1

Topic: Password hashes when migrating iRedMail between BSD and Linux

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.1.2
- Deployed with iRedMail Easy or the downloadable installer? download
- Linux/BSD distribution name and version: Debian 10.4
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

This is more of an application note than anything else. I did not see it covered in the iRedMail documentation or forum posts.

When migrating iRedMail between BSD and Linux systems, it's important to note that BSD and Linux use different hashing algorithms to store passwords. zhb discusses password hashes here:

https://docs.iredmail.org/password.hashes.html

This recently bit me when I migrated from a FreeBSD to a Debian server. The MariaDB databases _seemed_ to export and import OK, but logins to mail or SOGo or iRedAdmin-Pro wouldn't work because passwords were hashed using BCRYPT on the old FreeBSD system. BCRYPT is a BSD thing; Linux systems use salted SHA-512 (SSHA512) hashes.

After regenerating the password hashes with SSHA512 and updating the databases, logins worked OK. (This required changing any passwords I didn't know.)

There are tools in PHP and Python (and probably other ways) to generate SSHA512 hashes. Here's a snippet in Python:

https://gist.github.com/garrettreid/8329796

I have not verified that migrations from Linux to FreeBSD or OpenBSD would require changing hashes from SSHA512 to BCRYPT but I presume this would be a requirement there as well.


2

Re: Password hashes when migrating iRedMail between BSD and Linux

cvcvelo wrote:

BCRYPT is a BSD thing

Not anymore.

Dovecot-2.2 and earlier versions rely on the libc offered by the system, but the libc shipped in most Linux distributions doesn't support bcrypt, so Dovecot-2.2 doesn't support it.

But since 2.3, Dovecot supports bcrypt itself, so you don't need to reset passwords. Debian 10 ships Dovecot-2.3.4; your old passwords used on FreeBSD should work fine without any change.

Note: Dovecot uses scheme name/prefix "{BLF-CRYPT}" instead of "{BCRYPT}".
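
An added example, not part of either post and not the linked gist: a Python sketch that generates and verifies values in the {SSHA512} layout (the scheme prefix followed by base64 of SHA512(password + salt) with the salt appended) and groups an exported account list by scheme prefix, so entries carrying {BCRYPT} or {BLF-CRYPT} can be checked against the Dovecot version on the new host. The 8-byte salt, the function names and the sample rows are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA512}"
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes

def ssha512_hash(password, salt=None):
    """Return PREFIX + base64(SHA512(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt  # 8-byte salt is an assumption
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha512_verify(password, stored):
    """Recompute the digest with the salt carried in the stored value."""
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # malformed base64
        return False
    if len(raw) <= DIGEST_LEN:  # digest only, no salt: reject
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare

def scheme_of(stored):
    """Name the scheme from the '{...}' prefix, or spot a bare bcrypt string."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt, no prefix"
    return "unknown"

def group_by_scheme(rows):
    """Map scheme name -> usernames, for (username, stored_hash) rows."""
    groups = {}
    for user, stored in rows:
        groups.setdefault(scheme_of(stored), []).append(user)
    return groups

# Constructed sample rows; the bcrypt values are placeholders, not real hashes.
SAMPLE_ROWS = [
    ("alice@example.com", ssha512_hash("constructed-password")),
    ("bob@example.com", "{BLF-CRYPT}$2a$05$PLACEHOLDER-NOT-A-REAL-HASH"),
    ("carol@example.com", "{BCRYPT}$2a$05$PLACEHOLDER-NOT-A-REAL-HASH"),
]
```

Calling `group_by_scheme(SAMPLE_ROWS)` returns one list of usernames per scheme prefix found in the rows.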