Postfix mailbox -> Qmail Maildir conversion FreeBSD hash -> MD5 hash in vpopmail compatibility?

Hi all. I am migrating a server from Postfix with mailboxes (system users) to Qmail with Maildirs (virtual users). I'm using vpopmail for the backend.

The postfix accounts are on FreeBSD, of which I have the salted hashes. Preferably I migrate these accounts without the users having to change their password. Is Vpopmail compatible? From what I understand, the MD5 hash in vpopmail is not salted. Is there any way to make it compatible? Or is there any other way you can suggest to make this work without the users having to change their password?
Xyptilon2 asked:

Daniel McAllister (President, IT4SOHO, LLC) commented:
OK... some basic cryptography here... You cannot take a hashed value of someone's password and "convert it" to the same password that uses a different hash. This applies to salted vs. unsalted hashes just as much as if you were converting from an MD5 hash to an SHA1 hash. Sorry to bring you bad news, but you're going to have to make them change their passwords for this one.

I'm assuming you've already concerned yourself with the mbox to maildir transformation... that is sometimes NOT trivial! (If not, see http://perfectmaildir.home-dn.net for a perl script that can perform the task on a per-mailbox basis.) Based upon its command-line interface, writing a bash shell front end for your entire domain shouldn't be a problem.

I hope this helps...

Dan
IT4SOHO
0
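An added example, not part of the original answer: the salt mentioned in the question is stored inside each crypt(3) hash string, so an inventory of the old accounts can report which scheme and salt every entry uses. The account lines and hash values below are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the crypt(3) scheme and salt of each account in
# master.passwd-style lines. All sample values below are constructed.

# Print the scheme name for one stored hash string.
hash_scheme() {
    case "$1" in
        '$1$'*)                 echo md5-crypt ;;
        '$2$'*|'$2'[abxy]'$'*)  echo bcrypt ;;
        '$5$'*)                 echo sha256-crypt ;;
        '$6$'*)                 echo sha512-crypt ;;
        ''|'*'*|'!'*)           echo locked-or-empty ;;
        '$'*)                   echo unknown-modular ;;
        *)                      echo des-crypt ;;
    esac
}

# Print the salt embedded in the hash string ("-" when there is none).
hash_salt() {
    case "$(hash_scheme "$1")" in
        md5-crypt|sha256-crypt|sha512-crypt)
            # Layout: $id$[rounds=N$]salt$hash
            printf '%s\n' "$1" |
                awk -F'[$]' '{ s = ($3 ~ /^rounds=/) ? $4 : $3; print s }' ;;
        bcrypt)
            # Layout: $2b$cost$ then a 22-character salt, then the hash
            printf '%s\n' "$1" | awk -F'[$]' '{ print substr($4, 1, 22) }' ;;
        des-crypt)
            printf '%s\n' "$1" | cut -c1-2 ;;
        *)  echo - ;;
    esac
}

# Print "user scheme salt" for every account line in the given file.
inventory() {
    while IFS=: read -r user hash rest; do
        case "$user" in ''|'#'*) continue ;; esac
        printf '%s %s %s\n' "$user" "$(hash_scheme "$hash")" "$(hash_salt "$hash")"
    done < "$1"
}

sample=$(mktemp)
cat > "$sample" <<'EOF'
alice:$1$Xk3pQz9a$CONSTRUCTED.PLACEHOLDER:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$6$rounds=5000$Qw8eRt2y$CONSTRUCTED.PLACEHOLDER:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*LOCKED*:1003:1003::0:0:Carol:/home/carol:/bin/sh
EOF
inventory "$sample"
rm -f "$sample"
```

Whatever system later checks these passwords has to implement the same scheme and reuse the stored salt, so the scheme column is the first thing to compare against the formats the target supports.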
Xyptilon2 (author) commented:
Hi it4soho, thanks for the reply. Yes, I know the hashes cannot be converted, and brute forcing them only results in a number of the passwords, some are too strong. My question was more (but perhaps wrongly phrased) about whether vpopmail can support these FreeBSD hashes instead of the normal MD5 hash?
0
Daniel McAllister (President, IT4SOHO, LLC) commented:
Ah... well then, I believe that there is a significant misunderstanding here.

In general, VPopMail uses a MySQL database backend for email accounts. It's actually one of the best arguments FOR using VPopMail -- email users do not HAVE to have a user account! This is one reason why the default access method for VPopMail is to use the entire email address (instead of just the user name) -- thus, the auth username for VPopmail is user@mydomain.tld, not just user. (Like all things *nix, this too can be changed so that there is a default domain name applied).

So, unless you're trying to force VPopMail to use the Debian User Database (or make Debian use the vpopmail email user database), then it's a moot point.

Now, if user security is an issue, we have another problem: VPopMail stored both a hashed AND a cleartext copy of the email account password in the MySQL database. This is to allow Admins to be able to TELL users their passwords. If you want that turned off, there is a simple patch to disable the cleartext copy.

You may want to check out a couple of qmail on debian websites:

http://wiki.debian.iuculano.it/quick_howto
http://www.debian-administration.org/articles/416

In addition, you may be interested in the QMail Toaster project. While it doesn't support Debian specifically, since all of the RPM packages are SRC packages, if you're a talented Debian Admin, you could probably get them all to install & work in about a day. The Qmail Toaster project is on the web at http://www.qmailtoaster.com

Good Luck!

Dan
it4soho
0
Xyptilon2 (author) commented:
The thing is, we've two mailservers running now with several thousand domains and tens of thousands of popboxes. All a patched qmail + vpopmail, all working great :)

Now we have 1 postfix server with system users, less than 50 mailboxes that we want to migrate to our other platform, preferably without letting them change their passwords....

But judging from what I read, that doesn't look like it's going to be easily feasible.
0
Daniel McAllister (President, IT4SOHO, LLC) commented:
Hmmmm... definitely not... the QMail/VPopMail solution does not have a facility (that I am aware of) that will use the system auth vs. the MySQL auth.

Have you thought about making the QMail server just a scanner for that one domain? Make the DNS MX entries point to the QMail server, but make an entry in the SMTPROUTES file (probably in /var/qmail/control) that forces all mail for that domain to go to your PostFix server. The entry might look like:

    mypostfixdomain.tld:postfix-server.local

where postfix-server.local resolves to your postfix server.

In addition, you'll need to make the entry in RCPTHOSTS (also most likely in /var/qmail/control) so that QMail knows to accept & route mail for that domain.

That way, users could still send & receive messages on the postfix server they're used to, but inbound messages would go through the QMail system (which presumably has SPAM & virus filtering enabled).

If that's not a viable option, then I hate to be the bearer of bad news, but in the words of the old New Hampshire Democrat: "Ya con't get they-a from heeya" (say it out loud, and remember the THICK NE accent, if you don't get it). You'll need to have those users reconfigure their clients to access QMail on the new server with both username & password changes.

Good luck!

Dan
IT4SOHO
0
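An added example, not part of the original answer: a consistency check for the SMTPROUTES/RCPTHOSTS setup described above, listing routed domains that qmail-smtpd would not accept and adding both entries once each. The function names, the temporary control directory and `example.org` are constructed for illustration; only exact rcpthosts entries are compared, so wildcard entries beginning with a dot are not expanded.

```shell
#!/bin/sh
# Added example: keep qmail's smtproutes and rcpthosts consistent.
# Function names and sample data are constructed for illustration.

# List domains routed in smtproutes that rcpthosts does not accept.
unaccepted_routes() {
    control=$1
    # Without an rcpthosts file qmail-smtpd accepts mail for any domain.
    [ -f "$control/rcpthosts" ] || {
        echo "rcpthosts missing in $control" >&2
        return 2
    }
    # smtproutes lines are "domain:relay[:port]"; an empty domain is the
    # default route and needs no rcpthosts entry.
    cut -d: -f1 "$control/smtproutes" | grep -v '^$' | sort -u |
    while read -r domain; do
        grep -qixF -- "$domain" "$control/rcpthosts" || printf '%s\n' "$domain"
    done
}

# Add the rcpthosts entry and the route once each (safe to re-run).
add_forward() {
    control=$1 domain=$2 relay=$3
    grep -qixF -- "$domain" "$control/rcpthosts" 2>/dev/null ||
        printf '%s\n' "$domain" >> "$control/rcpthosts"
    awk -F: -v d="$domain" 'tolower($1) == tolower(d) { f = 1 } END { exit !f }' \
        "$control/smtproutes" 2>/dev/null ||
        printf '%s:%s\n' "$domain" "$relay" >> "$control/smtproutes"
}

# Constructed stand-in for /var/qmail/control.
demo=$(mktemp -d)
printf '%s\n' 'example.org' > "$demo/rcpthosts"
printf '%s\n' 'mypostfixdomain.tld:postfix-server.local' > "$demo/smtproutes"
echo "before:"; unaccepted_routes "$demo"
add_forward "$demo" mypostfixdomain.tld postfix-server.local
echo "after:";  unaccepted_routes "$demo"
rm -rf "$demo"
```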
Xyptilon2 (author) commented:
Not what I wanted to hear... yeah, I know I can use smtproutes, but the idea is to get rid of the postfix server altogether... anyway, thanks :) we'll just generate new passwords.
0