When working with Dovecot's virtual users, passwords are typically stored in dovecot.passwd using various password hashing schemes. The CRYPT scheme is one of the supported password storage mechanisms; it uses the traditional Unix crypt(3) function.
You have several options to generate CRYPT-compatible password hashes:
# Method 1: Using openssl (the -crypt option was removed in OpenSSL 3.0)
openssl passwd -crypt yourpassword
# Method 2: Using Python (the crypt module was removed in Python 3.13)
python -c 'import crypt; print(crypt.crypt("yourpassword"))'
# Method 3: Using Perl
perl -e 'print crypt("yourpassword", "salt"), "\n"'
The dovecot.passwd file typically follows this format:
username:{CRYPT}hashedpassword:uid:gid::/home/virtual/username::userdb_extra_fields
To update a specific user's password:
# Backup original file
cp /etc/dovecot/dovecot.passwd /etc/dovecot/dovecot.passwd.bak
# Edit the file (replace 'username' and 'newhash'); only the password field changes,
# so the uid, gid, home and extra fields are left as they are
sed -i 's|^username:{CRYPT}[^:]*:|username:{CRYPT}newhash:|' /etc/dovecot/dovecot.passwd
After updating the password file, you should:
- Restart Dovecot:
systemctl restart dovecot
- Test authentication:
doveadm auth test username
If you're managing multiple users, consider these alternatives:
# Using doveadm (it can also generate SSHA and other modern schemes)
doveadm pw -s CRYPT -p yourpassword
# Batch processing with a shell script: only targetuser's hash changes,
# every other line is copied through with its existing hash
while IFS=: read -r user pass uid gid gecos home shell extra; do
    if [ "$user" = "targetuser" ]; then
        newhash=$(openssl passwd -crypt "newpassword")
        printf '%s\n' "$user:{CRYPT}$newhash:$uid:$gid:$gecos:$home:$shell:$extra"
    else
        printf '%s\n' "$user:$pass:$uid:$gid:$gecos:$home:$shell:$extra"
    fi
done < dovecot.passwd > dovecot.passwd.new
- CRYPT is considered weak - consider migrating to SHA512-CRYPT or ARGON2
- Set proper file permissions:
chmod 600 /etc/dovecot/dovecot.passwd
- Use doveadm pw for stronger hashing schemes
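Added example (not part of the original page): a POSIX shell function that performs the update step above by changing only the password field of one entry, then replaces the file with an atomic rename and mode 600. The function name `set_crypt_hash`, its exit codes and the `PW_USER`/`PW_HASH` variable names are assumptions; the hash is expected to come from one of the generators shown earlier.

```sh
#!/bin/sh
# Added example, not from the original page. Function name, exit codes and
# the PW_USER/PW_HASH variable names are assumptions made for illustration.
# Usage: set_crypt_hash FILE USER HASH   (HASH without the {CRYPT} prefix)
set_crypt_hash() {
    file=$1 user=$2 hash=$3
    nl='
'
    [ -n "$user" ] && [ -n "$hash" ] || return 2
    # A ':' or newline in either value would corrupt the field layout.
    case "$user$hash" in
        *:*|*"$nl"*) echo "invalid user or hash" >&2; return 2 ;;
    esac

    # mktemp creates the file with mode 0600; keeping it in the same
    # directory makes the final mv an atomic rename.
    tmp=$(mktemp "$file.XXXXXX") || return 1

    # Values go through the environment: awk -v would interpret backslash
    # escapes and show the hash in the process list.
    if PW_USER=$user PW_HASH=$hash awk -F: '
        BEGIN { OFS = ":" }
        # Appending "" forces a string comparison, so "0123" never matches "123".
        ($1 "") == (ENVIRON["PW_USER"] "") {
            $2 = "{CRYPT}" ENVIRON["PW_HASH"]   # touch field 2 only
            found = 1
        }
        { print }
        END { exit (found ? 0 : 3) }            # 3 = user not in file
    ' "$file" > "$tmp"; then
        # The new file belongs to the caller; chown it afterwards if the
        # original had a different owner.
        chmod 600 "$tmp" && mv -f "$tmp" "$file"
    else
        rc=$?
        rm -f "$tmp"
        return "$rc"
    fi
}
```

An unknown user returns 3 and leaves the original file untouched, which avoids silently writing a file in which nothing changed.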
When working with Dovecot's virtual user authentication, passwords are typically stored in /etc/dovecot/passwd or a similar location. The file follows this format:
username:{CRYPT}hashedpassword:uid:gid:homedir:maildir
For example, an entry might look like:
john:{CRYPT}$1$saltvalue$hashedvalue:5000:5000:/var/vmail/john:/var/vmail/john/Maildir
The most reliable tool for generating CRYPT hashes is the doveadm utility that comes with Dovecot:
doveadm pw -s CRYPT -p "newpassword"
This will output a string like:
{CRYPT}$1$salt$hashedpassword
If doveadm isn't available, you can use these UNIX tools:
Using openssl (for MD5 CRYPT)
openssl passwd -1 "newpassword"
Using perl
perl -e 'print crypt("newpassword", "\$1\$saltvalue\$") . "\n"'
Once you have the hashed password:
- Make a backup of the current password file:
cp /etc/dovecot/passwd /etc/dovecot/passwd.backup
- Edit the file with your preferred editor (vim/nano):
vim /etc/dovecot/passwd
- Locate the user and replace the password portion after {CRYPT}
- Save the file
Test the new password with:
doveadm auth test username
Or manually verify with:
su -s /bin/sh -c 'doveadm auth test username' dovecot
- Always use strong passwords (12+ characters, mixed case, numbers, symbols)
- Consider migrating to more secure schemes like SHA512-CRYPT if supported
- Set proper file permissions on the password file:
chmod 600 /etc/dovecot/passwd
chown dovecot:dovecot /etc/dovecot/passwd
If authentication fails after the change:
- Verify the password file location in /etc/dovecot/conf.d/auth-passwdfile.conf.ext
- Check Dovecot logs:
journalctl -u dovecot -f
- Ensure the password scheme in Dovecot configuration matches what you're using