elmau
/
iredmail-doc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
iredmail-doc/en_US/howto/force.user.to.change.passwo...

66 lines
2.4 KiB
Markdown
Raw Blame History

# Force mail user to change password in 90 days
[TOC]
## How it works
iRedMail configures Roundcube webmail to store last password change date while
user changed password. For MySQL/MariaDB/PostgreSQL backends, it's stored in
SQL database `vmail`, column `mailbox.passwordlastchange`. For LDAP backends,
it's stored in LDAP attribute `shadowLastChange` of user account. If user
didn't change password before, or user account is newly created, the password
last change date will be set to `0000-00-00 00:00:00`.
iRedAPD has plugin to force mail users to change password before sending email:
* `sql_force_change_password`: for SQL backends (MySQL, MariaDB and
PostgreSQL).
* `ldap_force_change_password`: for LDAP backends (OpenLDAP and OpenBSD
built-in LDAP server `ldapd(8)`).
When user trying to send an email, iRedAPD will invoke this plugin to
check password last change date stored in SQL/LDAP and compare
it with current date. if password last change date is longer than specified
days, this plugin rejects smtp session with specified message.
## How to enable iRedAPD plugin
To enable this plugin, please list the plugin name in iRedAPD config file
`/opt/iredapd/settings.py`, variable `plugins =`. For example:
```python
# For SQL backends
plugins = [..., 'sql_force_change_password']
# For LDAP backends:
plugins = [..., 'ldap_force_change_password']
```
There're three optional settings pre-defined in `/opt/iredapd/libs/default_settings.py`,
if you want to change them, please copy the parameter names and set proper values
in `/opt/iredapd/settings.py`:
```
# Force to change password in certain days.
CHANGE_PASSWORD_DAYS = 90
# Reject reason.
# It's recommended to add URL of the web applications which user can login
# to change password in this message. e.g. Roundcube webmail, iRedAdmin-Pro.
CHANGE_PASSWORD_MESSAGE = 'Password expired or never changed, please change your password in webmail before sending email'
# Allow certain users or domains to never change password.
# sample values: ['user@example.com', 'domain.com']
CHANGE_PASSWORD_NEVER_EXPIRE_USERS = []
```
Restarting `iredapd` service is required after changed `/opt/iredapd/settings.py`.
## Roundcube plugin: `force_password_change`
There's a third-party Roundcube plugin can force user to change password.
<https://bitbucket.org/wainlake/force_password_change>
Roundcube will __ALWAYS__ redirect user to `Password` page (offered by official
Roundcube plugin password) until user changed the password.
Reference in New Issue View Git Blame Copy Permalink