
Question New password hashing option for email accounts

TorbHo

Regular Pleskian
Server operating system version
Ubuntu 24
Plesk version and microupdate number
18.0.72
Hi everyone,

I just read in the Plesk changelog for 18.0.72:

(Plesk for Linux) You now have the option to use hashing for email-account passwords instead of symmetric encryption. This option is enabled by default. To disable password hashing and re-enable symmetric encryption, add the following lines to the panel.ini file:

[passwordManagement]
features.allowAdminAliasPasswordHashing = false

My understanding is the following:
  • Hashing is now the default setting.
  • This applies not only to new installations, but also to existing ones after updating Plesk.
  • Newly set passwords will be hashed, while existing passwords remain symmetrically encrypted until they are changed.
  • If I add the lines above to panel.ini, Plesk will revert to the old behavior (symmetric encryption).
Did I get this right?

Will existing email account passwords automatically be re-saved as hashes after the update, or only when the user/admin actively changes the password?

Thanks in advance for clarifying!
 
Great question!

I'd like to add: Does this mean that in the future the "plesk sbin mail_auth_view" will become obsolete?
 
Hello,

The RN entry is a bit misleading, we will update it. Regarding the questions:

> Hashing is now the default setting.
> This applies not only to new installations, but also to existing ones after updating Plesk.

No, it is not default yet. You need to go to Tools & Settings -> Security policy and explicitly select Hashing in the Storing email passwords section. Or you can use the plesk bin server_pref CLI utility with the email-password-hashing parameter. Symmetric encryption is still the default for new and upgraded installations.

> Newly set passwords will be hashed, while existing passwords remain symmetrically encrypted until they are changed.

Yes. If you need to hash existing passwords, you can use the instructions from the KB article.

> If I add the lines above to panel.ini, Plesk will revert to the old behavior (symmetric encryption).

No, the panel.ini setting `passwordManagement.features.allowEmailPasswordHashing` only affects visibility of the feature. If it is set to false, the corresponding section will disappear from Tools & Settings -> Security policy and from plesk bin server_pref.

> Does this mean that in the future the "plesk sbin mail_auth_view" will become obsolete?

As hashed passwords cannot be decrypted, mail_auth_view will be unable to show the plain password.
 
Why do you confuse customers more and more with every update? Plesk is also used by many customers and non-experts as simple, easy-to-understand management software.
For quite some time now, I no longer perform updates automatically, but instead wait to see which bugs need to be fixed first—just like with the second-to-last update, when no website was accessible anymore (421 Misdirected Request).
Please check more carefully before releasing an update.
It would be better to release fewer updates and provide clearer explanations.
 
hmm, using hashed passwords but still advertising DIGEST-MD5/CRAM-MD5 screams for disaster....

...but so does disabling DIGEST-MD5/CRAM-MD5 on a server that is already "in use" by customers
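The two points raised above, that a hashed password can no longer be displayed by a tool like mail_auth_view and that CRAM-MD5/DIGEST-MD5 cannot work against a one-way hash, come down to the same property: challenge-response mechanisms use the password itself as an HMAC key, so the server must be able to recover the plaintext. The following is an added example, not code from Plesk or from anyone in this thread. It assumes a constructed in-memory record format, uses plain bytes as a stand-in for symmetrically encrypted storage (a symmetric key held by the server changes nothing about recoverability), and uses PBKDF2-SHA512 as a stand-in for whatever hash Plesk actually stores, which the thread does not specify.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential (not taken from the thread).
PASSWORD = "correct horse battery staple"


def store_reversible(password: str) -> dict:
    """Stand-in for reversible storage. Real symmetric encryption only adds a
    key the server also holds, so the server can always get the plaintext back."""
    return {"kind": "reversible", "plain": password}


def store_hashed(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> dict:
    """Stand-in for one-way storage (assumed PBKDF2-SHA512; the real hash is unspecified)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return {"kind": "hashed", "salt": salt, "iterations": iterations, "digest": digest}


def cram_md5_response(password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): hex(HMAC-MD5(key=password, msg=challenge))."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def verify_cram_md5(record: dict, challenge: bytes, response: str) -> Optional[bool]:
    """Server side of CRAM-MD5. Returns True/False when the stored form allows a
    check, or None when only a one-way hash is stored and the HMAC key (the
    password) is simply not available to the server."""
    if record["kind"] != "reversible":
        return None
    expected = cram_md5_response(record["plain"], challenge)
    return hmac.compare_digest(expected, response)


def verify_plain(record: dict, password: str) -> bool:
    """PLAIN/LOGIN (over TLS): the client sends the password itself, so the
    server can verify against either storage form."""
    if record["kind"] == "reversible":
        return hmac.compare_digest(record["plain"].encode(), password.encode())
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def recover_plaintext(record: dict) -> Optional[str]:
    """What a 'show me the password' tool can do: plaintext only for reversible storage."""
    return record["plain"] if record["kind"] == "reversible" else None


def demo() -> dict:
    """Run both mechanisms against both storage forms and report the outcome."""
    challenge = b"<1896.697170952@postoffice.example.com>"  # constructed challenge
    response = cram_md5_response(PASSWORD, challenge)      # what a correct client sends
    rev = store_reversible(PASSWORD)
    hashed = store_hashed(PASSWORD)
    return {
        "cram_reversible": verify_cram_md5(rev, challenge, response),      # True
        "cram_hashed": verify_cram_md5(hashed, challenge, response),       # None: cannot check
        "plain_reversible": verify_plain(rev, PASSWORD),                  # True
        "plain_hashed": verify_plain(hashed, PASSWORD),                   # True
        "plain_hashed_wrong": verify_plain(hashed, "wrong password"),     # False
        "view_reversible": recover_plaintext(rev),                        # the password
        "view_hashed": recover_plaintext(hashed),                         # None
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The practical consequence is the one the last reply hints at: switching storage to hashing is only safe for users whose clients authenticate with PLAIN or LOGIN over TLS, so a defender should first check the mail server logs for which SASL mechanisms clients actually use, then switch storage, then stop advertising CRAM-MD5/DIGEST-MD5, rather than doing the last step first on a server with existing customers.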
 