change mailuser password hash algorithm

Discussion in 'Installation/Configuration' started by gring, Apr 9, 2009.

  1. gring

    gring HowtoForge Supporter

    Hi,

    Where can I set the hash algorithm used to store the mailusers passwords (and ftp users too)?

    I'd like to store them in clear instead of crypt, for future migrations.

    And by the way, where can I find a list of the "special words" ( [domain], [client_id] etc...) that are usable in the server config menu?

    Thanks
     
  2. till

    till Super Moderator

The algorithm can be set in the form definition file of the interface form, e.g. the mail user form.

    It is a very big security risk and you should not do this.

There is no such list.
     
  3. gring

    gring HowtoForge Supporter

    Hi Till, Thanks for your answer.

    For those who want to do the same thing, look for the file

    mail_user.tform.php

and then, inside the file, look for "CRYPT" and replace it with "CLEARTEXT".

    Now, I will try to make the list of the special words and post it in the forum.

    Thanks!
     
  4. gring

    gring HowtoForge Supporter

Note that, when using courier, you have to:

edit courier's MySQL auth config file (/etc/courier/authmysqlrc in Debian / Ubuntu),

comment the line "MYSQL_CRYPT_PWFIELD password"
and uncomment the line "MYSQL_CLEAR_PWFIELD password".
     
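As an added example (not code from the thread or from ISPConfig or courier), this audits which password field an authmysqlrc file leaves active, so a defender can spot the cleartext variant described in the post above. The two sample configs are constructed here; real files contain further directives.

```python
# Added example: classify the password-field mode of a courier authmysqlrc.
# Sample config text is constructed, not taken from any real server.
import re

# Constructed sample: crypt field active (the ISPConfig default layout).
AUTHMYSQLRC_CRYPT = """\
MYSQL_SERVER localhost
MYSQL_USERNAME courier
MYSQL_DATABASE mail
MYSQL_CRYPT_PWFIELD password
#MYSQL_CLEAR_PWFIELD password
"""

# Constructed sample: the change from the post (crypt commented, clear active).
AUTHMYSQLRC_CLEAR = AUTHMYSQLRC_CRYPT.replace(
    "MYSQL_CRYPT_PWFIELD", "#MYSQL_CRYPT_PWFIELD"
).replace("#MYSQL_CLEAR_PWFIELD", "MYSQL_CLEAR_PWFIELD")

_DIRECTIVE = re.compile(r"^\s*([A-Z_]+)\s+(.*?)\s*$")


def parse_authmysqlrc(text: str) -> dict:
    """Return only the active (uncommented) directives as a name -> value map."""
    active = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are inactive
        m = _DIRECTIVE.match(line)
        if m:
            active[m.group(1)] = m.group(2)
    return active


def password_mode(text: str) -> str:
    """'crypt', 'cleartext', 'both' (both columns active) or 'none'."""
    active = parse_authmysqlrc(text)
    has_crypt = "MYSQL_CRYPT_PWFIELD" in active
    has_clear = "MYSQL_CLEAR_PWFIELD" in active
    if has_crypt and has_clear:
        return "both"
    return "crypt" if has_crypt else ("cleartext" if has_clear else "none")


def audit(text: str) -> list:
    """Findings a defender wants: any readable cleartext password column."""
    mode = password_mode(text)
    findings = []
    if mode in ("cleartext", "both"):
        findings.append("MYSQL_CLEAR_PWFIELD active: passwords readable in clear")
    if mode == "none":
        findings.append("no password field configured: courier cannot authenticate")
    return findings
```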
  5. gring

    gring HowtoForge Supporter

Hum... This creates a problem with Postfix SASL auth.

The file /etc/postfix/sasl/smtpd.conf contains the configuration for SMTP authentication, but I can't find where the mail_user's password hash algorithm is defined.
     
  6. gring

    gring HowtoForge Supporter

One dirty way would be to modify the SQL command in /etc/postfix/sasl/smtpd.conf to make MySQL crypt the password when asked for it, but how do I do that? encrypt(password) doesn't seem to work...

    help!
     
  7. gring

    gring HowtoForge Supporter

Setting "crypt=0" in the two lines of /etc/pam.d/smtp seems to do the trick...
     
  8. till

    till Super Moderator

Please be aware that this is very insecure! ISPConfig encrypts the passwords with crypt and salt to ensure that nobody can decrypt them. If you store them unencrypted and someone hacks your server, he will get all passwords in a format that he might use to attack other services, as many people tend to use the same password for different websites.
     
  9. gring

    gring HowtoForge Supporter

    Hum, I tried to install the roundcube password plugin, but the passwords are stored encrypted through it.

    What should I change so the mail_user passwords are stored in CLEARTEXT? Is it in ./interface/lib/classes/remoting_lib.inc.php ?

    Thanks!
     
  10. till

    till Super Moderator

You should never store user passwords in cleartext. Storing passwords in cleartext is a security nightmare, so never do this. Users tend to use the same password for a lot of things, so if someone might hack your server or get access to your database, then he might get passwords for e.g. PayPal or other payment related things too in cleartext.
     
  11. gring

    gring HowtoForge Supporter

    I'm very aware of that, but this is for a small, particular server, where the users don't put their secure passwords and use these accounts only for particular purposes. It's not something I would do on a large server with a lot of people.

Anyway, for a big server, I would instead store the passwords with a reversible encryption (like many installations of vpopmail) with a key stored outside the database, or send the passwords to a write-only and secured database before encrypting them.
    So, it would still be good to know how to set the hash algorithm.
     
  12. till

    till Super Moderator

    You will have to set the encryption in the form files to cleartext.

That's not secure either, as a hacker can simply use the master password to decrypt the user passwords. It's a bit safer than cleartext but still nothing that should be used on a production system. Or you need a good insurance if your users start to sue you, and you should ask your insurance first if they would even pay when you use a reversible encryption ;)
     