1.9 KiB
Force mail user to change password in 90 days
How it works
iRedMail configures Roundcube to store password change date while user changed
their password. For MySQL/MariaDB/PostgreSQL backends, it's stored in SQL database
vmail
, column mailbox.passwordlastchange
. For LDAP backends, it's stored in
LDAP attribute shadowLastChange
of user account. If user didn't change password
before, or user account is newly created, the password last change date
will be set to 0000-00-00 00:00:00
.
iRedAPD has plugin to force mail users to change password before sending email:
sql_force_change_password_in_days
: for MySQL, MariaDB and PostgreSQL backends.ldap_force_change_password_in_days
: for LDAP backends (OpenLDAP and OpenBSD built-in LDAP serverldapd(8)
).
When user trying to send an email, iRedAPD will invoke these plugin to check password last change date stored in SQL/LDAP and compare it with current date. if password last change date is longer than specified days, this plugin rejects smtp session with specified message.
How to enable iRedAPD plugin
To enable this plugin, please list the plugin name in iRedAPD config file
/opt/iredapd/settings.py
, variable plugins =
. For example:
# For SQL backends
plugins = [..., 'sql_force_change_password_in_days']
# For LDAP backends:
plugins = [..., 'ldap_force_change_password_in_days']
There're two addition settings available for this plugin (it's mentioned in
plugin file /opt/iredapd/plugins/sql_force_change_password_in_days.py
and
/opt/iredapd/plugins/ldap_force_change_password_in_days
):
# User has to change password in 90 days
CHANGE_PASSWORD_DAYS = 90
# MTA will reject user's smtp session with below message. You'd better describe
# why user's email was rejected and guide user to change password.
CHANGE_PASSWORD_MESSAGE = 'Please change your password in webmail before sending email: https://xxx/webmail/'
Then restart iRedAPD service.