• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Force password encryption for mail users

K

Klaas_Chielens

New Pleskian
I have searched the forums but could not find a solution to this.

I have plesk12 set up but when i set a mail (dovecot) password, it gets stored in plain text (which I can verify by running /usr/local/psa/admin/sbin/mail_auth_view ). I would like to change this default setting to be encrypted.

How can I do this?
Thank you!
 
/usr/local/psa/admin/sbin/mail_auth_view utility just show decrypted passwords. Actually passwords are sym encrypted. Look:

# plesk db 'select concat(m.mail_name,"@",d.name) as mail, a.type as "passwd type", a.password from domains d, mail m, accounts a where m.dom_id=d.id and m.account_id=a.id;'
+--------------------------------+-------------+----------------------------------------------------------------+
| mail | passwd type | password |
+--------------------------------+-------------+----------------------------------------------------------------+
| [email protected] | sym | $AES-128-CBC$vCWLMH2KVDb76J0GBPMNOw==$2y1hW4QRdG5Nop+GqEzgbQ== |
| [email protected] | sym | $AES-128-CBC$f/ansciRosH1AaZ1UJIGNQ==$axDKgZO+4DgSUbfvEpIjiA== |
+--------------------------------+-------------+----------------------------------------------------------------+

# /usr/local/psa/admin/sbin/mail_auth_view
Authentication database contents:
+--------------------------------------+-----+--------------------------------------+
| address |flags| password |
+--------------------------------------+-----+--------------------------------------+
| [email protected] | | setup |
| [email protected] | | ben1984 |
+--------------------------------------+-----+--------------------------------------+

Flag E means that you have hash of password but not password. Usually it occurs after migration from other server.
 
So question on that. I have a utility that mail administrators use to retrieve their users passwords in plain-text.
I need to keep that utility. Currently it gets it from the database (I haven't migrated to a new server yet and can't if it forces all passwords to be encrypted).

If I use the "mail_auth_view" utility, I can retrieve the passwords in plain-text?
 
IgorG said:
/usr/local/psa/admin/sbin/mail_auth_view utility just show decrypted passwords. Actually passwords are sym encrypted. Look:

# plesk db 'select concat(m.mail_name,"@",d.name) as mail, a.type as "passwd type", a.password from domains d, mail m, accounts a where m.dom_id=d.id and m.account_id=a.id;'
+--------------------------------+-------------+----------------------------------------------------------------+
| mail | passwd type | password |
+--------------------------------+-------------+----------------------------------------------------------------+
| [email protected] | sym | $AES-128-CBC$vCWLMH2KVDb76J0GBPMNOw==$2y1hW4QRdG5Nop+GqEzgbQ== |
| [email protected] | sym | $AES-128-CBC$f/ansciRosH1AaZ1UJIGNQ==$axDKgZO+4DgSUbfvEpIjiA== |
+--------------------------------+-------------+----------------------------------------------------------------+

# /usr/local/psa/admin/sbin/mail_auth_view
Authentication database contents:
+--------------------------------------+-----+--------------------------------------+
| address |flags| password |
+--------------------------------------+-----+--------------------------------------+
| [email protected] | | setup |
| [email protected] | | ben1984 |
+--------------------------------------+-----+--------------------------------------+

Flag E means that you have hash of password but not password. Usually it occurs after migration from other server.
Click to expand...

So is there a way to change the system such that no decryption is possible at all? I'd prefer one-way encryption to not be able to know any user passwords at all!
 
B_P, that's what the system does. When you export/import, the new system will only use a one-way hash.

To preserve the NO ENCRYPTION, you need to do an in-place upgrade. A new install will force the one-way hash.
I want my email to have NO ENCRYPTION, totally disabled. I want it plain-text.
I'd like to find out how to DISABLE ENCRYPTION that the new software forces you into. What settings/procedure can I do to restore a fresh system to the old NO ENCRYPTION policy?
Our customers require the ability to access their users passwords. The users are morons and forget them all the time.
 
galaxy said:
B_P, that's what the system does. When you export/import, the new system will only use a one-way hash.

To preserve the NO ENCRYPTION, you need to do an in-place upgrade. A new install will force the one-way hash.
I want my email to have NO ENCRYPTION, totally disabled. I want it plain-text.
I'd like to find out how to DISABLE ENCRYPTION that the new software forces you into. What settings/procedure can I do to restore a fresh system to the old NO ENCRYPTION policy?
Our customers require the ability to access their users passwords. The users are morons and forget them all the time.
Click to expand...

Galaxy, if you read IgorG's message, you see that passwords are symmetrically encrypted. I.e., the passwords are stored in an encrypted way in the database. If you know the way they are encrypted as well as the key, you should be able to decrypt the passwords. By parsing the output of the mail_auth_view tool or by manually decrypting the passwords (key is stored in /etc/psa/private/secret_key, there are solutions for this if you search for "Decrypt Plesk 11 passwords") you should be able to decrypt the passwords. However, I'd rather define new passwords than telling customers the old one...

In my case, I don't want to have the possibility to decrypt passwords at all (i.e., no symmetric encryption). There's a simple reason for this: We all know that people tend to use the same password for multiple services. Thus, if one service gets compromised, the attacker may try to use this information to log into other services as well. To prevent such a scenario when the Plesk server gets compromised, I'd like to get rid of the chance to decrypt passwords at all! IgorG, is there a chance to change the system behavior?
 
Well, this issue seems to persist even for Plesk Onyx 17.5 as we can see in Encrypt Email passwords even for root.
Does Plesk in general support one-way cryptographic password hash functions for passwords? If yes - that seems to be an issue when updating from an older Plesk version...?
 
You must log in or register to reply here.

Similar threads

D
Question database user host restrictions
Replies
0
Views
99
David_VB
D
kaw.one
Question (VPS) Cloudflare, Gmail and Other Plesk Panel 8443 (2 minutes - slow read)
Replies
1
Views
578
kaw.one
kaw.one
Y
Resolved Mail doesn't work - Help needed
Replies
6
Views
1K
ybico
Y
K
Resolved How to create a database user with a known password hash
Replies
6
Views
3K
Kaspar
K
PeopleInside
Issue with Google Drive Backup
Replies
6
Views
500
PeopleInside
PeopleInside
Back
Top