diff --git a/README.md b/README.md index d2e05583..0fd50bca 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ We're working on migrating [old wiki documents](http://www.iredmail.org/wiki) to * [Allow insecure POP3/IMAP/SMTP connections without STARTTLS](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/2-allow.insecure.pop3.imap.smtp.connections.md) * [Allow user to send email without authentication](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/allow.user.to.send.email.without.authentication.md) * [Configure Thunderbird as mail client (IMAP, SMTP and global ldap address book)](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/configure.thunderbird.md) +* [Force mail user to change password in 90 days](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/force.user.to.change.password.md) * [Ignore Trash folder in mailbox quota](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/ignore.trash.folder.in.quota.md) * [LDAP: Add an alias domain](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/ldap.add.alias.domain.md) * [LDAP: Add a mail alias account](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/ldap.add.mail.alias.md) diff --git a/howto/force.user.to.change.password.md b/howto/force.user.to.change.password.md new file mode 100644 index 00000000..ae0185b1 --- /dev/null +++ b/howto/force.user.to.change.password.md 
@@ -0,0 +1,49 @@ +# Force mail user to change password in 90 days + +## How it works +iRedMail configures Roundcube to store password change date while user changed +their password. For MySQL/MariaDB/PostgreSQL backends, it's stored in SQL database +`vmail`, column `mailbox.passwordlastchange`. For LDAP backends, it's stored in +LDAP attribute `shadowLastChange` of user account. If user didn't change password +before, or user account is newly created, the password last change date +will be set to `0000-00-00 00:00:00`. + +iRedAPD has plugin to force mail users to change password before sending email: + +* `sql_force_change_password_in_days`: for MySQL, MariaDB and PostgreSQL backends. +* `ldap_force_change_password_in_days`: for LDAP backends (OpenLDAP and OpenBSD + built-in LDAP server `ldapd(8)`). + +When user trying to send an email, iRedAPD will invoke these plugin to +check password last change date stored in SQL/LDAP and compare +it with current date. if password last change date is longer than specified +days, this plugin rejects smtp session with specified message. + +## How to enable iRedAPD plugin + +To enable this plugin, please list the plugin name in iRedAPD config file +`/opt/iredapd/settings.py`, variable `plugins =`. For example: + +```python + +# For SQL backends +plugins = [..., 'sql_force_change_password_in_days'] + +# For LDAP backends: +plugins = [..., 'ldap_force_change_password_in_days'] +``` + +There're two addition settings available for this plugin (it's mentioned in +plugin file `/opt/iredapd/plugins/sql_force_change_password_in_days.py` and +`/opt/iredapd/plugins/ldap_force_change_password_in_days`): + +``` +# User has to change password in 90 days +CHANGE_PASSWORD_DAYS = 90 + +# MTA will reject user's smtp session with below message. You'd better describe +# why user's email was rejected and guide user to change password. 
+CHANGE_PASSWORD_MESSAGE = 'Please change your password in webmail before sending email: https://xxx/webmail/' +``` + +Then restart iRedAPD service. diff --git a/html/force.user.to.change.password.html b/html/force.user.to.change.password.html new file mode 100644 index 00000000..3defb0bf --- /dev/null +++ b/html/force.user.to.change.password.html @@ -0,0 +1,53 @@ + +
+ +iRedMail configures Roundcube to store password change date while user changed
+their password. For MySQL/MariaDB/PostgreSQL backends, it's stored in SQL database
+vmail
, column mailbox.passwordlastchange
. For LDAP backends, it's stored in
+LDAP attribute shadowLastChange
of user account. If user didn't change password
+before, or user account is newly created, the password last change date
+will be set to 0000-00-00 00:00:00
.
iRedAPD has plugin to force mail users to change password before sending email:
+sql_force_change_password_in_days
: for MySQL, MariaDB and PostgreSQL backends.ldap_force_change_password_in_days
: for LDAP backends (OpenLDAP and OpenBSD
+ built-in LDAP server ldapd(8)
).When user trying to send an email, iRedAPD will invoke these plugin to +check password last change date stored in SQL/LDAP and compare +it with current date. if password last change date is longer than specified +days, this plugin rejects smtp session with specified message.
+To enable this plugin, please list the plugin name in iRedAPD config file
+/opt/iredapd/settings.py
, variable plugins =
. For example:
+# For SQL backends
+plugins = [..., 'sql_force_change_password_in_days']
+
+# For LDAP backends:
+plugins = [..., 'ldap_force_change_password_in_days']
+
+
+There're two addition settings available for this plugin (it's mentioned in
+plugin file /opt/iredapd/plugins/sql_force_change_password_in_days.py
and
+/opt/iredapd/plugins/ldap_force_change_password_in_days
):
# User has to change password in 90 days
+CHANGE_PASSWORD_DAYS = 90
+
+# MTA will reject user's smtp session with below message. You'd better describe
+# why user's email was rejected and guide user to change password.
+CHANGE_PASSWORD_MESSAGE = 'Please change your password in webmail before sending email: https://xxx/webmail/'
+
+
+Then restart iRedAPD service.
If you found something wrong in this document, please do contact us to fix it.
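Review bot: In the README.md hunk the new index entry hardcodes "in 90 days", but the howto it links to makes the period configurable through `CHANGE_PASSWORD_DAYS`; a neutral title such as "Force mail user to change password periodically" would keep the index accurate for deployments that set a different value.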
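Review bot: In howto/force.user.to.change.password.md the "How it works" section never says how the plugins treat the `0000-00-00 00:00:00` last-change value that new accounts and never-changed passwords carry, yet the rule as written ("if password last change date is longer than specified days, this plugin rejects smtp session") would make every fresh account fail the check on its first message; state explicitly whether a zero date is rejected, skipped, or treated as the creation date, because that decides whether a newly created user can send mail at all. Smaller points in the same hunk: the LDAP plugin path `/opt/iredapd/plugins/ldap_force_change_password_in_days` lacks the `.py` suffix the SQL path has; the second code fence has no language tag while the first is tagged python; the text says the two settings are "mentioned in" the plugin files but should say where the admin is expected to set them (the enable step edits `/opt/iredapd/settings.py`); and "There're two addition settings" should read "There are two additional settings".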
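Review bot: html/force.user.to.change.password.html reproduces the markdown text verbatim, including the missing `.py` suffix on the ldap plugin path and the "two addition settings" wording, so if this file is generated from the howto it should be regenerated after the source is corrected rather than committed with the same defects; if it is hand-maintained, the same fixes need to land here as well.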