Postfix issues after installing Ubuntu 20.04.1 LTS
I have been trying to fix my postfix after recently installing Ubuntu 20 LTS. I found that my virtual_user passwords may have been compromised, so I had to reset them. When I tried to follow the instructions in this document that I used when originally setting up https://www.linode.com/docs/guides/email-with-postfix-dovecot-and-mysql/, MySQL now no longer supports ENCRYPT. So I decided to use SHA-256. I see this in the dovecot settings
default_pass_scheme = SHA512-CRYPT
I changed it to
default_pass_scheme = SHA256-CRYPT
Is that what I need to do? Nothing seems to be working now. I can no longer relay email to my server and have it go back out to where I want it to land.
Has anyone else gotten postfix working on Ubuntu 20?
1 Reply
@bradrice --
I don't use Ubuntu…rather Debian. Ubuntu is a downstream derivative of Debian. Your problem is not OS(-version) specific however.
I also don't have any experience with using mysql for this because my user count is quite small so I use sqlite. I do however use:
default_pass_scheme = SHA512-CRYPT
IMHO, you should use the strongest encryption/hashing scheme possible. SHA512 is an order of magnitude better in this regard than SHA256.
That being said, you need to change whatever mysql(1) SQL script you use to verify the password to calculate a SHA512. I think this article has the key:
https://stackoverflow.com/questions/51420805/dovecot-password-hashing-with-mysql-8-sha2
Once you get that working, you can reset the passwords using doveadm(1) according to:
https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
I hope this helps… Like I said, I don't use mysql(1)…however, what you tell dovecot(1) the default_pass_scheme is has to match whatever is in your database otherwise the verification will fail.
I build my database with a bunch of ruby(1) programs. In particular, I calculate the password hash with UnixCrypt::SHA512.build (see: https://github.com/mogest/unix-crypt ).
I did this because I got tired of doing what I'm suggesting that you do… The database is just the repository…it shouldn't be in the business of encoding/decoding anything. If you create the SHA512 of the password using whatever means you like; store that into the database as text; and tell dovecot(1) how to interpret it when it reads the hash (text) from the database, you don't need to use any mysql functions to encode/decode the hash at all.
You can add/update passwords this way using a shell script that invokes doveadm(1) to generate the hash and mysql(1) to update the row in the database. I never understood why the Linode tutorials insist on putting the hashing/verification stuff into the dovecot(1) db access method anyway…
Testing all this out before you put it into production would be a good task for a nanode…
-- sw