Solved

Postfix mailbox -> Qmail Maildir conversion FreeBSD hash -> MD5 hash in vpopmail compatibility?

Posted on 2008-10-28
Last Modified: 2013-12-16
Hi all. I am migrating a server from Postfix with mailboxes (system users) to Qmail with Maildirs (virtual users). I'm using vpopmail for the backend.

The postfix accounts are on FreeBSD, of which I have the salted hashes. Preferably I migrate these accounts without the users having to change their password. Is Vpopmail compatible? From what I understand, the MD5 hash in vpopmail is not salted. Is there any way to make it compatible? Or is there any other way you can suggest to make this work without the users having to change their password?
Question by:Xyptilon2
LVL 20

Expert Comment

by:Daniel McAllister
OK... some basic cryptography here... You cannot take a hashed value of someone's password and "convert it" to the same password that uses a different hash. This applies to salted vs. unsalted hashes just as much as if you were converting from an MD5 hash to an SHA1 hash. Sorry to bring you bad news, but you're going to have to make them change their passwords for this one.

I'm assuming you've already concerned yourself with the mbox to maildir transformation... that is sometimes NOT trivial! (If not, see http://perfectmaildir.home-dn.net for a perl script that can perform the task on a per-mailbox basis. Based upon its command-line interface, writing a bash shell front end for your entire domain shouldn't be a problem.)

I hope this helps...

Dan
IT4SOHO
0
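Which crypt(3) scheme and salt a FreeBSD `master.passwd` entry carries can be read from the hash string itself, and that is the first thing to establish when asking whether another backend could verify the same hashes. The following is an added example, not part of the thread; the function names are hypothetical and the sample entries are constructed.

```python
# Added example: classify crypt(3) hashes in FreeBSD master.passwd entries.
import re

# Modular crypt format prefixes ($<id>$...) and the scheme each one selects.
SCHEMES = {"1": "MD5-crypt", "2": "bcrypt", "2a": "bcrypt", "2b": "bcrypt",
           "5": "SHA-256-crypt", "6": "SHA-512-crypt"}
MCF = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?P<rest>.+)$")


def describe_hash(field):
    """Return (scheme, salt) for a password field; salt is None if absent."""
    if field == "" or field.startswith("*"):
        return ("no usable password", None)  # empty, "*" or "*LOCKED*..."
    m = MCF.match(field)
    if not m:
        # Traditional DES crypt is 13 characters; the first two are the salt.
        return ("DES-crypt", field[:2]) if len(field) == 13 else ("unknown", None)
    scheme = SCHEMES.get(m["id"], "unknown")
    parts = m["rest"].split("$")
    if parts[0].startswith("rounds="):  # optional SHA-crypt rounds parameter
        parts = parts[1:]
    if len(parts) != 2:
        return (scheme, None)
    if scheme == "bcrypt":
        # $2a$<cost>$<22-char salt><31-char hash>: salt and hash share a field.
        return (scheme, parts[1][:22])
    return (scheme, parts[0])


def survey(master_passwd_text):
    """Map login name -> (scheme, salt) for each 10-field master.passwd line."""
    result = {}
    for line in master_passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 10:
            continue
        result[fields[0]] = describe_hash(fields[1])
    return result


# Constructed sample entries (not real accounts or real hashes).
SAMPLE = """\
alice:$1$Xy7abcde$0123456789abcdefghijk.:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2a$04$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*LOCKED*$1$aaaaaaaa$0123456789abcdefghijk.:1003:1003::0:0:Carol:/home/carol:/bin/sh
"""

if __name__ == "__main__":
    for user, (scheme, salt) in survey(SAMPLE).items():
        print(f"{user}: scheme={scheme} salt={salt}")
```

Accounts reported as "no usable password" have nothing to carry over and need a fresh password on the new platform in any case.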
 
LVL 13

Author Comment

by:Xyptilon2
Hi it4soho, thanks for the reply. Yes, I know the hashes cannot be converted, and brute forcing them only results in a number of the passwords; some are too strong. My question was more (but perhaps wrongly phrased) about whether vpopmail can support these FreeBSD hashes instead of the normal MD5 hash?
0
 
LVL 20

Expert Comment

by:Daniel McAllister
Ah... well then, I believe that there is a significant misunderstanding here.

In general, VPopMail uses a MySQL database backend for email accounts. It's actually one of the best arguments FOR using VPopMail -- email users do not HAVE to have a user account! This is one reason why the default access method for VPopMail is to use the entire email address (instead of just the user name) -- thus, the auth username for VPopmail is user@mydomain.tld, not just user. (Like all things *nix, this too can be changed so that there is a default domain name applied).

So, unless you're trying to force VPopMail to use the Debian User Database (or make Debian use the vpopmail email user database), then it's a moot point.

Now, if user security is an issue, we have another problem: VPopMail stored both a hashed AND a cleartext copy of the email account password in the MySQL database. This is to allow Admins to be able to TELL users their passwords. If you want that turned off, there is a simple patch to disable the cleartext copy.

You may want to checkout a couple of qmail on debian websites:

http://wiki.debian.iuculano.it/quick_howto
http://www.debian-administration.org/articles/416

In addition, you may be interested in the QMail Toaster project. While it doesn't support Debian specifically, since all of the RPM packages are SRC packages, if you're a talented Debian Admin, you could probably get them all to install & work in about a day. The Qmail Toaster project is on the web at http://www.qmailtoaster.com

Good Luck!

Dan
it4soho
0
 
LVL 13

Author Comment

by:Xyptilon2
The thing is, we've two mailservers running now with several thousand domains and tens of thousands of popboxes, all a patched qmail + vpopmail, all working great :)

Now we have 1 postfix server with system users, less than 50 mailboxes that we want to migrate to our other platform, preferably without letting them change their passwords....

But judging from what I read, that doesn't look like it's going to be easily feasible.
0
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 500 total points
Hmmmm... definitely not... the QMail/VPopMail solution does not have a facility (that I am aware of) that will use the system auth vs. the MySQL auth.

Have you thought about making the QMail server just a scanner for that one domain? Make the DNS MX entries point to the QMail server, but make an entry in the SMTPROUTES file (probably in /var/qmail/control) that forces all mail for that domain to go to your PostFix server. The entry might look like:

    mypostfixdomain.tld:postfix-server.local

where postfix-server.local resolves to your postfix server.

In addition, you'll need to make the entry in RCPTHOSTS (also most likely in /var/qmail/control) so that QMail knows to accept & route mail for that domain.

That way, users could still send & receive messages on the postfix server they're used to, but inbound messages would go through the QMail system (which presumably has SPAM & virus filtering enabled).

If that's not a viable option, then I hate to be the bearer of bad news, but in the words of the old New Hampshire Democrat: "Ya con't get they-a from heeya" (say it out loud, and remember the THICK NE accent, if you don't get it). You'll need to have those users reconfigure their clients to access QMail on the new server with both username & password changes.

Good luck!

Dan
IT4SOHO
0
 
LVL 13

Author Closing Comment

by:Xyptilon2
Not what I wanted to hear... yeah, I know I can use smtproutes, but the idea is to get rid of the postfix server altogether... anyway thanks :) we'll just generate new passwords.
0
