This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.


Through the years computers are being faster and faster, and so with it the encryption of passwords have to more secure. In this example we convert passwords stored in MySQL with basic CRYPT-encryption to SSHA256-encryption (Salted SHA256).

See Authentication/PasswordSchemes for a list of supported password schemes.

We used php to generate the new passwords, but you can use any language you want


# Comment default_pass_scheme so dovecot will look at the prefix
# default_pass_scheme = CRYPT

# update your password_query so it will look at the new field
# AND add a %w field in the queury so we have the plain password in our Enviroment
password_query = SELECT id as user, newpw as password, home as userdb_home, \
uid as userdb_uid, gid as userdb_gid, '%w' as userdb_plain_pass FROM users WHERE id = '%u'

/usr/local/etc/convertpw.php $USER $PLAIN_PASS
exec "$@"

$mysqlhost  = "localhost";
$mysqluser  = "mysqlusername"; // username which is used to connect to the database
$mysqlpass  = "mysqlpassword"; // password which is used to connect to the database
$mysqldb    = "databasename";  // databasename where the passwords are stored
$mysqltable = "users";         // table where the passwords are stored
$idfield    = "id";            // fieldname where the userlogin is stored
$passfield  = "newpw";         // fieldname where the passwords is stored

$usr = $argv[1];
$ruw = $argv[2];
function hexToAscii($hex){
    $strLength = strlen($hex);
    $returnVal = '';
    for($i=0; $i<$strLength; $i += 2) {
        $dec_val = hexdec(substr($hex, $i, 2));
        $returnVal .= chr($dec_val);
    return $returnVal;
$link = mysql_connect ("$mysqlhost", "$mysqluse", "$mysqlpass")  or die ("Could not connect");
@mysql_select_db("$mysqldb") or die( "Unable to select database");
$result = mysql_query("SELECT $passfield FROM $mysqltable WHERE $idfield = '$usr' AND $passfield like '{SSHA%'");
if (mysql_num_rows($result)==0){
        $salt_ascii = hexToAscii($salt);
        $newq= "UPDATE $mysqltable SET $passfield='{SSHA256.hex}".hash('sha256',$ruw.$salt_ascii).$salt."' WHERE $idfield='".$usr."'";
        $res2 = mysql_query($newq);

# insert these lines so dovecot uses our scripts
service pop3 {
  executable = pop3 pop3-postlogin
service pop3-postlogin {
  executable = script-login /usr/local/etc/
  user = $default_internal_user
  unix_listener pop3-postlogin {
# end insert

As of now each user which connects through POP will convert their password to SSHA256. If you look at the database you will see for example {SSHA256.hex}fb0e7f39c88c1d7017169f7f6b9cd6977d1e3291149382b90da4a390a31e81bab3cdced8 instead off {CRYPT}$1$.gvrgDqc$Slvoapz5zkpVmmJAxi.0k1

When every record is updated you can update dovecot.conf (remove the extra lines), and dovecot-sql (remove the %w-part).