From ecd78803ece98a34651e6db86b01a4868ab6e4fe Mon Sep 17 00:00:00 2001 From: Zhang Huangbin Date: Tue, 7 Oct 2014 12:35:29 +0800 Subject: [PATCH] New doc: force.user.to.change.password.html. --- README.md | 1 + howto/force.user.to.change.password.md | 49 +++++++++++++++++++++++ html/force.user.to.change.password.html | 53 +++++++++++++++++++++++++ html/index.html | 1 + 4 files changed, 104 insertions(+) create mode 100644 howto/force.user.to.change.password.md create mode 100644 html/force.user.to.change.password.html diff --git a/README.md b/README.md index d2e05583..0fd50bca 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ We're working on migrating [old wiki documents](http://www.iredmail.org/wiki) to * [Allow insecure POP3/IMAP/SMTP connections without STARTTLS](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/2-allow.insecure.pop3.imap.smtp.connections.md) * [Allow user to send email without authentication](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/allow.user.to.send.email.without.authentication.md) * [Configure Thunderbird as mail client (IMAP, SMTP and global ldap address book)](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/configure.thunderbird.md) +* [Force mail user to change password in 90 days](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/force.user.to.change.password.md) * [Ignore Trash folder in mailbox quota](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/ignore.trash.folder.in.quota.md) * [LDAP: Add an alias domain](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/ldap.add.alias.domain.md) * [LDAP: Add a mail alias account](https://bitbucket.org/zhb/docs.iredmail.org/src/default/howto/ldap.add.mail.alias.md) diff --git a/howto/force.user.to.change.password.md b/howto/force.user.to.change.password.md new file mode 100644 index 00000000..ae0185b1 --- /dev/null +++ b/howto/force.user.to.change.password.md 
@@ -0,0 +1,49 @@ +# Force mail user to change password in 90 days + +## How it works +iRedMail configures Roundcube to store password change date while user changed +their password. For MySQL/MariaDB/PostgreSQL backends, it's stored in SQL database +`vmail`, column `mailbox.passwordlastchange`. For LDAP backends, it's stored in +LDAP attribute `shadowLastChange` of user account. If user didn't change password +before, or user account is newly created, the password last change date +will be set to `0000-00-00 00:00:00`. + +iRedAPD has plugin to force mail users to change password before sending email: + +* `sql_force_change_password_in_days`: for MySQL, MariaDB and PostgreSQL backends. +* `ldap_force_change_password_in_days`: for LDAP backends (OpenLDAP and OpenBSD + built-in LDAP server `ldapd(8)`). + +When user trying to send an email, iRedAPD will invoke these plugin to +check password last change date stored in SQL/LDAP and compare +it with current date. if password last change date is longer than specified +days, this plugin rejects smtp session with specified message. + +## How to enable iRedAPD plugin + +To enable this plugin, please list the plugin name in iRedAPD config file +`/opt/iredapd/settings.py`, variable `plugins =`. For example: + +```python + +# For SQL backends +plugins = [..., 'sql_force_change_password_in_days'] + +# For LDAP backends: +plugins = [..., 'ldap_force_change_password_in_days'] +``` + +There're two addition settings available for this plugin (it's mentioned in +plugin file `/opt/iredapd/plugins/sql_force_change_password_in_days.py` and +`/opt/iredapd/plugins/ldap_force_change_password_in_days`): + +``` +# User has to change password in 90 days +CHANGE_PASSWORD_DAYS = 90 + +# MTA will reject user's smtp session with below message. You'd better describe +# why user's email was rejected and guide user to change password. 
+CHANGE_PASSWORD_MESSAGE = 'Please change your password in webmail before sending email: https://xxx/webmail/' +``` + +Then restart iRedAPD service. diff --git a/html/force.user.to.change.password.html b/html/force.user.to.change.password.html new file mode 100644 index 00000000..3defb0bf --- /dev/null +++ b/html/force.user.to.change.password.html @@ -0,0 +1,53 @@ + + + + Force mail user to change password in 90 days + + + + +

Force mail user to change password in 90 days

+

How it works

+

iRedMail configures Roundcube to store password change date while user changed +their password. For MySQL/MariaDB/PostgreSQL backends, it's stored in SQL database +vmail, column mailbox.passwordlastchange. For LDAP backends, it's stored in +LDAP attribute shadowLastChange of user account. If user didn't change password +before, or user account is newly created, the password last change date +will be set to 0000-00-00 00:00:00.

+

iRedAPD has plugin to force mail users to change password before sending email:

+ +

When user trying to send an email, iRedAPD will invoke these plugin to +check password last change date stored in SQL/LDAP and compare +it with current date. if password last change date is longer than specified +days, this plugin rejects smtp session with specified message.

+

How to enable iRedAPD plugin

+

To enable this plugin, please list the plugin name in iRedAPD config file +/opt/iredapd/settings.py, variable plugins =. For example:

+

+# For SQL backends
+plugins = [..., 'sql_force_change_password_in_days']
+
+# For LDAP backends:
+plugins = [..., 'ldap_force_change_password_in_days']
+
+ +

There're two addition settings available for this plugin (it's mentioned in +plugin file /opt/iredapd/plugins/sql_force_change_password_in_days.py and +/opt/iredapd/plugins/ldap_force_change_password_in_days):

+
# User has to change password in 90 days
+CHANGE_PASSWORD_DAYS = 90
+
+# MTA will reject user's smtp session with below message. You'd better describe
+# why user's email was rejected and guide user to change password.
+CHANGE_PASSWORD_MESSAGE = 'Please change your password in webmail before sending email: https://xxx/webmail/'
+
+ +

Then restart iRedAPD service.


If you found something wrong in this document, please do contact us to fix it.

\ No newline at end of file diff --git a/html/index.html b/html/index.html index de80d61a..e8d6178d 100644 --- a/html/index.html +++ b/html/index.html @@ -24,6 +24,7 @@
  • Allow insecure POP3/IMAP/SMTP connections without STARTTLS
  • Allow user to send email without authentication
  • Configure Thunderbird as mail client (IMAP, SMTP and global ldap address book)
  • +
  • Force mail user to change password in 90 days
  • Ignore Trash folder in mailbox quota
  • LDAP: Add an alias domain
  • LDAP: Add a mail alias account
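Review bot: the howto hunk (howto/force.user.to.change.password.md) leaves the behavior for the `0000-00-00 00:00:00` sentinel unstated: the text says newly created accounts and accounts that never changed their password carry that value, and that a last-change date older than `CHANGE_PASSWORD_DAYS` causes the SMTP session to be rejected, so a reader cannot tell whether a brand-new mailbox is blocked from sending until its first password change or whether the zero date is treated as "never expires". State which it is, because that decides whether a fresh deployment rejects mail from every account the moment the plugin is enabled; also say whether the same sentinel applies to the LDAP `shadowLastChange` attribute or whether that backend uses a different "never changed" value. Smaller points in the same hunk: the second plugin path is missing its `.py` suffix (`/opt/iredapd/plugins/ldap_force_change_password_in_days` next to `sql_force_change_password_in_days.py`); the second fence holding `CHANGE_PASSWORD_DAYS = 90` and `CHANGE_PASSWORD_MESSAGE = ...` should be tagged ```python like the first, since both are `settings.py` content; `https://xxx/webmail/` should be called out as a placeholder to replace with the site's real webmail URL so it is not copied verbatim into production; and "two addition settings" should read "two additional settings", "When user trying to send" should read "When a user tries to send".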
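Review bot: html/force.user.to.change.password.html is a rendered copy of the markdown and repeats its defects, so whatever is corrected in the howto needs regenerating here as well: the LDAP plugin path `/opt/iredapd/plugins/ldap_force_change_password_in_days` lacks `.py`, the `https://xxx/webmail/` placeholder is not identified as one, and the sentinel handling for `0000-00-00 00:00:00` is equally unexplained. The generated file also ends without a trailing newline (`\ No newline at end of file`); adding one keeps later diffs of this file from rewriting its last line.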