In a mail server (IceWarp), I can get the plain customer passwords using the following command in batch:
tool export account *@* u_password > "%userprofile%/Desktop/emails.txt"
The output looks like this:
[email protected],plainpassword1,
[email protected],plainpassword2,
To get the passwords, I have to remotely connect to the server, run the batch, view emails.txt, etc. This is troublesome. To shorten the process, I want to do this using an API.
Using the following code, I can get the customer info (password):
require_once("PleskApiClient.php");
$host = "__OMITTED__";
$login = "__OMITTED__";
$password = "__OMITTED__";
$client = new PleskApiClient($host);
$client->setCredentials($login, $password);
$request = <<<EOF
<packet>
  <customer>
    <get>
      <filter/>
      <dataset>
        <gen_info/>
      </dataset>
    </get>
  </customer>
</packet>
EOF;
$response = $client->request($request);
echo $response;
Output:
<?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.9.0">
  <customer>
    <get>
      <result>
        <status>ok</status>
        <filter-id>2</filter-id>
        <id>2</id>
        <data>
          <gen_info>
            <cr_date>__OMITTED__</cr_date>
            <cname/>
            <pname>__OMITTED__</pname>
            <login>__OMITTED__</login>
            <status>0</status>
            <phone/>
            <fax/>
            <email>__OMITTED__@__OMITTED__.com</email>
            <address/>
            <city/>
            <state/>
            <pcode/>
            <country>__OMITTED__</country>
            <locale>__OMITTED__</locale>
            <guid>__OMITTED__</guid>
            <owner-login>__OMITTED__</owner-login>
            <vendor-guid>__OMITTED__</vendor-guid>
            <external-id/>
            <description/>
            <password>$5$lpxai__OMITTED__</password>
            <password_type>crypt</password_type>
          </gen_info>
        </data>
      </result>
    </get>
  </customer>
</packet>
The password I get with the API is hashed. Is there a way to get the original/plain version?
2 Answers
Since Plesk API didn't help, I've started looking into IceWarp API.
I've figured out that I can create/access custom pages on the mail server. The public folder resides at C:\Program Files (x86)\IceWarp\html. I created a folder (test) and put the necessary files inside.
The batch file to output accounts:
PHP to call the batch and read the output file:
This setup is working fine. Now I can do whatever I want with the output.
I don’t know the details, but it seems bad practice to make passwords available like that. I know, it can be useful, but most of the time you would hash a password, store the hash, and forget the original password.
In other words, the value you have in <password> is NOT an encrypted password, it is a password hash, which can be used to check if a password is correctly entered. See: https://www.maketecheasier.com/what-is-password-hashing/
Read the chapter: “Why is Hashing Secure?”.
So my answer is: You cannot get the unencrypted version of the password.
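What "can be used to check if a password is correctly entered" means for a `$5$...` value like the one in the API response, as an added example that is not part of the original question or answers: PHP's `crypt()` re-derives the hash from a candidate password using the scheme and salt stored in the hash itself. The response XML, the login `demo`, the salt and the password are constructed sample data, and `describeHash` and `verifyPassword` are hypothetical helper names.

```php
<?php
// Added example. Salt, password, login and XML below are constructed sample data.
// The "$5$" prefix selects sha256-crypt, the same prefix seen in the question's output.
$stored = crypt('correct horse', '$5$constructedsalt$');

$response = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.9.0">
  <customer><get><result>
    <status>ok</status>
    <data><gen_info>
      <login>demo</login>
      <password>{$stored}</password>
      <password_type>crypt</password_type>
    </gen_info></data>
  </result></get></customer>
</packet>
XML;

// Hypothetical helper: split a modular-crypt string "$id$[rounds=N$]salt$digest".
function describeHash(string $hash): array
{
    $schemes = ['1' => 'md5-crypt', '5' => 'sha256-crypt', '6' => 'sha512-crypt'];
    $parts = explode('$', $hash);
    if (count($parts) < 4 || $parts[0] !== '') {
        throw new InvalidArgumentException('not a modular-crypt hash');
    }
    $hasRounds = strncmp($parts[2], 'rounds=', 7) === 0;
    return [
        'scheme'       => $schemes[$parts[1]] ?? 'unknown',
        'salt'         => $parts[$hasRounds ? 3 : 2],
        'digest_chars' => strlen((string) end($parts)),
    ];
}

// Hypothetical helper: crypt() reads scheme, rounds and salt from the stored hash,
// recomputes the digest for the candidate, and hash_equals() compares in constant time.
function verifyPassword(string $candidate, string $hash): bool
{
    return hash_equals($hash, crypt($candidate, $hash));
}

$info = simplexml_load_string($response)->customer->get->result->data->gen_info;
$hash = (string) $info->password;

print_r(describeHash($hash));                       // scheme, salt, digest length
var_dump(verifyPassword('correct horse', $hash));   // the password that was hashed
var_dump(verifyPassword('wrong guess', $hash));     // any other candidate
```

The stored value carries only the scheme, the salt and a one-way digest, so a login check works by hashing the submitted password again and comparing the results.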