Topic: Plugin sql_force_change_password Not Enforcing
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version: 1.4.0 PGSQL edition.
- Deployed with downloadable installer
- Linux/BSD distribution name and version: Rocky Linux 8.4
- Store mail accounts in which backend: PSQL
- Web server: NGINX
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Greetings,
I'm having some issues with enforcing password changes. I have the plugin enabled in /opt/ired/apd/settings.py:
====
# Log level: info, debug.
log_level = "debug"
...
plugins = ["reject_null_sender", "wblist_rdns", "reject_sender_login_mismatch", "greylisting", "throttle", "amavisd_wblist", "sql_alias_access_policy", "sql_force_change_password",]
...
# Force to change password in certain days.
CHANGE_PASSWORD_DAYS = 10
# Number set low for testing/debugging
# Reject reason.
# It's recommended to add URL of the web applications which user can login
# to change password in this message. e.g. Roundcube webmail, iRedAdmin-Pro.
CHANGE_PASSWORD_MESSAGE = 'Password expired or never changed, please change your password in webmail before sending email'
# Allow certain users or domains to never change password.
# sample values: ['user@example.com', 'domain.com']
CHANGE_PASSWORD_NEVER_EXPIRE_USERS = []====
I manually set the passwordlastchanged value for this account to Jan of last year. in the database For some reason, the policy is not being enforced on outbound emails (relevant part of iredapd log):
====
Aug 21 16:04:39 mx journal[7370]: iredapd SQL query result: None
Aug 21 16:04:39 mx journal[7370]: iredapd <-- Result: DUNNO
Aug 21 16:04:39 mx journal[7370]: iredapd --> Apply plugin: sql_force_change_password
Aug 21 16:04:39 mx journal[7370]: iredapd SQL to get mailbox.passwordlastchange of sender (XXXX@XXXXXXX.org): SELECT passwordlastchange FROM mailbox WHERE username='XXXX@XXXXXXX.org' LIMIT 1
Aug 21 16:04:39 mx journal[7370]: iredapd Returned SQL Record: (datetime.datetime(2020, 1, 16, 20, 20, 24),)
Aug 21 16:04:39 mx journal[7370]: iredapd Date of password last change: 2020-01-16 20:20:24
Aug 21 16:04:39 mx journal[7370]: iredapd Sender didn't change password in last 10 days.
Aug 21 16:04:39 mx journal[7370]: iredapd <-- Result: None
Aug 21 16:04:39 mx journal[7370]: iredapd Unexpected error: AttributeError("'NoneType' object has no attribute 'startswith'",). Fallback to default action: DUNNO
Aug 21 16:04:39 mx journal[7370]: iredapd Session ended.====
Suspect an issue with the python script but not sure how to work through that, as it's not clear where the error is being thrown.
Here's the config in my /etc/postfix/main.cf (unchanged since install) for reference:
====
# Sender restrictions
smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unlisted_sender
permit_mynetworks
permit_sasl_authenticated
check_sender_access pcre:/etc/postfix/sender_access.pcre
reject_unknown_sender_domain
# Recipient restrictions
smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_unlisted_recipient
check_policy_service inet:127.0.0.1:7777
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service inet:127.0.0.1:12340
# END-OF-MESSAGE restrictions
smtpd_end_of_data_restrictions =
check_policy_service inet:127.0.0.1:7777====
Help/advice appreciated. Everything seems to be configured correctly, it's just not functioning.
----
Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.
