1 (edited by craig 2018-12-07 16:32:56)

Topic: Password length not being enforced

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: CentOS 7.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL (MariaDB)
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?: Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi Zhang,

It's unclear to me from https://docs.iredmail.org/iredadmin-pro … olicy.html which "settings.py" file I should edit to set minimum and maximum password lengths. This is what I have on my system:

[08:14:31 root@server ~]# grep passwd_length /var/www/iRedAdmin-0.9/settings.py
#   - min_passwd_length: 0 means unlimited, but at least 1 character
#   - max_passwd_length: 0 means unlimited.
min_passwd_length = 8
max_passwd_length = 0
[08:15:41 root@server ~]# grep passwd_length /var/www/iRedAdmin-Pro-SQL-2.9.0/settings.py
#   - min_passwd_length: 0 means unlimited, but at least 1 character
#   - max_passwd_length: 0 means unlimited.
min_passwd_length = 12
max_passwd_length = 0
[08:15:45 root@server ~]#

In iRedAdmin-Pro I set up every new domain as follows under "Advanced" settings for the domain:

* Minimum password length: 12
* Maximum password length: 0

However, any user can change the minimum password length to 4, for example, defeating the purpose of setting a server-wide minimum!

Also, when I try to change the maximum to 0 (for unlimited), when I click "Save changes" the page reloads with the same old value in the box.

What am I doing wrong? Which "settings.py" file should I be using? And why are the settings in "settings.py" not working?

Before writing this post I ran

systemctl restart uwsgi

to make sure everything was properly set.


Craig
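
One way a server-wide floor like the one expected in the post above could be enforced, shown as an added example that is not part of the original post and is not iRedAdmin-Pro code. The function names are hypothetical; the only things taken from the page are the `0` means unlimited semantics and the 12/0 and 4/0 values.

```python
# Added illustration, not iRedAdmin-Pro code; all function names are hypothetical.
UNLIMITED = 0  # per the settings.py comments quoted above, 0 means unlimited


def effective_policy(global_min, global_max, domain_min, domain_max):
    """Merge server-wide and per-domain limits; a domain may only tighten them."""
    # A minimum of 0 still requires at least 1 character.
    eff_min = max(global_min, domain_min, 1)
    # 0 means "no maximum", so it must not win a plain min() comparison.
    finite = [m for m in (global_max, domain_max) if m != UNLIMITED]
    eff_max = min(finite) if finite else UNLIMITED
    if eff_max != UNLIMITED and eff_max < eff_min:
        raise ValueError("maximum length is below the effective minimum")
    return eff_min, eff_max


def validate_domain_change(global_min, global_max, new_min, new_max):
    """Return a list of reasons to reject a submitted per-domain setting."""
    for value in (new_min, new_max):
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            return ["lengths must be non-negative integers"]
    errors = []
    if new_min < global_min:
        errors.append(f"minimum {new_min} is below the server-wide minimum {global_min}")
    if global_max != UNLIMITED and (new_max == UNLIMITED or new_max > global_max):
        errors.append(f"maximum must be between 1 and {global_max}")
    if new_max != UNLIMITED and new_max < max(new_min, global_min, 1):
        errors.append("maximum is below the minimum")
    return errors


def password_allowed(password, eff_min, eff_max):
    """Check a candidate password against the merged policy."""
    n = len(password)
    return n >= eff_min and (eff_max == UNLIMITED or n <= eff_max)


if __name__ == "__main__":
    # Constructed values matching the thread: server-wide 12/0, domain form 4/0.
    print(validate_domain_change(12, 0, 4, 0))
    print(effective_policy(12, 0, 4, 0))
    print(password_allowed("abcd", *effective_policy(12, 0, 4, 0)))
```

Applying the merge at password-change time as well as at settings-save time means a weakened per-domain value that is already stored still cannot lower the effective minimum.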

2

Re: Password length not being enforced

As an ordinary user I even tried setting the minimum password length to 1, and it works! Scary!

3

Re: Password length not being enforced

Did you change the password in iRedAdmin-Pro self-service or in Roundcube/SOGo? They are not related; iRedAdmin-Pro settings do not affect Roundcube and SOGo.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

4

Re: Password length not being enforced

I am only referring to what I (the postmaster) and ordinary users can do in iRedAdmin-Pro.

5

Re: Password length not being enforced

I will try to reproduce it locally and come back to you later.


6

Re: Password length not being enforced

Unfortunately, I cannot reproduce this issue locally.
Is it possible to give me direct SSH access with root privileges? Contact me: zhb _at_ iredmail _dot_ org
