1

Topic: [SOLVED] Feature Request

==== Provide basic information to help troubleshoot ====
- iRedMail version: iRedAdmin-Pro-MySQL-1.3.0
- Linux/BSD distribution name and version: Debian Squeeze (AMD64)
- Any related log? Log is helpful for troubleshooting.
====

For administering corporate email systems, it is often helpful if an admin is able to look up a user's password for them -- probably the most common question I get is "what is my password?". Would it be possible to have an option (maybe on a domain basis) to store a clear password in a separate database field and to be able to view the password for a user? I understand that there is a small security risk here, but sometimes the security risks are mitigated by being able to see passwords -- its hard to audit for weak passwords if you can't view the passwords.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: [SOLVED] Feature Request

How about reseting a new password for user instead of storing in plain text?

3

Re: [SOLVED] Feature Request

ZhangHuangbin wrote:

How about reseting a new password for user instead of storing in plain text?


Is there any way not allowing certain weak passwords i.e. abc12345, abc123, password, domainname123, etc..
If this exists, please let's know how to do it, if not, this could be one of the great features to have iRedMail

4

Re: [SOLVED] Feature Request

ZhangHuangbin wrote:

How about reseting a new password for user instead of storing in plain text?

==== Provide basic information to help troubleshoot ====
- iRedMail version:
- Linux/BSD distribution name and version:
- Any related log? Log is helpful for troubleshooting.
====

Resetting passwords can be helpful, but there are still any number of scenarios where it can be helpful to be able to check what the existing password is:

1. Multiple users share access to an account (in corporate settings, this happens more than you might think). Resetting for one will cause problems for all the others.
2. Multiple device accesses to an account - users get grumpy when they have to change passwords on two desktops and a laptop just because they can't remember the password to set up their iphone email.
3. Migrations from one server to another -- I'm in the middle of this right now (migrating to iredmail smile ), and if I didn't have the passwords available, it would be a ton more work to migrate the mail.
4. Security scans -- when a hosting client gives us a list of email accounts to set up using a temporary password, it would be helpful to be able to audit how many accounts still have the temporary password - either that, or implement a password expiry feature, or have some field in the database showing the datetime of the last password change. I'd really like to be able to tell clients that if they don't go in and change their password within a month, I'm going to disable the account or reset to a random password.

For the record, I don't think this should be a default -- I'd just like it as an option for those of us who care less about ironclad security than user and administrator ease of use.

5

Re: [SOLVED] Feature Request

Hi borthner,

Thanks for your explain, will try to improve it in iRedAdmin-Pro later.

Currently, you can change default password scheme in iRedAdmin-Pro.

  • For OpenLDAP backend, change 'LDAP_DEFAULT_PASSWD_SCHEME' to 'PLAIN' in libs/settings.py.

  • For MySQL backend, change 'SQL_DEFAULT_PASSWD_SCHEME' to 'PLAIN' in libs/settings.py, there's also an addition password control: 'SQL_PASSWD_PREFIX_SCHEME' under 'SQL_DEFAULT_PASSWD_SCHEME'. It's self-documented, please read them carefully.

Restarting Apache service after changing, iRedAdmin-Pro will now store reset passwords or password of newly created users in plain text.

I created an issue to track this feature in iRedAdmin-Pro, feel free to push me to achieve it:
http://code.google.com/p/iredmail/issues/detail?id=70

6

Re: [SOLVED] Feature Request

Hi brothner,

Patch is available for iRedAdmin-Pro-MySQL-1.3.0 here: http://code.google.com/p/iredmail/issues/detail?id=70

It will show an addition checkbox like below, like it?

Create new user:
http://screenshots.iredmail.googlecode.com/hg/iredadmin/user_create.png

Reset user password:
http://screenshots.iredmail.googlecode.com/hg/iredadmin/user_profile_password.png

7

Re: [SOLVED] Feature Request

Looks good -- the only other part that would be helpful would be to show the password on the screen if it is stored as a plain password -- although I can always dig in the database through phpmyadmin when I need to. Ideally, it would be nice to have the Users page for a domain show the passwords for each user where they are stored as {PLAIN} -- this would be helpful for the password auditing functions.

8

Re: [SOLVED] Feature Request

Is this patch carried into the new IRedAdmin-Pro-MySQL versions, or is there a new patch available?

ZhangHuangbin wrote:

Hi brothner,

Patch is available for iRedAdmin-Pro-MySQL-1.3.0 here: http://code.google.com/p/iredmail/issues/detail?id=70

It will show an addition checkbox like below, like it?

Create new user:
http://screenshots.iredmail.googlecode.com/hg/iredadmin/user_create.png

Reset user password:
http://screenshots.iredmail.googlecode.com/hg/iredadmin/user_profile_password.png

9

Re: [SOLVED] Feature Request

borthner wrote:

Is this patch carried into the new IRedAdmin-Pro-MySQL versions, or is there a new patch available?

Available in the latest iRedAdmin-Pro. You must set 'STORE_PASSWORD_IN_PLAIN = True' in libs/settings.py, then it will show you the checkbox "Store password in plain text".