >
< ul >
< li > To store a standard MD5 password (salted MD5 hash), please prepend < code > {CRYPT}< / code >
(case-insensitive) to your password hash. For example:
< code > userPassword: {CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250< / code > < / li >
< / ul >
< p > < strong > IMPORTANT NOTE< / strong > : If you want to input a password hash with phpLDAPadmin,
please choose < code > clear< / code > in the password hash list, then input the password hash.< / p >
< h2 id = "see-also" > See also< / h2 >
< ul >
< li > < a href = "./reset.user.password.html" > Reset user password< / a > < / li >
< / ul > < div class = "footer" >
< p style = "text-align: center; color: grey;" > All documents are available in < a href = "https://bitbucket.org/zhb/iredmail-docs/src" > BitBucket repository< / a > , and published under < a href = "http://creativecommons.org/licenses/by-nd/3.0/us/" target = "_blank" > Creative Commons< / a > license. You can < a href = "https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2" > download the latest version< / a > for offline reading. If you found something wrong, please do < a href = "http://www.iredmail.org/contact.html" > contact us< / a > to fix it.< / p >
< / div >
< / body > < / html >