dovecotpw login issue

  • Christian Gastrell

    Hi everyone,

    I'm not quite sure if this is some kind of malfunction on my system or if it's a bug. Let me explain:

    The function pacrypt() takes CONF and does all the crypt routine. When you use dovecot:CRYPT-METHOD, it checks for the dovecotpw variable and executes the command via popen. The result will be saved to a temp file for reading and hash acquisition.

    Well, as I said, I don't know if it's me or there's a bug, but dovecotpw ALWAYS returns different hashes. So, when login.php uses pacrypt() to check if the password matches the one stored in the DB, the login obviously fails.
    I've tried dovecotpw with different args and it keeps returning different hashes for the same password. I'm temporarily using cleartext till I make some more tests (I would prefer dovecot:MD5-CRYPT).
    Regarding this I have these comments:

    -The temp file wouldn't be even needed. If dovecotpw is used with -p PASSWORD it returns the hash without prompting twice for the password. Don't know which method is more secure, just a comment.
    -There are no detailed docs about dovecotpw as far as I know. The source should be checked for this but my kung fu isn't that powerful.
    -If dovecotpw is meant for random hashes then the routine at login must be changed.

    But then again… as I see I'm the only one with this problem, it might be something only happening to me.

    Any ideas? Hints?

    Thanks in advance


  • Nathan Angelacos

    you mean:

    $dovecotpw -p opensesame -s md5-crypt
    $dovecotpw -p opensesame -s md5-crypt

    will return 2 different hashes? 

    It returns


    every time here.

  • Nathan Angelacos


    MD5-CRYPT returns different values each time.
    CRAM-MD5 returns the same value each time.

  • Christian Gastrell


    Thanks for answering, I'll give it a try with CRAM-MD5.

    I think this should be mentioned in some documentation. The same goes for the fact of changing the auth mechanisms in dovecot, which forces you to change it the same way in postfixadmin, which leads to failure to login. Of course this is fixable by going to setup.php and creating another super admin to be able to login. But then again, if you chose MD5-CRYPT you will never login again.

    I'd still be interested in others' experience with it, so if anyone reading can add their comments I'd really appreciate it.

    Thanks nangel

  • Christian Boltz

    Christian Boltz - 2010-02-13

    md5-crypt uses a salt (everything in front of the "--" in "{MD5-CRYPT}$1$011MLtQI$---o1JvhdQuw6jmPmRxjd9Gf.")

    Since dovecotpw doesn't accept a salt on the commandline (at least -help doesn't mention it), it is not surprising that you always get a different result because of the random salt.

    The good news: postfixadmin supports md5-crypt internally - just use $CONF = 'md5crypt'


    The temp file wouldn't be even needed. If dovecotpw is used with -p PASSWORD it returns the hash without prompting twice for the password. Don't know which method is more secure, just a comment.

    Never ever do this - if someone runs a "ps aux" at the right moment, he'll see your password.
    That said: Future releases of postfixadmin will not need a tempfile for dovecotpw. The code is in SVN already (both trunk and 2.3 branch) and will be included in 2.3.1.

  • Dominik Moreitz

    Dominik Moreitz - 2010-05-27

    Yeah, I see that too. It's causing login issues because I'm trying to use the dovecotpw generated password via MD5-CRYPT to authenticate, and it does not work.

  • Anonymous - 2010-06-01

    If you need md5crypt use

    $CONF['encrypt'] = 'system';

    If your system has md5 support (most likely), you can have salted md5 in your password column.

    However, it seems that all changes to passwords will be generated as CRYPT_STD_DES, as postfixadmin generates a two character salt if no salt is given (on password). I changed the code on line 1144 of from:

    $salt = substr (md5 (mt_rand ()), 0, 2);

    to:

    $salt = "\$1\$" . substr (md5 (mt_rand()), 0, 8) . "\$";

    Now new passwords are CRYPT_MD5 also.
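
The point made in the replies above, as an added PHP example that is not postfixadmin's own code: a salted MD5-CRYPT hash is checked by re-hashing the candidate password with the salt embedded in the stored value, not by comparing two freshly generated hashes. The function names and the handling of the `{MD5-CRYPT}` prefix are assumptions made for illustration.

```php
<?php
// Added example; hash_password() and verify_password() are hypothetical names.

const SALT_ALPHABET = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

/** Build a fresh "$1$<8 chars>$" salt; the "$1$" marker selects CRYPT_MD5. */
function new_md5crypt_salt(): string
{
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        $salt .= SALT_ALPHABET[random_int(0, 63)];
    }
    return '$1$' . $salt . '$';
}

/** Hash a new password. Each call picks a new random salt. */
function hash_password(string $password): string
{
    return '{MD5-CRYPT}' . crypt($password, new_md5crypt_salt());
}

/** Verify a password against a stored value by reusing the stored salt. */
function verify_password(string $password, string $stored): bool
{
    // Drop a dovecot-style "{SCHEME}" prefix if one is present.
    $hash = preg_replace('/^\{[A-Z0-9-]+\}/', '', $stored);
    // crypt() reads the algorithm marker and the salt from the start of $hash.
    $candidate = crypt($password, $hash);
    // Reject crypt() failure tokens ("*0", "*1"), then compare in constant time.
    return strlen($candidate) >= 13 && hash_equals($hash, $candidate);
}

// Constructed sample input: the password used in the thread's dovecotpw call.
$first  = hash_password('opensesame');
$second = hash_password('opensesame');

var_dump($first === $second);                      // comparing two fresh hashes
var_dump(verify_password('opensesame', $first));   // re-hash with stored salt
var_dump(verify_password('opensesame', $second));
var_dump(verify_password('wrong', $first));
```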

