Great !

A small script to replace cleartext password with hashs.
(not a real solution)

#!/bin/bash

# Dangerous script for Plesk
# Search for mail user with plaintext password using mail_auth_view
# Replace the plaintext password with hashed password

# Remaining problems :
# If user change his password, it's again in plaintext
# The script is slow, if the user change it's password while the script is running the change will be lost
# Tested only on Debian 12.8 Plesk Obsidian 18.0.65

# Filter to apply only to a domain or a mail account
filter=$1
# Set action to DOIT to replace password
action=$2

if [ -z "$filter" ]
then
echo "Usage : $0 @domain.tld"
exit
fi

# Get all mails and appy filter
echo "Search mail account, using filter $filter"
mails=$(plesk bin mail --list | grep -E "^Mail name" | cut -f2 | grep -E $filter)
echo Accounts founds : $mails
echo

# For each mail
for mail in $mails ; do
authview=$(plesk sbin mail_auth_view | grep -E "^\| +$mail \| \| +.+ \|$")
if [ "$?" != 0 ]
then
echo OK:$mail
else
echo FOUND cleartext password for $mail
# cut the left part "| mail@domain.tld | |"
authview=$(echo "$authview" | sed "s/^\x7c *$mail \x7c \x7c *//")
# cut the rigth part " |"
password=$(echo "$authview" | sed "s/ \x7c$//")
# Calculate hashed password
password_c=$(openssl passwd -6 "$password")
# For debuging purpose
# echo "Account $mail : password \"$password\" hashed \"$password_c\""
if [ "$action" == "DOIT" ]
then
echo "Changing account $mail password with hashed version"
plesk bin mail --update $mail -passwd_type encrypted -passwd $password_c
fi
# Clear password (paranoid :-)
authview=""
password=""
password_c=""
fi
done