diff --git a/en_US/migrations/2-password.hashes.md b/en_US/migrations/2-password.hashes.md
index 54b9b70f..f90368c1 100644
--- a/en_US/migrations/2-password.hashes.md
+++ b/en_US/migrations/2-password.hashes.md
@@ -41,16 +41,24 @@ __NOTES__:
* in iRedMail-0.9.0 and later versions: `SSHA512`
* in iRedMail-0.8.7 and earlier versions: `salted MD5`
-* For LDAP backend: `SSHA`.
+* For LDAP backends:
+ * in iRedMail-0.9.5 and later versions:
+ * Debian 8, Ubuntu 16.04, FreeBSD: `SSHA512`
+ * RHEL/CentOS 6/7, Ubuntu 14.04, OpenBSD: `SSHA`. OpenLDAP package
+ shipped in these distributions don't support SHA-2 password
+ verification by default.
+ * in iRedMail-0.9.4 and earlier versions: `SSHA`.
- OpenLDAP's builtin password verification doesn't support SHA-2 password
- hash formats directly, so if you have third-party applications which need
- OpenLDAP's builtin password verification, you'd better use `SSHA` hash.
+ !!! note
- But if you don't have this concern, it's ok to store `SSHA512/BCRYPT`
- hash as mail user password, then set `ldap_bind = no` in
- `/etc/dovecot/dovecot.conf`. SMTP/IMAP/POP3 services work with it, but
- Apache basic auth doesn't.
+ OpenLDAP's builtin password verification doesn't support SHA-2 password
+ hash formats directly, so if you have third-party applications which need
+ OpenLDAP's builtin password verification, you'd better use `SSHA` hash.
+
+ If you don't have such concern, it's ok to store `SSHA512/BCRYPT`
+ hash as mail user password, then set `ldap_bind = no` in
+ `/etc/dovecot/dovecot.conf`. SMTP/IMAP/POP3 services work with it, but
+ Apache basic auth doesn't.
## How to use different password hashes in iRedMail
diff --git a/html/password.hashes.html b/html/password.hashes.html
index e969d853..97267246 100644
--- a/html/password.hashes.html
+++ b/html/password.hashes.html
@@ -77,14 +77,27 @@ prepend {CRYPT}
prefix in password hash.
For LDAP backend: SSHA
.
For LDAP backends:
+SSHA512
SSHA
. OpenLDAP package
+ shipped in these distributions don't support SHA-2 password
+ verification by default.SSHA
.Note
OpenLDAP's builtin password verification doesn't support SHA-2 password
hash formats directly, so if you have third-party applications which need
OpenLDAP's builtin password verification, you'd better use SSHA
hash.
But if you don't have this concern, it's ok to store SSHA512/BCRYPT
+
If you don't have such concern, it's ok to store SSHA512/BCRYPT
hash as mail user password, then set ldap_bind = no
in
/etc/dovecot/dovecot.conf
. SMTP/IMAP/POP3 services work with it, but
Apache basic auth doesn't.