iredmail-doc/html_bk/reset.user.password.html

<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Reset user password</title>
        <link rel="stylesheet" type="text/css" href="./css/markdown.css" />
    </head>
    <body>

    <div id="navigation">
    <a href="https://www.iredmail.org" target="_blank">
        <img alt="iRedMail web site"
             src="./images/logo-iredmail.png"
             style="vertical-align: middle; height: 30px;"
             />&nbsp;
        <span>iRedMail</span>
    </a>
    &nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><div class="admonition note">
<p class="admonition-title">This tutorial is available in other languages. <a href="https://github.com/iredmail/docs">Help translate more</a></p>
<p><a href="./reset.user.password-zh_CN.html">简体中文</a> /</p>
</div>
<h1 id="reset-user-password">Reset user password</h1>
<div class="toc">
<ul>
<li><a href="#reset-user-password">Reset user password</a><ul>
<li><a href="#reset-password-with-scripts-shipped-in-iredadmin-pro">Reset password with scripts shipped in iRedAdmin(-Pro)</a><ul>
<li><a href="#reset-password-for-one-user">Reset password for one user</a></li>
<li><a href="#reset-passwords-for-multiple-users-with-a-csv-file">Reset passwords for multiple users with a CSV file</a></li>
</ul>
</li>
<li><a href="#reset-password-with-sqlldap-command-line">Reset password with SQL/LDAP command line</a><ul>
<li><a href="#generate-password-hash-for-new-password">Generate password hash for new password</a></li>
<li><a href="#sql-backends">SQL backends</a></li>
<li><a href="#ldap-backends">LDAP backends</a></li>
</ul>
</li>
<li><a href="#see-also">See also</a></li>
</ul>
</li>
</ul>
</div>
<h2 id="reset-password-with-scripts-shipped-in-iredadmin-pro">Reset password with scripts shipped in iRedAdmin(-Pro)</h2>
<h3 id="reset-password-for-one-user">Reset password for one user</h3>
<p>iRedAdmin(-Pro) ships script <code>tools/reset_user_password.py</code> to help you reset
one user's password. For example, on CentOS 7 (iRedAdmin is installed under
<code>/opt/www/iredadmin</code>):</p>
<pre><code>cd /opt/www/iredadmin/tools/
python3 reset_user_password.py user@domain.ltd '123456'
</code></pre>
<p>Sample output:</p>
<pre><code>[user@domain.ltd] Password has been reset.
</code></pre>
<h3 id="reset-passwords-for-multiple-users-with-a-csv-file">Reset passwords for multiple users with a CSV file</h3>
<p>If you need to update many users' passwords, another way is resetting passwords
with script shipped in iRedAdmin-Pro: <code>tools/update_password_in_csv.py</code>. It
reads the user email addresses and NEW passwords from a CSV file.</p>
<p>The content is CSV file is:</p>
<pre><code>&lt;email&gt; &lt;new_password&gt;
</code></pre>
<p>One mail user (and new password) per line. For example, file <code>new_passwords.csv</code>:</p>
<pre><code>user1@domain.com pF4mTq4jaRzDLlWl
user2@domain.com SPhkTUlZs1TBxvmJ
user3@domain.com 8deNR8IBLycRujDN
</code></pre>
<p>Then run script with this file:</p>
<pre><code>python3 update_password_in_csv.py new_passwords.csv
</code></pre>
<h2 id="reset-password-with-sqlldap-command-line">Reset password with SQL/LDAP command line</h2>
<h3 id="generate-password-hash-for-new-password">Generate password hash for new password</h3>
<p>Storing password in plain text is dangerous, so we need to hash the password.
In case the SQL/LDAP database was leaked/cracked, cracker still need some time
to decode the password hash to get plain password, this will give you some
time to reset password to prevent mail message leak.</p>
<blockquote>
<ul>
<li>SSHA512 is recommended on Linux systems.</li>
<li>BCRYPT is recommended on BSD systems.</li>
<li>MD5 is not safe, DO NOT USE IT no matter what reasons you have.</li>
</ul>
</blockquote>
<p>To generate password hash for new password, please use <code>doveadm</code> command.</p>
<ul>
<li>Generate a SSHA512 password hash:</li>
</ul>
<pre><code>$ doveadm pw -s 'ssha512' -p '123456'
{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42YJLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=
</code></pre>
<ul>
<li>Generate a BCRYPT password hash on BSD system:</li>
</ul>
<pre><code>$ doveadm pw -s 'blf-crypt' -p '123'
{BLF-CRYPT}$2a$05$9CTW6FZtjHeK6W.2YMmzOeAj2YFvDpP4JEH0uH/YLQI81jPWDtzQW
</code></pre>
<h3 id="sql-backends">SQL backends</h3>
<p>To reset password for user <code>user@domain.ltd</code>, please login to SQL server as
either SQL root user or <code>vmailadmin</code> user (note: sql user <code>vmail</code> has read-only
privilege to <code>vmail</code> database, so you cannot use it to change user password),
then execute SQL commands to reset password:</p>
<pre><code>sql&gt; USE vmail;
sql&gt; UPDATE mailbox SET password='{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42YJLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=' WHERE username='user@domain.ltd';
</code></pre>
<h3 id="ldap-backends">LDAP backends</h3>
<p>With OpenLDAP backend, you can reset it with <code>ldapvi</code>, phpLDAPadmin or other
LDAP client tools. <code>SSHA512</code> is recommended, but if you have some application
which needs to perform authentication with ldap dn directly, then <code>SSHA</code> is
preferred.</p>
<h2 id="see-also">See also</h2>
<ul>
<li><a href="./password.hashes.html">Password hashes used/supported by iRedMail</a></li>
<li><a href="./promote.user.to.global.admin.html">Promote a mail user to be global admin</a></li>
</ul><div class="footer">
    <p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div></body></html>