53 lines
2.8 KiB
HTML
53 lines
2.8 KiB
HTML
<html>
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<title>Force mail user to change password in 90 days</title>
|
|
<link href="./css/markdown.css" rel="stylesheet"></head>
|
|
</head>
|
|
<body>
|
|
|
|
<div id="navigation">
|
|
<a href="http://www.iredmail.org" target="_blank">iRedMail web site</a>
|
|
|
|
// <a href="./index.html">Document Index</a>
|
|
</div><h1 id="force-mail-user-to-change-password-in-90-days">Force mail user to change password in 90 days</h1>
|
|
<h2 id="how-it-works">How it works</h2>
|
|
<p>iRedMail configures Roundcube to store password change date while user changed
|
|
their password. For MySQL/MariaDB/PostgreSQL backends, it's stored in SQL database
|
|
<code>vmail</code>, column <code>mailbox.passwordlastchange</code>. For LDAP backends, it's stored in
|
|
LDAP attribute <code>shadowLastChange</code> of user account. If user didn't change password
|
|
before, or user account is newly created, the password last change date
|
|
will be set to <code>0000-00-00 00:00:00</code>.</p>
|
|
<p>iRedAPD has plugin to force mail users to change password before sending email:</p>
|
|
<ul>
|
|
<li><code>sql_force_change_password_in_days</code>: for MySQL, MariaDB and PostgreSQL backends.</li>
|
|
<li><code>ldap_force_change_password_in_days</code>: for LDAP backends (OpenLDAP and OpenBSD
|
|
built-in LDAP server <code>ldapd(8)</code>).</li>
|
|
</ul>
|
|
<p>When user trying to send an email, iRedAPD will invoke these plugin to
|
|
check password last change date stored in SQL/LDAP and compare
|
|
it with current date. if password last change date is longer than specified
|
|
days, this plugin rejects smtp session with specified message.</p>
|
|
<h2 id="how-to-enable-iredapd-plugin">How to enable iRedAPD plugin</h2>
|
|
<p>To enable this plugin, please list the plugin name in iRedAPD config file
|
|
<code>/opt/iredapd/settings.py</code>, variable <code>plugins =</code>. For example:</p>
|
|
<pre><code class="python">
|
|
# For SQL backends
|
|
plugins = [..., 'sql_force_change_password_in_days']
|
|
|
|
# For LDAP backends:
|
|
plugins = [..., 'ldap_force_change_password_in_days']
|
|
</code></pre>
|
|
|
|
<p>There're two addition settings available for this plugin (it's mentioned in
|
|
plugin file <code>/opt/iredapd/plugins/sql_force_change_password_in_days.py</code> and
|
|
<code>/opt/iredapd/plugins/ldap_force_change_password_in_days</code>):</p>
|
|
<pre><code># User has to change password in 90 days
|
|
CHANGE_PASSWORD_DAYS = 90
|
|
|
|
# MTA will reject user's smtp session with below message. You'd better describe
|
|
# why user's email was rejected and guide user to change password.
|
|
CHANGE_PASSWORD_MESSAGE = 'Please change your password in webmail before sending email: https://xxx/webmail/'
|
|
</code></pre>
|
|
|
|
<p>Then restart iRedAPD service.</p><br /><p>If you found something wrong in this document, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p></body></html> |