Review: use.or.migrate.password.hashes.md.

Zhang Huangbin 2014-09-17 17:15:21 +08:00
parent 4fcecac6bc
commit 8f0bcd4799
9 changed files with 159 additions and 70 deletions


@ -5,7 +5,7 @@
### Why iRedMail doesn't enable SMTPS (SMTP over SSL) by default
SMTPS is deprecated, so iRedMail disable it by default.
Quote from wikipedia.org: http://en.wikipedia.org/wiki/SMTPS
Quote from (wikipedia.org)[http://en.wikipedia.org/wiki/SMTPS]
> Originally, in early 1997, the Internet Assigned Numbers Authority registered 465 for SMTPS. By the end of 1998, this was revoked when STARTTLS has been specified. With STARTTLS, the same port can be used with or without TLS. SMTP was seen as particularly important, because clients of this protocol are often other mail servers, which can not know whether a server they wish to communicate with will have a separate port for TLS. The port 465 is now registered for Source-Specific Multicast audio and video.
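
Review bot: The replacement line `Quote from (wikipedia.org)[http://en.wikipedia.org/wiki/SMTPS]` has the Markdown link delimiters reversed, so it renders as literal text instead of a link. Write it as `[wikipedia.org](http://en.wikipedia.org/wiki/SMTPS)`. While this paragraph is being touched, "iRedMail disable it" should read "iRedMail disables it".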


@ -16,8 +16,8 @@ external-pipe unix - n n - - pipe
__Note__:
* You can use some macros to replace with corresponding information from the
Postfix queue manager delivery request. Refer to Postfix manual page for more
detail: ()[http://www.postfix.org/pipe.8.html]. For example:
Postfix queue manager delivery request. Refer to Postfix manual page
[pipe(8)](http://www.postfix.org/pipe.8.html) for more details. For example:
```
external-pipe unix - n n - - pipe
@ -45,11 +45,11 @@ this user will be piped to this new transport - your script.
* If you have iRedAdmin-Pro:
* For iRedAdmin-Pro-LDAP installed, please go to user profile page, under
tab `Advanced`, set `Relay/Transport setting` to `external-pipe`. Screenshot for
your reference: ()[http://www.iredmail.org/images/iredadmin/user_profile_relay.png]
tab `Advanced`, set `Relay/Transport setting` to `external-pipe`.
[Screenshot](http://www.iredmail.org/images/iredadmin/user_profile_relay.png) for your reference:
* For iRedAdmin-Pro-MySQL or iRedAdmin-Pro-PGSQL installed, please go
to user profile page, under tab `Relay`, set `/Transport setting` to
to user profile page, under tab `Relay`, set `Relay/Transport setting` to
`external-pipe`.
* If you don't have iRedAdmin-Pro, please update LDAP/MySQL/PgSQL database to
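
Review bot: In the iRedAdmin-Pro-LDAP item, the rewritten sentence `[Screenshot](...) for your reference:` still ends with a colon although nothing follows it now that the link is inline. End it with a period, or fold the link into the previous sentence.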
@ -61,9 +61,9 @@ use this new transport.
* For MySQL/PostgreSQL backend, please execute below command with SQL
command line tool (Replace 'user@domain.ltd' by the real email address):
```mysql
<pre>
sql> USE vmail;
sql> UPDATE mailbox SET transport='external-pipe' WHERE username='user@domain.ltd';
```
</pre>
That's all.
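
Review bot: Replacing the fenced `mysql` block with a raw `<pre>` element around the `sql> USE vmail;` lines takes the snippet out of Markdown's escaping, so the `>` of the prompt goes into the generated HTML unescaped, and the block is now inconsistent with the fenced `external-pipe` example earlier in this file. If the aim was only to drop the language class, keep the fence without a language tag. Dropping the `sql>` prompt would also make the two statements easier to paste.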


@ -0,0 +1,64 @@
# How to use or migrate password hashes
## Password hashes supported by iRedMail
iRedMail configures Postfix to use Dovecot as SASL authenticate server, so all
password schemes supported by Dovecot can be used in iRedMail. Please refer to
Dovecot wiki page
[`Password Schemes`](http://wiki2.dovecot.org/Authentication/PasswordSchemes) for more details.
Below password schemes are supported in iRedAdmin-Pro (which means you can add new mail user with either one):
* Plain text. e.g. `123456`
* MD5. (salted. e.g. `$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250`
* PLAIN-MD5 (unsalted MD5). e.g. `0d2bf3c712402f428d48fed691850bfc`
* SSHA. e.g. `{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD`
* SSHA512. e.g. `{SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=`
__NOTE__: Dovecot claims it supports SSHA512, but I didn't get it work.
Please test it first if you choose SSHA512.
## Default password schemes used in iRedMail
* For MySQL and PostgreSQL backends: `MD5` (salted).
* For LDAP backend: `SSHA`.
## How to use different password hashes in iRedMail
### For MySQL and PostgreSQL backends
All mail users are stored in SQL table `vmail.mailbox`, user password is stored
in SQL column `mailbox.password`. For example:
<pre>
sql> UPDATE mailbox SET password='$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250' WHERE username='xx@xx';
sql> UPDATE mailbox SET password='{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD' WHERE username='xx@xx';
sql> UPDATE mailbox SET password='{SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=' WHERE username='xx@xx';
</pre>
* To store PLAIN-MD5, you have to prepend `{PLAIN-MD5}` in your password hash:
<pre>
sql> UPDATE mailbox SET password='{PLAIN-MD5}0d2bf3c712402f428d48fed691850bfc' WHERE username='xx@xx';
</pre>
* To store plain password, you have to prepend `{PLAIN}`:
<pre>sql> UPDATE mailbox SET password='{PLAIN}123456' WHERE username='xx@xx';</pre>
### For LDAP backends
User password is stored in attribute `userPassword` of user object.
* To store plain password, SSHA, SSHA512 password hash, just store them in
original format. For example:
<pre>
userPassword: 123456
userPassword: {SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD
userPassword: {SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=</pre>
* To store standard MD5 password (salted MD5 hash), please prepend `{CRYPT}`
(case insensitive) in your password hash. For example:
<pre>userPassword: {CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</pre>
__IMPORTANT NOTE__: If you want to input password hash with phpLDAPadmin,
please choose `clear` in the password hash list, then input password hash.
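
Review bot: The supported-schemes list and the storage examples present plain text (`{PLAIN}123456`, `userPassword: 123456`) and unsalted `PLAIN-MD5` on the same footing as the salted schemes, with nothing telling the reader which of them are acceptable for new accounts. Add a sentence under "Password hashes supported by iRedMail" stating that plain text and PLAIN-MD5 are meant for carrying over existing accounts and that new passwords should use a salted scheme. Two smaller points: the MD5 bullet `MD5. (salted. e.g. ...` opens a parenthesis that is never closed, and the SSHA512 caveat would be easier to find next to the SSHA512 examples it applies to.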


@ -14,8 +14,8 @@ p {
margin-bottom: 4px;
padding: 0;
}
h1 { font-size: 36px; }
h2 { font-size: 24px; }
h1 { font-size: 48px; }
h2 { font-size: 36px; padding-top: 24px;}
h3 { font-size: 24px; }
h4 { font-size: 21px; }
h5 { font-size: 18px; }
@ -249,11 +249,13 @@ pre, code {
border-radius: 3px;
overflow-x: auto;
padding: 5px 10px 5px 10px;
word-wrap: normal
word-wrap: normal;
font-size: 14px;
line-height: 20px;
}
code {padding: 1px 5px 1px 5px;}
code { padding: 1px 5px 1px 5px; }
pre>code {
margin: 0;
border: 0;
padding: 1px 3px;
padding: 5px 10px 5px 10px;
}
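
Review bot: The new `pre>code` padding of `5px 10px 5px 10px` repeats the padding that the `pre, code` rule already puts on the enclosing `pre`, so a code block gets that spacing twice, once on `pre` and once on the inner `code`. The previous `1px 3px` kept the inner box tight; consider `padding: 0` on `pre>code` and leaving the spacing to `pre`. Note also that `font-size: 14px; line-height: 20px;` in the shared rule applies to inline `code` as well as to blocks.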


@ -20,7 +20,7 @@
</div>
<h3 id="why-iredmail-doesnt-enable-smtps-smtp-over-ssl-by-default">Why iRedMail doesn't enable SMTPS (SMTP over SSL) by default</h3>
<p>SMTPS is deprecated, so iRedMail disable it by default.
Quote from wikipedia.org: http://en.wikipedia.org/wiki/SMTPS</p>
Quote from (wikipedia.org)[http://en.wikipedia.org/wiki/SMTPS]</p>
<blockquote>
<p>Originally, in early 1997, the Internet Assigned Numbers Authority registered 465 for SMTPS. By the end of 1998, this was revoked when STARTTLS has been specified. With STARTTLS, the same port can be used with or without TLS. SMTP was seen as particularly important, because clients of this protocol are often other mail servers, which can not know whether a server they wish to communicate with will have a separate port for TLS. The port 465 is now registered for Source-Specific Multicast audio and video.</p>
</blockquote>


@ -19,8 +19,8 @@ config file <code>/etc/postfix/master.cf</code>:</p>
<p><strong>Note</strong>:</p>
<ul>
<li>You can use some macros to replace with corresponding information from the
Postfix queue manager delivery request. Refer to Postfix manual page for more
detail: ()[http://www.postfix.org/pipe.8.html]. For example:</li>
Postfix queue manager delivery request. Refer to Postfix manual page
<a href="http://www.postfix.org/pipe.8.html">pipe(8)</a> for more details. For example:</li>
</ul>
<pre><code>external-pipe unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/path/to/your/external/script.sh -f ${sender} -d ${user}@${domain} -m ${extension}
@ -47,12 +47,12 @@ this user will be piped to this new transport - your script.</p>
<ul>
<li>
<p>For iRedAdmin-Pro-LDAP installed, please go to user profile page, under
tab <code>Advanced</code>, set <code>Relay/Transport setting</code> to <code>external-pipe</code>. Screenshot for
your reference: ()[http://www.iredmail.org/images/iredadmin/user_profile_relay.png]</p>
tab <code>Advanced</code>, set <code>Relay/Transport setting</code> to <code>external-pipe</code>.
<a href="http://www.iredmail.org/images/iredadmin/user_profile_relay.png">Screenshot</a> for your reference:</p>
</li>
<li>
<p>For iRedAdmin-Pro-MySQL or iRedAdmin-Pro-PGSQL installed, please go
to user profile page, under tab <code>Relay</code>, set <code>/Transport setting</code> to
to user profile page, under tab <code>Relay</code>, set <code>Relay/Transport setting</code> to
<code>external-pipe</code>.</p>
</li>
</ul>
@ -72,8 +72,9 @@ use this new transport.</p>
</ul>
</li>
</ul>
<pre><code class="mysql">sql&gt; USE vmail;
sql&gt; UPDATE mailbox SET transport='external-pipe' WHERE username='user@domain.ltd';
</code></pre>
<pre>
sql> USE vmail;
sql> UPDATE mailbox SET transport='external-pipe' WHERE username='user@domain.ltd';
</pre>
<p>That's all.</p></body></html>


@ -0,0 +1,69 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<link href="../css/markdown.css" rel="stylesheet"></head>
</head>
<body>
<h1 id="how-to-use-or-migrate-password-hashes">How to use or migrate password hashes</h1>
<h2 id="password-hashes-supported-by-iredmail">Password hashes supported by iRedMail</h2>
<p>iRedMail configures Postfix to use Dovecot as SASL authenticate server, so all
password schemes supported by Dovecot can be used in iRedMail. Please refer to
Dovecot wiki page
<a href="http://wiki2.dovecot.org/Authentication/PasswordSchemes"><code>Password Schemes</code></a> for more details.</p>
<p>Below password schemes are supported in iRedAdmin-Pro (which means you can add new mail user with either one):</p>
<ul>
<li>Plain text. e.g. <code>123456</code></li>
<li>MD5. (salted. e.g. <code>$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</code></li>
<li>PLAIN-MD5 (unsalted MD5). e.g. <code>0d2bf3c712402f428d48fed691850bfc</code></li>
<li>SSHA. e.g. <code>{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD</code></li>
<li>SSHA512. e.g. <code>{SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=</code></li>
</ul>
<p><strong>NOTE</strong>: Dovecot claims it supports SSHA512, but I didn't get it work.
Please test it first if you choose SSHA512.</p>
<h2 id="default-password-schemes-used-in-iredmail">Default password schemes used in iRedMail</h2>
<ul>
<li>For MySQL and PostgreSQL backends: <code>MD5</code> (salted).</li>
<li>For LDAP backend: <code>SSHA</code>.</li>
</ul>
<h2 id="how-to-use-different-password-hashes-in-iredmail">How to use different password hashes in iRedMail</h2>
<h3 id="for-mysql-and-postgresql-backends">For MySQL and PostgreSQL backends</h3>
<p>All mail users are stored in SQL table <code>vmail.mailbox</code>, user password is stored
in SQL column <code>mailbox.password</code>. For example:</p>
<pre>
sql> UPDATE mailbox SET password='$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250' WHERE username='xx@xx';
sql> UPDATE mailbox SET password='{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD' WHERE username='xx@xx';
sql> UPDATE mailbox SET password='{SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=' WHERE username='xx@xx';
</pre>
<ul>
<li>To store PLAIN-MD5, you have to prepend <code>{PLAIN-MD5}</code> in your password hash:</li>
</ul>
<pre>
sql> UPDATE mailbox SET password='{PLAIN-MD5}0d2bf3c712402f428d48fed691850bfc' WHERE username='xx@xx';
</pre>
<ul>
<li>To store plain password, you have to prepend <code>{PLAIN}</code>:
<pre>sql&gt; UPDATE mailbox SET password='{PLAIN}123456' WHERE username='xx@xx';</pre></li>
</ul>
<h3 id="for-ldap-backends">For LDAP backends</h3>
<p>User password is stored in attribute <code>userPassword</code> of user object.</p>
<ul>
<li>
<p>To store plain password, SSHA, SSHA512 password hash, just store them in
original format. For example:
<pre>
userPassword: 123456
userPassword: {SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD
userPassword: {SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=</pre></p>
</li>
<li>
<p>To store standard MD5 password (salted MD5 hash), please prepend <code>{CRYPT}</code>
(case insensitive) in your password hash. For example:
<pre>userPassword: {CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</pre></p>
</li>
</ul>
<p><strong>IMPORTANT NOTE</strong>: If you want to input password hash with phpLDAPadmin,
please choose <code>clear</code> in the password hash list, then input password hash.</p></body></html>
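
Review bot: The head of this new page is closed twice: `<link href="../css/markdown.css" rel="stylesheet"></head>` is followed by a second `</head>`, and `<title></title>` is empty. If this file is generator output, fix the template or conversion step rather than the file itself. In the body, the `<pre>` blocks in the LDAP list items sit inside `<p>` elements, which is invalid nesting, and the prompt is escaped as `sql&gt;` in one block but left as raw `sql>` in the others.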


@ -15,6 +15,7 @@
<li><a href="faq-howto/howto.enable.smtps.service.html"> How to enable SMTPS service (SMTP over SSL, port 465)</a></li>
<li><a href="faq-howto/pipe.incoming.email.for.certain.user.to.external.script.html"> How to pipe incoming email for certain user to external script </a></li>
<li><a href="faq-howto/unattended.iredmail.installation.html"> How to perform silent/unattended iRedMail installation</a></li>
<li><a href="faq-howto/use.or.migrate.password.hashes.html"> How to use or migrate password hashes</a></li>
</ul>
<h1 id="backup-and-restore">Backup and Restore</h1>
<ul>


@ -1,48 +0,0 @@
<http://www.iredmail.org/wiki/index.php?title=IRedMail/FAQ/use.or.migrate.password.hashes>
#How to use or migrate password hashes
## Password hashes supported by iRedMail
iRedMail configures Postfix to use Dovecot as SASL authenticate server, so all password schemes supported by Dovecot can be used in iRedMail. Please refer to Dovecot wiki page for more details: <http://wiki2.dovecot.org/Authentication/PasswordSchemes>
Below password schemes are supported in iRedAdmin-Pro (which means you can add new mail user with either one):
* Plain text. (e.g. '123456')
* MD5. (salted. e.g. $1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250)
* PLAIN-MD5. (unsalted. e.g. 0d2bf3c712402f428d48fed691850bfc)
* SSHA. (e.g. {SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD)
* SSHA512. (e.g. {SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=)
##Default password schemes used in iRedMail
* In MySQL and PostgreSQL backends, iRedMail stores password as salted MD5 hash. For example: __$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250__
* In OpenLDAP backend, iRedMail stores password as SSHA hash. For example: __{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD__.
##How to use different password hashes in iRedMail
###For MySQL and PostgreSQL backends
All mail users are stored in SQL table "vmail.mailbox", user password is stored in SQL column "mailbox.password".
* To store standard MD5 password (salted MD5 hash) or SSHA, SSHA512, just store the password hash in column "mailbox.password". For example:
<pre>sql> UPDATE mailbox SET password='$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250' WHERE username='xx@xx';
sql> UPDATE mailbox SET password='{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD' WHERE username='xx@xx';
sql> UPDATE mailbox SET password='{SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=' WHERE username='xx@xx';
</pre>
* To store PLAIN-MD5, you have to prepend __{PLAIN-MD5}__ in your password hash:
<pre>sql> UPDATE mailbox SET password='{PLAIN-MD5}0d2bf3c712402f428d48fed691850bfc' WHERE username='xx@xx';</pre>
* To store plain password, you have to prepend __{PLAIN}__:
<pre>sql> UPDATE mailbox SET password='{PLAIN}123456' WHERE username='xx@xx';</pre>
###For OpenLDAP backends
User password is stored in LDAP user object, in attribute "userPassword".
* To store plain password, SSHA, SSHA512 password hash, just store them in original format. For example:
<pre>userPassword: 123456
userPassword: {SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD
userPassword: {SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=</pre>
* To store standard MD5 password (salted MD5 hash), please prepend __{crypt}__ in your password hash. For example:
<pre>userPassword: {crypt}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</pre>
__IMPORTANT NOTE__: If you want to input password hash with phpLDAPadmin, please choose "clear" in the password hash list in phpLDAPadmin, then input "{crypt}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250" (without quotes, of course).
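
Review bot: The removed phpLDAPadmin note spelled out the exact value to enter, `{crypt}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250`, and the first line of the file linked back to the original wiki page; the replacement text keeps neither. Consider carrying the example value into the new IMPORTANT NOTE so readers can see that the `{CRYPT}` prefix is typed as part of the field.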