SHA512-CRYPT for email

I am considering ways to migrate cPanel mailboxes to Hestia. cPanel uses SHA512-CRYPT to store the passwords in /home/account/etc/domain/shadow

Hestia uses MD5. If I edit /etc/dovecot/conf.d/auth-passwdfile.conf.ext & /etc/dovecot/dovecot-dict-auth.conf.ext, Hestia / Dovecot are happy with passwords hashed with SHA512-CRYPT

Anyone know if this will come back to bite me in unexpected ways?

Yes, you can’t edit the passwords any more with Hestia, as it still uses md5 for password encryption

And

So by default it uses crypt and not md5…

I just stumbled on another option. If the configuration files are unchanged but the passwd file specifies “SHA512-CRYPT”, dovecot will accept the hashed password, so if /home/jones/conf/mail/jonesoncrete.com/passwd looks like this:
test:{SHA512-CRYPT}$6$towo0IVjzBgZ0htU$uTFbyJ3aPunrhsEEC2alHz6SEuPyBdL3JYDWc6Z0ZtA2cMFjFVJNqAwn04OKQfsu99DNcDGu21zkvdYbsPmgJ0:jones:mail::/home/jones:0:userdb_quota_rule=*:storage=0M

Webmail will authenticate. More testing is needed, but this seems to be a better solution to my “problem”.

I checked with the Dovecot support group, /home/account/conf/mail/domain.com/passwd can have a mixture of MD5 & SHA512-CRYPT, so it should be able to keep the existing passwords.
Reference: Password Schemes
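An added example (my own code, not from Hestia, cPanel or Dovecot) of the migration discussed in this thread: converting lines from a cPanel shadow file into Hestia passwd lines that keep the existing SHA512-CRYPT hash under a {SHA512-CRYPT} prefix, in the field layout quoted above. The passwd field layout and the MD5-CRYPT mapping for $1$ hashes are assumptions taken from this thread; locked or empty shadow entries are skipped rather than migrated.

```python
import re

# crypt(3) shapes Dovecot's passwd-file driver accepts under the matching
# {SCHEME} prefix: $6$ is SHA512-CRYPT, $1$ is MD5-CRYPT (assumed mapping).
SHA512_CRYPT_RE = re.compile(r"\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}")
MD5_CRYPT_RE = re.compile(r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}")

def scheme_for(hash_str):
    # Return the Dovecot scheme prefix a raw crypt hash needs, or None.
    if SHA512_CRYPT_RE.fullmatch(hash_str):
        return "SHA512-CRYPT"
    if MD5_CRYPT_RE.fullmatch(hash_str):
        return "MD5-CRYPT"
    return None

def convert_line(shadow_line, account, home):
    # One shadow(5)-style line -> one Hestia passwd line, or None to skip it.
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) < 2 or not fields[0]:
        raise ValueError("malformed shadow line: %r" % shadow_line)
    user, hash_str = fields[0], fields[1]
    # Locked or empty entries must not turn into usable mail credentials.
    if hash_str == "" or hash_str.startswith(("!", "*")):
        return None
    scheme = scheme_for(hash_str)
    if scheme is None:
        raise ValueError("%s: unrecognised hash format, review manually" % user)
    # Field layout copied from the passwd line quoted in the thread (assumed).
    return "%s:{%s}%s:%s:mail::%s:0:userdb_quota_rule=*:storage=0M" % (
        user, scheme, hash_str, account, home)

def convert_shadow(shadow_text, account, home):
    # Whole file; returns (passwd_lines, skipped_users).
    out, skipped = [], []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        converted = convert_line(line, account, home)
        if converted is None:
            skipped.append(line.split(":", 1)[0])
        else:
            out.append(converted)
    return out, skipped
# Constructed sample: the SHA512-CRYPT hash quoted in the thread plus a locked user.
SAMPLE_SHADOW = (
    "test:$6$towo0IVjzBgZ0htU$uTFbyJ3aPunrhsEEC2alHz6SEuPyBdL3JYDWc6Z0ZtA2cMFjFVJNqAwn04OKQfsu99DNcDGu21zkvdYbsPmgJ0:18641:0:99999:7:::\n"
    "old:!:18000:0:99999:7:::\n"
)
if __name__ == "__main__":
    print(convert_shadow(SAMPLE_SHADOW, "jones", "/home/jones"))
```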

@KatyComputer you’re absolutely right, since everybody in the mail ecosystem (roundcube, rainloop, exim4, pop3/imap/smtp clients) ends up authenticating to dovecot, and dovecot can handle the mixed passwd file, there’s no problem.

I go one step further, and patch the two files that @eris mentioned, to create ARGON2ID passwords instead of hestia’s default MD5.

--- /usr/local/hestia/bin/v-add-mail-account    2021-01-14 22:03:18.396439707 +0200
+++ /usr/local/hestia/bin/v-add-mail-account    2021-01-14 22:03:24.500438000 +0200
@@ -57,8 +57,8 @@
 #----------------------------------------------------------#

 # Generating hashed password
-salt=$(generate_password "$PW_MATRIX" "8")
-md5="{MD5}$($BIN/v-generate-password-hash md5 $salt <<<$password)"
+set +H # disable ! style history substitution
+md5="$(doveadm pw -s ARGON2ID -p $password)"

 # Adding account info into password file
 if [[ "$MAIL_SYSTEM" =~ exim ]]; then
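Review bot: `$password` is unquoted in `md5="$(doveadm pw -s ARGON2ID -p $password)"`, so a password containing spaces or glob characters is word-split and expanded by the shell before doveadm sees it, and the stored hash is computed over the wrong string (or the command fails); use `-p "$password"`. Passing the secret as a command-line argument also exposes it in the process list for the duration of the call, which the replaced `<<<$password` form avoided. The variable is still named `md5` although it now holds an ARGON2ID hash; renaming it would stop later readers assuming the scheme. `set +H` is also a no-op here, since bash only enables history expansion in interactive shells.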
--- /usr/local/hestia/bin/v-change-mail-account-password        2021-01-14 22:03:45.864432138 +0200
+++ /usr/local/hestia/bin/v-change-mail-account-password        2021-01-14 22:03:49.860431056 +0200
@@ -54,8 +54,8 @@
 #----------------------------------------------------------#

 # Generating hashed password
-salt=$(generate_password "$PW_MATRIX" "8")
-md5="{MD5}$($BIN/v-generate-password-hash md5 $salt <<<$password)"
+set +H # disable ! style history substitution
+md5="$(doveadm pw -s ARGON2ID -p $password)"

 if [[ "$MAIL_SYSTEM" =~ exim ]]; then
     quota=$(get_object_value "mail/$domain" 'ACCOUNT' "$account" '$QUOTA')
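Review bot: the same unquoted `$password` problem applies to `doveadm pw -s ARGON2ID -p $password` in this hunk, and this path is where an unsupported scheme bites hardest: the thread reports stock Dovecot 2.2.27 on Debian 9 failing with `Fatal: Unknown scheme: ARGON2ID`, and nothing here checks the exit status of `doveadm pw`, so on such a host `md5` is silently set to an empty string and the script carries on. Check the scheme up front (`doveadm pw -l` lists the schemes the installed build supports) or abort when the substitution returns non-zero or an empty result.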

It’s been more than a year that I do this, and have seen no incompatibility issues or problems so far.


Thanks 🙂

I have made some additional changes for password reset in Roundcube…


Great improvement, thx.

Note: I discussed this issue almost 2 years ago:

A problem with switching to ARGON2ID is that it isn’t supported by Debian 9 … (I just checked with stock Dovecot 2.2.27 and got a Fatal: Unknown scheme: ARGON2ID error).

Also on Ubuntu 18.04 …