On my server, I have several domains and I have corresponding email addresses for a few of them, for example: ses5909@mydomain.com, ses5909@anotherdomain.com, etc. I have come to find that in Plesk if I have a domain that has an email user named ses5909 and I need to make the same username on another domain, they are not allowed to share the same domain. So if I give ses5909@mydomain.com the password: supersneakypw, I cannot give that password to ses5909@anotherdomain, or anyone else that has the same username. This is pretty lame if you ask me. The reason for this is that mail is not handled on the domain level, but rather the username level. That is a whole other issue though.
Well today I needed to get into my mail and I wasn’t at the computer that I run my mail client on so I went to my webmail account. I couldn’t remember the password for the life of me. I tried a few that I commonly use, but no luck. So, I needed to try to find my password. I could have reset it, but I’ve resorted to this in the past and I am just tired of doing that. I needed to find a way to retrieve my password.
So, I logged into mysql as the root admin. I looked through the databases and noticed there was a psa db which I am assuming stands for Plesk Server Administration. I immediately looked for email and finally saw mail. I saw all of the usernames and a quick join with the domains table showed me which column belonged to which domain.
SELECT mail.mail_name, domains.name from mail LEFT OUTER JOIN domains ON domains.id = mail.dom_id;
But, now I needed to find the passwords for these. After some more hunting, I found the accounts table where passwords are stored in plain text. If only I didn’t have 200 to look through. So a query was in order:
SELECT accounts.id, mail.mail_name, accounts.password, domains.name FROM domains LEFT JOIN mail ON domains.id = mail.dom_id LEFT JOIN accounts ON mail.account_id = accounts.id
Problem solved 
February 8th, 2007 at 7:58 am
Did I read that right? Passwords are stored in plain text? Ouch…
February 8th, 2007 at 8:07 am
Yep. There is a lot of issue with that as I’m sure you can imagine. Having all of the passwords for your server stored in plain text.. but.. it doesn’t stop me from using it
February 8th, 2007 at 9:16 am
Yes, it is strange but convenient for PHP scripts too. At least it’s stored in a database that requires access and not in individual files!
February 28th, 2007 at 4:12 pm
passwords are not stored in plaintext but as blob. blobs will be converted to plain text by choice on export
February 28th, 2007 at 4:28 pm
But its not rocket-science to pull text out of a blob. I would have assumed before looking in there that they used md5.
February 29th, 2008 at 12:47 pm
Plesk should allow you to use the same password for a username that is the same on another domain. This issue is major pain for any admin who likes to use a default account for all domains they are hosing, for example Webmaster or something like that.
I share your pain,
Crack Google
Offering Free Search Engine Optimization Support.
March 6th, 2008 at 10:50 am
One other thing. If someone has breached your server to the point where they are are able to view your shadow file, or your plesk file where the passwords are kept (cleartext or not), then you have bigger problems and email should be the least of your concern.
It seems more like a reason to pass judgement, which is far easier to do than to produce something. You can’t expect to do anything in this world that is great or even above standard, without being criticized.
On the other hand, it does beg one to ask, if they have that “hole”, what other “holes” may exist? So from that perspective, I appreciate everyone’s efforts in keeping a sharp eye out for the community!
Crack Google
Offering Free Search Engine Optimization Support
April 11th, 2008 at 4:55 am
I found this qry more helpful when i migrated.
select accounts.id, concat(mail.mail_name,’@',domains.name), accounts.password from mail left join domains on domains.id = mail.dom_id left join accounts on mail.account_id = accounts.id;