1

Topic: Force mail user to change password plugin not working

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version: Ubuntu 18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? YES
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi

It is mandatory for all users to change their password after 90 days. Everything worked for more than two years.
After one of the updates, I found that there was no password change.

In /opt/iredapd/settings.py, "ldap_force_change_password" is enabled.

For test purposes - "Change_Password_days=5"

Plugin not working.

Any suggestions?


2

Re: Force mail user to change password plugin not working

The parameter name is case SeNsItIvE:

CHANGE_PASSWORD_DAYS = 90

3

Re: Force mail user to change password plugin not working

ZhangHuangbin wrote:

The parameter name is case SeNsItIvE:

CHANGE_PASSWORD_DAYS = 90

Yes.
I know.

I copied my settings from /opt/iredapd/settings.py

# Enabled plugins.
plugins = [.........., "ldap_force_change_password"]

# User has to change password in certain days. Default is 90 days.
CHANGE_PASSWORD_DAYS = 5

Five days is only for testing the plugin. ;)

Any suggestions?

4

Re: Force mail user to change password plugin not working

platpirs wrote:
ZhangHuangbin wrote:

The parameter name is case SeNsItIvE:

CHANGE_PASSWORD_DAYS = 90

Yes.
I know.

I copied my settings from /opt/iredapd/settings.py

# Enabled plugins.
plugins = [.........., "ldap_force_change_password"]

# User has to change password in certain days. Default is 90 days.
CHANGE_PASSWORD_DAYS = 5

Five days is only for testing the plugin. ;)

Any suggestions?

5

Re: Force mail user to change password plugin not working

- Which iRedAPD release are you running? Please show me command output: "ls -dl /opt/iredapd".
- Please turn on debug mode in iRedAPD, then trigger the issue and paste me related log lines in /var/log/iredapd/iredapd.log. FYI: https://docs.iredmail.org/debug.iredapd.html

6

Re: Force mail user to change password plugin not working

1) lrwxrwxrwx 1 xxx xxx 11 Nov 14 00:32 /opt/iredapd -> iRedAPD-4.6

2) Log in debug mode after iredapd restart.

Dec 29 16:15:13 mail iredapd LDAP connection initialied success.
Dec 29 16:15:13 mail iredapd LDAP bind success.
Dec 29 16:15:13 mail iredapd Starting iRedAPD (version: 4.6, backend: ldap), listening on 127.0.0.1:7777.
Dec 29 16:15:13 mail iredapd Loading plugin (priority: 100): reject_null_sender
Dec 29 16:15:13 mail iredapd Loading plugin (priority: 99): wblist_rdns
Dec 29 16:15:14 mail iredapd Loading plugin (priority: 90): reject_sender_login_mismatch
Dec 29 16:15:14 mail iredapd Loading plugin (priority: 80): greylisting
Dec 29 16:15:14 mail iredapd Loading plugin (priority: 60): throttle
Dec 29 16:15:14 mail iredapd Loading plugin (priority: 50): ldap_maillist_access_policy
Dec 29 16:15:14 mail iredapd Loading plugin (priority: 40): amavisd_wblist
Dec 29 16:15:14 mail iredapd Loading plugin (priority: 0): ldap_force_change_password
Dec 29 16:15:14 mail iredapd Starting SRS sender rewriting channel, listening on 127.0.0.1:7778
Dec 29 16:15:14 mail iredapd Starting SRS recipient rewriting channel, listening on 127.0.0.1:7779
Dec 29 16:15:23 mail iredapd [policy] request=smtpd_access_policy
Dec 29 16:15:23 mail iredapd [policy] protocol_state=END-OF-MESSAGE
Dec 29 16:15:23 mail iredapd [policy] protocol_name=ESMTP
Dec 29 16:15:23 mail iredapd [policy] client_address=XXXXX
Dec 29 16:15:23 mail iredapd [policy] client_name=unknown
Dec 29 16:15:23 mail iredapd [policy] client_port=XXX
Dec 29 16:15:23 mail iredapd [policy] reverse_client_name=unknown
Dec 29 16:15:23 mail iredapd [policy] server_address=XXXX
Dec 29 16:15:23 mail iredapd [policy] server_port=XXX
Dec 29 16:15:23 mail iredapd [policy] helo_name=mailGWXXX
Dec 29 16:15:23 mail iredapd [policy] sender=XXXX
Dec 29 16:15:23 mail iredapd [policy] recipient=XXXXX
Dec 29 16:15:23 mail iredapd [policy] recipient_count=1
Dec 29 16:15:23 mail iredapd [policy] queue_id=4D4xJq0ZhYz2VRDy
Dec 29 16:15:23 mail iredapd [policy] instance=23b.5feb39fa.f156d.0
Dec 29 16:15:23 mail iredapd [policy] size=5948
Dec 29 16:15:23 mail iredapd [policy] etrn_domain=
Dec 29 16:15:23 mail iredapd [policy] stress=
Dec 29 16:15:23 mail iredapd [policy] sasl_method=
Dec 29 16:15:23 mail iredapd [policy] sasl_username=
Dec 29 16:15:23 mail iredapd [policy] sasl_sender=
Dec 29 16:15:23 mail iredapd [policy] ccert_subject=
Dec 29 16:15:23 mail iredapd [policy] ccert_issuer=
Dec 29 16:15:23 mail iredapd [policy] ccert_fingerprint=
Dec 29 16:15:23 mail iredapd [policy] ccert_pubkey_fingerprint=
Dec 29 16:15:23 mail iredapd [policy] encryption_protocol=TLSv1.3
Dec 29 16:15:23 mail iredapd [policy] encryption_cipher=TLS_AES_256_GCM_SHA384
Dec 29 16:15:23 mail iredapd [policy] encryption_keysize=256
Dec 29 16:15:23 mail iredapd [policy] policy_context=
Dec 29 16:15:23 mail iredapd Skip plugin: reject_null_sender (protocol_state != END-OF-MESSAGE)
Dec 29 16:15:23 mail iredapd Skip plugin: wblist_rdns (protocol_state != END-OF-MESSAGE)
Dec 29 16:15:23 mail iredapd Skip plugin: reject_sender_login_mismatch (protocol_state != END-OF-MESSAGE)
Dec 29 16:15:23 mail iredapd Skip plugin: greylisting (protocol_state != END-OF-MESSAGE)
Dec 29 16:15:23 mail iredapd --> Apply plugin: throttle
Dec 29 16:15:23 mail iredapd Check sender throttling.
Dec 29 16:15:23 mail iredapd [LDAP] query target domain of given alias domain:XXXX[LDAP] query filter: (&(objectClass=mailDomain)(accountStatus=active)(domainAli$
Dec 29 16:15:23 mail iredapd result: []
Dec 29 16:15:23 mail iredapd [SQL] Query throttle setting: #012        SELECT id, account, priority, period, max_msgs, max_quota, msg_size#012          FROM throttle#012      $
Dec 29 16:15:23 mail iredapd [SQL] Query result: []
Dec 29 16:15:23 mail iredapd No sender throttle setting.
Dec 29 16:15:23 mail iredapd Check recipient throttling.
Dec 29 16:15:23 mail iredapd [LDAP] query target domain of given alias domain: XXXX[LDAP] query filter: (&(objectClass=mailDomain)(accountStatus=active)(domainAlias$
Dec 29 16:15:23 mail iredapd result: []
Dec 29 16:15:23 mail iredapd [SQL] Query throttle setting: #012        SELECT id, account, priority, period, max_msgs, max_quota, msg_size#012          FROM throttle#012      $
Dec 29 16:15:23 mail iredapd [SQL] Query result: []
Dec 29 16:15:23 mail iredapd No recipient throttle setting.
Dec 29 16:15:23 mail iredapd <-- Result: DUNNO
Dec 29 16:15:23 mail iredapd Skip plugin: ldap_maillist_access_policy (protocol_state != END-OF-MESSAGE)
Dec 29 16:15:23 mail iredapd Skip plugin: amavisd_wblist (protocol_state != END-OF-MESSAGE)
Dec 29 16:15:23 mail iredapd Skip plugin: ldap_force_change_password (protocol_state != END-OF-MESSAGE)
Dec 29 16:15:23 mail iredapd Session ended.
Dec 29 16:15:23 mail iredapd [XXXX] END-OF-MESSAGE, XXXX -> XXXX, DUNNO [recipient_count=1, size=5948, process_time=0.0801s]
Dec 29 16:15:23 mail iredapd [SQL] Insert into smtp_sessions: #012        INSERT INTO smtp_sessions (#012            time, time_num,#012            action, reason, instance,#0$
Dec 29 16:16:16 mail iredapd [policy] request=smtpd_access_policy
Dec 29 16:16:16 mail iredapd [policy] protocol_state=END-OF-MESSAGE
Dec 29 16:16:16 mail iredapd [policy] protocol_name=ESMTP
Dec 29 16:16:16 mail iredapd [policy] client_address=XXX
Dec 29 16:16:16 mail iredapd [policy] client_name=unknown
Dec 29 16:16:16 mail iredapd [policy] client_port=XXXX
Dec 29 16:16:16 mail iredapd [policy] reverse_client_name=unknown
Dec 29 16:16:16 mail iredapd [policy] server_address=XXXX
Dec 29 16:16:16 mail iredapd [policy] server_port=XXX
Dec 29 16:16:16 mail iredapd [policy] helo_name=mailGWXXXX
Dec 29 16:16:16 mail iredapd [policy] sender=XXXX
Dec 29 16:16:16 mail iredapd [policy] recipient=XXXXe
Dec 29 16:16:16 mail iredapd [policy] recipient_count=1
Dec 29 16:16:16 mail iredapd [policy] queue_id=4D4xKr6vTtz2VRDy
Dec 29 16:16:16 mail iredapd [policy] instance=23b.5feb3a30.d3f8a.0
Dec 29 16:16:16 mail iredapd [policy] size=3063
Dec 29 16:16:16 mail iredapd [policy] etrn_domain=
Dec 29 16:16:16 mail iredapd [policy] stress=
Dec 29 16:16:16 mail iredapd [policy] sasl_method=
Dec 29 16:16:16 mail iredapd [policy] sasl_username=
Dec 29 16:16:16 mail iredapd [policy] sasl_sender=
Dec 29 16:16:16 mail iredapd [policy] ccert_subject=
Dec 29 16:16:16 mail iredapd [policy] ccert_issuer=
Dec 29 16:16:16 mail iredapd [policy] ccert_fingerprint=


I hope enough with these windows logs.

iredapd.log has a lot of information. ;)

Arnis

7

Re: Force mail user to change password plugin not working

Seems you have iRedAPD integration enabled in Postfix "smtpd_end_of_data_restrictions", but not "smtpd_recipient_restrictions =" in /etc/postfix/main.cf. Please enable it again and this should fix it.
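The diagnosis above can be read off the debug log mechanically: a plugin that is loaded but skipped in every request, while every request arrives as END-OF-MESSAGE, is never reached. This is an added example, not part of the original thread or of iRedAPD; the log sample is constructed in the format posted above and `audit_plugins` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in the format of the iredapd.log lines posted in this thread.
SAMPLE_LOG = """\
Dec 29 16:15:14 mail iredapd Loading plugin (priority: 60): throttle
Dec 29 16:15:14 mail iredapd Loading plugin (priority: 0): ldap_force_change_password
Dec 29 16:15:23 mail iredapd [policy] protocol_state=END-OF-MESSAGE
Dec 29 16:15:23 mail iredapd --> Apply plugin: throttle
Dec 29 16:15:23 mail iredapd Skip plugin: ldap_force_change_password (protocol_state != END-OF-MESSAGE)
Dec 29 16:16:16 mail iredapd [policy] protocol_state=END-OF-MESSAGE
Dec 29 16:16:16 mail iredapd --> Apply plugin: throttle
Dec 29 16:16:16 mail iredapd Skip plugin: ldap_force_change_password (protocol_state != END-OF-MESSAGE)
"""

PATTERNS = {
    "loaded": re.compile(r"Loading plugin \(priority: \d+\): (\S+)"),
    "applied": re.compile(r"--> Apply plugin: (\S+)"),
    "skipped": re.compile(r"Skip plugin: (\S+)"),
    "state": re.compile(r"\[policy\] protocol_state=(\S+)"),
}

def audit_plugins(log_text):
    """Return (states, never_applied).

    states: Counter of protocol_state values Postfix sent to iRedAPD.
    never_applied: {plugin: skip_count} for loaded plugins that never ran.
    """
    seen = {kind: Counter() for kind in PATTERNS}
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                seen[kind][match.group(1)] += 1
    never_applied = {
        plugin: seen["skipped"][plugin]
        for plugin in seen["loaded"]
        if plugin not in seen["applied"]
    }
    return seen["state"], never_applied

if __name__ == "__main__":
    states, never_applied = audit_plugins(SAMPLE_LOG)
    print("protocol states seen:", dict(states))
    for plugin, skips in never_applied.items():
        print(f"{plugin}: loaded, skipped {skips}x, never applied")
```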

8

Re: Force mail user to change password plugin not working

ZhangHuangbin wrote:

Seems you have iRedAPD integration enabled in Postfix "smtpd_end_of_data_restrictions", but not "smtpd_recipient_restrictions =" in /etc/postfix/main.cf. Please enable it again and this should fix it.

I checked /etc/postfix/main.cf config

I see this config


# Sender restrictions
smtpd_sender_restrictions =
    check_sender_access pcre:/etc/postfix/sender_access.pcre
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
#    check_sender_access pcre:/etc/postfix/sender_access.pcre

# Recipient restrictions
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unlisted_recipient
   # check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_policy_service inet:127.0.0.1:12340


# END-OF-MESSAGE restrictions
smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:7777


Isn't everything already enabled?
Or something needs to be changed in the configuration?

Thanks.

Arnis

9

Re: Force mail user to change password plugin not working

platpirs wrote:

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unlisted_recipient
   # check_policy_service inet:127.0.0.1:7777

Is this a "#" mark? Remove it and restart the postfix service; it will fix this issue.
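A commented-out policy line like the one quoted above disables the password-change enforcement without any error, so it is worth checking for after upgrades or manual edits. The following is an added example, not part of the original thread or of iRedMail: it applies Postfix's main.cf line rules to a constructed sample modelled on the posted excerpt and reports which restriction stages do not call iRedAPD. The function names are hypothetical, and the endpoint is the listener address from the log in this thread.

```python
# Constructed sample modelled on the main.cf excerpt posted in this thread.
MAIN_CF = """\
# Recipient restrictions
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unlisted_recipient
   # check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    reject_unauth_destination
    check_policy_service inet:127.0.0.1:12340

# END-OF-MESSAGE restrictions
smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:7777
"""

IREDAPD = "inet:127.0.0.1:7777"  # iRedAPD listener, as shown in the thread's log
STAGES = ("smtpd_recipient_restrictions", "smtpd_end_of_data_restrictions")

def parse_main_cf(text):
    """Parse main.cf text into {parameter: value} using Postfix's line rules."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored, even mid-parameter
        if raw[0].isspace():
            if name is not None:
                params[name] += " " + raw.strip()  # indented line continues the value
        else:
            name, _, value = raw.partition("=")
            name = name.strip()
            params[name] = value.strip()  # a later definition replaces an earlier one
    return params

def policy_services(value):
    """List the endpoints that follow check_policy_service in a restriction list."""
    tokens = value.replace(",", " ").split()
    return [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "check_policy_service"]

def stages_missing_policy(text, endpoint=IREDAPD):
    """Return the restriction stages in which the endpoint is not called."""
    params = parse_main_cf(text)
    return [s for s in STAGES if endpoint not in policy_services(params.get(s, ""))]

if __name__ == "__main__":
    print("iRedAPD not called in:", stages_missing_policy(MAIN_CF))
```

On a live server, `postconf smtpd_recipient_restrictions` prints the effective value Postfix uses, which can be passed to `policy_services` directly.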

10

Re: Force mail user to change password plugin not working

OK.
Thanks.


Arnis