changing email password for users

[Ovidiu]

anyone able or interested in making a how-to using this plugin: http://squirrelmail.org/plugin_view.php?id=25 for squirrelmail?

seeing squirrelmail comes recommended with ispcfg3 it would be great if users could change their email passwords.

what about the big players here? how do you solve this for your email users?

my few users are upset about not being able to change their passwords :-(

[till]

On most systems the owner of the website (client) manages the passwords for his email accounts and not the email user itself.

[Ovidiu]

ok, I understand that point of view, but still if someone has a couple of minutes, maybe he can check the config file of this plugin?

shouldn't be that hard if one knows where/how passwords are stored for virtualusers

http://pastebin.com/f135629b1

[BorderAmigos]

They are stored (in my case) in the database 'dbispconfig', table 'mail_user', column 'password'. But they are hashed to some obscure value. I have many names accounts that use the same password but in the database they show differently.

[till]

Quote:

Originally Posted by BorderAmigos

They are stored (in my case) in the database 'dbispconfig', table 'mail_user', column 'password'. But they are hashed to some obscure value. I have many names accounts that use the same password but in the database they show differently.

The passwords are encrypted with the default linux encryption and thats not obscure at all. It is a crypt md5 encryption with salt, so the hash is always different to prevent dictionary attacks. Its the same encryption that linux uses for passwprds in the /etc/shadow file.

[BorderAmigos]

All encryption is obscure to someone who knows nothing about encryption , but I've been studying it since the first post and am catching up. Is the 'salt' from ISPConfig or from elsewhere in the Linux system? (sasl?) I'm still studying that part.

edit: (Directly changing the database may mess things up, I'm just experimenting).

For the password to store in the above mentioned database it seems you would choose your PASSWORD and an 8 character salt value SALTSALT then

Code:

$password = '$1$SALTSALT$'.crypt('PASSWORD','$1$SALTSALT$');

or something similar.

What I'm curious about is if then using some php code to change the password in the database, will that automatically be read by ISPConfig, PostFix, Courier, et cetera? Or will it have to wait on a cron job or need some sort of restart or trigger before it goes into effect?

[till]

The salt is a random 8 character value, it should be different for every password.

Quote:

What I'm curious about is if then using some php code to change the password in the database, will that automatically be read by ISPConfig, PostFix, Courier, et cetera? Or will it have to wait on a cron job or need some sort of restart or trigger before it goes into effect?

For courier and smtp and ispconfig it is enough to chnage it in the database. If ispconfig will support other configurations which may need to change config files then it will not be enough to change only the db, in that case also a record will have to be written to the sys_datalog to start the server side processing of the changes.

[freeeeeedy]

for squirrelmail + change_sqlpass
you may need to change these in config.php

$password_encryption = 'PHPCRYPT';
$csp_salt_query = 'SELECT CONCAT(\'$1$\', SUBSTRING(SUBSTRING( PASSWORD , (LENGTH( SUBSTRING_INDEX( PASSWORD , \'$\', 2 ) ) +2 )) FROM 1 FOR 8)) FROM mail_user WHERE email = "%1"';

and remark this
//$csp_salt_static = '';

Hope this help

[klonos]

Does it???

[freeeeeedy]

I think this is a Squirrelmail + change_sqlpass issue

it doesn't related to ISPConfig