Force mail user to change password in 90 days
How it works
iRedMail configures Roundcube webmail to store the date of the last password change whenever a user changes their password. For MySQL/MariaDB/PostgreSQL backends, it's stored in SQL database vmail, column mailbox.passwordlastchange. For LDAP backends, it's stored in the LDAP attribute shadowLastChange of the user account. If the user has never changed the password, or the account is newly created, the last password change date is set to 0000-00-00 00:00:00.
iRedAPD has plugins to force mail users to change their password before sending email:
- sql_force_change_password: for SQL backends (MySQL, MariaDB and PostgreSQL).
- ldap_force_change_password: for LDAP backends (OpenLDAP and OpenBSD built-in LDAP server ldapd(8)).
When a user tries to send an email, iRedAPD invokes this plugin to check the last password change date stored in SQL/LDAP and compare it with the current date. If the password was last changed more than the specified number of days ago, the plugin rejects the SMTP session with the specified message.
How to enable iRedAPD plugin
To enable this plugin, list the plugin name in the iRedAPD config file /opt/iredapd/settings.py, variable plugins. For example:
# For SQL backends
plugins = [..., 'sql_force_change_password']
# For LDAP backends:
plugins = [..., 'ldap_force_change_password']
There are three optional settings pre-defined in /opt/iredapd/libs/default_settings.py. If you want to change them, copy the parameter names and set proper values in /opt/iredapd/settings.py:
# Force to change password in certain days.
CHANGE_PASSWORD_DAYS = 90
# Reject reason.
# It's recommended to add URL of the web applications which user can login
# to change password in this message. e.g. Roundcube webmail, iRedAdmin-Pro.
CHANGE_PASSWORD_MESSAGE = 'Password expired or never changed, please change your password in webmail before sending email'
# Allow certain users or domains to never change password.
# sample values: ['user@example.com', 'domain.com']
CHANGE_PASSWORD_NEVER_EXPIRE_USERS = []
Restarting the iredapd service is required after changing /opt/iredapd/settings.py.
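Before enabling the plugin on a SQL backend, it helps to know which accounts would be rejected on their next send. The following is an added example, not iRedAPD's own code: it applies the rule described above to rows shaped like the mailbox table. The username column name, the sample rows, the helper function names, and the fail-closed handling of unparsable dates are assumptions.

```python
from datetime import datetime, timedelta

# Setting names are from the page; the values here are sample values.
CHANGE_PASSWORD_DAYS = 90
CHANGE_PASSWORD_NEVER_EXPIRE_USERS = ['postmaster@example.com', 'partner.example']

ZERO_DATE = '0000-00-00 00:00:00'  # stored when the password was never changed


def is_exempt(user, exempt=CHANGE_PASSWORD_NEVER_EXPIRE_USERS):
    """True if the full address or its domain is on the never-expire list."""
    user = user.lower()
    domain = user.rpartition('@')[2]
    entries = {e.lower() for e in exempt}
    return user in entries or domain in entries


def password_expired(last_change, now, days=CHANGE_PASSWORD_DAYS):
    """True if the stored change date is the zero date, unparsable, or too old."""
    if not last_change or last_change == ZERO_DATE:
        return True
    try:
        changed = datetime.strptime(last_change, '%Y-%m-%d %H:%M:%S')
    except ValueError:
        return True  # assumption: treat unreadable dates as expired (fail closed)
    return now - changed > timedelta(days=days)


def users_to_be_rejected(rows, now):
    """Return senders that would be rejected, given (username, passwordlastchange) rows."""
    return [u for u, changed in rows
            if not is_exempt(u) and password_expired(changed, now)]


# Constructed sample rows; "username" as the column name is an assumption.
SAMPLE_ROWS = [
    ('alice@example.com', '2024-05-20 09:00:00'),     # changed recently
    ('bob@example.com', '2024-01-15 08:30:00'),       # older than 90 days
    ('carol@example.com', ZERO_DATE),                 # never changed
    ('postmaster@example.com', ZERO_DATE),            # exempt user
    ('dave@partner.example', '2023-01-01 00:00:00'),  # exempt domain
    ('erin@example.com', '2024-03-02 12:00:00'),      # exactly 90 days: not yet expired
]

if __name__ == '__main__':
    for user in users_to_be_rejected(SAMPLE_ROWS, datetime(2024, 5, 31, 12, 0, 0)):
        print(user)
```

Newly created accounts carry the zero date, so they appear in this list until the user changes the password once.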
Roundcube plugin: force_password_change
There's a third-party Roundcube plugin that can force users to change their password: https://bitbucket.org/wainlake/force_password_change

Roundcube will ALWAYS redirect the user to the Password page (offered by the official Roundcube plugin password) until the user has changed the password.