# Force mail user to change password in 90 days

[TOC]

## How it works

iRedMail configures Roundcube webmail to store the date of the last password
change whenever a user changes their password. For MySQL/MariaDB/PostgreSQL
backends, it's stored in SQL database `vmail`, column
`mailbox.passwordlastchange`. For LDAP backends, it's stored in the LDAP
attribute `shadowLastChange` of the user account. If the user has never changed
the password, or the account is newly created, the password last change date
will be set to `0000-00-00 00:00:00`.

iRedAPD has plugins to force mail users to change their password before sending
email:

* `sql_force_change_password_in_days`: for SQL backends (MySQL, MariaDB and
  PostgreSQL).
* `ldap_force_change_password_in_days`: for LDAP backends (OpenLDAP and OpenBSD
  built-in LDAP server `ldapd(8)`).

When a user tries to send an email, iRedAPD invokes this plugin to check the
password last change date stored in SQL/LDAP and compare it with the current
date. If the password was last changed more than the specified number of days
ago, the plugin rejects the SMTP session with the specified message.

## How to enable iRedAPD plugin

To enable this plugin, list the plugin name in the `plugins =` variable of the
iRedAPD config file `/opt/iredapd/settings.py`. For example:

```python
# For SQL backends
plugins = [..., 'sql_force_change_password_in_days']

# For LDAP backends:
plugins = [..., 'ldap_force_change_password_in_days']
```

There are two optional settings you can set in `/opt/iredapd/settings.py`:

```
# Users must change their password within this many days. Default is 90 days.
CHANGE_PASSWORD_DAYS = 90

# MTA will reject the user's SMTP session with the message below. It should
# explain why the email was rejected and guide the user to change the password.
CHANGE_PASSWORD_MESSAGE = 'Please change your password in webmail before sending email: https://xxx/webmail/'
```

Then restart iRedAPD service.
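The age check described under "How it works", written out as an added example (not iRedAPD's own code): it parses both storage formats and applies `CHANGE_PASSWORD_DAYS`. Assumptions of this example: a never-changed password (`0000-00-00 00:00:00`, or a missing or zero `shadowLastChange`) counts as expired, the result is expressed as Postfix-style `REJECT`/`DUNNO` actions, and all function names are hypothetical.

```python
from datetime import datetime, timedelta

# Setting names and defaults as shown on this page.
CHANGE_PASSWORD_DAYS = 90
CHANGE_PASSWORD_MESSAGE = 'Please change your password in webmail before sending email: https://xxx/webmail/'

ZERO_DATE = '0000-00-00 00:00:00'  # stored when the password was never changed
EPOCH = datetime(1970, 1, 1)


def parse_sql_last_change(value):
    """Parse mailbox.passwordlastchange; None means 'never changed'."""
    if value is None or str(value).startswith('0000-00-00'):
        return None  # datetime cannot represent year 0, so handle it explicitly
    if isinstance(value, datetime):
        return value
    return datetime.strptime(str(value), '%Y-%m-%d %H:%M:%S')


def parse_ldap_last_change(value):
    """shadowLastChange counts days since 1970-01-01; missing or 0 means 'never'."""
    days = int(value) if value else 0
    return EPOCH + timedelta(days=days) if days > 0 else None


def password_age_action(last_change, now, max_days=CHANGE_PASSWORD_DAYS,
                        message=CHANGE_PASSWORD_MESSAGE):
    """Return 'REJECT <message>' for an expired password, else 'DUNNO'."""
    # Assumption: a never-changed password is treated as expired.
    if last_change is None or now - last_change > timedelta(days=max_days):
        return 'REJECT ' + message
    return 'DUNNO'


if __name__ == '__main__':
    now = datetime(2017, 10, 17)  # constructed "current" date
    samples = [  # constructed sample values
        ('sql', '2017-09-01 08:00:00'),
        ('sql', '2017-01-01 08:00:00'),
        ('sql', ZERO_DATE),
        ('ldap', '17400'),
    ]
    for backend, raw in samples:
        parse = parse_sql_last_change if backend == 'sql' else parse_ldap_last_change
        print(backend, raw, '->', password_age_action(parse(raw), now))
```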

## Roundcube plugin: `force_password_change`

There's a third-party Roundcube plugin that can force users to change their
password:
<https://bitbucket.org/wainlake/force_password_change>

Roundcube will __ALWAYS__ redirect the user to the `Password` page (offered by
the official Roundcube plugin `password`) until the user has changed the
password.