Adding support for password expiration. Please read README.password_expiration for more details
parent
c3d3898eb2
commit
e786609aa9
@ -0,0 +1,38 @@
|
|||||||
|
*Description
|
||||||
|
This extension adds support for password expiration.
|
||||||
|
It is designed to have expiration on users passwords. An email is sent when the password is expiring in 30 days, then 14 days, then 7 days.
|
||||||
|
It is strongly inspired by https://abridge2devnull.com/posts/2014/09/29/dovecot-user-password-expiration-notifications-updated-4122015/, and adapted to fit with Postfix Admin & Roundcube's password plugin
|
||||||
|
|
||||||
|
*Installation
|
||||||
|
Perform the following changes:
|
||||||
|
|
||||||
|
**Changes in MySQL/MariaDB mailbox table (as defined in $CONF['database_tables'] from config.inc.php):
|
||||||
|
You are invited to backup your DB first, and ensure the table name is correct.
|
||||||
|
|
||||||
|
Execute the attached SQL script (password_expiration.sql) that will add the required columns. The expiration value for existing users will be set to 90 days. If you want a different value, edit the last line in the script and replace 90 by the required value.
|
||||||
|
|
||||||
|
**Changes in Postfix Admin :
|
||||||
|
To enable password expiration, add the following to your config.inc.php file:
|
||||||
|
$CONF['password_expiration_enabled'] = 'YES';
|
||||||
|
|
||||||
|
Do not forget to set the expiration value (in days)
|
||||||
|
$CONF['password_expiration_value'] = '90';
|
||||||
|
|
||||||
|
All my tests are performed using $CONF['encrypt'] = 'md5crypt';
|
||||||
|
|
||||||
|
**If you are using Roundcube's password plugin, you should also adapt the $config['password_query'] value.
|
||||||
|
I recommend to use:
|
||||||
|
$config['password_query'] = 'UPDATE mailbox SET password=%c, modified=now(),pw_expires_on=now() + interval 90 day, thirty=0,fourteen=0,seven=0 where username=%u';
|
||||||
|
of cource you may adapt to the expected expiration value
|
||||||
|
|
||||||
|
All my tests are performed using $config['password_algorithm'] = 'md5-crypt';
|
||||||
|
|
||||||
|
**Changes in Dovecot (adapt if you use another LDA)
|
||||||
|
Edit dovecot-mysql.conf file, and replace the user_query (and only this one) by this query:
|
||||||
|
user_query = SELECT concat('/var/vmail/', maildir) as home, concat('maildir:/var/vmail/', maildir) as mail, 20001 AS uid, 20001 AS gid, concat('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1' AND pw_expires_on > now()
|
||||||
|
if course you may require to adapt the uid, gid, maildir and table to your setup
|
||||||
|
|
||||||
|
**Changes in system
|
||||||
|
You need to have a script running on a daily basis to check password expiration and send emails 30, 14 and 7 days before password expiration (script attached: check_mailpass_expiration.sh).
|
||||||
|
Edit the script to adapt the variables to your setup.
|
||||||
|
Ensure the user running check_mailpass_expiration.sh is allowed to access (read-write) your database.
|
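Review bot: In the Dovecot section the expiry condition `pw_expires_on > now()` is added to user_query "and only this one", and the README never says which logins that actually blocks; please state whether password_query needs the same condition, since any path that checks only the password lookup would not see the expiration. The recommended Roundcube `password_query` also hardcodes `interval 90 day` while Postfix Admin reads `$CONF['password_expiration_value']`, so the sentence about adapting the value should say that the two must be kept identical. The "Changes in system" section should also list what the script depends on (a working `mail` command and a sender address to set), because "adapt the variables" covers only the three database variables at the top of the script.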
@ -0,0 +1,34 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
#Adapt to your setup
|
||||||
|
|
||||||
|
POSTFIX_DB="postfix_test"
|
||||||
|
POSTFIX_USER="postfixadmin"
|
||||||
|
POSTFIX_PASSWORD="my_password_is_strong"
|
||||||
|
|
||||||
|
#All the rest should be OK
|
||||||
|
QUERY30DAYS="SELECT username,pw_expires_on FROM mailbox WHERE pw_expires_on > now() + interval 29 DAY AND pw_expires_on < now() + interval 30 day AND thirty = false;"
|
||||||
|
QUERY14DAYS="SELECT username,pw_expires_on FROM mailbox WHERE pw_expires_on > now() + interval 13 DAY AND pw_expires_on < now() + interval 14 day AND fourteen = false;"
|
||||||
|
QUERY7DAYS="SELECT username,pw_expires_on FROM mailbox WHERE pw_expires_on > now() + interval 6 DAY AND pw_expires_on < now() + interval 7 day AND seven = false;"
|
||||||
|
|
||||||
|
function notifyThirtyDays() {
|
||||||
|
mysql -B -u "$POSTFIX_USER" -p"$POSTFIX_PASSWORD" "$POSTFIX_DB" -e "$QUERY30DAYS" | while read -a RESULT; do
|
||||||
|
echo -e "Dear User, \n Your password will expire on ${RESULT[1]}" | mail -s "Password 30 days before expiration notication" -r noreply@eyetech.fr ${RESULT[0]}
|
||||||
|
echo "UPDATE mailbox SET thirty = true WHERE username = '${RESULT[0]}';" | mysql -u postfix postfix_test;done
|
||||||
|
}
|
||||||
|
|
||||||
|
function notifyFourteenDays() {
|
||||||
|
mysql -B -u "$POSTFIX_USER" -p"$POSTFIX_PASSWORD" "$POSTFIX_DB" -e "$QUERY14DAYS" | while read -a RESULT; do
|
||||||
|
echo -e "Dear User, \n Your password will expire on ${RESULT[1]}" | mail -s "Password 14 days before expiration notication" -r noreply@eyetech.fr ${RESULT[0]}
|
||||||
|
echo "UPDATE mailbox SET fourteen = true WHERE username = '${RESULT[0]}';" | mysql -u postfix postfix_test;done
|
||||||
|
}
|
||||||
|
|
||||||
|
function notifySevenDays() {
|
||||||
|
mysql -B -u "$POSTFIX_USER" -p"$POSTFIX_PASSWORD" "$POSTFIX_DB" -e "$QUERY7DAYS" | while read -a RESULT; do
|
||||||
|
echo -e "Dear User, \n Your password will expire on ${RESULT[1]}" | mail -s "Password 7 days before expiraiton notication" -r noreply@eyetech.fr ${RESULT[0]}
|
||||||
|
echo "UPDATE mailbox SET seven = true WHERE username = '${RESULT[0]}';" | mysql -u postfix postfix_test;done
|
||||||
|
}
|
||||||
|
|
||||||
|
notifyThirtyDays # Execute the function for 30 day notices
|
||||||
|
notifyFourteenDays # Execute the function for 14 day notices
|
||||||
|
notifySevenDays # Execute the function for 7 day notices
|
||||||
|
|
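Review bot: The three UPDATE lines inside the loops run `mysql -u postfix postfix_test` instead of using `$POSTFIX_USER`, `$POSTFIX_PASSWORD` and `$POSTFIX_DB`, so once the variables at the top are adapted the flags are written with a different account and database than the SELECT reads from; reuse the same variables in all three. `${RESULT[0]}` is placed unquoted on the `mail` command line and pasted directly into the SQL text, so it should at least be double-quoted for `mail` and validated before it is used in the UPDATE. Passing `-p"$POSTFIX_PASSWORD"` exposes the password in the process list; a client option file readable only by the script's user (for example via `--defaults-extra-file`) avoids that and keeps the secret out of the script. The sender `noreply@eyetech.fr` should be a variable next to the others. Each query matches a one-day window only, so a skipped daily run means that notice is never sent; selecting on "expires within N days and flag still false" would tolerate a missed run. The subjects also carry typos ("notication", "expiraiton").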
@ -0,0 +1,5 @@
|
|||||||
|
ALTER TABLE mailbox ADD COLUMN pw_expires_on TIMESTAMP DEFAULT now() not null;
|
||||||
|
ALTER TABLE mailbox ADD COLUMN thirty boolean not null DEFAULT false;
|
||||||
|
ALTER TABLE mailbox ADD COLUMN fourteen boolean not null DEFAULT false;
|
||||||
|
ALTER TABLE mailbox ADD COLUMN seven boolean not null DEFAULT false;
|
||||||
|
UPDATE mailbox set pw_expires_on = now() + interval 90 day;
|
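Review bot: On the first ALTER, `pw_expires_on TIMESTAMP DEFAULT now() not null` gives every row inserted without an explicit value an expiry equal to its creation time, which the README's Dovecot condition `pw_expires_on > now()` treats as already expired; either make sure every code path that creates a mailbox sets the column, or document that requirement next to this script. The table name `mailbox` is hardcoded although the README points at `$CONF['database_tables']`, so a note at the top of the file telling the admin to adjust it would help. The final UPDATE has no WHERE clause and resets every row to 90 days from now, so running the script a second time silently extends all expirations; a comment warning that the script is meant to be run once would be worth adding.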