Migrating ISPConfig mail accounts and passwords to Mailinabox

26th July 2020

Recently, I’ve come across a small side project where a customer needed to put down their ancient mail server based on ISPConfig (using Courier as IMAP/user backend).

Migrating passwords

Switching mail systems usually requires users to change their passwords when password hashes are not compatible between systems. Normally, this is not a big problem with only a couple of users. But with many more, or with users who are not familiar with IT in general, migrating the passwords becomes appealing.

For a side project I wanted to test migrating all the passwords from the ancient ISPConfig mail system with Courier mail, which uses a MySQL database with Crypt-MD5 hashes. Turns out, it can work fine!

First, export all the passwords of the old system via the command line and save them to a tab-separated file.

# old system
mysql -u ispconfig -D dbispconfig -p"$DB_PASSWORD" -e "select email, password from mail_user" | tail -n +2 > users.tsv

Copy that users.tsv to the new system and put a migration script in the same folder:

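#!/bin/bash
# add_users.sh
set -e
set -o pipefail

miab="https://box.mydomain.com"
admin_email="admin@box.mydomain.com"
echo -n Password:
read -rs admin_password

echo
while IFS=$'\t' read -r email password_hash
do
        if [ -n "$email" ]
        then
                echo "$email"
                echo "Creating user..."
                # Random throwaway password, so the new account never has a guessable one
                temp_password=$(openssl rand -hex 16)
                curl -X POST --user "$admin_email:$admin_password" --data-urlencode "email=$email" --data-urlencode "password=$temp_password" "$miab/admin/mail/users/add"
                # End the line after the API response
                echo
                # Do not print the hash itself to the terminal
                echo "Migrating password hash..."
                # Double any single quotes so the values cannot break out of the SQL string
                sql_email=${email//\'/\'\'}
                sql_hash=${password_hash//\'/\'\'}
                sqlite3 /home/user-data/mail/users.sqlite "update users set password = '{MD5-CRYPT}$sql_hash' where email = '$sql_email';"

        fi
done < users.tsv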

Adjust the admin e-mail and MIAB domain and run the script. This will:

  • Create the e-mail users
  • Replace each new user's password hash with the old one. The “{MD5-CRYPT}” prefix tells Dovecot how to handle it
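
Because the script interpolates every row of users.tsv into an API call and an SQL statement, it helps to check the file before running it. The following pre-flight check is an added example, not part of the original post: the function names are hypothetical, the sample rows are constructed, and the conservative address character set is an assumption chosen to keep quotes and whitespace out of the SQL string. It accepts only rows whose hash has the MD5-crypt layout, since any other format would be mislabelled by the “{MD5-CRYPT}” prefix.

```shell
#!/bin/sh
# Added example: pre-flight check for users.tsv before add_users.sh runs.
# check_users_tsv and make_sample_tsv are hypothetical names, not MIAB tools.

# MD5-crypt layout: $1$ + salt (1-8 chars) + $ + 22-char digest.
MD5_CRYPT_RE='^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$'

# Prints one verdict per row; returns 1 if any row must not be imported.
check_users_tsv() {
    rc=0
    tab=$(printf '\t')
    seen=''
    while IFS="$tab" read -r email hash; do
        [ -n "$email$hash" ] || continue   # skip blank lines
        verdict=OK
        case "$email" in
            *[!A-Za-z0-9._+@-]*) verdict='BAD unexpected character in address' ;;
            *@*@*) verdict='BAD malformed address' ;;
            ?*@?*.?*) ;;
            *) verdict='BAD malformed address' ;;
        esac
        if [ "$verdict" = OK ] && ! printf '%s\n' "$hash" | grep -Eq "$MD5_CRYPT_RE"; then
            verdict='BAD hash is not MD5-crypt'
        fi
        if [ "$verdict" = OK ]; then
            case " $seen " in *" $email "*) verdict='BAD duplicate address' ;; esac
            seen="$seen $email"
        fi
        [ "$verdict" = OK ] || rc=1
        printf '%s\t%s\n' "$verdict" "$email"
    done < "$1"
    return "$rc"
}

# Constructed sample rows (placeholder hashes, not real credentials).
make_sample_tsv() {
    printf '%s\t%s\n' \
        'alice@example.com' '$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV' \
        "o'brien@example.com" '$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV' \
        'bob@example.com' '$6$abcdefgh$notAnMd5CryptHash' \
        'carol@example.com' '' \
        'alice@example.com' '$1$hgfedcba$VUTSRQPONMLKJIHGFEDCBA'
}

# Usage: sh check_users.sh users.tsv
if [ "$#" -gt 0 ]; then check_users_tsv "$1"; fi
```

Rows reported as BAD are best handled by hand (or by a password reset) rather than imported with the wrong scheme prefix.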

Tell dovecot to use dynamic crypto algo

From the Dovecot wiki:

# Comment default_pass_scheme so dovecot will look at the prefix
default_pass_scheme = CRYPT

So, open nano /etc/dovecot/dovecot-sql.conf.ext and comment out:

# default_pass_scheme = SHA512-CRYPT

Reload Dovecot: service dovecot reload

Copy mails

The easiest way is to copy an SSH public key to the old system’s authorized_keys and use rsync:

# new system:
cat /root/.ssh/id_rsa_miab.pub

# Copy to old system
nano /root/.ssh/authorized_keys
# paste

Migrate all the mails. This can take a while when you have messy users :)

# log into new miab system
rsync -a root@old.mail.system:/var/vmail/. /home/user-data/mail/mailboxes/. -e "ssh -i ~/.ssh/id_rsa_miab"
chown mail:mail /home/user-data/mail/mailboxes/ -R

Inform your users

We migrated the password hashes successfully, but those are unsafe because they use an older CRYPT method. Ask your users to change their password via the MIAB webmail. This will automatically generate a new, safer SHA512 Crypt hash.

Also, because we now have valid Let's Encrypt certificates, ask your users to use IMAPS (993, SSL/TLS) and SMTP on port 587 (STARTTLS).