#1
6th February 2012, 21:20
patrick3853
Migrate mail_user passwords from ISPConfig3

Quick question,

I have installed and configured a new virtual email server based off this tutorial with a few changes:

http://www.howtoforge.com/virtual-us...l-ubuntu-11.10

I have an existing server with ISPConfig3 and several hundred email accounts. Migrating the virtual email accounts is pretty straightforward, but I'm stuck on the `password` field in the `mail_user` table. I have used MySQL's CRYPT function without any salt for `password` in my user table on the new server. This does not appear to be the same method ISPConfig3 is using in its `mail_user` table. Does it use a different encryption function and/or is any salt used? I want to use the same encryption method for the `password` field on my new server so I can simply import `email` and `password` from `mail_user` to the table on my new server. Thanks in advance for any help!

#2
7th February 2012, 08:25
till

ISPConfig uses crypt with salt. The crypt method is named crypt-md5 and is the default that is used by most Linux distributions, e.g. for /etc/passwd.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#3
7th February 2012, 16:29
patrick3853

Thanks Till. How can I find the salt that is used? I really don't want to ask several hundred email users to reset passwords.

#4
7th February 2012, 16:53
till

There is a description of the several crypt mechanisms available on Wikipedia:

http://en.wikipedia.org/wiki/Crypt_(...5-based_scheme

A crypt string is separated in 3 parts by the $ char, like $1$aaaaaaaa$bbbbbbbbb. The first number (here 1) is the encryption mechanism, while the aaaaa is the salt and the bbbbb is the resulting encrypted password.

#5
7th February 2012, 17:46
patrick3853

Thanks, but I'm still a little confused. I have limited experience with encryption, but I glanced at all the passwords in mail_user and they don't look anything like regular md5 hashes. This is what I typically use by calling MD5('password'). What I'm looking for is the MySQL function I would call on a password value to generate the exact same encrypted value that 'password' would have in ISPConfig3's mail_user.

For example, do I call ENCRYPT('password'), do I need to provide a salt value as the second argument, or do I use an entirely different function?

#6
7th February 2012, 19:18
till

They are crypt-md5 hashes, not md5 hashes. Please read the Wikipedia article if you would like to know more about the encryption mechanisms on Linux servers. You can create crypt passwords with the PHP crypt function, and postfix, sasl, dovecot and courier have native support for this encryption, so you don't need a MySQL command for it. Storing passwords as plain crypt is not secure against dictionary attacks, that's why it is not used for Linux passwords and not used by ISPConfig as well.

#7
7th February 2012, 21:13
patrick3853

Okay, I understand now. I was thinking that since CRYPT('password') did not create the same value as what was stored for 'password' in ISPConfig3's `mail_user` that the authentication would not work.

What I just discovered is postfix/sasl/courier can authenticate with any of the different crypt methods. So actually, I can copy over the user and password field from mail_user to my email server's db yet use MySQL's CRYPT('password') for any new passwords created and the authentication will work for both of them.

Sorry, this is the first virtual email server I have set up manually without using ISPConfig so I was confused about how the authentication works. Thanks for the quick education on crypt passwords. Now that I know the difference I will start using crypt-md5 in place of MySQL's MD5() or CRYPT() on everything. I had never really researched encryption so I always used one of those 2 methods.

Figured I would post this in case anyone else has the same problem. Once again, thanks Till.

#8
8th February 2012, 00:41
patrick3853

So actually, there's one thing I still don't understand. How does postfix/sasl/courier authenticate the password without knowing the salt?

For example, if I'm using php and do crypt('password', '$1$saltvalue$1') to generate a hash and store it in a db, when I go to check a user's login and compare what they typed against the hash stored in the db, would I not have to know what "saltvalue" is in order to compare the hashes? i.e.

Code:
if (crypt($_POST['password'], '$1$saltvalue$') == $hash_from_db)
{
   // log user in
}
So how can postfix, etc authenticate the password without knowing the salt value? Does it somehow figure out the salt based on the plain password provided and the hash, or is there a default salt (say first 6 characters of the password) and ISPConfig uses that same method so it happens to work with postfix, etc.?

This may be something basic but I'm very new to the salt concept and what I found on google said you needed the salt value to compare a user provided password with the stored hash. I've got everything working but it just drives me crazy when I don't understand how something works lol.
Reply With Quote
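
The question in the last post, worked through as an added example (not part of the thread and not ISPConfig code): a crypt string carries its own scheme id and salt, so a verifier passes the stored hash itself as the salt argument and compares the result. The function names, addresses, salts and passwords below are constructed for illustration; the second row stands in for a traditional two-character-salt crypt hash.

```php
<?php
// Added example. All sample data is constructed.

/** Identify the scheme and salt embedded in a stored crypt(3) string. */
function describe_crypt_hash(string $stored): array
{
    // Modular format $1$<salt>$<digest>: id 1 is MD5-crypt, salt is at most 8 chars.
    if (preg_match('#^\$1\$([./0-9A-Za-z]{0,8})\$[./0-9A-Za-z]{22}$#', $stored, $m)) {
        return ['scheme' => 'md5-crypt', 'salt' => $m[1]];
    }
    // Traditional crypt: 13 chars, the first two are the salt.
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $stored)) {
        return ['scheme' => 'des-crypt', 'salt' => substr($stored, 0, 2)];
    }
    return ['scheme' => 'unknown', 'salt' => null];
}

/** Check a candidate password against a stored hash without a separate salt column. */
function verify_password(string $candidate, string $stored): bool
{
    if (describe_crypt_hash($stored)['scheme'] === 'unknown') {
        return false; // refuse anything that is not a recognised hash, e.g. plaintext
    }
    // crypt() reads the scheme id and salt from the front of $stored and
    // ignores the digest part, so the stored value doubles as the "salt".
    $recomputed = crypt($candidate, $stored);
    return hash_equals($stored, $recomputed); // constant-time comparison
}

// Constructed rows: one migrated MD5-crypt hash, one traditional crypt hash.
$rows = [
    'migrated@example.com' => ['pw' => 's3cret-one', 'hash' => crypt('s3cret-one', '$1$Xk3.9aBc$')],
    'created@example.com'  => ['pw' => 's3cret-two', 'hash' => crypt('s3cret-two', 'ab')],
];

foreach ($rows as $email => $row) {
    $info = describe_crypt_hash($row['hash']);
    printf(
        "%-22s scheme=%-9s salt=%-8s correct=%s wrong=%s\n",
        $email,
        $info['scheme'],
        $info['salt'],
        var_export(verify_password($row['pw'], $row['hash']), true),
        var_export(verify_password('not-the-password', $row['hash']), true)
    );
}
```

Both rows verify with the same function because the scheme is selected by the prefix of the stored string, which is why hashes copied from `mail_user` and hashes created differently can sit in the same column.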