user forgot password or password lost

Discussion in 'Installation/Configuration' started by Sergio Cesar, May 19, 2018.

  1. Sergio Cesar

    Sergio Cesar Member

    How can my users recover a lost or forgotten email password?
    I try from the ispconfig 3 login screen using the email address again as the user name and I get this:
    The lost password function is not available for this user.
    What exactly would one enter as user name? Or email address? It would not work to send an email with a recovery link to the same address they cannot log in to, and it is a security risk to send it to any other email address that is not preset.
    I have tried the old forgot_password plugin from roundcube, but it did not work.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess you mix up user passwords with email addresses here as ispconfig client logins are not related to roundcube. The password reset function is for the ispconfig client password, you enter the username of the client here and his email address, the one from client settings, if both match, then he will receive a password reset request.
     
  3. Sergio Cesar

    Sergio Cesar Member

    Perhaps I have mixed it up. If the password reset function is for the ispconfig user and not email, the question still persists.
    How can my users recover a lost or forgotten email password?
    I am evaluating the possibility to move all my customers to ispconfig, some 1000 or so, and the most common request is "How do I reset the password". If I don't provide a forgot password link somewhere I will do nothing but reset forgetful people's passwords.
     
  4. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    unless the client can register email accounts only, he can reset the passwords as he wishes.
    if a user needs a password for his email account from the client, you need to hack an association for yourself and auth as client via api to change the password for one of the client's email accounts.
    if the client needs his password to login on ISPConfig to change his email account password where he gets his password recovery on,
    you might want to write a solution like described before but using the customer's paypal email address, if any, or (optional additional field or abusing the outdated icq field) force clients to enter an external email address for these cases which is then to be used.
     
  5. Sergio Cesar

    Sergio Cesar Member

    In short.... There is no way for a user to recover a lost or forgotten password unless I hack ispconfig script and write my own?
    I am very surprised that no one ever asked for such common and very necessary feature.
    The only problem in hacking to fit my needs is that potentially with every ispconfig update or new version I may have to hack it again, and under the gun with users screaming they can't use the feature. :oops:

    Many thanks for the info and ideas. will continue digging here.
     
  6. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    hmm no, you don't need to edit ISPConfig in any way. You can use the API.

    and my term of user in the above reply was: "a site visitor on the hosted pages of one of your customers".
    I don't see where your issue is, really?
     
  7. Sergio Cesar

    Sergio Cesar Member

    My issue is simple. It is a must to provide a way for an email user to recover or reset their email password automatically without admin help.
    One can change passwords via roundcube, but there is no "forgot password link" in the main roundcube page, and the plugin available for roundcube that does that does not work on ispconfig.
    You suggest hacking to add the way to do that. Unfortunately this is not something I am able to do and maintain.
     
  8. nhybgtvfr

    nhybgtvfr Active Member

    if someone wants their email password reset, they either have an ispconfig login, in which case they can login and change/reset the password themselves anyway.
    or they're part of a company/group and their email admin at their company should have an ispconfig login, and they would ask them to do it for them.
    if they're an individual, and they've used the same domain for their ispconfig account email address as they have configured as their mail domain within ispconfig, then they (and you) have a problem, they should always have an external email address for their ispconfig account, otherwise how do you send them any domain expired/in redemption notices, or invoices, etc if their domain/account expires/gets suspended.
     
  9. Sergio Cesar

    Sergio Cesar Member

    If they can't remember their password, what is the chance they will remember the ispconfig login and password? That does not work too well and I end up getting calls to reset passwords. Not practical from the admin point of view, besides the need to enter each email user as an ispconfig user.
    That they have an alternate email address is a must; that is what the Roundcube forgot_password plugin does and it works great. The user has control of their alternate address like yahoo or gmail; they request a reset link, and it can be set up to send the actual password token. I have implemented it on another system and my reset pw calls are zero, thus the suggestion here.
     
  10. swehes

    swehes New Member

    Were you able to figure this problem out? I'm in the same situation where I will sell emails to customers with a specific domain. They won't have access to the ISPConfig, so I need a Forgot Password link.
     
  11. Sergio Cesar

    Sergio Cesar Member

    Nope, I'm a bit disappointed that there is not a fix for it yet. I just stopped using ispconfig for email.
    I can see it would not be a trivial issue, as a "Forgot password link" would entail sending a reset link or token somewhere already pre-configured or preset, like another email address or a text to a phone.
    Perhaps this could be implemented together with a 2FA authentication such as a login authentication like the big boys are doing, sending a text to a phone.
    Roundcube has "password" and "Forgot password" plugins that I use on an iredmail server; if one could get them working on ispconfig it would put a band-aid on the need here.
     
  12. nhybgtvfr

    nhybgtvfr Active Member

    as far as I can see the forgot password plugin hasn't been updated for 9 years, and the password plugin, whilst it has configs for various panels, doesn't have one for ispconfig. I'm not sure it will work, or be easy to change.

    there is an ispconfig password plugin for roundcube, which should already be installed if you're using roundcube with ispconfig. I would guess modifying this and using it as another plugin would be the quickest method to get a password reset function working.
    that would still need the roundcube or ispconfig databases to be changed though, at the very least you'd need another field for the recovery email address, and I guess one to store the reset id to check against the entered url. if roundcube only uses 1 database that's probably the easiest one to use, if roundcube is installed on multiple servers, all using a local database instance then it's probably easiest to modify the master ispconfig database. although you'd need to check that with Till, to make sure those changes don't hurt anything else, and can be replicated to ispconfig slaves if necessary.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Use the ISPConfig remote API if you want to modify the password of an email account. Do not modify it directly in the database.
     
  14. nhybgtvfr

    nhybgtvfr Active Member

    @till, I'm not sure if that response is aimed at me, or a previous reply.
    yes, the password modification should definitely be done using the api, but there's still going to need to be new database fields required somewhere, whether that's in the ispconfig database, the roundcube database or a new database, as at a minimum a recovery email address, and some time limited reset key/id is going to need to be stored.
    my suggestion for using the roundcube ispconfig password plugin as the basis for a password reset plugin was that most of the required api code/functionality already exists.
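
A sketch of the reset-key handling discussed in posts #12 to #14, added here as an illustration and not part of the thread or of ISPConfig or Roundcube code. The `mail_recovery` table, the 15-minute lifetime, the function names and the `set_password` callback (standing in for a call to the ISPConfig remote API) are all assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed value)

def open_store():
    # Hypothetical side table holding the extra fields: recovery address + reset key.
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE mail_recovery (
        mailbox TEXT PRIMARY KEY, recovery_email TEXT NOT NULL,
        token_hash TEXT, expires_at INTEGER)""")
    return db

def _digest(token):
    # Only the hash is stored, so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset(db, mailbox, recovery_email, now=None):
    """Return a token to mail to the preset recovery address, or None."""
    now = int(time.time()) if now is None else now
    row = db.execute("SELECT recovery_email FROM mail_recovery WHERE mailbox=?",
                     (mailbox,)).fetchone()
    # The caller should show the same response whether or not this matched.
    if row is None or not hmac.compare_digest(
            row[0].lower().encode(), recovery_email.lower().encode()):
        return None
    token = secrets.token_urlsafe(32)
    db.execute("UPDATE mail_recovery SET token_hash=?, expires_at=? WHERE mailbox=?",
               (_digest(token), now + TOKEN_TTL, mailbox))
    return token

def redeem(db, mailbox, token, new_password, set_password, now=None):
    """Check the token, burn it, then change the password through set_password."""
    now = int(time.time()) if now is None else now
    row = db.execute("SELECT token_hash, expires_at FROM mail_recovery WHERE mailbox=?",
                     (mailbox,)).fetchone()
    if row is None or row[0] is None:
        return False
    if not hmac.compare_digest(row[0], _digest(token)) or now >= row[1]:
        return False
    # Single use: clear the stored key before the password change.
    db.execute("UPDATE mail_recovery SET token_hash=NULL, expires_at=NULL WHERE mailbox=?",
               (mailbox,))
    # set_password is a hypothetical wrapper around the ISPConfig remote API call;
    # it must not write to the mail database directly.
    set_password(mailbox, new_password)
    return True
```

The token is only ever sent to the address already on record, never to one supplied in the reset request.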
     
  15. Sergio Cesar

    Sergio Cesar Member

    I see a password plugin for roundcube, but no place within roundcube to change or click to go change the password. How do I check if the plugin is enabled? I do see configuration files that look to be OK in the "/var/lib/roundcube/plugins/password" folder but can't really say.
    Till says "Do not modify it directly in the database." so we are left with us supporting every call from every customer that "forgot their password", not scalable or really doable.

    Don't want to step on anyone's foot here, but what concerns me is that this issue has been there for many years without a solution, leading me to ask the question if ispconfig3 is actively being supported? So many updates and upgrades out there on the OS side that I am afraid I will be stuck with a lot of customers on servers that will break if we update things. This actually happened once when I tried to move from ubuntu 16.04 to 18.04, which forced me to make a new install and move all customers from the old servers to the new one. And now 20.04 is about to take off.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Your assumption is nowhere related to what I said. I just said that you should not change passwords in the database directly as this would not work on multiserver systems and results in inconsistencies. Instead of that, use the API to change the password.

    And again, your assumption that ISPConfig might not be supported is completely off-topic and it's dead easy to prove you wrong, simply look at the issue tracker where you can see commits regularly https://git.ispconfig.org/ispconfig/ispconfig3/-/commits/stable-3.1 and in the ISPConfig blog, where you can see that updates are released regularly. That a feature that is not required by most users and not required by anyone who develops ISPConfig has not been implemented is no indication. Most users do not require it as there is a password reset function on the client level and the client is the person that manages the passwords for the email users of his domain, not the ISP, so the ISP support is not contacted for that.

    Then you must have done something wrong during updates, as OS upgrades on Debian and Ubuntu are no problem at all. Maybe you should consider contacting Florian from ISPConfig business support to do the next update for you.
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    And as a side note, if you run a business with so many accounts and you need a feature for your business in an open-source software, why don't you simply hire a developer, implement that feature and submit it to our git server so it becomes part of the ispconfig sources? That way you don't have any issue with updates that you were afraid of in post #5. Or just use the API as I suggested to reset it from RoundCube or whatever email user login you provide for your clients.
     
