iredmail-doc/html/reset.user.password.html

135 lines
6.5 KiB
HTML

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Reset user password</title>
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
</head>
<body>
<div id="navigation">
<a href="/index.html" target="_blank">
<img alt="iRedMail web site"
src="./images/logo-iredmail.png"
style="vertical-align: middle; height: 30px;"
/>&nbsp;
<span>iRedMail</span>
</a>
&nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><div class="admonition note">
<p class="admonition-title">This tutorial is available in other languages. <a href="https://bitbucket.org/zhb/iredmail-docs/src">Help translate more</a></p>
<p><a href="./reset.user.password-zh_CN.html">简体中文</a> /</p>
</div>
<h1 id="reset-user-password">Reset user password</h1>
<div class="toc">
<ul>
<li><a href="#reset-user-password">Reset user password</a><ul>
<li><a href="#reset-password-with-sqlldap-command-line">Reset password with SQL/LDAP command line</a><ul>
<li><a href="#generate-password-hash-for-new-password">Generate password hash for new password</a></li>
<li><a href="#sql-backends">SQL backends</a></li>
<li><a href="#ldap-backends">LDAP backends</a></li>
</ul>
</li>
<li><a href="#reset-password-with-scripts-shipped-in-iredadmin-pro">Reset password with scripts shipped in iRedAdmin-Pro</a><ul>
<li><a href="#reset-password-for-one-user">Reset password for one user</a></li>
<li><a href="#reset-passwords-for-multiple-users-with-a-csv-file">Reset passwords for multiple users with a CSV file</a></li>
</ul>
</li>
<li><a href="#see-also">See also</a></li>
</ul>
</li>
</ul>
</div>
<h2 id="reset-password-with-sqlldap-command-line">Reset password with SQL/LDAP command line</h2>
<h3 id="generate-password-hash-for-new-password">Generate password hash for new password</h3>
<p>Storing password in plain text is dangerous, so we need to hash the password.
In case the SQL/LDAP database was leaked/cracked, cracker still need some time
to decode the password hash to get plain password, this will give you some
time to reset password to prevent mail message leak.</p>
<blockquote>
<ul>
<li>SSHA512 is recommended on Linux systems.</li>
<li>BCRYPT is recommended on BSD systems.</li>
<li>MD5 is not safe, DO NOT USE IT no matter what reasons you have.</li>
</ul>
</blockquote>
<p>To generate password hash for new password, please use <code>doveadm</code> command.</p>
<ul>
<li>Generate a SSHA512 password hash:</li>
</ul>
<pre><code>$ doveadm pw -s 'ssha512' -p '123456'
{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42YJLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=
</code></pre>
<ul>
<li>Generate a BCRYPT password hash on BSD system:</li>
</ul>
<pre><code>$ doveadm pw -s 'blf-crypt' -p '123'
{BLF-CRYPT}$2a$05$9CTW6FZtjHeK6W.2YMmzOeAj2YFvDpP4JEH0uH/YLQI81jPWDtzQW
</code></pre>
<h3 id="sql-backends">SQL backends</h3>
<p>To reset password for user <code>user@domain.ltd</code>, please login to SQL server as
either SQL root user or <code>vmailadmin</code> user (note: sql user <code>vmail</code> has read-only
privilege to <code>vmail</code> database, so you cannot use it to change user password),
then execute SQL commands to reset password:</p>
<pre><code>sql&gt; USE vmail;
sql&gt; UPDATE mailbox SET password='{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42YJLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=' WHERE username='user@domain.ltd';
</code></pre>
<h3 id="ldap-backends">LDAP backends</h3>
<p>With OpenLDAP backend, you can reset it with <code>ldapvi</code>, phpLDAPadmin or other
LDAP client tools. <code>SSHA512</code> is recommended, but if you have some application
which needs to perform authentication with ldap dn directly, then <code>SSHA</code> is
preferred.</p>
<h2 id="reset-password-with-scripts-shipped-in-iredadmin-pro">Reset password with scripts shipped in iRedAdmin-Pro</h2>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>iRedAdmin-Pro scripts support both SQL and LDAP backends.</p>
</div>
<h3 id="reset-password-for-one-user">Reset password for one user</h3>
<p>iRedAdmin-Pro ships script <code>tools/reset_user_password.py</code> to help you reset
one user's password. For example, on CentOS 7 (iRedAdmin is installed under
<code>/var/www/iredadmin</code>):</p>
<pre><code>cd /var/www/iredadmin/tools/
python reset_user_password.py user@domain.ltd '123456'
</code></pre>
<p>Sample output:</p>
<pre><code>[user@domain.ltd] Password has been reset.
</code></pre>
<h3 id="reset-passwords-for-multiple-users-with-a-csv-file">Reset passwords for multiple users with a CSV file</h3>
<p>If you need to update many users' passwords, another way is resetting passwords
with script shipped in iRedAdmin-Pro: <code>tools/update_password_in_csv.py</code>. It
reads the user email addresses and NEW passwords from a CSV file.</p>
<p>The content is CSV file is:</p>
<pre><code>&lt;email&gt; &lt;new_password&gt;
</code></pre>
<p>One mail user (and new password) per line. For example, file <code>new_passwords.csv</code>:</p>
<pre><code>user1@domain.com pF4mTq4jaRzDLlWl
user2@domain.com SPhkTUlZs1TBxvmJ
user3@domain.com 8deNR8IBLycRujDN
</code></pre>
<p>Then run script with this file:</p>
<pre><code>python update_password_in_csv.py new_passwords.csv
</code></pre>
<h2 id="see-also">See also</h2>
<ul>
<li><a href="./password.hashes.html">Password hashes used/supported by iRedMail</a></li>
<li><a href="./promote.user.to.global.admin.html">Promote a mail user to be global admin</a></li>
</ul><div class="footer">
<p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2">download the latest version</a> for offline reading. If you found something wrong, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div>
<script type="text/javascript">
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-3293801-21', 'auto');
ga('send', 'pageview');
</script>
</body></html>