53 lines
2.8 KiB
HTML
53 lines
2.8 KiB
HTML
<html>
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<title>Force mail user to change password in 90 days</title>
|
|
<link href="./css/markdown.css" rel="stylesheet"></head>
|
|
</head>
|
|
<body>
|
|
|
|
<div id="navigation">
|
|
<a href="http://www.iredmail.org" target="_blank">iRedMail web site</a>
|
|
|
|
// <a href="./index.html">Document Index</a>
|
|
</div><h1 id="force-mail-user-to-change-password-in-90-days">Force mail user to change password in 90 days</h1>
|
|
<h2 id="how-it-works">How it works</h2>
|
|
<p>iRedMail configures Roundcube webmail to store last password change date while
|
|
user changed password. For MySQL/MariaDB/PostgreSQL backends, it's stored in
|
|
SQL database <code>vmail</code>, column <code>mailbox.passwordlastchange</code>. For LDAP backends,
|
|
it's stored in LDAP attribute <code>shadowLastChange</code> of user account. If user
|
|
didn't change password before, or user account is newly created, the password
|
|
last change date will be set to <code>0000-00-00 00:00:00</code>.</p>
|
|
<p>iRedAPD has plugin to force mail users to change password before sending email:</p>
|
|
<ul>
|
|
<li><code>sql_force_change_password_in_days</code>: for SQL backends (MySQL, MariaDB and
|
|
PostgreSQL).</li>
|
|
<li><code>ldap_force_change_password_in_days</code>: for LDAP backends (OpenLDAP and OpenBSD
|
|
built-in LDAP server <code>ldapd(8)</code>).</li>
|
|
</ul>
|
|
<p>When user trying to send an email, iRedAPD will invoke this plugin to
|
|
check password last change date stored in SQL/LDAP and compare
|
|
it with current date. if password last change date is longer than specified
|
|
days, this plugin rejects smtp session with specified message.</p>
|
|
<h2 id="how-to-enable-iredapd-plugin">How to enable iRedAPD plugin</h2>
|
|
<p>To enable this plugin, please list the plugin name in iRedAPD config file
|
|
<code>/opt/iredapd/settings.py</code>, variable <code>plugins =</code>. For example:</p>
|
|
<pre><code class="python"># For SQL backends
|
|
plugins = [..., 'sql_force_change_password_in_days']
|
|
|
|
# For LDAP backends:
|
|
plugins = [..., 'ldap_force_change_password_in_days']
|
|
</code></pre>
|
|
|
|
<p>There're two optional settings you can set in <code>/opt/iredapd/settings.py</code>:</p>
|
|
<pre><code># User has to change password in certain days. Default is 90 days.
|
|
CHANGE_PASSWORD_DAYS = 90
|
|
|
|
# MTA will reject user's smtp session with below message. You'd better describe
|
|
# why user's email was rejected and guide user to change password.
|
|
CHANGE_PASSWORD_MESSAGE = 'Please change your password in webmail before sending email: https://xxx/webmail/'
|
|
</code></pre>
|
|
|
|
<p>Then restart iRedAPD service.</p><br /><p style="text-align: center;">If you found something wrong
|
|
in this document, please do
|
|
<a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p><p style="text-align: center; color: grey;">©© Creative Commons</p></body></html> |