New doc: force.user.to.change.password.html.
parent
7e562dc4fa
commit
ecd78803ec
|
@ -11,6 +11,7 @@ We're working on migrating [old wiki documents](http://www.iredmail.org/wiki) to
|
|||
* [Allow insecure POP3/IMAP/SMTP connections without STARTTLS](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/2-allow.insecure.pop3.imap.smtp.connections.md)
|
||||
* [Allow user to send email without authentication](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/allow.user.to.send.email.without.authentication.md)
|
||||
* [Configure Thunderbird as mail client (IMAP, SMTP and global ldap address book)](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/configure.thunderbird.md)
|
||||
* [Force mail user to change password in 90 days](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/force.user.to.change.password.md)
|
||||
* [Ignore Trash folder in mailbox quota](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/ignore.trash.folder.in.quota.md)
|
||||
* [LDAP: Add an alias domain](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/ldap.add.alias.domain.md)
|
||||
* [LDAP: Add a mail alias account](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/ldap.add.mail.alias.md)
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
# Force mail user to change password in 90 days
|
||||
|
||||
## How it works
|
||||
iRedMail configures Roundcube to store password change date while user changed
|
||||
their password. For MySQL/MariaDB/PostgreSQL backends, it's stored in SQL database
|
||||
`vmail`, column `mailbox.passwordlastchange`. For LDAP backends, it's stored in
|
||||
LDAP attribute `shadowLastChange` of user account. If user didn't change password
|
||||
before, or user account is newly created, the password last change date
|
||||
will be set to `0000-00-00 00:00:00`.
|
||||
|
||||
iRedAPD has plugin to force mail users to change password before sending email:
|
||||
|
||||
* `sql_force_change_password_in_days`: for MySQL, MariaDB and PostgreSQL backends.
|
||||
* `ldap_force_change_password_in_days`: for LDAP backends (OpenLDAP and OpenBSD
|
||||
built-in LDAP server `ldapd(8)`).
|
||||
|
||||
When user trying to send an email, iRedAPD will invoke these plugin to
|
||||
check password last change date stored in SQL/LDAP and compare
|
||||
it with current date. if password last change date is longer than specified
|
||||
days, this plugin rejects smtp session with specified message.
|
||||
|
||||
## How to enable iRedAPD plugin
|
||||
|
||||
To enable this plugin, please list the plugin name in iRedAPD config file
|
||||
`/opt/iredapd/settings.py`, variable `plugins =`. For example:
|
||||
|
||||
```python
|
||||
|
||||
# For SQL backends
|
||||
plugins = [..., 'sql_force_change_password_in_days']
|
||||
|
||||
# For LDAP backends:
|
||||
plugins = [..., 'ldap_force_change_password_in_days']
|
||||
```
|
||||
|
||||
There're two addition settings available for this plugin (it's mentioned in
|
||||
plugin file `/opt/iredapd/plugins/sql_force_change_password_in_days.py` and
|
||||
`/opt/iredapd/plugins/ldap_force_change_password_in_days`):
|
||||
|
||||
```
|
||||
# User has to change password in 90 days
|
||||
CHANGE_PASSWORD_DAYS = 90
|
||||
|
||||
# MTA will reject user's smtp session with below message. You'd better describe
|
||||
# why user's email was rejected and guide user to change password.
|
||||
CHANGE_PASSWORD_MESSAGE = 'Please change your password in webmail before sending email: https://xxx/webmail/'
|
||||
```
|
||||
|
||||
Then restart iRedAPD service.
|
|
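Review bot: the "How it works" paragraph says never-changed and newly created accounts get `0000-00-00 00:00:00`, but the page never says how the plugin treats that value. Please state whether such accounts are rejected on their first send, because with `CHANGE_PASSWORD_DAYS = 90` that decides whether enabling the plugin blocks every user who has never changed a password. The same sentence applies a datetime to LDAP as well, where `shadowLastChange` is a day count rather than a timestamp, so the LDAP default should be given separately. In the settings paragraph, the second plugin path is missing its `.py` suffix (`/opt/iredapd/plugins/ldap_force_change_password_in_days`), and the text should say whether the two settings belong in `/opt/iredapd/settings.py` or are edited in the plugin file. The `https://xxx/webmail/` value in `CHANGE_PASSWORD_MESSAGE` should also be marked as a placeholder to replace.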
@ -0,0 +1,53 @@
|
|||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||||
<title>Force mail user to change password in 90 days</title>
|
||||
<link href="./css/markdown.css" rel="stylesheet"></head>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<div id="navigation">
|
||||
<a href="http://www.iredmail.org" target="_blank">iRedMail web site</a>
|
||||
|
||||
// <a href="./index.html">Document Index</a>
|
||||
</div><h1 id="force-mail-user-to-change-password-in-90-days">Force mail user to change password in 90 days</h1>
|
||||
<h2 id="how-it-works">How it works</h2>
|
||||
<p>iRedMail configures Roundcube to store password change date while user changed
|
||||
their password. For MySQL/MariaDB/PostgreSQL backends, it's stored in SQL database
|
||||
<code>vmail</code>, column <code>mailbox.passwordlastchange</code>. For LDAP backends, it's stored in
|
||||
LDAP attribute <code>shadowLastChange</code> of user account. If user didn't change password
|
||||
before, or user account is newly created, the password last change date
|
||||
will be set to <code>0000-00-00 00:00:00</code>.</p>
|
||||
<p>iRedAPD has plugin to force mail users to change password before sending email:</p>
|
||||
<ul>
|
||||
<li><code>sql_force_change_password_in_days</code>: for MySQL, MariaDB and PostgreSQL backends.</li>
|
||||
<li><code>ldap_force_change_password_in_days</code>: for LDAP backends (OpenLDAP and OpenBSD
|
||||
built-in LDAP server <code>ldapd(8)</code>).</li>
|
||||
</ul>
|
||||
<p>When user trying to send an email, iRedAPD will invoke these plugin to
|
||||
check password last change date stored in SQL/LDAP and compare
|
||||
it with current date. if password last change date is longer than specified
|
||||
days, this plugin rejects smtp session with specified message.</p>
|
||||
<h2 id="how-to-enable-iredapd-plugin">How to enable iRedAPD plugin</h2>
|
||||
<p>To enable this plugin, please list the plugin name in iRedAPD config file
|
||||
<code>/opt/iredapd/settings.py</code>, variable <code>plugins =</code>. For example:</p>
|
||||
<pre><code class="python">
|
||||
# For SQL backends
|
||||
plugins = [..., 'sql_force_change_password_in_days']
|
||||
|
||||
# For LDAP backends:
|
||||
plugins = [..., 'ldap_force_change_password_in_days']
|
||||
</code></pre>
|
||||
|
||||
<p>There're two addition settings available for this plugin (it's mentioned in
|
||||
plugin file <code>/opt/iredapd/plugins/sql_force_change_password_in_days.py</code> and
|
||||
<code>/opt/iredapd/plugins/ldap_force_change_password_in_days</code>):</p>
|
||||
<pre><code># User has to change password in 90 days
|
||||
CHANGE_PASSWORD_DAYS = 90
|
||||
|
||||
# MTA will reject user's smtp session with below message. You'd better describe
|
||||
# why user's email was rejected and guide user to change password.
|
||||
CHANGE_PASSWORD_MESSAGE = 'Please change your password in webmail before sending email: https://xxx/webmail/'
|
||||
</code></pre>
|
||||
|
||||
<p>Then restart iRedAPD service.</p><br /><p>If you found something wrong in this document, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p></body></html>
|
|
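Review bot: the head section is closed twice, once at the end of the `<link href="./css/markdown.css" rel="stylesheet"></head>` line and again on the following `</head>` line; drop one of them, preferably in whatever template produces this file, since the body mirrors the markdown source added in the same commit. The navigation link uses `target="_blank"` without `rel="noopener"`, which is worth adding in the same template. Any wording fix made to the markdown (the missing `.py` on the LDAP plugin path, for instance) needs to be regenerated here so the two copies do not drift.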
@ -24,6 +24,7 @@
|
|||
<li><a href="allow.insecure.pop3.imap.smtp.connections.html">Allow insecure POP3/IMAP/SMTP connections without STARTTLS</a></li>
|
||||
<li><a href="allow.user.to.send.email.without.authentication.html">Allow user to send email without authentication</a></li>
|
||||
<li><a href="configure.thunderbird.html">Configure Thunderbird as mail client (IMAP, SMTP and global ldap address book)</a></li>
|
||||
<li><a href="force.user.to.change.password.html">Force mail user to change password in 90 days</a></li>
|
||||
<li><a href="ignore.trash.folder.in.quota.html">Ignore Trash folder in mailbox quota</a></li>
|
||||
<li><a href="ldap.add.alias.domain.html">LDAP: Add an alias domain</a></li>
|
||||
<li><a href="ldap.add.mail.alias.html">LDAP: Add a mail alias account</a></li>
|
||||
|
|