Migrate mail_user passwords from ISPConfig3

Discussion in 'General' started by patrick3853, Feb 6, 2012.

  1. patrick3853

    patrick3853 New Member

    Quick question,

    I have installed and configured a new virtual email server based off this tutorial with a few changes:


    I have an existing server with ISPConfig3 and several hundred email accounts. Migrating the virtual emails accounts is pretty straight forward, but I'm stuck on the `password` field in the `mail_user` table. I have used MySQL's CRYPT function without any salt for `password` in my user table on the new server. This does not appear to be the same method ISPConfig3 is using in its `mail_user` table. Does it use a different encryption function and/or is any salt used? I want to use the same encryption method for the `password` field on my new server so I can simply import `email` and `password` from `mail_user` to the table on my new server. Thanks in advance for any help!
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig uses crypt with salt. The crypt method is named crypt-md5 and is the default that is used by most linux distributions e.g. for /etc/passwd
  3. patrick3853

    patrick3853 New Member

    Thanks Till. How can I find the salt that is used? I really don't want to ask several hundred email users to reset passwords.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    There is a description of the several crypt mechanisms avaialble on wikipedia:


    A crspt string is separated in 3 parts by the $ char, like $1$aaaaaaaa$bbbbbbbbb The first number (here 1) is the encryption mechanism while the aaaaa is the salt and the bbbbb is the resulting encrypted password.
  5. patrick3853

    patrick3853 New Member

    Thanks but I'm still a little confused. I have limited experience with encryption but I glanced at all the passwords in mail_user and they don't look anything like regular md5 hashes. This what i typically use by calling MD5('password'). What I'm looking for is the MySQL function I would call on a password value to generate the exact same encrypted value that 'password' would have in ISPConfig3's mail_user.

    For example, do I call ENCRYPT('password'), do I need to provide a salt value as the second argument, or do I use an entirely different function?
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    They are crypt-md5 hashes, not md5 hashes. Please read the wikipedia article if you like to know more about the encryption mechanisms on linux servers. You can crwate crypt passwords with the php crypt function and postfix, sasl, dovecot and courier have native support for this encryption, so you dont need a mysql command for it. Storing passwords as plain crypt is not secure against dictnary attacks, thst why it is not used for linux passworss and not used by ispconfig as well.
  7. patrick3853

    patrick3853 New Member

    Okay, I understand now. I was thinking that since CRYPT('password') did not create the same value as what was stored for 'password' in ISPConfig3's `mail_user` that the authentication would not work.

    What I just discovered is postfix/sasl/courier can authenticate with any of the different crypt methods. So actually, i can copy over the user and password field from mail_user to my email server's db yet use mysql's CRYPT('password') for any new passwords created and the authentication will work for both of them.

    Sorry, this the first virtual email server I have set up manually without using ISPConfig so I was confused about how the authentication works. Thanks for the quick education on crypt passwords. Now that I know the difference I will start using crypt-md5 in place of MySQL's MD5() or CRYPT() on everything. I had never really researched encryption so I always used one of those 2 methods.

    Figured I would post this in case anyone else has the same problem. Once again, thanks Till.
  8. patrick3853

    patrick3853 New Member

    So actually, there's one thing I still don't understand. How does postfix/sasl/courier authenticate the password without knowing the salt?

    For example, if I'm using php and do crypt('password', '$1$saltvalue$1') to generate a hash and store it in a db, when I go to check a user's login and compare what they typed against the hash stored in the db, would I not have to know what "saltvalue" is in order to compare the hashes? i.e.

    if (crypt($_POST['password'], '$1$saltvalue$') == $hash_from_db)
       // log user in
    So how can postfix, etc authenticate the password without knowing the salt value? Does it somehow figure out the salt based on the plain password provided and the hash, or is there a default salt (say first 6 characters of the password) and ISPConfig uses that same method so it happens to work with postfix, etc.?

    This may be something basic but I'm very new to the salt concept and what I found on google said you needed the salt value to compare a user provided password with the stored hash. I've got everything working but it just drives me crazy when I don't understand how something works lol.

Share This Page