1

Topic: Migrated passwords / iredadmin don't like sha512

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I have iredadmin 3.3 mysql.

I am working on migrating a mail server that uses dovecot and user account passwords stored in ssha512 format.

password' => "random123!@#"

source hash =>
$6$dxg70bhVRTKVv3WW$bjZCbdnFkI00u9dsSubOlpiq8UZmgrD75mIExrsWb3aw37QlkWOwQuzVZKFXjINYmagWrhxqh4GJUzCUHq3rV.',

I can create the user and such on my system, and I can poke the above value into the database directly and then I can proceed to log in to webmail etc. with the cleartext password as you would expect. HOWEVER, I cannot log into iredadmin as that same user/password. HOWEVER, if I use the iredadmin web interface to set the password, then I can. Here's a dump from the db directly after changing the password to the above string:

'password' => '{SSHA512}S7KAbDzjXcSVsCof3gSrSmxYi9GzZ26XlXssl+uf2mHC8tCxxKAM83DyGD0MAQOnQWVGi93zIb9tcdiJcV0UviXYDVKew3/e

(Yes I know the salt makes the strings different)

What I am trying to accomplish here is a migration from one server with users and their hashed/salted passwords, and obviously I don't know what they are. The source hash should be compatible, and dovecot still likes my "$6$" prefixed hash, but iredadmin does not. I suspect it could be an easy fix however.

Thank you


2

Re: Migrated passwords / iredadmin don't like sha512

Please store the password with the "{SHA512-CRYPT}" prefix in the SQL db, then patch iRedAdmin-Pro to support it. Note: restarting the "iredadmin" service is required after patching.

diff -r 647cc1cbb4ee libs/iredpwd.py
--- a/libs/iredpwd.py   Wed Jun 19 14:32:58 2019 +0800
+++ b/libs/iredpwd.py   Wed Jun 19 14:35:15 2019 +0800
@@ -468,6 +468,8 @@
         return verify_cram_md5_password(challenge_password, plain_password)
     elif upwd.startswith('{NTLM}'):
         return verify_ntlm_password(challenge_password, plain_password)
+    elif upwd.startswith('{SHA512-CRYPT}'):
+        return verify_password_with_doveadmpw(challenge_password, plain_password)
 
     return False
 
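
Review bot: the new `elif upwd.startswith('{SHA512-CRYPT}')` branch only matches a stored value that already carries the prefix, so a migrated hash stored bare (starting with `$6$`, as in the first post) still falls through to `return False`. Either accept the bare `$6$` form here as well, or state in the upgrade notes that migrated hashes must be re-stored with the prefix. The branch also hands verification to `verify_password_with_doveadmpw`, and the note under the patch says SHA512-CRYPT is not available through "doveadm pw" on BSD, so it is worth confirming that the helper returns False rather than raising when the scheme is unsupported, and adding a test for that case.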

Verified locally and it works for me. This patch will be available in the next iRedAdmin-Pro release.

Note: SHA512-CRYPT is not available on BSD systems with "doveadm pw" (actually openssl/libressl).
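
An added example, not iRedAdmin code and not written by either poster: a pre-import check for migrated hashes that tells the two formats in this thread apart and adds the `{SHA512-CRYPT}` prefix to bare `$6$` values before they go into the SQL db. The function names are hypothetical, and the SSHA512 layout is assumed to be base64(SHA-512(password + salt) + salt), which is a different algorithm from SHA512-crypt and not just a different salt.

```python
import base64
import hashlib
import hmac
import os
import re

# Hash quoted in the first post (password "random123!@#").
POSTED_HASH = ("$6$dxg70bhVRTKVv3WW$bjZCbdnFkI00u9dsSubOlpiq8UZmgrD75mIExrsWb3aw"
               "37QlkWOwQuzVZKFXjINYmagWrhxqh4GJUzCUHq3rV.")
PREFIX = "{SHA512-CRYPT}"
# Shape of a SHA512-crypt string: $6$[rounds=N$]salt$86-character digest
CRYPT_RE = re.compile(r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")


def classify(stored):
    """Name the scheme of a stored hash, or return None if unrecognised."""
    upper = stored.upper()
    if upper.startswith("{SSHA512}"):
        return "SSHA512"
    if upper.startswith(PREFIX):
        return "SHA512-CRYPT" if CRYPT_RE.match(stored[len(PREFIX):]) else None
    return "bare-sha512-crypt" if CRYPT_RE.match(stored) else None


def normalize_for_import(stored):
    """Prefix a bare $6$ hash; leave every other value untouched."""
    return PREFIX + stored if classify(stored) == "bare-sha512-crypt" else stored


def make_ssha512(plain, salt=None):
    """Build an {SSHA512} value: one SHA-512 pass, salt appended, base64."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha512(plain.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()


def verify_ssha512(stored, plain):
    """Check a password against an {SSHA512} value in constant time."""
    raw = base64.b64decode(stored[len("{SSHA512}"):])
    digest, salt = raw[:64], raw[64:]  # SHA-512 digest is 64 bytes, rest is salt
    return hmac.compare_digest(digest, hashlib.sha512(plain.encode() + salt).digest())


if __name__ == "__main__":
    print(classify(POSTED_HASH), "->", normalize_for_import(POSTED_HASH)[:20] + "...")
    sample = make_ssha512("constructed-pass")  # constructed sample value
    print(classify(sample), verify_ssha512(sample, "constructed-pass"))
```

Verifying the `$6$` value itself still needs a crypt(3) implementation such as the "doveadm pw" path the patch relies on; this check only decides how a migrated row should be stored.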