# Reset user password
[TOC]
## Reset password with scripts shipped in iRedAdmin(-Pro)
### Reset password for one user
iRedAdmin(-Pro) ships the script `tools/reset_user_password.py` to help you
reset one user's password. For example, on CentOS 7 (iRedAdmin is installed
under `/opt/www/iredadmin`):
```
cd /opt/www/iredadmin/tools/
python3 reset_user_password.py user@domain.ltd '123456'
```
Sample output:
```
[user@domain.ltd] Password has been reset.
```
### Reset passwords for multiple users with a CSV file
If you need to update many users' passwords, another way is to reset them
with a script shipped in iRedAdmin-Pro: `tools/update_password_in_csv.py`. It
reads the user email addresses and NEW passwords from a CSV file.
The format of the CSV file is:
```
<email> <new_password>
```
One mail user (and new password) per line. For example, file `new_passwords.csv`:
```
user1@domain.com pF4mTq4jaRzDLlWl
user2@domain.com SPhkTUlZs1TBxvmJ
user3@domain.com 8deNR8IBLycRujDN
```
Then run the script with this file:
```
python3 update_password_in_csv.py new_passwords.csv
```
## Reset password with SQL/LDAP command line
### Generate password hash for new password
Storing passwords in plain text is dangerous, so the password must be hashed.
If the SQL/LDAP database is leaked or compromised, an attacker still needs
some time to crack the password hash and recover the plain password, which
gives you time to reset passwords and prevent mail messages from leaking.
> * SSHA512 is recommended on Linux systems.
> * BCRYPT is recommended on BSD systems.
> * MD5 is not safe, DO NOT USE IT no matter what reasons you have.
To generate a password hash for the new password, use the `doveadm` command.
* Generate a SSHA512 password hash:
```
$ doveadm pw -s 'ssha512' -p '123456'
{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42YJLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=
```
* Generate a BCRYPT password hash on a BSD system:
```
$ doveadm pw -s 'blf-crypt' -p '123'
{BLF-CRYPT}$2a$05$9CTW6FZtjHeK6W.2YMmzOeAj2YFvDpP4JEH0uH/YLQI81jPWDtzQW
```
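To show what the `{SSHA512}` value printed by `doveadm pw` contains, the following Python sketch builds and verifies a hash in the same layout: base64 of the SHA-512 digest of password plus salt, followed by the salt. It is an added example, not code from iRedMail, iRedAdmin or Dovecot; the function names and the 8-byte salt length are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA512}"
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA512}' + base64(SHA512(password + salt) + salt)."""
    if salt is None:
        # Assumption: 8 random bytes. The verifier below accepts any
        # non-empty salt, because the salt is stored after the digest.
        salt = os.urandom(8)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(password: str, stored: str) -> bool:
    """Check a plain password against a stored {SSHA512} value."""
    if not stored.upper().startswith(SCHEME):
        return False  # other schemes are out of scope for this sketch
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:
        return False  # not valid base64
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    if len(digest) != DIGEST_LEN or not salt:
        return False  # truncated value, or an unsalted SHA512 digest
    expected = hashlib.sha512(password.encode("utf-8") + salt).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    import getpass
    # Prompting keeps the plain password out of shell history and `ps` output.
    print(ssha512_hash(getpass.getpass("New password: ")))
```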
### SQL backends
To reset the password for user `user@domain.ltd`, log in to the SQL server as
either the SQL root user or the `vmailadmin` user (note: SQL user `vmail` has
read-only privilege on the `vmail` database, so you cannot use it to change a
user's password), then execute SQL commands to reset the password:
```
sql> USE vmail;
sql> UPDATE mailbox SET password='{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42YJLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=' WHERE username='user@domain.ltd';
```
### LDAP backends
With the OpenLDAP backend, you can reset the password with `ldapvi`,
phpLDAPadmin or other LDAP client tools. `SSHA512` is recommended, but if you
have an application which needs to authenticate with the LDAP DN directly,
then `SSHA` is preferred.
## See also
* [Password hashes used/supported by iRedMail](./password.hashes.html)
* [Promote a mail user to be global admin](./promote.user.to.global.admin.html)