162 lines
7.5 KiB
HTML
162 lines
7.5 KiB
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<title>Password hashes</title>
|
|
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
|
|
</head>
|
|
<body>
|
|
|
|
<div id="navigation">
|
|
<a href="https://www.iredmail.org" target="_blank">
|
|
<img alt="iRedMail web site"
|
|
src="./images/logo-iredmail.png"
|
|
style="vertical-align: middle; height: 30px;"
|
|
/>
|
|
<span>iRedMail</span>
|
|
</a>
|
|
// <a href="./index.html">Document Index</a></div><div class="admonition note">
|
|
<p class="admonition-title">This tutorial is available in other languages. <a href="https://github.com/iredmail/docs">Help translate more</a></p>
|
|
<p><a href="./password.hashes-zh_CN.html">简体中文</a> /</p>
|
|
</div>
|
|
<h1 id="password-hashes">Password hashes</h1>
|
|
<div class="toc">
|
|
<ul>
|
|
<li><a href="#password-hashes">Password hashes</a><ul>
|
|
<li><a href="#password-hashes-supported-by-iredmail">Password hashes supported by iRedMail</a></li>
|
|
<li><a href="#default-password-schemes-used-in-iredmail">Default password schemes used in iRedMail</a></li>
|
|
<li><a href="#how-to-use-different-password-hashes-in-iredmail">How to use different password hashes in iRedMail</a><ul>
|
|
<li><a href="#for-mysql-and-postgresql-backends">For MySQL and PostgreSQL backends</a></li>
|
|
<li><a href="#for-openldap-backend">For OpenLDAP backend</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#see-also">See also</a></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<h2 id="password-hashes-supported-by-iredmail">Password hashes supported by iRedMail</h2>
|
|
<p>iRedMail configures Postfix to use Dovecot as SASL authenticate server, so all
|
|
password schemes supported by Dovecot can be used in Postfix. Please refer to
|
|
Dovecot wiki page
|
|
<a href="http://wiki2.dovecot.org/Authentication/PasswordSchemes"><code>Password Schemes</code></a>
|
|
for more details.</p>
|
|
<p>Below password schemes are supported in iRedAdmin-Pro (which means you can add new mail user with either one):</p>
|
|
<ol>
|
|
<li>SSHA512. e.g. <code>{SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=</code></li>
|
|
<li>BCRYPT. e.g. <code>{CRYPT}$2a$05$TKnXV39M3uJ4o.AbY1HbjeAval9bunHbxd0.6Qn782yKoBjTEBXTe</code></li>
|
|
<li>SSHA. e.g. <code>{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD</code></li>
|
|
<li>
|
|
<p>MD5 (salted). For example:</p>
|
|
<ul>
|
|
<li>with a prefix: <code>{CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</code></li>
|
|
<li>without a prefix: <code>$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</code></li>
|
|
</ul>
|
|
<p><strong>Important note</strong>: SOGo groupware doesn't support MD5 without a prefix, so
|
|
if you're going to migrate MD5 password hash from old mail server, please
|
|
prepend <code>{CRYPT}</code> prefix in password hash.</p>
|
|
</li>
|
|
<li>
|
|
<p>PLAIN-MD5 (without a salt). e.g. <code>0d2bf3c712402f428d48fed691850bfc</code></p>
|
|
</li>
|
|
<li>Plain text. e.g. <code>123456</code></li>
|
|
</ol>
|
|
<p><strong>WARNING</strong>: MD5, PLAIN-MD5 and plain password are weak, please don't use them.</p>
|
|
<p><strong>NOTES</strong>:</p>
|
|
<ul>
|
|
<li><code>BCRYPT</code> is only available on BSD systems, because <code>libc</code> shipped in Linux
|
|
doesn't support bcrypt.</li>
|
|
</ul>
|
|
<h2 id="default-password-schemes-used-in-iredmail">Default password schemes used in iRedMail</h2>
|
|
<ul>
|
|
<li>
|
|
<p>For MySQL and PostgreSQL backends:</p>
|
|
<ul>
|
|
<li>in iRedMail-0.9.0 and later versions: <code>SSHA512</code></li>
|
|
<li>in iRedMail-0.8.7 and earlier versions: <code>salted MD5</code></li>
|
|
</ul>
|
|
</li>
|
|
<li>
|
|
<p>For LDAP backends:</p>
|
|
<ul>
|
|
<li>in iRedMail-0.9.5 and later versions:<ul>
|
|
<li>Debian 8, Ubuntu 16.04, FreeBSD: <code>SSHA512</code></li>
|
|
<li>RHEL/CentOS 6/7, Ubuntu 14.04, OpenBSD: <code>SSHA</code>. OpenLDAP package
|
|
shipped in these distributions don't support SHA-2 password
|
|
verification by default.</li>
|
|
</ul>
|
|
</li>
|
|
<li>in iRedMail-0.9.4 and earlier versions: <code>SSHA</code>.</li>
|
|
</ul>
|
|
<div class="admonition note">
|
|
<p class="admonition-title">Note</p>
|
|
<p>OpenLDAP's builtin password verification doesn't support SHA-2 password
|
|
hash formats directly, so if you have third-party applications which need
|
|
OpenLDAP's builtin password verification, you'd better use <code>SSHA</code> hash.</p>
|
|
<p>If you don't have such concern, it's ok to store <code>SSHA512/BCRYPT</code>
|
|
hash as mail user password, then set <code>ldap_bind = no</code> in
|
|
<code>/etc/dovecot/dovecot.conf</code>. SMTP/IMAP/POP3 services work with it, but
|
|
Apache basic auth doesn't.</p>
|
|
</div>
|
|
</li>
|
|
</ul>
|
|
<h2 id="how-to-use-different-password-hashes-in-iredmail">How to use different password hashes in iRedMail</h2>
|
|
<h3 id="for-mysql-and-postgresql-backends">For MySQL and PostgreSQL backends</h3>
|
|
<p>All mail users are stored in SQL table <code>vmail.mailbox</code>, user password is stored
|
|
in SQL column <code>mailbox.password</code>. For example (Note: you should replace <code>xx@xx</code>
|
|
with your real email address):</p>
|
|
<pre><code>sql> USE vmail;
|
|
|
|
sql> UPDATE mailbox SET password='$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250' WHERE username='xx@xx';
|
|
sql> UPDATE mailbox SET password='{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD' WHERE username='xx@xx';
|
|
sql> UPDATE mailbox SET password='{SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=' WHERE username='xx@xx';
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>To store PLAIN-MD5, you have to prepend <code>{PLAIN-MD5}</code> in your password hash:</li>
|
|
</ul>
|
|
<pre><code>sql> USE vmail;
|
|
sql> UPDATE mailbox SET password='{PLAIN-MD5}0d2bf3c712402f428d48fed691850bfc' WHERE username='xx@xx';
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>To store plain password, you have to prepend <code>{PLAIN}</code>:</li>
|
|
</ul>
|
|
<pre><code>sql> USE vmail;
|
|
sql> UPDATE mailbox SET password='{PLAIN}123456' WHERE username='xx@xx';
|
|
</code></pre>
|
|
|
|
<h3 id="for-openldap-backend">For OpenLDAP backend</h3>
|
|
<p>User password is stored in attribute <code>userPassword</code> of user object.</p>
|
|
<ul>
|
|
<li>To store plain password, SSHA, SSHA512 password hash, just store them in
|
|
original format. For example:</li>
|
|
</ul>
|
|
<pre><code>userPassword: 123456
|
|
userPassword: {SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD
|
|
userPassword: {SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs...
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>To store standard MD5 password (salted MD5 hash), please prepend <code>{CRYPT}</code>
|
|
(case insensitive) in your password hash. For example:
|
|
<code>userPassword: {CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</code></li>
|
|
</ul>
|
|
<p><strong>IMPORTANT NOTE</strong>: If you want to input password hash with phpLDAPadmin,
|
|
please choose <code>clear</code> in the password hash list, then input password hash.</p>
|
|
<h2 id="see-also">See also</h2>
|
|
<ul>
|
|
<li><a href="./reset.user.password.html">Reset user password</a></li>
|
|
</ul><div class="footer">
|
|
<p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
|
|
</div>
|
|
<!-- Global site tag (gtag.js) - Google Analytics -->
|
|
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-3293801-21"></script>
|
|
<script>
|
|
window.dataLayer = window.dataLayer || [];
|
|
function gtag(){dataLayer.push(arguments);}
|
|
gtag('js', new Date());
|
|
|
|
gtag('config', 'UA-3293801-21');
|
|
</script>
|
|
</body></html> |