From 2251c00fb8d3ab2e976cada874a282336ba1e83f Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Tue, 22 Aug 2017 14:33:03 +0200
Subject: [PATCH] disable password reset until it is secure

For some unknown reason, the insecure version of pull request 18 (which uses easily guessable reset codes) was merged. This commit disables the password reset until someone makes it secure. See the comments in https://github.com/postfixadmin/postfixadmin/pull/18 for details.
---
 config.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config.inc.php b/config.inc.php
index 1be94c07..051eb65c 100644
--- a/config.inc.php
+++ b/config.inc.php
@@ -582,9 +582,9 @@ $CONF['create_mailbox_subdirs_hostoptions'] = array();
 // Optional:
 // Allows a user to reset his forgotten password with a code sent by email/SMS
-$CONF['forgotten_user_password_reset'] = true;
+$CONF['forgotten_user_password_reset'] = false; # INSECURE, DO NOT ENABLE! See https://github.com/postfixadmin/postfixadmin/pull/18 for details
 // Allows an admin to reset his forgotten password with a code sent by email/SMS
-$CONF['forgotten_admin_password_reset'] = true;
+$CONF['forgotten_admin_password_reset'] = false; # INSECURE, DO NOT ENABLE! see https://github.com/postfixadmin/postfixadmin/pull/18 for details
 // Clickatell gateway to send SMS code for password reset
 // API type: HTTP
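Review bot: The two new `false` defaults only protect installations that take these values from this file; a site that already sets `forgotten_user_password_reset` or `forgotten_admin_password_reset` to `true` in its own configuration override (if the project supports one, which is not visible in this hunk) keeps the guessable-code reset flow reachable, so the upgrade notes should tell admins to check both keys. The warning is also easy to miss as a trailing `#` comment on a long line, while the `//` description above each setting still advertises the feature without any caveat. I would put it on its own line in the file's comment style, e.g. `// INSECURE, DO NOT ENABLE: reset codes are easily guessable, see https://github.com/postfixadmin/postfixadmin/pull/18`, and use identical wording for both settings (the second currently has a lower-case "see"). Whether the reset pages themselves refuse requests when the flag is `false` cannot be confirmed from this hunk and is worth verifying before relying on the switch.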