
Email passwords hashed! How to retrieve email passwords in Plesk 11.0.9

Status
Not open for further replies.

FatanehE

Basic Pleskian
Hi to all,

I bought a new dedicated server with CentOS and installed Plesk 11.0.9.
I want to retrieve email passwords with a MySQL query, but the passwords are hashed.
I have another server with Plesk 10 where passwords aren't hashed and I can find them easily.

How can I prevent passwords from being hashed in the Plesk database?

Thanks
 
Hint: Back up your domain and find the mailbox passwords in the backup XML file.
 
BTW, why do you need passwords in the plain form?

This server is a hosting server.
We check all passwords every week because many people use weak passwords and our server is going to be hacked.
Also, I want to have the database passwords for export and so on.

But why weren't passwords hashed on my old server??!!
 
But why weren't passwords hashed on my old server??!!

I guess because it was an older Plesk version.


You'll probably be pleased to know that in Plesk 11.5 server-wide password security policy (minimum complexity) applies to mail passwords as well.
 
You'll probably be pleased to know that in Plesk 11.5 server-wide password security policy (minimum complexity) applies to mail passwords as well.

This is all nice and fancy, but what if I transfer domains hosted in 9.5.4 to 11.5 (because that's my upgrade plan)? What will happen to the current low-security passwords? I can't just change the passwords of 1000s of mailboxes, it will drive my users crazy and my users will drive ME crazy...
 
Policy obviously applies only to new passwords, at least for mail passwords. So... nothing bad will happen.
 
What about 'em? :)

Why would you need to see your customers' passwords?

well, I am at the same time server admin and helpdesk for all those who have accounts, webs, emails, whatever on my server, so I can see where he is coming from.

however I usually am the one who actually creates all those passwords, so I document them in a secure storage I have at home and can check them whenever needed.


what worries me most is this:
From what I have understood, passwords should now be secure, yet they are stored in plaintext in the backup XML? That's a security problem right there, or?
 
Guys, sorry for my mistake. The XML backup contains encrypted passwords. They are encrypted with the server's key. The correct answer is to use the /usr/local/psa/admin/bin/mail_auth_view utility. For example:

mysql> select mail_name,name,password from mail left join domains on mail.dom_id = domains.id inner join accounts where mail.account_id = accounts.id and postbox='true' order by name asc, mail_name asc;
+-----------+------------+----------------------------------------------------------------+
| mail_name | name       | password                                                       |
+-----------+------------+----------------------------------------------------------------+
| rt        | tttest.gov | $AES-128-CBC$f9qDGZ0SZqJv3yoUd8pMSA==$uoVzaIWEz/dDyy6Nglf7mw== |
+-----------+------------+----------------------------------------------------------------+
1 row in set (0.00 sec)

# /usr/local/psa/admin/bin/mail_auth_view
Authentication database contents:
+--------------------------------------+-----+--------------------------------------+
| address                              |flags| password                             |
+--------------------------------------+-----+--------------------------------------+
| [email protected]                    |     | vbn321                               |
+--------------------------------------+-----+--------------------------------------+
Flags
A - account disabled
D - domain disabled
E - password encrypted
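
The stored value shown in the post above has a visible structure (a scheme tag followed by two base64 fields), so rows can be sorted into encrypted and plaintext storage without decrypting anything, which is useful when auditing a database migrated from an older Plesk. This is an added example, not part of the original thread and not Plesk's own code; the function names, the reading of the two fields as IV and ciphertext, and the sample rows are assumptions.

```python
import base64
import binascii

AES_BLOCK = 16  # AES block size in bytes; also the CBC IV length

def classify_stored_password(value):
    """Classify one accounts.password value without decrypting it.

    Assumption: the two base64 fields after "$AES-128-CBC$" are the IV and
    the ciphertext; the thread shows the format but does not name them.
    """
    if not value:
        return "empty"
    parts = value.split("$")
    # "$AES-128-CBC$<f1>$<f2>" splits into ['', 'AES-128-CBC', f1, f2]
    if len(parts) == 4 and parts[0] == "" and parts[1] == "AES-128-CBC":
        try:
            iv = base64.b64decode(parts[2], validate=True)
            ct = base64.b64decode(parts[3], validate=True)
        except (binascii.Error, ValueError):
            return "malformed"
        if len(iv) != AES_BLOCK or not ct or len(ct) % AES_BLOCK:
            return "malformed"  # CBC output must be whole 16-byte blocks
        return "encrypted"  # reversible encryption, not a one-way hash
    if value.startswith("$"):
        return "unknown"  # tagged, but not a scheme shown in the thread
    return "plaintext"  # heuristic: untagged values, as on older Plesk

def audit(rows):
    """rows: iterable of (mail_name, stored_value) -> {scheme: [mail_name]}.

    Only mailbox names are reported, never the stored values.
    """
    report = {}
    for mail_name, stored in rows:
        report.setdefault(classify_stored_password(stored), []).append(mail_name)
    return report

# Constructed sample rows; the first stored value and "vbn321" are the ones
# quoted in the post, the mailbox names and the other values are made up.
SAMPLE = [
    ("rt", "$AES-128-CBC$f9qDGZ0SZqJv3yoUd8pMSA==$uoVzaIWEz/dDyy6Nglf7mw=="),
    ("legacy", "vbn321"),
    ("broken", "$AES-128-CBC$not-base64$AAAA"),
    ("other", "$5$constructedsalt$constructeddigest"),
]

if __name__ == "__main__":
    for scheme, names in sorted(audit(SAMPLE).items()):
        print(f"{scheme}: {', '.join(names)}")
```

Rows reported as plaintext are the ones to prioritise for a password reset or re-save after migration.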
 
well, I am at the same time server admin and helpdesk for all those who have accounts, webs, emails, whatever on my server, so I can see where he is coming from.

however I usually am the one who actually creates all those passwords, so I document them in a secure storage I have at home and can check them whenever needed.


I also work as system/server admin and helpdesk, but it has never occurred to me to store clients' DB passwords. I mean, if a problem occurs, you can always find, with your knowledge as server admin, the DB password in plain text under his domain, you just have to search for it. As simple as that. Don't take that big responsibility on yourself; if a client forgot the password just say, we don't store your password, and change it to a new one, explain to them how to change it by themselves in future and that's it. If they think all the time that you have their email password, it will be like, OOO YOU ARE STALKING US, reading all my business emails....and you just don't want to end up there and have that conversation with your client. I mean, if you're really bad, you can always change the pass in the panel and do whatever you want.

So yeah...I don't like this at all, nor do I support this.
 