Reset user password

[TOC]

Reset password with scripts shipped in iRedAdmin(-Pro)

Reset password for one user

iRedAdmin(-Pro) ships the script tools/reset_user_password.py to reset one user's password. For example, on CentOS 7 (iRedAdmin is installed under /opt/www/iredadmin):

cd /opt/www/iredadmin/tools/
python3 reset_user_password.py user@domain.ltd '123456'

Sample output:

[user@domain.ltd] Password has been reset.

Reset passwords for multiple users with a CSV file

If you need to update many users' passwords, use the script shipped in iRedAdmin-Pro: tools/update_password_in_csv.py. It reads the user email addresses and NEW passwords from a CSV file.

The format of the CSV file is:

<email> <new_password>

One mail user (and new password) per line. For example, file new_passwords.csv:

user1@domain.com pF4mTq4jaRzDLlWl
user2@domain.com SPhkTUlZs1TBxvmJ
user3@domain.com 8deNR8IBLycRujDN

Then run the script with this file:

python3 update_password_in_csv.py new_passwords.csv

Reset password with SQL/LDAP command line

Generate password hash for new password

Storing passwords in plain text is dangerous, so we need to hash the password. If the SQL/LDAP database is leaked or cracked, the attacker still needs some time to crack the password hash and recover the plain password. This gives you some time to reset the password and prevent mail messages from leaking.

  • SSHA512 is recommended on Linux systems.
  • BCRYPT is recommended on BSD systems.
  • MD5 is not safe. DO NOT USE IT, no matter what reasons you have.

To generate a password hash for the new password, use the doveadm command.

  • Generate a SSHA512 password hash:
$ doveadm pw -s 'ssha512' -p '123456'
{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42YJLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=
  • Generate a BCRYPT password hash on BSD system:
$ doveadm pw -s 'blf-crypt' -p '123'
{BLF-CRYPT}$2a$05$9CTW6FZtjHeK6W.2YMmzOeAj2YFvDpP4JEH0uH/YLQI81jPWDtzQW
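What the {SSHA512} value above contains, as an added example (not code from iRedMail or Dovecot): it assumes the Dovecot SSHA512 layout, base64(SHA512(password + salt) + salt), and lets you check a hash before writing it to the database. The function names and the 8-byte salt length are this example's own choices; run as a script, it prompts for the password so it never appears in shell history or the process list.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA512}"
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes

# The sample hash printed on this page by `doveadm pw -s 'ssha512'`.
PAGE_HASH = ("{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42Y"
             "JLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=")


def make_ssha512(password, salt=None):
    """Return '{SSHA512}' + base64(SHA512(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # assumption: salt length chosen for this example
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha512(stored):
    """Split a stored value into (digest, salt); ValueError if malformed."""
    if not stored.upper().startswith(PREFIX):
        raise ValueError("not an SSHA512 hash: refusing other schemes")
    # binascii.Error raised on bad base64 is a subclass of ValueError.
    raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("no salt after the 64-byte digest")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha512(password, stored):
    """Recompute the digest with the stored salt; constant-time compare."""
    digest, salt = split_ssha512(stored)
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    import getpass
    new_password = getpass.getpass("New password: ")
    new_hash = make_ssha512(new_password)
    # Self-check before the value goes into an UPDATE statement or LDAP entry.
    if not verify_ssha512(new_password, new_hash):
        raise SystemExit("generated hash failed verification")
    print(new_hash)
```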

SQL backends

To reset the password for user user@domain.ltd, log in to the SQL server as either the SQL root user or the vmailadmin user (note: the SQL user vmail has read-only privilege on the vmail database, so you cannot use it to change user passwords), then execute these SQL commands to reset the password:

sql> USE vmail;
sql> UPDATE mailbox SET password='{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42YJLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=' WHERE username='user@domain.ltd';

LDAP backends

With the OpenLDAP backend, you can reset the password with ldapvi, phpLDAPadmin or other LDAP client tools. SSHA512 is recommended, but if you have an application which needs to perform authentication with the LDAP dn directly, then SSHA is preferred.

See also