Roundcube/Plugin/password

Aus Foxwiki
Version vom 27. August 2023, 12:46 Uhr von Dirkwagner (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „== Password == * Plugin name: ''password'' This is shipped with Roundcube, so it doesn't need to be installed. You can use either <code>vpopmaild</code> or <code>sql</code> driver (thanks to John D. Trolinger). This plugin provides some driver to enforce the password strenght and I tryied <code>zxcvbn</code> with no success. Fortunately Tony Fung explained in a comment how to patch the plugin to use <code>cracklib</code> as a password strenght library.…“)
(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)

Password

  • Plugin name: password

This is shipped with Roundcube, so it doesn't need to be installed. You can use either vpopmaild or sql driver (thanks to John D. Trolinger).

This plugin provides some driver to enforce the password strenght and I tryied zxcvbn with no success. Fortunately Tony Fung explained in a comment how to patch the plugin to use cracklib as a password strenght library. If you want to use this approach read below.

Choosing the vpopmaild driver

# cd plugins/password
# cp -p config.inc.php.dist config.inc.php
# nano config.inc.php

$config['password_driver'] = 'vpopmaild';

// Determine whether current password is required to change password.
// Default: false.
$config['password_confirm_current'] = true;

// vpopmaild Driver options
// -----------------------
// The host which changes the password
$config['password_vpopmaild_host'] = '<mail-server-IP>';

// TCP port used for vpopmaild connections
$config['password_vpopmaild_port'] = 89;

Remember to replace <mail-server-IP> with the IP address of your MTA (generally localhost).

Choosing the sql driver

// We have MYSQL for our VPOPMAIL DATABASE so we use the sql driver
$config['password_driver'] = 'sql';

// Determine whether current password is required to change password.
// Default: false.
$config['password_confirm_current'] = true;

// SQL Driver options
// ------------------
// PEAR database DSN for performing the query. By default
// Roundcube DB settings are used.
// We have a VPOPMAIL DB  and the database and table name is vpopmail
$config['password_db_dsn'] =
'mysql://vpopmail:YOURPASSWORDGOESHERE@<mysql-IP>/vpopmail';

// The username and domainname are different columns JDT
$config['password_query'] = 'UPDATE vpopmail set
pw_passwd=ENCRYPT(%p,concat("$1$",right(md5(rand()),8 ),"$")),
  pw_clear_passwd=%p where pw_name=%l and pw_domain=%d';

// VPOPMAIL uses salted hash so md5 JDT
$config['password_crypt_hash'] = 'md5';

Here <mysql-IP> is the IP address of your sql server (put localhost if qmail and sql servers share the same IP).

Cracklib patch

You may want to patch the plugin to gain cracklib's security benefits (thanks to Tony Fung for the patch), so that both roundcube and qmailadmin share the same password check system:

cd /var/www/roundcube
wget https://notes.sagredo.eu/files/qmail/patches/roundcube/cracklib-roundcube_pwd_plugin.patch
patch -p1 < cracklib-roundcube_pwd_plugin.patch

Be aware that the cracklib library must be installed as already explained in the qmailadmin's page. You also have to remove exec from disable_functions in your php.ini.