How to hash all the existing email accounts passwords in Plesk that still use symmetric encryption?

kb: how-to

Question

How to hash all the existing email accounts passwords in Plesk that still use symmetric encryption?

Answer

Starting with Plesk 18.0.72, the passwords of newly created email accounts, and of existing accounts whose passwords are changed, are stored as hashes. The Mass Email Accounts Passwords Hash script hashes the passwords of existing email accounts that are still stored in symmetrically encrypted form.

All email account passwords that were saved with symmetric encryption will be hashed once the command is run. The plaintext form of these passwords does not change.

Warning: Because this operation is irreversible, it is highly advised to create a system database backup before executing this script.

Warning: If the SOGo extension is installed and being used on the server as a webmail client in place of RoundCube, do not execute this script. SOGo does not currently support hashed passwords, and the execution of the script may result in the loss of authentication for email accounts in SOGo.

  1. Connect to the Plesk server via SSH.
  2. Create a system database backup.
  3. Download the following script:

    # wget https://raw.githubusercontent.com/plesk/kb-scripts/master/hash-sym-email-accounts-passwords/hash-sym-email-accounts-passwords.sh && chmod +x hash-sym-email-accounts-passwords.sh

  4. Execute the downloaded script:

    # bash hash-sym-email-accounts-passwords.sh
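The following is an added example and is not Plesk's own script: it wraps step 2 (dumping the system database with `plesk db dump psa`, as documented by Plesk) and adds a check a practitioner wants after step 4, namely how many accounts are still stored in encrypted rather than hashed form. The `address|flags|password` layout it parses is a constructed, simplified format and not the real output of `mail_auth_view`; the `$AES-` prefix for symmetrically encrypted values and the crypt-style `$id$` prefix for hashes are assumptions to adapt to what your server actually shows.

```shell
#!/usr/bin/env bash
# Added example (not Plesk's script): back up the psa database, then count
# mail accounts whose stored password is still symmetrically encrypted.
set -euo pipefail

# Step 2 of the procedure: dump the Plesk system database to a file before
# the irreversible hashing run. Assumes the documented `plesk db dump` usage.
backup_psa_db() {
  local dest="${1:-/root/psa-before-hash-$(date +%Y%m%d-%H%M%S).sql}"
  plesk db dump psa > "$dest"
  printf '%s\n' "$dest"
}

# Classify one stored password value (assumptions, see lead-in):
#   $AES-...          -> symmetrically encrypted, still needs hashing
#   $<id>$...         -> crypt-style hash ($1$, $5$, $6$, $2y$, $y$ ...)
#   anything else     -> unknown/plaintext, reported as not hashed
is_hashed() {
  case "$1" in
    '$AES-'*)               return 1 ;;
    '$'[0-9a-zA-Z]*'$'*)    return 0 ;;
    *)                      return 1 ;;
  esac
}

# Read "address|flags|password" lines from stdin (constructed layout, not
# mail_auth_view's real table), list the unhashed ones on stderr and print
# their count on stdout.
count_unhashed() {
  local n=0 addr flags pw
  while IFS='|' read -r addr flags pw; do
    [ -n "$addr" ] || continue
    if ! is_hashed "$pw"; then
      n=$((n + 1))
      printf 'still not hashed: %s (flags: %s)\n' "$addr" "${flags:-none}" >&2
    fi
  done
  printf '%s\n' "$n"
}

# Constructed sample: two hashed accounts, two still encrypted (one of them
# on a disabled account, flag A, one on a disabled domain, flag D).
SAMPLE='a@example.com||$6$rounds=5000$constructedsalt$constructedhash
b@example.com|A|$AES-128-CBC$constructediv$constructedciphertext
c@example.com||$5$constructedsalt$constructedhash
d@example.com|D|$AES-128-CBC$constructediv$constructedciphertext'

# Demo run on the constructed sample; prints 2.
printf '%s\n' "$SAMPLE" | count_unhashed
```

On a real server, call `backup_psa_db` first, run the hashing script, then feed the account list (converted to the `address|flags|password` form) into `count_unhashed`; a count above zero after the run identifies the accounts the script skipped, for example disabled accounts or domains with mail service turned off, so they can be handled individually instead of rerunning the script and reading "Done!" again.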

Comments

2 comments
  • There are several things about this script that could be improved:

    1. Always print out the info where to find the log file
    2. Print out errors directly, instead of hiding them in the log, e.g.
      "Your password is not complex enough. According to the server policy, the minimal password strength is Strong (recommended)."
    3. If a password is not complex enough, it optionally (use command line parameter) should still be hashed. Still safer than without.
    4. Print out a warning if not all passwords were hashed. At the moment, subsequent runs will show the same number again and again, and also show "Done!" although they obviously didn't do anything.
    5. Should convert accounts that are deactivated. Why is this not done already?
    6. Error:
      Unable to find domain with name 'example.com'
      exit status 4
      Exists as an alias, but Mail service is disabled
      --> I needed to enable Mail Service temporarily. Hashing was then already done automatically. After disabling the Mail Service again, the entry vanished from /usr/local/psa/admin/sbin/mail_auth_view
    7. Slightly different error for a domain that is not an alias where the Mail Service is disabled. Hashing needed to be done by the script. There was no automatic hashing as there was for the alias domain.
    8. A small number of passwords were not shown as producing an error but the password wasn't hashed either. No idea what the reason might be. Simply took the unhashed password from /usr/local/psa/admin/sbin/mail_auth_view and set it as the password for the email address via GUI.
    9. Error:
      Hashing password for medienspiegel@verylonglonglonglon......
      Failed to convert domain name from IDN to Punycode
      --> Why is the domain name truncated? There are several domains with different endings and I cannot see which one is affected. Also, none of these domains is an IDN so probably some kind of false positive.
    10. Flags are shown as:
         A - account disabled
         D - domain disabled
         E - password encrypted
      --> E should be "hashed" and not "encrypted"! Passwords were encrypted before; with this script they get hashed.

    1
  • Warning: After hashing passwords, users trying to log in with CRAM-MD5 will not be able to authenticate! For SMTP, there will be errors in the mail log: “SASL CRAM-MD5 authentication failed: authentication failure”

    Apple Mail uses CRAM-MD5 when set to “automatic”, so these users will get problems.

    CRAM-MD5 requires the server to know the actual password, not just the hashed value of the password.

    1