How about reseting a new password for user instead of storing in plain text?
==== Provide basic information to help troubleshoot ====
- iRedMail version:
- Linux/BSD distribution name and version:
- Any related log? Log is helpful for troubleshooting.
Resetting passwords can be helpful, but there are still any number of scenarios where it can be helpful to be able to check what the existing password is:
1. Multiple users share access to an account (in corporate settings, this happens more than you might think). Resetting for one will cause problems for all the others.
2. Multiple device accesses to an account - users get grumpy when they have to change passwords on two desktops and a laptop just because they can't remember the password to set up their iphone email.
3. Migrations from one server to another -- I'm in the middle of this right now (migrating to iredmail ), and if I didn't have the passwords available, it would be a ton more work to migrate the mail.
4. Security scans -- when a hosting client gives us a list of email accounts to set up using a temporary password, it would be helpful to be able to audit how many accounts still have the temporary password - either that, or implement a password expiry feature, or have some field in the database showing the datetime of the last password change. I'd really like to be able to tell clients that if they don't go in and change their password within a month, I'm going to disable the account or reset to a random password.
For the record, I don't think this should be a default -- I'd just like it as an option for those of us who care less about ironclad security than user and administrator ease of use.