1 Topic by camel1cz

  • camel1cz
  • camel1cz
  • Member
  • Offline
  • From: Czech Republic
  • Registered: 2013-04-20
  • Posts: 220

Topic: Login of domain admin to iRedAdmin fails

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.4.0
- Deployed with iRedMail Easy or the downloadable installer? download
- Linux/BSD distribution name and version: Ubuntu 20.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I have passwords for most accounts in mailbox.password in format {MD5}wyrzTHhK7H1s8xjByoOWqA== (<<< random data, not MD5 sum). The format is copied over from first instalation from 2012.

Everything works fine, just when I grant such user domain admin rights, the user is unable to login to iredadmin (INVALID_CREDENTIALS).

I solved this by changing the password to the same one... stored now in SSHA512.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by Cthulhu

  • Cthulhu
  • Member
  • Offline
  • Registered: 2019-06-04
  • Posts: 907

Re: Login of domain admin to iRedAdmin fails

SSHA512 is way better than MD5.

new mail accounts are generated trough doveadm, which uses SSHA512 by default, maybe in the past it was MD5, but i guess it got dropped and iredadmin was changed to use SSHA512 by default.

i have no idea if you can change from SSHA512 to MD5, but i dodn't see a reason for this either because you should always prefer double salted SHA over MD5

3 Reply by camel1cz

  • camel1cz
  • camel1cz
  • Member
  • Offline
  • From: Czech Republic
  • Registered: 2013-04-20
  • Posts: 220

Re: Login of domain admin to iRedAdmin fails

Thanks for your notes, however it doesn't solve my situation (and possible situation of others).

I do not question the quality of hash algorithms, I just have this situation and have many accounts with old passwords hashed with MD5 which I cannot delegate as admins (there is no way to change MD5 to SSHA512). I even don't know if they can access iredadmin self-service as I don't use it nor propagate it to my users.

I think this should be addressed at least with hint like "change your password" instead of "wrong credentials".

4 Reply by Cthulhu

  • Cthulhu
  • Member
  • Offline
  • Registered: 2019-06-04
  • Posts: 907

Re: Login of domain admin to iRedAdmin fails

https://github.com/iredmail/iRedAdmin/b … ettings.py

after installation, you should be able to change the default password sheme, but for sql backends, you cant use different shemes, so every account witch is useing ssha now wont be able to login anymore after the change

5 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Login of domain admin to iRedAdmin fails

Both MD5 and SSHA are supported by iRedAdmin-Pro, login should be fine.
May need further debug to figure out why it doesn't work on your server. sad