Author Topic: Change password for MySQL users  (Read 47683 times)

Offline horizn

  • Newbie
  • *
  • Posts: 9
Change password for MySQL users
« on: August 05, 2016, 09:04:10 AM »
Hi,
I am trying to configure the password plugin to give users the ability to change their password. However, I need help with the MySQL query.

The database name is system, and the passwords (SHA1) are stored in the table user:

Code:
MariaDB [system]> SELECT * FROM user;
+-----------+----------------------+------------------------------+--------------+------------------+--------------+----------------+----------+------------------------------+---------------------+
| username  | domain               | password                     | SMTP_allowed | SMTPAUTH_allowed | IMAP_allowed | spam_threshold | spam_tag | Full Name                    | last_modified       |
+-----------+----------------------+------------------------------+--------------+------------------+--------------+----------------+----------+------------------------------+---------------------+
| roundcube | 123.com              | QL0AFWMIX8NRZTKeof9cXsvbvu8= | YES          | YES              | YES          |              5 | {SPAM?}  | RoundCubeMail                | 2015-03-23 20:25:07 |

To change a password in SQL I need to run the following command:

Code:
MariaDB [system]> UPDATE user SET password='2jmj7l5rSw0yVb/vlWAYkK/YBwk=' WHERE username='webmaster';
Query OK, 1 row affected (0.05 sec)
Rows matched: 1  Changed: 1  Warnings: 0

Now I need a proper MySQL query in config.inc.php:

Code:
$config['password_query'] = 'UPDATE user SET password='%p' WHERE username='%u';

Unfortunately, when I set this as my MySQL query, I am no longer able to display the RoundCube login page (Error 500):

Code:
--736e7b34-A--
[05/Aug/2016:13:59:31 +0100] V6SNs7IhNKMAAD8-aZYAAABC 1.2.3.4 54086 5.6.7.8 443
--736e7b34-B--
GET /poczta/ HTTP/1.1
Host: domain
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Cookie: roundcube_sessid=4dmornn5tdqlga1rdsbmrfkv94; PHPSESSID=6em7fqrk2er34hc8l89i2h2fj4
Connection: keep-alive
Upgrade-Insecure-Requests: 1

--736e7b34-F--
HTTP/1.0 500 Internal Server Error
Strict-Transport-Security: max-age=15768000
X-Powered-By: PHP/5.6.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

--736e7b34-H--
Apache-Error: [file "ssl_engine_kernel.c"] [line 366] [level 7] AH02034: %s HTTPS request received for child %ld (server %s)
Apache-Error: [file "mod_authz_core.c"] [line 809] [level 7] AH01626: authorization result of %s: %s
Apache-Error: [file "mod_authz_core.c"] [line 809] [level 7] AH01626: authorization result of %s: %s
Apache-Error: [file "mod_authz_core.c"] [line 809] [level 7] AH01626: authorization result of %s: %s
Apache-Error: [file "mod_authz_core.c"] [line 809] [level 7] AH01626: authorization result of %s: %s
Apache-Handler: application/x-httpd-php
Stopwatch: 1470401971244933 14127 (- - -)
Stopwatch2: 1470401971244933 14127; combined=302, p1=292, p2=0, p3=0, p4=0, p5=9, sr=43, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache

--736e7b34-Z--

It doesn't matter whether the ModSecurity engine is enabled or not.

In the meantime I found that Roundcube is complaining about a PHP parse error:

Code:
[05-Aug-2016 16:51:16 Europe/London] PHP Parse error:  syntax error, unexpected 'password_crypt_hash' (T_STRING) in /var/www/htdocs/poczta/plugins/password/config.inc.php on line 115
[05-Aug-2016 16:52:42 Europe/London] PHP Parse error:  syntax error, unexpected 'password_crypt_hash' (T_STRING) in /var/www/htdocs/poczta/plugins/password/config.inc.php on line 115
[05-Aug-2016 16:52:43 Europe/London] PHP Parse error:  syntax error, unexpected 'password_crypt_hash' (T_STRING) in /var/www/htdocs/poczta/plugins/password/config.inc.php on line 115
[05-Aug-2016 16:53:06 Europe/London] PHP Parse error:  syntax error, unexpected 'password_crypt_hash' (T_STRING) in /var/www/htdocs/poczta/plugins/password/config.inc.php on line 115
[05-Aug-2016 16:53:30 Europe/London] PHP Parse error:  syntax error, unexpected 'password_crypt_hash' (T_STRING) in /var/www/htdocs/poczta/plugins/password/config.inc.php on line 115
[05-Aug-2016 16:53:54 Europe/London] PHP Parse error:  syntax error, unexpected 'password_crypt_hash' (T_STRING) in /var/www/htdocs/poczta/plugins/password/config.inc.php on line 115

Even if I comment out that line in the config file:

Code:
<?php

// Password Plugin options
// -----------------------
// A driver to use for password change. Default: "sql".
// See README file for list of supported driver names.
$config['password_driver'] = 'sql';

// Determine whether current password is required to change password.
// Default: false.
$config['password_confirm_current'] = true;

// Require the new password to be a certain length.
// set to blank to allow passwords of any length
$config['password_minimum_length'] = 12;

// Require the new password to contain a letter and punctuation character
// Change to false to remove this check.
$config['password_require_nonalpha'] = true;

// Enables logging of password changes into logs/password
$config['password_log'] = true;

// Comma-separated list of login exceptions for which password change
// will be not available (no Password tab in Settings)
$config['password_login_exceptions'] = null;

// Array of hosts that support password changing. Default is NULL.
// Listed hosts will feature a Password option in Settings; others will not.
// Example: array('mail.example.com', 'mail2.example.org');
$config['password_hosts'] = array('localhost');

// Enables saving the new password even if it matches the old password. Useful
// for upgrading the stored passwords after the encryption scheme has changed.
$config['password_force_save'] = false;

// Enables forcing new users to change their password at their first login.
$config['password_force_new_user'] = true;

// Default password hashing/crypting algorithm.
// Possible options: des-crypt, ext-des-crypt, md5-crypt, blowfish-crypt,
// sha256-crypt, sha512-crypt, md5, sha, smd5, ssha, samba, ad, dovecot, clear.
// For details see password::hash_password() method.
$config['password_algorithm'] = 'sha';

// Password prefix (e.g. {CRYPT}, {SHA}) for passwords generated
// using password_algorithm above. Default: empty.
$config['password_algorithm_prefix'] = '{SHA}';

// Path for dovecotpw/doveadm-pw (if not in the $PATH).
// Used for password_algorithm = 'dovecot'.
// $config['password_dovecotpw'] = '/usr/locadb_dsnwl/sbin/doveadm pw'; // for dovecot-2.x
$config['password_dovecotpw'] = '/usr/bin/doveadm pw'; // for dovecot-1.x

// Dovecot password scheme.
// Used for password_algorithm = 'dovecot'.
$config['password_dovecotpw_method'] = 'SHA1';

// Iteration count parameter for Blowfish-based hashing algo.
// It must be between 4 and 31. Default: 12.
// Be aware, the higher the value, the longer it takes to generate the password hashes.
$config['password_blowfish_cost'] = 12;

// Number of rounds for the sha256 and sha512 crypt hashing algorithms.
// Must be at least 1000. If not set, then the number of rounds is left up
// to the crypt() implementation. On glibc this defaults to 5000.
// Be aware, the higher the value, the longer it takes to generate the password hashes.
//$config['password_crypt_rounds'] = 50000;

// This option temporarily disables the password change functionality.
// Use it when the users database server is in maintenance mode or sth like that.
// You can set it to TRUE/FALSE or a text describing the reason
// which will replace the default.
$config['password_disabled'] = false;

// SQL Driver options
// ------------------
// PEAR database DSN for performing the query. By default
// Roundcube DB settings are used.
$config['password_db_dsn'] = 'mysql://***:***]c@localhost/system';

// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
//      %p is replaced with the plaintext new password
//      %P is replaced with the crypted/hashed new password
//         according to configured password_method
//      %o is replaced with the old (current) password
//      %O is replaced with the crypted/hashed old (current) password
//         according to configured password_method
//      %h is replaced with the imap host (from the session info)
//      %u is replaced with the username (from the session info)
//      %l is replaced with the local part of the username
//         (in case the username is an email address)
//      %d is replaced with the domain part of the username
//         (in case the username is an email address)
// Deprecated macros:
//      %c is replaced with the crypt version of the new password, MD5 if available
//         otherwise DES. More hash function can be enabled using the password_crypt_hash
//         configuration parameter.
//      %D is replaced with the dovecotpw-crypted version of the new password
//      %n is replaced with the hashed version of the new password
//      %q is replaced with the hashed password before the change
// Escaping of macros is handled by this module.
// Default: "SELECT update_passwd(%c, %u)"
//$config['password_query'] = 'SELECT update_passwd(%c, %u)';
$config['password_query'] = 'UPDATE user SET password=%p WHERE username=%u LIMIT 1;

// By default the crypt() function which is used to create the %c
// parameter uses the md5 algorithm (deprecated, use %P).
// You can choose between: des, md5, blowfish, sha256, sha512.
// $config['password_crypt_hash'] = 'md5';

// By default domains in variables are using unicode.
// Enable this option to use punycoded names
$config['password_idn_ascii'] = false;

// Enables use of password with crypt method prefix in %D, e.g. {MD5}$1$LUiMYWqx$fEkg/ggr/L6Mb2X7be4i1/
// when using the %D macro (deprecated, use %P)
$config['password_dovecotpw_with_method'] = false;

// Using a password hash for %n and %q variables (deprecated, use %P).
// Determine which hashing algorithm should be used to generate
// the hashed new and current password for using them within the
// SQL query. Requires PHP's 'hash' extension.
$config['password_hash_algorithm'] = 'sha1';

// You can also decide whether the hash should be provided
// as hex string or in base64 encoded format.
$config['password_hash_base64'] = false;

« Last Edit: August 05, 2016, 12:03:21 PM by horizn »

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,880
    • SKaero - Custom Roundcube development
Re: Change password for MySQL users
« Reply #1 on: August 05, 2016, 12:43:24 PM »
So the error is in your password_query line:
Code:
$config['password_query'] = 'UPDATE user SET password=%p WHERE username=%u LIMIT 1;

You're missing a ' at the end of the line; it should be:
Code:
$config['password_query'] = 'UPDATE user SET password=%p WHERE username=%u LIMIT 1';

You're also going to need to change %p to %n so that it stores the sha version of the password, not the clear-text password.

Offline horizn

  • Newbie
  • *
  • Posts: 9
Re: Change password for MySQL users
« Reply #2 on: August 08, 2016, 05:52:21 AM »
Thanks, now I am able to log in; however, when I try to change the password I get the "Could not save new password." error message.

All I found about that attempt in Apache log files:

Code:
/var/log/httpd/ssl_access.log:1.2.3.4 - - [08/Aug/2016:10:39:37 +0100] "POST /poczta/?_task=login HTTP/1.1" 302 -
/var/log/httpd/ssl_access.log:1.2.3.4 - - [08/Aug/2016:10:39:37 +0100] "GET /poczta/?_task=mail&_token=XelZLtKURDO84Kd0XbZjb9PNhDCxmtDg HTTP/1.1" 200 40784
/var/log/httpd/ssl_access.log:1.2.3.4 - - [08/Aug/2016:10:39:37 +0100] "GET /poczta/program/resources/blank.tif HTTP/1.1" 200 270
/var/log/httpd/ssl_access.log:1.2.3.4 - - [08/Aug/2016:10:39:37 +0100] "GET /poczta/?_task=mail&_action=list&_refresh=1&_mbox=INBOX&_remote=1&_unlock=loading1470649174756&_=1470649174666 HTTP/1.1" 200 902
/var/log/httpd/ssl_access.log:1.2.3.4 - - [08/Aug/2016:10:39:37 +0100] "GET /poczta/?_task=mail&_action=getunread&_page=1&_remote=1&_unlock=0&_=1470649174667 HTTP/1.1" 200 75
/var/log/httpd/ssl_access.log:1.2.3.4 - - [08/Aug/2016:10:39:40 +0100] "GET /poczta/?_task=settings HTTP/1.1" 200 10034
/var/log/httpd/ssl_access.log:1.2.3.4 - - [08/Aug/2016:10:39:42 +0100] "GET /poczta/?_task=settings&_action=plugin.password HTTP/1.1" 200 10445
/var/log/httpd/ssl_access.log:1.2.3.4 - - [08/Aug/2016:10:39:55 +0100] "POST /poczta/?_task=settings&_action=plugin.password-save HTTP/1.1" 200 10509


/var/log/httpd/ssl_custom.log:[08/Aug/2016:10:39:37 +0100] 1.2.3.4 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /poczta/?_task=login HTTP/1.1" -
/var/log/httpd/ssl_custom.log:[08/Aug/2016:10:39:37 +0100] 1.2.3.4 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /poczta/?_task=mail&_token=XelZLtKURDO84Kd0XbZjb9PNhDCxmtDg HTTP/1.1" 40784
/var/log/httpd/ssl_custom.log:[08/Aug/2016:10:39:37 +0100] 1.2.3.4 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /poczta/program/resources/blank.tif HTTP/1.1" 270
/var/log/httpd/ssl_custom.log:[08/Aug/2016:10:39:37 +0100] 1.2.3.4 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /poczta/?_task=mail&_action=list&_refresh=1&_mbox=INBOX&_remote=1&_unlock=loading1470649174756&_=1470649174666 HTTP/1.1" 902
/var/log/httpd/ssl_custom.log:[08/Aug/2016:10:39:37 +0100] 1.2.3.4 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /poczta/?_task=mail&_action=getunread&_page=1&_remote=1&_unlock=0&_=1470649174667 HTTP/1.1" 75
/var/log/httpd/ssl_custom.log:[08/Aug/2016:10:39:40 +0100] 1.2.3.4 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /poczta/?_task=settings HTTP/1.1" 10034
/var/log/httpd/ssl_custom.log:[08/Aug/2016:10:39:42 +0100] 1.2.3.4 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /poczta/?_task=settings&_action=plugin.password HTTP/1.1" 10445
/var/log/httpd/ssl_custom.log:[08/Aug/2016:10:39:55 +0100] 1.2.3.4 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /poczta/?_task=settings&_action=plugin.password-save HTTP/1.1" 10509

If I enter the wrong current password, then I get the "Current password incorrect." error message, so I am guessing it can talk to the database. I've changed the MySQL user to root to exclude DB permission issues, but still with no luck.

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,880
    • SKaero - Custom Roundcube development
Re: Change password for MySQL users
« Reply #3 on: August 08, 2016, 10:16:36 AM »
Is the user password in the database changing?

Offline horizn

  • Newbie
  • *
  • Posts: 9
Re: Change password for MySQL users
« Reply #4 on: August 08, 2016, 11:00:49 AM »
Is the user password in the database changing?

What does it mean?

In the meantime I caught this in the MySQL query log file:

Code:
# tail -f /var/log/mysql_query.log
160808 15:53:05    35 Connect   roundcube@localhost as anonymous on roundcubemail
                   35 Query     SET NAMES 'utf8'
                   35 Query     SELECT `vars`, `ip`, `changed`, now() AS ts FROM `session` WHERE `sess_id` = 'xyz'
                   35 Query     SELECT * FROM `users` WHERE `user_id` = '1'
                   35 Quit
160808 15:53:20    36 Connect   roundcube@localhost as anonymous on roundcubemail
                   36 Query     SET NAMES 'utf8'
                   36 Query     SELECT `vars`, `ip`, `changed`, now() AS ts FROM `session` WHERE `sess_id` = 'xyz'
                   36 Query     SELECT * FROM `users` WHERE `user_id` = '1'
                   37 Connect   root@localhost as anonymous on system
                   37 Query     SET NAMES 'utf8'
                   37 Query     UPDATE user SET password='a3c4f1fe59597a2bcda721e8fd28ab5929d43502' WHERE username='webmaster@domain' LIMIT 1
                   37 Quit
                   36 Quit

where the user should be webmaster instead of webmaster@domain, and the password doesn't look like SHA1.

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,880
    • SKaero - Custom Roundcube development
Re: Change password for MySQL users
« Reply #5 on: August 08, 2016, 12:00:26 PM »
What does your password config look like now?

Offline horizn

  • Newbie
  • *
  • Posts: 9
Re: Change password for MySQL users
« Reply #6 on: August 08, 2016, 12:06:54 PM »
What does your password config look like now?

Code:
<?php

// Password Plugin options
// -----------------------
// A driver to use for password change. Default: "sql".
// See README file for list of supported driver names.
$config['password_driver'] = 'sql';

// Determine whether current password is required to change password.
// Default: false.
$config['password_confirm_current'] = true;

// Require the new password to be a certain length.
// set to blank to allow passwords of any length
$config['password_minimum_length'] = 12;

// Require the new password to contain a letter and punctuation character
// Change to false to remove this check.
$config['password_require_nonalpha'] = true;

// Enables logging of password changes into logs/password
$config['password_log'] = true;

// Comma-separated list of login exceptions for which password change
// will be not available (no Password tab in Settings)
$config['password_login_exceptions'] = null;

// Array of hosts that support password changing. Default is NULL.
// Listed hosts will feature a Password option in Settings; others will not.
// Example: array('mail.example.com', 'mail2.example.org');
$config['password_hosts'] = array('domain');

// Enables saving the new password even if it matches the old password. Useful
// for upgrading the stored passwords after the encryption scheme has changed.
$config['password_force_save'] = false;

// Enables forcing new users to change their password at their first login.
$config['password_force_new_user'] = true;

// Default password hashing/crypting algorithm.
// Possible options: des-crypt, ext-des-crypt, md5-crypt, blowfish-crypt,
// sha256-crypt, sha512-crypt, md5, sha, smd5, ssha, samba, ad, dovecot, clear.
// For details see password::hash_password() method.
$config['password_algorithm'] = 'sha';

// Password prefix (e.g. {CRYPT}, {SHA}) for passwords generated
// using password_algorithm above. Default: empty.
$config['password_algorithm_prefix'] = '{SHA}';

// Path for dovecotpw/doveadm-pw (if not in the $PATH).
// Used for password_algorithm = 'dovecot'.
// $config['password_dovecotpw'] = '/usr/locadb_dsnwl/sbin/doveadm pw'; // for dovecot-2.x
$config['password_dovecotpw'] = '/usr/bin/doveadm pw'; // for dovecot-1.x

// Dovecot password scheme.
// Used for password_algorithm = 'dovecot'.
$config['password_dovecotpw_method'] = 'SHA1';

// Iteration count parameter for Blowfish-based hashing algo.
// It must be between 4 and 31. Default: 12.
// Be aware, the higher the value, the longer it takes to generate the password hashes.
$config['password_blowfish_cost'] = 12;

// Number of rounds for the sha256 and sha512 crypt hashing algorithms.
// Must be at least 1000. If not set, then the number of rounds is left up
// to the crypt() implementation. On glibc this defaults to 5000.
// Be aware, the higher the value, the longer it takes to generate the password hashes.
//$config['password_crypt_rounds'] = 50000;

// This option temporarily disables the password change functionality.
// Use it when the users database server is in maintenance mode or sth like that.
// You can set it to TRUE/FALSE or a text describing the reason
// which will replace the default.
$config['password_disabled'] = false;


// SQL Driver options
// ------------------
// PEAR database DSN for performing the query. By default
// Roundcube DB settings are used.
$config['password_db_dsn'] = 'mysql://root:password@localhost/system';

// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
//      %p is replaced with the plaintext new password
//      %P is replaced with the crypted/hashed new password
//         according to configured password_method
//      %o is replaced with the old (current) password
//      %O is replaced with the crypted/hashed old (current) password
//         according to configured password_method
//      %h is replaced with the imap host (from the session info)
//      %u is replaced with the username (from the session info)
//      %l is replaced with the local part of the username
//         (in case the username is an email address)
//      %d is replaced with the domain part of the username
//         (in case the username is an email address)
// Deprecated macros:
//      %c is replaced with the crypt version of the new password, MD5 if available
//         otherwise DES. More hash function can be enabled using the password_crypt_hash
//         configuration parameter.
//      %D is replaced with the dovecotpw-crypted version of the new password
//      %n is replaced with the hashed version of the new password
//      %q is replaced with the hashed password before the change
// Escaping of macros is handled by this module.
// Default: "SELECT update_passwd(%c, %u)"
$config['password_query'] = 'UPDATE user SET password=%n WHERE username=%u LIMIT 1';

// By default the crypt() function which is used to create the %c
// parameter uses the md5 algorithm (deprecated, use %P).
// You can choose between: des, md5, blowfish, sha256, sha512.
// $config['password_crypt_hash'] = 'md5';

// By default domains in variables are using unicode.
// Enable this option to use punycoded names
$config['password_idn_ascii'] = false;

// Enables use of password with crypt method prefix in %D, e.g. {MD5}$1$LUiMYWqx$fEkg/ggr/L6Mb2X7be4i1/
// when using the %D macro (deprecated, use %P)
$config['password_dovecotpw_with_method'] = false;

// Using a password hash for %n and %q variables (deprecated, use %P).
// Determine which hashing algorithm should be used to generate
// the hashed new and current password for using them within the
// SQL query. Requires PHP's 'hash' extension.
$config['password_hash_algorithm'] = 'sha1';

// You can also decide whether the hash should be provided
// as hex string or in base64 encoded format.
$config['password_hash_base64'] = false;


// Poppassd Driver options
// -----------------------
// The host which changes the password
$config['password_pop_host'] = 'localhost';

// TCP port used for poppassd connections
$config['password_pop_port'] = 106;


// SASL Driver options
// -------------------
// Additional arguments for the saslpasswd2 call
$config['password_saslpasswd_args'] = '';


// LDAP and LDAP_SIMPLE Driver options
// -----------------------------------
// LDAP server name to connect to.
// You can provide one or several hosts in an array, in which case the hosts are tried from left to right.
// Example: array('ldap1.example.com', 'ldap2.example.com');
// Default: 'localhost'
$config['password_ldap_host'] = 'localhost';

// LDAP server port to connect to
// Default: '389'
$config['password_ldap_port'] = '389';

// TLS is started after connecting
// Using TLS for password modification is recommended.
// Default: false
$config['password_ldap_starttls'] = false;

// LDAP version
// Default: '3'
$config['password_ldap_version'] = '3';

// LDAP base name (root directory)
// Example: 'dc=example,dc=com'
$config['password_ldap_basedn'] = 'dc=example,dc=com';

// LDAP connection method
// There are two connection methods for changing a user's LDAP password.
// 'user': use user credentials (recommended, requires password_confirm_current=true)
// 'admin': use admin credentials (this mode requires password_ldap_adminDN and password_ldap_adminPW)
// Default: 'user'
$config['password_ldap_method'] = 'user';

// LDAP Admin DN
// Used only in admin connection mode
// Default: null
$config['password_ldap_adminDN'] = null;

// LDAP Admin Password
// Used only in admin connection mode
// Default: null
$config['password_ldap_adminPW'] = null;

// LDAP user DN mask
// The user's DN is mandatory and as we only have his login,
// we need to re-create his DN using a mask
// '%login' will be replaced by the current roundcube user's login
// '%name' will be replaced by the current roundcube user's name part
// '%domain' will be replaced by the current roundcube user's domain part
// '%dc' will be replaced by domain name hierarchal string e.g. "dc=test,dc=domain,dc=com"
// Example: 'uid=%login,ou=people,dc=example,dc=com'
$config['password_ldap_userDN_mask'] = 'uid=%login,ou=people,dc=example,dc=com';

// LDAP search DN
// The DN roundcube should bind with to find out user's DN
// based on his login. Note that you should comment out the default
// password_ldap_userDN_mask setting for this to take effect.
// Use this if you cannot specify a general template for user DN with
// password_ldap_userDN_mask. You need to perform a search based on
// users login to find his DN instead. A common reason might be that
// your users are placed under different ou's like engineering or
// sales which cannot be derived from their login only.
$config['password_ldap_searchDN'] = 'cn=roundcube,ou=services,dc=example,dc=com';

// LDAP search password
// If password_ldap_searchDN is set, the password to use for
// binding to search for user's DN. Note that you should comment out the default
// password_ldap_userDN_mask setting for this to take effect.
// Warning: Be sure to set appropriate permissions on this file so this password
// is only accessible to roundcube, and don't forget to restrict roundcube's access to
// your directory as much as possible using ACLs. Should this password be compromised,
// you want to minimize the damage.
$config['password_ldap_searchPW'] = 'secret';

// LDAP search base
// If password_ldap_searchDN is set, the base to search in using the filter below.
// Note that you should comment out the default password_ldap_userDN_mask setting
// for this to take effect.
$config['password_ldap_search_base'] = 'ou=people,dc=example,dc=com';

// LDAP search filter
// If password_ldap_searchDN is set, the filter to use when
// searching for user's DN. Note that you should comment out the default
// password_ldap_userDN_mask setting for this to take effect.
// '%login' will be replaced by the current roundcube user's login
// '%name' will be replaced by the current roundcube user's name part
// '%domain' will be replaced by the current roundcube user's domain part
// '%dc' will be replaced by domain name hierarchal string e.g. "dc=test,dc=domain,dc=com"
// Example: '(uid=%login)'
// Example: '(&(objectClass=posixAccount)(uid=%login))'
$config['password_ldap_search_filter'] = '(uid=%login)';

// LDAP password hash type
// Standard LDAP encryption type which must be one of: crypt,
// ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, ad, cram-md5 (dovecot style) or clear.
// Set to 'default' if you want to use method specified in password_algorithm option above.
// Multiple password Values can be generated by concatenating encodings with a +. E.g. 'cram-md5+crypt'
// Default: 'crypt'.
$config['password_ldap_encodage'] = 'crypt';

// LDAP password attribute
// Name of the ldap's attribute used for storing user password
// Default: 'userPassword'
$config['password_ldap_pwattr'] = 'userPassword';

// LDAP password force replace
// Force LDAP replace in cases where ACL allows only replace not read
// See http://pear.php.net/package/Net_LDAP2/docs/latest/Net_LDAP2/Net_LDAP2_Entry.html#methodreplace
// Default: true
$config['password_ldap_force_replace'] = true;

// LDAP Password Last Change Date
// Some places use an attribute to store the date of the last password change
// The date is measured in "days since epoch" (an integer value)
// Whenever the password is changed, the attribute will be updated if set (e.g. shadowLastChange)
$config['password_ldap_lchattr'] = '';

// LDAP Samba password attribute, e.g. sambaNTPassword
// Name of the LDAP's Samba attribute used for storing user password
$config['password_ldap_samba_pwattr'] = '';
 
// LDAP Samba Password Last Change Date attribute, e.g. sambaPwdLastSet
// Some places use an attribute to store the date of the last password change
// The date is measured in "seconds since epoch" (an integer value)
// Whenever the password is changed, the attribute will be updated if set
$config['password_ldap_samba_lchattr'] = '';


// DirectAdmin Driver options
// --------------------------
// The host which changes the password
// Use 'ssl://host' instead of 'tcp://host' when running DirectAdmin over SSL.
// The host can contain the following macros that will be expanded as follows:
//     %h is replaced with the imap host (from the session info)
//     %d is replaced with the domain part of the username (if the username is an email)
$config['password_directadmin_host'] = 'tcp://localhost';

// TCP port used for DirectAdmin connections
$config['password_directadmin_port'] = 2222;


// vpopmaild Driver options
// -----------------------
// The host which changes the password
$config['password_vpopmaild_host'] = 'localhost';

// TCP port used for vpopmaild connections
$config['password_vpopmaild_port'] = 89;

// Timeout used for the connection to vpopmaild (in seconds)
$config['password_vpopmaild_timeout'] = 10;


// cPanel Driver options
// --------------------------
// The cPanel Host name
$config['password_cpanel_host'] = 'host.domain.com';

// The cPanel admin username
$config['password_cpanel_username'] = 'username';

// The cPanel admin password
$config['password_cpanel_password'] = 'password';

// The cPanel port to use
$config['password_cpanel_port'] = 2087;


// XIMSS (Communigate server) Driver options
// -----------------------------------------
// Host name of the Communigate server
$config['password_ximss_host'] = 'mail.example.com';

// XIMSS port on Communigate server
$config['password_ximss_port'] = 11024;


// chpasswd Driver options
// ---------------------
// Command to use (see "Sudo setup" in README)
$config['password_chpasswd_cmd'] = 'sudo /usr/sbin/chpasswd 2> /dev/null';


// XMail Driver options
// ---------------------
$config['xmail_host'] = 'localhost';
$config['xmail_user'] = 'YourXmailControlUser';
$config['xmail_pass'] = 'YourXmailControlPass';
$config['xmail_port'] = 6017;


// hMail Driver options
// -----------------------
// Remote hMailServer configuration
// true:  HMailserver is on a remote box (php.ini: com.allow_dcom = true)
// false: Hmailserver is on same box as PHP
$config['hmailserver_remote_dcom'] = false;
// Windows credentials
$config['hmailserver_server'] = array(
    'Server'   => 'localhost',      // hostname or ip address
    'Username' => 'administrator',  // windows username
    'Password' => 'password'        // windows user password
);


// Virtualmin Driver options
// -------------------------
// Username format:
// 0: username@domain
// 1: username%domain
// 2: username.domain
// 3: domain.username
// 4: username-domain
// 5: domain-username
// 6: username_domain
// 7: domain_username
$config['password_virtualmin_format'] = 0;


// pw_usermod Driver options
// --------------------------
// Use a comma-delimited exclusion list to disable password change for users.
// See "Sudo setup" in README file.
$config['password_pw_usermod_cmd'] = 'sudo /usr/sbin/pw usermod -h 0 -n';


// DBMail Driver options
// -------------------
// Additional arguments for the dbmail-users call
$config['password_dbmail_args'] = '-p sha512';


// Expect Driver options
// ---------------------
// Location of expect binary
$config['password_expect_bin'] = '/usr/bin/expect';

// Location of expect script (see helpers/passwd-expect)
$config['password_expect_script'] = '';

// Arguments for the expect script. See the helpers/passwd-expect file for details.
// This is probably a good starting default:
//   -telent -host localhost -output /tmp/passwd.log -log /tmp/passwd.log
$config['password_expect_params'] = '';


// smb Driver options
// ---------------------
// Samba host (default: localhost)
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
$config['password_smb_host'] = 'localhost';
// Location of smbpasswd binary
$config['password_smb_cmd'] = '/usr/bin/smbpasswd';

// gearman driver options
// ---------------------
// Gearman host (default: localhost)
$config['password_gearman_host'] = 'localhost';


// Plesk/PPA Driver options
// --------------------
// You need to allow RPC for the IP of the roundcube server in the Plesk/PPA Panel

// Plesk RPC Host
$config['password_plesk_host'] = '10.0.0.5';

// Plesk RPC Username
$config['password_plesk_user'] = 'admin';

// Plesk RPC Password
$config['password_plesk_pass'] = 'password';

// Plesk RPC Port
$config['password_plesk_rpc_port'] = '8443';

// Plesk RPC Path
$config['password_plesk_rpc_path'] = 'enterprise/control/agent.php';


// kpasswd Driver options
// ---------------------
// Command to use
$config['password_kpasswd_cmd'] = '/usr/bin/kpasswd';

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,880
    • SKaero - Custom Roundcube development
Re: Change pasword for MySQL users
« Reply #7 on: August 08, 2016, 12:38:52 PM »
Your config looks fine, and the query log looks like it's working as intended. Are you sure your system is using sha1? The passwords you posted don't look like sha1.

Offline horizn

  • Newbie
  • *
  • Posts: 9
Re: Change pasword for MySQL users
« Reply #8 on: August 08, 2016, 03:46:22 PM »
Your config looks fine, and the query log looks like it's working as intended. Are you sure your system is using sha1? The passwords you posted don't look like sha1.

Yes, I am sure, and it looks exactly like a SHA1 hash.
I always use the doveadm pw -s sha1 command to generate sha1 password hashes:

Code: [Select]
root@:~# doveadm pw -s sha1
Enter new password:
Retype new password:
{SHA1}hRNsecv5/ja7nQXQY5xwwmXBjTc=

For db storage purposes the {SHA1} prefix is removed. Everything was configured using:
https://struction.de/projects/HOWTO_VirtualMail_Exim-MySQL-Spamassassin-ClamAV-Dovecot/
with Exim, ClamAV and SpamAssassin improvements.
« Last Edit: August 08, 2016, 03:54:52 PM by horizn »

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,880
    • SKaero - Custom Roundcube development
Re: Change pasword for MySQL users
« Reply #9 on: August 08, 2016, 04:01:59 PM »
Ah, so there is the key. Dovecot doesn't use a standard sha1 hash, that's why it's different. I think you'll need to change %n to %D in the password query.

Offline horizn

  • Newbie
  • *
  • Posts: 9
Re: Change pasword for MySQL users
« Reply #10 on: August 08, 2016, 04:39:14 PM »
Ah, so there is the key. Dovecot doesn't use a standard sha1 hash, that's why it's different. I think you'll need to change %n to %D in the password query.

Password looks like SHA1 now, but I still got the same error message:

Code: [Select]
160808 21:35:42   222 Connect   roundcube@localhost as anonymous on roundcubemail
                  222 Query     SET NAMES 'utf8'
                  222 Query     SELECT `vars`, `ip`, `changed`, now() AS ts FROM `session` WHERE `sess_id` = 'xyz'
                  222 Query     SELECT * FROM `users` WHERE `user_id` = '1'
                  222 Quit
160808 21:35:51   223 Connect   roundcube@localhost as anonymous on roundcubemail
                  223 Query     SET NAMES 'utf8'
                  223 Query     SELECT `vars`, `ip`, `changed`, now() AS ts FROM `session` WHERE `sess_id` = 'xyz'
                  223 Query     SELECT * FROM `users` WHERE `user_id` = '1'
                  224 Connect   root@localhost as anonymous on system
                  224 Query     SET NAMES 'utf8'
                  224 Query     UPDATE user SET password='8wpMSQxLQWLcEANgVVEwew8DuIE=' WHERE username='webmaster@domain' LIMIT 1
                  224 Quit
                  223 Quit

I think the problem is with the username variable. How can I force the Password plugin to pass the username as login instead of login@domain? As you can see in my initial post:

Code: [Select]
MariaDB [system]> SELECT * FROM user;
+-----------+----------------------+------------------------------+--------------+------------------+--------------+----------------+----------+------------------------------+---------------------+
| username  | domain               | password                     | SMTP_allowed | SMTPAUTH_allowed | IMAP_allowed | spam_threshold | spam_tag | Full Name                    | last_modified       |
+-----------+----------------------+------------------------------+--------------+------------------+--------------+----------------+----------+------------------------------+---------------------+
| roundcube | 123.com              | QL0AFWMIX8NRZTKeof9cXsvbvu8= | YES          | YES              | YES          |              5 | {SPAM?}  | RoundCubeMail                | 2015-03-23 20:25:07 |

Usernames are stored in 'login'-only format.

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,880
    • SKaero - Custom Roundcube development
Re: Change pasword for MySQL users
« Reply #11 on: August 08, 2016, 06:08:39 PM »
Replace %u with %l in your password query.
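The two fixes in this thread (Reply #9: %n vs %D, because `doveadm pw -s sha1` emits base64 of the raw digest rather than hex; Reply #11: %u vs %l for a login-only username column) modelled as an added example. This is constructed illustration code, not the Roundcube password plugin's own source: the placeholder meanings follow what the thread shows, the sample login and password are made up, and `expand_query` assumes a DB-API driver using the `%s` paramstyle (PyMySQL/MySQLdb) so the substituted values are bound rather than spliced into the SQL string.

```python
import base64
import hashlib
import hmac
import re


def dovecot_sha1(password: str, with_prefix: bool = False) -> str:
    """Hash in the form 'doveadm pw -s sha1' prints: base64 of the 20 raw
    SHA-1 bytes (28 chars), optionally with the {SHA1} scheme prefix."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    b64 = base64.b64encode(digest).decode("ascii")
    return "{SHA1}" + b64 if with_prefix else b64


def hex_sha1(password: str) -> str:
    """Hex-encoded SHA-1 (40 chars): the same digest, different encoding,
    which is why a hex value never matched the 28-char rows in the table."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def verify_stored(password: str, stored: str) -> bool:
    """Check a candidate password against a stored value, with or without
    the {SHA1} prefix, using a constant-time comparison."""
    if stored.startswith("{SHA1}"):
        stored = stored[len("{SHA1}"):]
    return hmac.compare_digest(dovecot_sha1(password), stored)


def expand_query(template: str, login: str, new_password: str):
    """Turn a password_query template into (sql, params).

    %u full login, %l local part, %d domain, %p plaintext password,
    %D Dovecot-style hash. Each placeholder (quoted or not in the
    template) becomes a bound parameter, so neither the password nor the
    username is ever concatenated into the SQL text.
    """
    local, _, domain = login.partition("@")
    values = {"u": login, "l": local, "d": domain,
              "p": new_password, "D": dovecot_sha1(new_password)}
    params = []

    def bind(match):
        params.append(values[match.group(1)])
        return "%s"

    sql = re.sub(r"'?%([uldpD])'?", bind, template)
    return sql, params
```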

Offline horizn

  • Newbie
  • *
  • Posts: 9
Re: Change pasword for MySQL users
« Reply #12 on: August 08, 2016, 07:14:02 PM »
It worked. Thanks.