1 (edited by craig 2018-12-07 16:32:56)

Topic: Password length not being enforced

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: CentOS 7.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL (MariaDB)
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?: Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi Zhang,

It's unclear to me from https://docs.iredmail.org/iredadmin-pro … olicy.html which "settings.py" file I should edit to set minimum and maximum password lengths. This is what I have on my system:

[08:14:31 root@server ~]# grep passwd_length /var/www/iRedAdmin-0.9/settings.py
#   - min_passwd_length: 0 means unlimited, but at least 1 character
#   - max_passwd_length: 0 means unlimited.
min_passwd_length = 8
max_passwd_length = 0
[08:15:41 root@server ~]# grep passwd_length /var/www/iRedAdmin-Pro-SQL-2.9.0/settings.py
#   - min_passwd_length: 0 means unlimited, but at least 1 character
#   - max_passwd_length: 0 means unlimited.
min_passwd_length = 12
max_passwd_length = 0
[08:15:45 root@server ~]#

In iRedAdmin-Pro I set up every new domain as follows under "Advanced" settings for the domain:

* Minimum password length: 12
* Maximum password length: 0

However, any user can change the minimum password length to 4, for example, defeating the purpose of setting a server-wide minimum!

Also, when I try to change the maximum to 0 (for unlimited), when I click "Save changes" the page reloads with the same old value in the box.

What am I doing wrong? Which "settings.py" file should I be using? And why are the settings in "settings.py" not working?

Before writing this post I ran

systemctl restart uwsgi

to make sure everything was properly set.


Craig
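
Added example, not part of the original thread and not iRedMail code: a read-only check that extracts `min_passwd_length` and `max_passwd_length` from each `settings.py` and compares them with a required floor, using the "0 means unlimited" rule from the file's own comments. The sample file contents are constructed from the grep output in the post, the floor of 12 is the value the poster wants, and the check does not tell you which file iRedAdmin-Pro loads or what per-domain values it stores.

```python
import ast

# Setting names as they appear in the grep output in the post.
KEYS = ("min_passwd_length", "max_passwd_length")

def read_passwd_lengths(source):
    """Top-level integer assignments of KEYS, parsed with ast (nothing is executed)."""
    found = {}
    for node in ast.parse(source).body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            value = node.value
            if (isinstance(target, ast.Name) and target.id in KEYS
                    and isinstance(value, ast.Constant) and type(value.value) is int):
                found[target.id] = value.value  # last assignment wins
    return found

def audit(source, required_min):
    """Findings for one settings.py checked against the floor required_min."""
    values = read_passwd_lengths(source)
    minimum = values.get("min_passwd_length")
    maximum = values.get("max_passwd_length")
    if minimum is None:
        return ["min_passwd_length not set"]
    findings = []
    # Per the file's own comment, 0 means unlimited but at least 1 character.
    effective_min = max(minimum, 1)
    if effective_min < required_min:
        findings.append(f"min_passwd_length {minimum} is below {required_min}")
    # 0 means no maximum; a non-zero maximum below the minimum cannot be satisfied.
    if maximum and maximum < effective_min:
        findings.append(f"max_passwd_length {maximum} is below the minimum")
    return findings

# Constructed samples modelled on the two grep outputs in the post.
SAMPLES = {
    "/var/www/iRedAdmin-0.9/settings.py": (
        "#   - min_passwd_length: 0 means unlimited, but at least 1 character\n"
        "min_passwd_length = 8\nmax_passwd_length = 0\n"
    ),
    "/var/www/iRedAdmin-Pro-SQL-2.9.0/settings.py": (
        "min_passwd_length = 12\nmax_passwd_length = 0\n"
    ),
}

if __name__ == "__main__":
    for path, text in SAMPLES.items():
        print(path, audit(text, required_min=12) or "ok")
```

To run it against the real files, pass `open(path).read()` to `audit()` in place of the constructed strings.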


2

Re: Password length not being enforced

As an ordinary user I even tried setting the minimum password length to 1, and it works! Scary!

3

Re: Password length not being enforced

Did you change the password in iRedAdmin-Pro self-service or Roundcube/SOGo? They are not related; iRedAdmin-Pro settings do not affect Roundcube and SOGo.

4

Re: Password length not being enforced

I am only referring to what I (the postmaster) and ordinary users can do in iRedAdmin-Pro.

5

Re: Password length not being enforced

I will try to reproduce it locally and come back to you later.

6

Re: Password length not being enforced

Unfortunately, I cannot reproduce this issue locally.
Is it possible to give me direct ssh access with root privilege? Contact me: zhb _at_ iredmail _dot_ org

7

Re: Password length not being enforced

Well, I put this down to database gremlins that I have experienced on this installation for some time. I plan to address this by doing a migration to a new Pro server manually. Rather than copying over mail spools and databases as I did the last time, I intend to freeze the old server to all changes, create the users on the new server, then migrate the mail spools using imapsync.

Not that I blame the migration process. My issue is with the lack of an automated upgrade process. Having to manually follow a series of line-by-line instructions is a recipe for disaster, especially if you are doing a bunch in a row ... in my opinion. It's why my installations get so far behind.


Craig

8

Re: Password length not being enforced

craig wrote:

Not that I blame the migration process. My issue is with the lack of an automated upgrade process. Having to manually follow a series of line-by-line instructions is a recipe for disaster, especially if you are doing a bunch in a row ... in my opinion. It's why my installations get so far behind.

If you deploy iRedMail server with iRedMail Easy platform, upgrading is just one click away.
https://www.iredmail.org/easy.html

9

Re: Password length not being enforced

Thanks. Yes, I've looked at Easy and at three times the price it doesn't fit my budget. Sorry.

I suppose a check script to run after an upgrade is not on your list either, is it? However, if you did that, it would probably be almost as much work as writing an upgrade script itself.

Speaking of Easy, the big attraction for me *would* be the predictable response times to support tickets. I don't expect five-minute response times on here, even for Pro issues, but (as you know or may remember) I (and others) have waited days for responses to Pro issues. This doesn't seem right for a "Pro" product.

Just my two cents.


Craig

10

Re: Password length not being enforced

craig wrote:

Speaking of Easy, the big attraction for me *would* be the predictable response times to support tickets. I don't expect five-minute response times on here, even for Pro issues, but (as you know or may remember) I (and others) have waited days for responses to Pro issues. This doesn't seem right for a "Pro" product.

Will try to be faster as before. Sorry about this.

11

Re: Password length not being enforced

ZhangHuangbin wrote:

Will try to be faster as before. Sorry about this.

Thanks Zhang.