1 Topic by orw

  • orw
  • Member
  • Offline
  • Registered: 2013-12-02
  • Posts: 4

Topic: iRedMail MySQL password column value

I am running the latest iRedMail version using MySQL as my user db.

I wish to be able to add users programmatically through PHP.

I'm struggling with the creation of the password for the new user. Can you please show me the right direction to where I can find the salt that iRedMail is using to create the password and which encryption type iRedMail is using for passwords.

Thanks!

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,770

Re: iRedMail MySQL password column value

You can use a random string as salt.

3 Reply by orw (edited by orw 2013-12-02 22:20:04)

  • orw
  • Member
  • Offline
  • Registered: 2013-12-02
  • Posts: 4

Re: iRedMail MySQL password column value

ZhangHuangbin wrote:

You can use a random string as salt.

But how will iRedMail know to match the password if it is using a different salt to do the hashing?

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,770

Re: iRedMail MySQL password column value

*) You should do some research about how to generated MD5 with salt, and how to verify a salted MD5 password.
*) You can query SQL db to get salt string first, then use this salt and user input password to generate a new MD5 password. If it's the same as the one stored in SQL db, that means user inputs correct password.

5 Reply by orw

  • orw
  • Member
  • Offline
  • Registered: 2013-12-02
  • Posts: 4

Re: iRedMail MySQL password column value

ZhangHuangbin wrote:

*) You should do some research about how to generated MD5 with salt, and how to verify a salted MD5 password.
*) You can query SQL db to get salt string first, then use this salt and user input password to generate a new MD5 password. If it's the same as the one stored in SQL db, that means user inputs correct password.

I'm not sure we're talking about the same thing..

I want to be able to add users to the mysql db managed by iRedMail (the mailbox table to be more accurate) in a way that will allow them to login via the RoundCube webmail client. If I just push a user to the table using my own salt will RoundCube be able to verify the account and allow log in? At the moment when I add a user via the admin it's using some sort of salt but I cannot find it. I want to find it so I can mimic the action within my own page.

Am I missing something?

6 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,770

Re: iRedMail MySQL password column value

I'm sure we're talking about the same thing.

orw wrote:

If I just push a user to the table using my own salt will RoundCube be able to verify the account and allow log in?

Yes. Salt string doesn't matter at all.

orw wrote:

At the moment when I add a user via the admin it's using some sort of salt but I cannot find it

It's random string.

Reference (Python code in iRedAdmin):
https://bitbucket.org/zhb/iredadmin-ose … ult#cl-293
https://bitbucket.org/zhb/iredadmin-ose … ult#cl-279

As you can see, iRedAdmin generates a random 8-character string as salt.

Again, do some research if you're still confused.

7 Reply by orw

  • orw
  • Member
  • Offline
  • Registered: 2013-12-02
  • Posts: 4

Re: iRedMail MySQL password column value

Works, thank you very much.