
Postfix mailbox -> Qmail Maildir conversion FreeBSD hash -> MD5 hash in vpopmail compatibility?

Posted on 2008-10-28
Last Modified: 2013-12-16
Hi all. I am migrating a server from Postfix with mailboxes (system users) to Qmail with Maildirs (virtual users). I'm using vpopmail for the backend.

The postfix accounts are on FreeBSD of which I have the salted hashes. Preferably I migrate these accounts without the users having to change their password. Is Vpopmail compatible? From what I understand, the MD5 hash in vpopmail is not salted. Is there any way to make it compatible? Or is there any other way you can suggest to make this work without the users having to change their password?
Question by:Xyptilon2
6 Comments
 

Expert Comment

by:Daniel McAllister
ID: 22844535
OK... some basic cryptography here... You cannot take a hashed value of someone's password and "convert it" to the same password that uses a different hash. This applies to salted vs. unsalted hashes just as much as if you were converting from an MD5 hash to an SHA1 hash. Sorry to bring you bad news, but you're going to have to make them change their passwords for this one.

I'm assuming you've already concerned yourself with the mbox to maildir transformation... that is sometimes NOT trivial! (If not, see http://perfectmaildir.home-dn.net for a perl script that can perform the task on a per-mailbox basis.) Based upon its command-line interface, writing a bash shell front end for your entire domain shouldn't be a problem.

I hope this helps...

Dan
IT4SOHO
0
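
The salted-versus-unsalted distinction in this thread turns on how each hash is stored. As an added example (not part of the original posts), this shell function inventories master.passwd-style lines by crypt scheme and salt; the accounts and hash strings are constructed, and the prefix-to-scheme mapping follows the standard modular crypt format.

```shell
#!/bin/sh
# Added example: classify stored password hashes by crypt scheme and salt.
# Field 2 of a master.passwd line holds "$<id>$<salt>$<digest>" (modular crypt
# format). All accounts and hash strings below are constructed, not real.
SAMPLE_PASSWD='alice:$1$Qx7kLm2p$0123456789abcdefghijkl:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2b$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$6$saltsalt$constructedPlaceholderDigest:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave:*:1004:1004::0:0:Dave:/home/dave:/usr/sbin/nologin
erin:abJnggxhB/yWI:1005:1005::0:0:Erin:/home/erin:/bin/sh'

hash_inventory() {   # stdin: master.passwd-style lines; stdout: "user scheme salt"
    awk -F: '
    {
        h = $2; scheme = "unknown"; salt = "-"
        n = split(h, p, "[$]")     # "$1$salt$digest" -> "", "1", "salt", "digest"
        if (h == "" || h ~ /^\*/) {
            scheme = "no-login"                    # "*" or "*LOCKED*..." entries
        } else if (n >= 4 && p[2] == "1") {
            scheme = "md5-crypt"; salt = p[3]
        } else if (n >= 4 && p[2] ~ /^2[abxy]?$/) {
            scheme = "bcrypt"; salt = substr(p[4], 1, 22)   # salt follows the cost
        } else if (n >= 4 && (p[2] == "5" || p[2] == "6")) {
            scheme = (p[2] == "5") ? "sha256-crypt" : "sha512-crypt"
            salt = (p[3] ~ /^rounds=/) ? p[4] : p[3]
        } else if (length(h) == 13 && h !~ /[$]/) {
            scheme = "des-crypt"; salt = substr(h, 1, 2)
        }
        print $1, scheme, salt
    }'
}

scheme_counts() {    # stdin: hash_inventory output; stdout: "scheme count", sorted
    awk '{ c[$2]++ } END { for (s in c) print s, c[s] }' | sort
}

printf '%s\n' "$SAMPLE_PASSWD" | hash_inventory
printf '%s\n' "$SAMPLE_PASSWD" | hash_inventory | scheme_counts
```

The salt column is what a verifier must feed back into the same scheme when checking a login, which is why the target system has to implement that scheme to accept the stored value unchanged.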
 

Author Comment

by:Xyptilon2
ID: 22855833
Hi it4soho, thanks for the reply. Yes, I know the hashes cannot be converted, and brute forcing them only results in a number of the passwords; some are too strong. My question was more (but perhaps wrongly phrased) about whether vpopmail can support these FreeBSD hashes instead of the normal MD5 hash?

Expert Comment

by:Daniel McAllister
ID: 22868046
Ah... well then, I believe that there is a significant misunderstanding here.

In general, VPopMail uses a MySQL database backend for email accounts. It's actually one of the best arguments FOR using VPopMail -- email users do not HAVE to have a user account! This is one reason why the default access method for VPopMail is to use the entire email address (instead of just the user name) -- thus, the auth username for VPopmail is user@mydomain.tld, not just user. (Like all things *nix, this too can be changed so that there is a default domain name applied).

So, unless you're trying to force VPopMail to use the Debian User Database (or make Debian use the vpopmail email user database), then it's a moot point.

Now, if user security is an issue, we have another problem: VPopMail stored both a hashed AND a cleartext copy of the email account password in the MySQL database. This is to allow Admins to be able to TELL users their passwords. If you want that turned off, there is a simple patch to disable the cleartext copy.

You may want to check out a couple of qmail on debian websites:

http://wiki.debian.iuculano.it/quick_howto
http://www.debian-administration.org/articles/416

In addition, you may be interested in the QMail Toaster project. While it doesn't support Debian specifically, since all of the RPM packages are SRC packages, if you're a talented Debian Admin, you could probably get them all to install & work in about a day. The Qmail Toaster project is on the web at http://www.qmailtoaster.com

Good Luck!

Dan
it4soho

Author Comment

by:Xyptilon2
ID: 22869852
The thing is, we've two mailservers running now with several thousand domains and tens of thousands of popboxes. all a patched qmail + vpopmail, all working great :)

Now we have 1 postfix server with system users, less than 50 mailboxes that we want to migrate to our other platform, preferably without letting them change their passwords....

But judging from what I read, that doesn't look like it's going to be easily feasible.

Accepted Solution

by:Daniel McAllister
ID: 22870508
Hmmmm... definitely not... the QMail/VPopMail solution does not have a facility (that I am aware of) that will use the system auth vs. the MySQL auth.

Have you thought about making the QMail server just a scanner for that one domain? Make the DNS MX entries point to the QMail server, but make an entry in the SMTPROUTES file (probably in /var/qmail/control) that forces all mail for that domain to go to your PostFix server. The entry might look like:

    mypostfixdomain.tld:postfix-server.local

where postfix-server.local resolves to your postfix server.

In addition, you'll need to make the entry in RCPTHOSTS (also most likely in /var/qmail/control) so that QMail knows to accept & route mail for that domain.

That way, users could still send & receive messages on the postfix server they're used to, but inbound messages would go through the QMail system (which presumably has SPAM & virus filtering enabled).

If that's not a viable option, then I hate to be the bearer of bad news, but in the words of the old New Hampshire Democrat: "Ya con't get they-a from heeya" (say it out loud, and remember the THICK NE accent, if you don't get it). You'll need to have those users reconfigure their clients to access QMail on the new server with both username & password changes.

Good luck!

Dan
IT4SOHO
0
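
The routing setup from the accepted answer, as an added example that is not part of the original post: it stages the `rcpthosts` and `smtproutes` entries in a scratch directory and checks that a domain has both. The `CONTROL` variable and the function names are assumptions made here, and only exact-domain entries are handled.

```shell
#!/bin/sh
# Added example: stage the two qmail control-file entries in a scratch
# directory and verify they agree. CONTROL is a temp dir by default; the
# thread places the real files in /var/qmail/control.
CONTROL=${CONTROL:-$(mktemp -d)}

add_line() {       # append line "$2" to file "$1" unless it is already there
    touch "$1"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

route_domain() {   # route_domain <domain> <relay-host>
    add_line "$CONTROL/rcpthosts" "$1"             # accept mail for the domain
    touch "$CONTROL/smtproutes"
    # Drop any older route for this domain so exactly one entry remains.
    awk -F: -v d="$1" '$1 != d' "$CONTROL/smtproutes" > "$CONTROL/smtproutes.new"
    printf '%s:%s\n' "$1" "$2" >> "$CONTROL/smtproutes.new"
    mv "$CONTROL/smtproutes.new" "$CONTROL/smtproutes"
}

check_domain() {   # prints "ok -> relay", "not-accepted" or "no-route"
    grep -qxF -- "$1" "$CONTROL/rcpthosts" 2>/dev/null ||
        { echo not-accepted; return 1; }
    relay=$(awk -F: -v d="$1" '$1 == d { print $2; exit }' \
        "$CONTROL/smtproutes" 2>/dev/null)
    # Accepted but unrouted is the misconfiguration to catch: the mail is
    # taken in, yet nothing forces it on to the back-end server.
    [ -n "$relay" ] || { echo no-route; return 1; }
    echo "ok -> $relay"
}

# Domain and relay names are the placeholders used in the answer above.
route_domain mypostfixdomain.tld postfix-server.local
check_domain mypostfixdomain.tld
```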
 

Author Closing Comment

by:Xyptilon2
ID: 31510662
Not what I wanted to hear... yeah, I know I can use smtproutes, but the idea is to get rid of the postfix server altogether... anyway thanks :) we'll just generate new passwords.