Recently, I’ve come across a small side project where a customer needed to shut down their ancient mail server based on ISPConfig (using Courier as IMAP/user backend).
Migrating passwords
Switching mail systems usually requires users to change their passwords, because password hashes are not compatible between systems. Normally, this is not a big problem with only a couple of users. But with many more, or with a couple of users who are not familiar with IT in general, migrating the passwords becomes appealing.
For a side project I wanted to test migrating all the passwords from the ancient ISPConfig mail system with Courier mail, which uses a MySQL database with Crypt-MD5 hashes. Turns out, it can work fine!
First, export all the passwords of the old system via the command line and save them to a tab-separated file. Copy that one to the new system.
# old system
mysql -u ispconfig -D dbispconfig -p"$DB_PASSWORD" -e "select email, password from mail_user" | tail -n +2 > users.tsv
Copy that users.tsv to the new system and put a migration script in the same folder:
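#!/bin/bash
# add_users.sh
set -e
set -o pipefail
miab="https://box.mydomain.com"
admin_email="admin@box.mydomain.com"
echo -n Password:
read -rs admin_password
echo
q="'"
# users.tsv holds one "email<TAB>password hash" pair per line
while IFS=$'\t' read -r email password_hash
do
  if [ -n "$email" ]
  then
    echo "$email"
    echo "Creating user..."
    # The temporary password (the e-mail address) is overwritten by the old hash below
    curl -X POST --user "$admin_email:$admin_password" --data-urlencode "email=$email" --data-urlencode "password=$email" "$miab/admin/mail/users/add" -q
    echo $0
    echo "Migrating password! $password_hash"
    # Double any single quote so a value cannot end the SQL string literal early
    email_sql=${email//$q/$q$q}
    hash_sql=${password_hash//$q/$q$q}
    sqlite3 /home/user-data/mail/users.sqlite "update users set password = '{MD5-CRYPT}$hash_sql' where email = '$email_sql';"
  fi
done < users.tsv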
Adjust the admin e-mail and MIAB domain and run the script. This will:
- Create the e-mail users
- Change each password hash to the old password hash. Because it is prefixed with “{MD5-CRYPT}”, Dovecot knows how to handle it
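A pre-flight check for users.tsv that could run before the script above, shown as an added example (not part of the original post): it confirms that each hash really has the MD5-crypt shape before it is labelled {MD5-CRYPT}, and rejects addresses that would not fit safely into the quoted SQL string. It goes beyond the post by also recognising SHA-256 and SHA-512 crypt hashes; the function names, the conservative address pattern and the sample rows are assumptions made for the example.

```bash
#!/bin/bash
# Added example: pre-flight check for users.tsv, run before anything is written to users.sqlite.
RE_MD5='^\$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22}$'
RE_SHA256='^\$5\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}$'
RE_SHA512='^\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$'
# Deliberately conservative (assumption): addresses outside this set are reviewed by hand.
RE_EMAIL='^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$'

matches() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# Print the Dovecot scheme name for a well-formed crypt(3) hash, or return 1.
crypt_scheme() {
  if   matches "$1" "$RE_MD5";    then echo MD5-CRYPT
  elif matches "$1" "$RE_SHA256"; then echo SHA256-CRYPT
  elif matches "$1" "$RE_SHA512"; then echo SHA512-CRYPT
  else return 1
  fi
}

# Print the value to store in users.password, e.g. {MD5-CRYPT}$1$..., or return 1.
dovecot_hash() { s=$(crypt_scheme "$1") && printf '{%s}%s\n' "$s" "$1"; }

# Read "email<TAB>hash" rows on stdin, report each row, return 1 if any row was rejected.
check_tsv() {
  tab=$(printf '\t'); n=0; bad=0
  while IFS="$tab" read -r email hash; do
    n=$((n + 1))
    if ! matches "$email" "$RE_EMAIL"; then
      echo "REJECT line $n: unexpected characters in address"; bad=$((bad + 1))
    elif ! s=$(crypt_scheme "$hash"); then
      echo "REJECT line $n ($email): not an MD5/SHA-256/SHA-512 crypt hash"; bad=$((bad + 1))
    else
      echo "OK $email {$s}"
    fi
  done
  [ "$bad" -eq 0 ]
}

# Constructed sample rows (not real hashes): valid MD5-crypt, truncated hash, quote in address.
sample() {
  printf 'alice@example.com\t$1$abcdefgh$0123456789ABCDEFGHIJKL\n'
  printf 'bob@example.com\t$1$abcdefgh$tooshort\n'
  printf "o'brien@example.com\t\$1\$abcdefgh\$0123456789ABCDEFGHIJKL\n"
}
sample | check_tsv || echo "Fix the rejected rows before importing."
```

Against the real export it would be called as check_tsv < users.tsv, and the import only started once it returns 0.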
Tell dovecot to use dynamic crypto algo
From the Dovecot wiki:
# Comment default_pass_scheme so dovecot will look at the prefix
default_pass_scheme = CRYPT
So, open the file with nano /etc/dovecot/dovecot-sql.conf.ext and comment out:
# default_pass_scheme = SHA512-CRYPT
Reload Dovecot with service dovecot reload.
Copy mails
The easiest way is to copy an SSH public key to the old system’s authorized keys and use rsync:
# new system:
cat /root/.ssh/id_rsa_miab.pub
# Copy to old system
nano /root/.ssh/authorized_keys
# paste
Migrate all the mails. This can take a while when you have messy users :)
# log into new miab system
rsync -a root@old.mail.system:/var/vmail/. /home/user-data/mail/mailboxes/. -e "ssh -i ~/.ssh/id_rsa_miab"
chown mail:mail /home/user-data/mail/mailboxes/ -R
Inform your users
We migrated the password hashes successfully, but those are unsafe because they use an older CRYPT method. Ask your users to change their password via the webmail of MIAB. This will automatically generate a new hash with the safer SHA512-CRYPT scheme.
Also, because we now have valid Let's Encrypt certificates, ask your users to use IMAPS (993, SSL/TLS) and SMTP on 587 (STARTTLS).