I am considering ways to migrate cPanel mailboxes to Hestia. cPanel uses SHA512-CRYPT to store the passwords in /home/account/etc/domain/shadow.
Hestia uses MD5. If I edit /etc/dovecot/conf.d/auth-passwdfile.conf.ext and /etc/dovecot/dovecot-dict-auth.conf.ext, Hestia/Dovecot are happy with passwords hashed with SHA512-CRYPT.
Anyone know if this will come back to bite me in unexpected ways?
I just stumbled on another option. If the configuration files are unchanged but the passwd file specifies “SHA512-CRYPT”, dovecot will accept the hashed password, so if /home/jones/conf/mail/jonesoncrete.com/passwd looks like this:
test:{SHA512-CRYPT}$6$towo0IVjzBgZ0htU$uTFbyJ3aPunrhsEEC2alHz6SEuPyBdL3JYDWc6Z0ZtA2cMFjFVJNqAwn04OKQfsu99DNcDGu21zkvdYbsPmgJ0:jones:mail::/home/jones:0:userdb_quota_rule=*:storage=0M
Webmail will authenticate. More testing is needed, but this seems to be a better solution to my “problem”.
I checked with the Dovecot support group: /home/account/conf/mail/domain.com/passwd can have a mixture of MD5 and SHA512-CRYPT, so it should be possible to keep the existing passwords.
Reference: Password Schemes
@KatyComputer you’re absolutely right, since everybody in the mail ecosystem (roundcube, rainloop, exim4, pop3/imap/smtp clients) ends up authenticating to dovecot, and dovecot can handle the mixed passwd file, there’s no problem.
I go one step further, and patch the two files that @eris mentioned, to create ARGON2ID passwords instead of hestia’s default MD5.
A problem with switching to ARGON2ID is that it isn’t supported by Debian 9 … (I just checked with stock Dovecot 2.2.27 and got Fatal: Unknown scheme: ARGON2ID error).
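As an added example (not code from the thread, Hestia or Dovecot), here is a small audit script for the passwd file discussed above. It parses the per-domain passwd-file format shown earlier (user:{SCHEME}hash:uid:gid:gecos:home:shell:extra_fields), reports which password scheme each account uses in a mixed file, and flags entries that a Dovecot build without a given scheme would reject with an "Unknown scheme" error, as reported for ARGON2ID on Debian 9. The sample entries are constructed; the placeholder hashes are not real, and the one real SHA512-CRYPT value is the public test vector from the SHA-crypt specification (password "Hello world!"), used only to show how a migrated hash can be checked locally with crypt(3) before going live. The default scheme and the set of schemes attributed to Dovecot 2.2.27 are assumptions noted in the comments.

```python
"""Audit a Dovecot passwd-file during a cPanel -> Hestia mailbox migration.

Added example, not part of the forum thread or of Hestia/Dovecot.
"""
import hmac
import re
import warnings

# crypt(3) bindings: deprecated in Python 3.11 and removed in 3.13. When the
# module is missing, or the platform's crypt(3) lacks the hash type, local
# verification is reported as None rather than as a failure.
try:
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        import crypt
except ImportError:
    crypt = None

# Assumption: entries with no {SCHEME} prefix use the default scheme that
# Hestia configures in auth-passwdfile.conf.ext (the thread says MD5, which
# Dovecot treats as an alias of MD5-CRYPT).
DEFAULT_SCHEME = "MD5"

# Rough strength classes for the report; adjust to local policy.
STRENGTH = {
    "ARGON2ID": "strong", "ARGON2I": "strong", "BLF-CRYPT": "strong",
    "SHA512-CRYPT": "ok", "SHA256-CRYPT": "ok",
    "MD5-CRYPT": "legacy", "MD5": "legacy", "CRYPT": "weak", "PLAIN": "weak",
}

# Assumption: schemes accepted by the stock Dovecot 2.2.27 on Debian 9; the
# thread reports that ARGON2ID is not among them.
DEBIAN9_SCHEMES = {"PLAIN", "CRYPT", "MD5", "MD5-CRYPT",
                   "SHA256-CRYPT", "SHA512-CRYPT", "BLF-CRYPT"}

# {SCHEME} or {SCHEME.b64} / {SCHEME.hex} prefix on the password field.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)(?:\.(?:b64|hex))?\}")


def parse_passwd_line(line):
    """Split one entry. Extra fields may contain ':' so split at most 7 times."""
    fields = line.rstrip("\n").split(":", 7)
    if len(fields) < 2 or not fields[0]:
        raise ValueError("not a passwd-file entry: %r" % line)
    fields += [""] * (8 - len(fields))
    user, pw, uid, gid, _gecos, home, _shell, extra = fields
    m = SCHEME_RE.match(pw)
    scheme = m.group(1).upper() if m else DEFAULT_SCHEME
    digest = pw[m.end():] if m else pw
    return {"user": user, "scheme": scheme, "hash": digest,
            "uid": uid, "gid": gid, "home": home, "extra": extra}


def audit_passwd_file(text, supported=None):
    """One row per entry: (user, scheme, strength, accepted_by_server).

    'supported' is the set of schemes the target Dovecot knows; None skips
    that check (every scheme is reported as accepted).
    """
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        e = parse_passwd_line(line)
        strength = STRENGTH.get(e["scheme"], "unknown")
        accepted = True if supported is None else e["scheme"] in supported
        rows.append((e["user"], e["scheme"], strength, accepted))
    return rows


def verify_crypt_hash(password, stored):
    """True/False when crypt(3) can check this hash type, None when it cannot."""
    if crypt is None:
        return None
    try:
        computed = crypt.crypt(password, stored)
    except (OSError, ValueError):
        return None
    if not computed or not computed.startswith(stored[:3]):
        return None  # platform crypt(3) does not support this hash type
    return hmac.compare_digest(computed, stored)


# Public SHA-crypt test vector: password "Hello world!", salt "saltstring".
SHA512_VECTOR = ("$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJ"
                 "uesI68u4OTLiBFdcbYEdFCoEOfaS35inz1")

# Constructed sample file; every hash except the test vector is a placeholder.
SAMPLE_PASSWD = "\n".join([
    "# constructed sample passwd file",
    "imported:{SHA512-CRYPT}" + SHA512_VECTOR
    + ":jones:mail::/home/jones:0:userdb_quota_rule=*:storage=0M",
    "legacy:$1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx"
    ":jones:mail::/home/jones:0:userdb_quota_rule=*:storage=0M",
    "modern:{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=4$PLACEHOLDER$PLACEHOLDER"
    ":jones:mail::/home/jones:0:",
])

if __name__ == "__main__":
    for row in audit_passwd_file(SAMPLE_PASSWD, DEBIAN9_SCHEMES):
        print("%-10s %-13s %-8s accepted=%s" % row)
    print("test vector verifies:", verify_crypt_hash("Hello world!", SHA512_VECTOR))
```

Run it against a copy of the real file (never edit the live one in place) before switching the default scheme: the "accepted" column shows which entries the installed Dovecot would refuse, and the strength column shows how many MD5 entries remain after users have re-set their passwords. Because the hash itself is unchanged when it is copied from the cPanel shadow file, any mismatch found by the verification step points at a copy or prefix error rather than at Dovecot.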