• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Force password encryption for mail users

Klaas_Chielens

New Pleskian
I have searched the forums but could not find a solution to this.

I have plesk12 set up but when i set a mail (dovecot) password, it gets stored in plain text (which I can verify by running /usr/local/psa/admin/sbin/mail_auth_view ). I would like to change this default setting to be encrypted.

How can I do this?
Thank you!
 
/usr/local/psa/admin/sbin/mail_auth_view utility just show decrypted passwords. Actually passwords are sym encrypted. Look:

# plesk db 'select concat(m.mail_name,"@",d.name) as mail, a.type as "passwd type", a.password from domains d, mail m, accounts a where m.dom_id=d.id and m.account_id=a.id;'
+--------------------------------+-------------+----------------------------------------------------------------+
| mail | passwd type | password |
+--------------------------------+-------------+----------------------------------------------------------------+
| [email protected] | sym | $AES-128-CBC$vCWLMH2KVDb76J0GBPMNOw==$2y1hW4QRdG5Nop+GqEzgbQ== |
| [email protected] | sym | $AES-128-CBC$f/ansciRosH1AaZ1UJIGNQ==$axDKgZO+4DgSUbfvEpIjiA== |
+--------------------------------+-------------+----------------------------------------------------------------+

# /usr/local/psa/admin/sbin/mail_auth_view
Authentication database contents:
+--------------------------------------+-----+--------------------------------------+
| address |flags| password |
+--------------------------------------+-----+--------------------------------------+
| [email protected] | | setup |
| [email protected] | | ben1984 |
+--------------------------------------+-----+--------------------------------------+

Flag E means that you have hash of password but not password. Usually it occurs after migration from other server.
 
So question on that. I have a utility that mail administrators use to retrieve their users passwords in plain-text.
I need to keep that utility. Currently it gets it from the database (I haven't migrated to a new server yet and can't if it forces all passwords to be encrypted).

If I use the "mail_auth_view" utility, I can retrieve the passwords in plain-text?
 
/usr/local/psa/admin/sbin/mail_auth_view utility just show decrypted passwords. Actually passwords are sym encrypted. Look:

# plesk db 'select concat(m.mail_name,"@",d.name) as mail, a.type as "passwd type", a.password from domains d, mail m, accounts a where m.dom_id=d.id and m.account_id=a.id;'
+--------------------------------+-------------+----------------------------------------------------------------+
| mail | passwd type | password |
+--------------------------------+-------------+----------------------------------------------------------------+
| [email protected] | sym | $AES-128-CBC$vCWLMH2KVDb76J0GBPMNOw==$2y1hW4QRdG5Nop+GqEzgbQ== |
| [email protected] | sym | $AES-128-CBC$f/ansciRosH1AaZ1UJIGNQ==$axDKgZO+4DgSUbfvEpIjiA== |
+--------------------------------+-------------+----------------------------------------------------------------+

# /usr/local/psa/admin/sbin/mail_auth_view
Authentication database contents:
+--------------------------------------+-----+--------------------------------------+
| address |flags| password |
+--------------------------------------+-----+--------------------------------------+
| [email protected] | | setup |
| [email protected] | | ben1984 |
+--------------------------------------+-----+--------------------------------------+

Flag E means that you have hash of password but not password. Usually it occurs after migration from other server.

So is there a way to change the system such that no decryption is possible at all? I'd prefer one-way encryption to not be able to know any user passwords at all!
 
B_P, that's what the system does. When you export/import, the new system will only use a one-way hash.

To preserve the NO ENCRYPTION, you need to do an in-place upgrade. A new install will force the one-way hash.
I want my email to have NO ENCRYPTION, totally disabled. I want it plain-text.
I'd like to find out how to DISABLE ENCRYPTION that the new software forces you into. What settings/procedure can I do to restore a fresh system to the old NO ENCRYPTION policy?
Our customers require the ability to access their users passwords. The users are morons and forget them all the time.
 
B_P, that's what the system does. When you export/import, the new system will only use a one-way hash.

To preserve the NO ENCRYPTION, you need to do an in-place upgrade. A new install will force the one-way hash.
I want my email to have NO ENCRYPTION, totally disabled. I want it plain-text.
I'd like to find out how to DISABLE ENCRYPTION that the new software forces you into. What settings/procedure can I do to restore a fresh system to the old NO ENCRYPTION policy?
Our customers require the ability to access their users passwords. The users are morons and forget them all the time.

Galaxy, if you read IgorG's message, you see that passwords are symmetrically encrypted. I.e., the passwords are stored in an encrypted way in the database. If you know the way they are encrypted as well as the key, you should be able to decrypt the passwords. By parsing the output of the mail_auth_view tool or by manually decrypting the passwords (key is stored in /etc/psa/private/secret_key, there are solutions for this if you search for "Decrypt Plesk 11 passwords") you should be able to decrypt the passwords. However, I'd rather define new passwords than telling customers the old one...

In my case, I don't want to have the possibility to decrypt passwords at all (i.e., no symmetric encryption). There's a simple reason for this: We all know that people tend to use the same password for multiple services. Thus, if one service gets compromised, the attacker may try to use this information to log into other services as well. To prevent such a scenario when the Plesk server gets compromised, I'd like to get rid of the chance to decrypt passwords at all! IgorG, is there a chance to change the system behavior?
 
Well, this issue seems to persist even for Plesk Onyx 17.5 as we can see in Encrypt Email passwords even for root.
Does Plesk in general support one-way cryptographic password hash functions for passwords? If yes - that seems to be an issue when updating from an older Plesk version...?
 
Back
Top