Upgrade to Debian 11 breaks really old MD5 password comparability

Oh, goodness. MD5 is crazy old. You could probably turn it back on, but probably shouldn’t…it’s basically plain text.

The good news is that you could crack those MD5 passwords in a few hours, which would mean you could then “reset” to the original password but with a modern hash. But, you probably ought to just reset all the passwords and give the users a temporary password so they can reset.

Well, at least I finally have my answer. It could be that most of the accounts with these aren’t actually using them so I might not have to worry about it.

DELETED: Can’t reproduce. Probably didn’t have ‘passwords already encrypted’ ticked in batch import on one attempt.

Almost there. I found an old account that I thought I knew the password for so I used the ‘batch add’ in Vmin and used the $1 encrypted password. From link above:

Add the following line to your /etc/pam.d/passwd

password        required        pam_unix.so md5,sha512  shadow nullok rounds=65536

From another site I got:
sudo pam-auth-update

Log in to Usermin. Whoohoo. It starts to load. Boohoo. IMAP fails auth. Input login info and after a long wait, it loads.

Log out. Log in. Normal load.

I tried it on the server I’m provisioning and pretty much the same sequence happened. So the question at this point is why did I need to auth twice initially?

EDIT: Created IMAP account in Thunderbird and it had logged in and retrieved the setup email before I even closed the setup window.
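As an added example (not from this thread, Virtualmin or Debian), a small shell audit that classifies the hash scheme of each /etc/shadow entry so the accounts still on $1$ MD5-crypt can be listed for a reset instead of re-enabling md5 in pam_unix; the sample entries, salts and hashes are constructed placeholders.

```shell
#!/bin/sh
# Classify the password field (column 2) of one /etc/shadow entry by its crypt prefix.
hash_scheme() {
  case "$1" in
    '')             echo "empty" ;;      # no password set at all
    '!'*|'*'*)      echo "locked" ;;     # locked or no-login account, whatever follows
    '$1$'*)         echo "md5" ;;        # md5crypt: the legacy scheme this thread is about
    '$5$'*)         echo "sha256" ;;
    '$6$'*)         echo "sha512" ;;
    '$7$'*)         echo "scrypt" ;;
    '$y$'*)         echo "yescrypt" ;;   # Debian 11 default
    '$2'[abxy]'$'*) echo "bcrypt" ;;
    *)              echo "unknown" ;;
  esac
}

# Read shadow-format lines on stdin and print "user scheme" for each entry.
audit_shadow() {
  while IFS=: read -r user hash _rest; do
    [ -n "$user" ] || continue
    printf '%s %s\n' "$user" "$(hash_scheme "$hash")"
  done
}

# Only the accounts whose stored hash is still md5crypt (the ones that stop working
# once pam_unix no longer accepts md5); locked accounts are skipped since they cannot log in.
md5_accounts() {
  audit_shadow | awk '$2 == "md5" { print $1 }'
}

# Constructed sample entries; the salt/hash strings are placeholders, not real hashes.
SAMPLE_SHADOW='root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$1$abcdefgh$PLACEHOLDERHASH:15000:0:99999:7:::
bob:$y$j9T$saltsalt$PLACEHOLDERHASH:19200:0:99999:7:::
carol:!$1$abcdefgh$PLACEHOLDERHASH:15000:0:99999:7:::
daemon:*:18000:0:99999:7:::'

# Stand-alone run against the sample; on a real host run as root with `< /etc/shadow` instead.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

The resulting list is the set of users who need a forced reset (or a one-time login through the md5-enabled PAM stack so pam_unix rehashes the password), rather than a reason to keep md5 enabled.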
SOLUTION

Because there are two separate authentication steps happening. One is a system login to get into Usermin, the other is an IMAP login. Usermin is a webmail client, but it’s not just a webmail client…it’s logging into the system first. Even if they’re the same password, the hash cannot be used for either. A hash is not the password and can’t be used as the password.

You could configure Usermin to not use IMAP and load mail directly, but there are tradeoffs to that, as well (getting folders matched up with other mail clients is tricky, caching in Dovecot is better, etc.). In this case just logging into the system would be sufficient, there would be no step where IMAP is logged into and mail synced, etc.

This was straight login to Usermin entering the plain text password as any user would. I can understand this being a problem when I tried to do it from Vmin. This was the normal user process. And it works as expected after the initial dual credential input.

By the time I closed the window on my IMAP account created in Thunderbird it had connected and retrieved the welcome mail. ME/WE is done here. :smiley: I edited the title and first post to reflect where the problem ended up being. I’d be surprised if this is the last you hear of this, as server admins resist upgrading until they are forced to. I only went to 11 to save me that grief later. The provider I’m at only had Debian 10. Had I decided to stay with that I’d have gotten burned with a full production server. Well, inasmuch as I think many of these old MD5 password accounts aren’t really in use anymore.

All makes sense once you get to the answer. Kinda like the Webmin/Virtualmin interfaces. :smiley:
