[GH-ISSUE #256] If using dovecot as password generator ViMbAdmin changes the hash which makes change of hash later impossible #207

Closed
opened 2026-02-26 09:36:43 +03:00 by kerem · 2 comments

Originally created by @mfechner on GitHub (Dec 5, 2018).
Original GitHub issue: https://github.com/opensolutions/ViMbAdmin/issues/256

Dear all,

regarding this line:
https://github.com/opensolutions/ViMbAdmin/blob/afc2b44ad129b6043ab4400276911124dcceb112/library/ViMbAdmin/Dovecot.php#L59

if dovecot is used to generate the hash, the hash normally looks like:

```bash
doveadm -o stats_writer_socket_path= pw -p test -s BLF-CRYPT
{BLF-CRYPT}$2y$05$MScpeuQcoTM0evggtJ9ZX.tzwbD4GXsrepigXHYhfaI4mx0EqWcLy
```

ViMbAdmin now removes the `{BLF-CRYPT}` part.
If you now try to migrate from BLF-CRYPT to ARGON2ID and you change the standard password scheme, authentication will not work anymore.
Is there a special reason why `{BLF-CRYPT}` is removed?

If that removal did not happen, you could mix password schemes and you could use a post-login script from Dovecot to migrate to a new hash scheme without interrupting your email service.

If you agree, I would create a merge request that does not remove the `{BLF-CRYPT}` from the hash anymore.

kerem closed this issue 2026-02-26 09:36:43 +03:00

@barryo commented on GitHub (May 16, 2020):

You are right that we probably shouldn't have stripped it but unfortunately this change would create widespread breakage of existing systems.

This could be solved with a MySQL VIEW table.


@barryo commented on GitHub (May 16, 2020):

Actually also discussed in the still open #178
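
The prefix stripping discussed in this thread leaves bare hashes whose scheme has to be inferred before schemes can be mixed in one password column. The following is an added example, not part of the original thread or ViMbAdmin's code: it restores the `{SCHEME}` prefix from the crypt-style identifier at the start of each stored value. The function names and sample rows are assumptions constructed for illustration; only the BLF-CRYPT hash comes from the issue.

```python
import re

# Crypt-style identifier -> Dovecot password scheme name.
CRYPT_ID_TO_SCHEME = {
    "1": "MD5-CRYPT", "5": "SHA256-CRYPT", "6": "SHA512-CRYPT",
    "2a": "BLF-CRYPT", "2y": "BLF-CRYPT",
    "argon2i": "ARGON2I", "argon2id": "ARGON2ID",
}
# "{SCHEME}" or "{SCHEME.encoding}" followed by the hash itself.
PREFIXED = re.compile(r"^\{([A-Za-z0-9-]+)(?:\.[A-Za-z0-9]+)?\}.+", re.S)
CRYPT_ID = re.compile(r"^\$([a-z0-9]+)\$")

# Hash from the doveadm output quoted in the issue (password "test").
PAGE_HASH = "$2y$05$MScpeuQcoTM0evggtJ9ZX.tzwbD4GXsrepigXHYhfaI4mx0EqWcLy"


def restore_prefix(stored):
    """Return (scheme, value); scheme is None when it cannot be inferred."""
    m = PREFIXED.match(stored)
    if m:  # already self-describing, leave as is
        return m.group(1).upper(), stored
    m = CRYPT_ID.match(stored)
    scheme = CRYPT_ID_TO_SCHEME.get(m.group(1)) if m else None
    if scheme is None:  # e.g. bare hex digest: needs manual review
        return None, stored
    return scheme, "{%s}%s" % (scheme, stored)


def audit(rows):
    """rows: (username, stored) pairs. Returns (fixed dict, unknown list)."""
    fixed, unknown = {}, []
    for user, stored in rows:
        scheme, value = restore_prefix(stored)
        if scheme is None:
            unknown.append(user)
        elif value != stored:
            fixed[user] = value
    return fixed, unknown


# Constructed sample rows (usernames and the last two values are made up).
SAMPLE_ROWS = [
    ("alice@example.com", PAGE_HASH),
    ("bob@example.com", "{BLF-CRYPT}" + PAGE_HASH),
    ("carol@example.com", "$argon2id$v=19$m=65536,t=3,p=1$Y29uc3Q$Y29uc3RydWN0ZWQ"),
    ("dave@example.com", "0123456789abcdef0123456789abcdef"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROWS))
```

Values that land in the `unknown` list carry no identifier at all, so they only verify under whatever default scheme was configured when they were written.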
