Switching from MD5 to CRAM-MD5 for passwords stored in DB

Izzy
2015-08-12
2015-08-23
  • Izzy

    Izzy - 2015-08-12

    I'm considering switching from MD5 to CRAM-MD5 for passwords stored in DB (which is one of the reasons for this post as well), mainly for the following reason:

    With MD5 in the DB, clients can only use PLAIN/LOGIN for auth. While this is no issue on encrypted sessions (HTTPS/SMTPS/POP3S/IMAPS), and I possibly can enforce HTTPS for the web mailer (Roundcube), for some people it's too complicated to configure IMAPS/POP3S/SMTPS (with their clients defaulting to unencrypted traffic). Postfix would reject PLAIN/LOGIN then (which per se is very good), but it would complicate matters. I want the server to be as safe as possible, so storing plain-text passwords in the DB is of course no option.

    Now my question: Provided I know all the passwords involved, what would be the best approach for "switching over" without having any components "fail"? A short "offline-time" is of course a given, while the process is running, and that's OK.

    For some additional details, you can also see my post on Stack Exchange: Postfix + Dovecot with MySQL backend: md5-hashed passwords and CRAM-MD5 auth

    Thanks in advance!

  • Izzy

    Izzy - 2015-08-14

    I've meanwhile solved that in a self-experiment (see the linked Stack Exchange post). Procedure, in short:

    • Dovecot: change default_pass_scheme from MD5-CRYPT to CRAM-MD5 in your /etc/dovecot/dovecot-mysql.conf (or the corresponding file you're using), then add cram-md5 to auth_mechanisms in /etc/dovecot/dovecot.conf
    • Postfix: In my case, Postfix uses Dovecot for auth via SASL (smtpd_sasl_type=dovecot) – so nothing to do here
    • PostfixAdmin:
      • First login to the PostfixAdmin WebIF and stay logged in – or you won't be able to do so after the config changes :)
      • changes in config.inc.php: $CONF['encrypt'] = 'md5crypt'; must be changed to $CONF['encrypt'] = 'dovecot:CRAM-MD5';. Also check $CONF['dovecotpw'] = "/usr/sbin/doveadm pw"; – e.g. on Debian Wheezy, doveadm resides in /usr/bin and thus requires this setting to be adjusted
      • Now go to the PostfixAdmin WebIF (where you're still logged in) and update the user passwords: navigate to "Virtual lists", scroll to "Mailboxes", hit the "edit" link for each mailbox, and there store the "new password" (this means you either have to know their passwords – or set "some" password and have them update it later. No way to "convert" the existing password, to my knowledge).
        Repeat the same for the Admins via "Admin list" – or they/you won't be able to log in again
    • Restart mail services. Basically, it should suffice to restart Dovecot and, maybe, Postfix.

    Done. Now you can verify if everything is still working. In my case it was: Roundcube was still able to auth PLAIN – and a remote client now was able to use CRAM-MD5. Case solved, for me.

  • Simon Hobson

    Simon Hobson - 2015-08-14

    I recall reading a post (could have been here, could have been elsewhere - not very helpful, sorry) about changing password schemes. Someone had written a script to do it as users logged in (POP/IMAP) with Dovecot.
    He added an extra password field for the new scheme, and had Dovecot call a script when a user logged in. Because the password is passed across in clear text, the script had the cleartext password the user was using and so could populate the new password field in the DB.

    After a while, all active users will then have their original password stored using the new scheme, and you can then fiddle with the config to make that the active scheme.
    And of course, deal with those who never logged in during the generation phase who will now need the password resetting manually.

  • Izzy

    Izzy - 2015-08-23

    Sounds good, Simon – thanks! In my case, it was luckily only a few users (migration from the "old system" is still to come), so I was rather concerned about possible side effects. Looks good so far on the VM I used – and on the "real-life server" I started with CRAM from the very beginning, to avoid the hassle :)
