From cfe08d14f53b88e27392b8dca22fc162c5a704bc Mon Sep 17 00:00:00 2001
From: David Goodwin
Date: Fri, 29 Jan 2021 21:14:35 +0000
Subject: [PATCH] rename / merge shell script
---
DOCUMENTS/Password_Expiration.md | 93 ++++++++++++++++++++++++++++
DOCUMENTS/README.password_expiration | 48 --------------
check_mailpass_expiration.sh | 20 ------
3 files changed, 93 insertions(+), 68 deletions(-)
create mode 100644 DOCUMENTS/Password_Expiration.md
delete mode 100644 DOCUMENTS/README.password_expiration
delete mode 100644 check_mailpass_expiration.sh
diff --git a/DOCUMENTS/Password_Expiration.md b/DOCUMENTS/Password_Expiration.md
new file mode 100644
index 00000000..2008d0c1
--- /dev/null
+++ b/DOCUMENTS/Password_Expiration.md
@@ -0,0 +1,93 @@
+# Description
+
+This extension adds support for password expiration.
+It is designed to have expiration on users passwords. An email is sent when the password is expiring in 30 days, then 14 days, then 7 days.
+It is strongly inspired by https://abridge2devnull.com/posts/2014/09/29/dovecot-user-password-expiration-notifications-updated-4122015/, and adapted to fit with Postfix Admin & Roundcube's password plugin
+
+Expiration unit is day
+
+Expiration value for domain is set through Postfix Admin GUI
+
+# Installation
+
+Password Expiration is merged with PostfixAdmin - so no additional database changes should be necessary.
+
+
+## Database Fields
+
+ * mailbox.password_expiry - timestamp, when the mailbox password expires.
+ * domain.password_expiry - default duration for when a password will expire
+
+Changes in MySQL/MariaDB mailbox table (as defined in `$CONF['database_tables']` from config.inc.php):
+
+## Changes in Postfix Admin :
+
+To enable password expiration, add the following to your config.inc.php file:
+
+`$CONF['password_expiration'] = 'YES';`
+
+## RoundCube Password Plugin
+
+If you are using Roundcube's password plugin, you should also adapt the `$config['password_query']` value.
+
+I recommend to use:
+
+`$config['password_query'] = 'UPDATE mailbox SET password=%c, modified = now(), password_expiry = now() + interval 90 day';`
+
+of course, you may adapt to the expiration value to suit.
+
+
+## Changes in Dovecot (adapt if you use another LDA)
+
+Edit dovecot-mysql.conf file, and replace the user_query (and only this one) to be based on this query:
+
+```
+password_query = SELECT username as user, password, concat('/var/vmail/', maildir) as userdb_var, concat('maildir:/var/vmail/', maildir) as userdb_mail, 20001 as userdb_uid, 20001 as userdb_gid, m.domain FROM mailbox m, domain d where d.domain = m.domain and m.username = '%u' AND m.active = '1' AND (m.password_expiry > now() or d.password_expiry = 0)
+```
+
+
+Of course, you may require to adapt the uid, gid, maildir and table to your setup.
+
+
+## Changes in system
+
+You need to have a script running on a daily basis to check password expiration and send emails 30, 14 and 7 days before password expiration. An example is given below.
+
+Edit the script to adapt the variables to your setup.
+
+This script is using `postfixadmin.my.cnf` to read credentials, which might look a bit like :
+
+```ini
+[client]
+user = me
+password = secret
+host = hostname
+```
+
+Edit this file to enter a DB user that is allowed to access (read-write) your database. This file should be protected from any user (chmod 400).
+
+### Expiration Script
+
+```bash
+#!/bin/bash
+
+#Adapt to your setup
+
+POSTFIX_DB="postfixadmin"
+MYSQL_CREDENTIALS_FILE="postfixadmin.my.cnf"
+
+REPLY_ADDRESS=noreply@example.com
+
+# Change this list to change notification times and when ...
+for INTERVAL in 30 14 7
+do
+ LOWER=$(( $INTERVAL - 1 ))
+
+ QUERY="SELECT username,password_expiry FROM mailbox WHERE password_expiry > now() + interval $LOWER DAY AND password_expiry < NOW() + interval $INTERVAL DAY"
+
+ mysql --defaults-extra-file="$MYSQL_CREDENTIALS_FILE" "$POSTFIX_DB" -B -e "$QUERY" | while read -a RESULT ; do
+ echo -e "Dear User, \n Your password will expire on ${RESULT[1]}" | mail -s "Password 30 days before expiration notication" -r $REPLY_ADDRESS ${RESULT[0]}
+ done
+done
+
+```
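Review bot: The recommended Roundcube `password_query` under "RoundCube Password Plugin" has no `WHERE` clause, so as written the UPDATE applies to every row of `mailbox` rather than only the account that is changing its password. The documented example should be scoped to the user, e.g. `... password_expiry = now() + interval 90 day WHERE username=%u` (`%u` is the plugin's username macro). In the embedded expiration script the `mail` subject is fixed at "30 days" for all three intervals and `$REPLY_ADDRESS` / `${RESULT[0]}` are passed unquoted; `-s "Password expires in $INTERVAL days" -r "$REPLY_ADDRESS" "${RESULT[0]}"` addresses both. The Dovecot section's prose also tells the reader to replace `user_query` while the snippet sets `password_query`, so the text should name the setting that is actually shown.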
diff --git a/DOCUMENTS/README.password_expiration b/DOCUMENTS/README.password_expiration
deleted file mode 100644
index 0f38174e..00000000
--- a/DOCUMENTS/README.password_expiration
+++ /dev/null
@@ -1,48 +0,0 @@
-*Description
-
-This extension adds support for password expiration.
-It is designed to have expiration on users passwords. An email is sent when the password is expiring in 30 days, then 14 days, then 7 days.
-It is strongly inspired by https://abridge2devnull.com/posts/2014/09/29/dovecot-user-password-expiration-notifications-updated-4122015/, and adapted to fit with Postfix Admin & Roundcube's password plugin
-Expiration unit is day
-Expiration value for domain is set through Postfix Admin GUI
-
-*Installation
-
-Perform the following changes:
-
-**Changes in MySQL/MariaDB mailbox table (as defined in $CONF['database_tables'] from config.inc.php):
-
-You are invited to backup your DB first, and ensure the table name is correct.
-
-Execute the attached SQL script (password_expiration.sql) that will add the required columns. The expiration value for existing users will be set to 90 days. If you want a different value, edit line 2 in the script and replace 90 by the required value.
-
-**Changes in Postfix Admin :
-
-To enable password expiration, add the following to your config.inc.php file:
-$CONF['password_expiration'] = 'YES';
-
-All my tests are performed using $CONF['encrypt'] = 'md5crypt';
-
-**If you are using Roundcube's password plugin, you should also adapt the $config['password_query'] value.
-
-I recommend to use:
-
-$config['password_query'] = 'UPDATE mailbox SET password=%c, modified = now(), password_expiry = now() + interval 90 day';
-
-of cource you may adapt to the expected expiration value
-
-All my tests are performed using $config['password_algorithm'] = 'md5-crypt';
-
-**Changes in Dovecot (adapt if you use another LDA)
-
-Edit dovecot-mysql.conf file, and replace the user_query (and only this one) by this query:
-
-password_query = SELECT username as user, password, concat('/var/vmail/', maildir) as userdb_var, concat('maildir:/var/vmail/', maildir) as userdb_mail, 20001 as userdb_uid, 20001 as userdb_gid, m.domain FROM mailbox m, domain d where d.domain = m.domain and m.username = '%u' AND m.active = '1' AND (m.password_expiry > now() or d.password_expiry = 0)
-
-Of course you may require to adapt the uid, gid, maildir and table to your setup
-
-**Changes in system
-
-You need to have a script running on a daily basis to check password expiration and send emails 30, 14 and 7 days before password expiration (script attached: check_mailpass_expiration.sh).
-Edit the script to adapt the variables to your setup.
-This script is using postfixadmin.my.cnf to read credentials. Edit this file to enter a DB user that is allowed to access (read-write) your database. This file should be protected from any user (chmod 400).
diff --git a/check_mailpass_expiration.sh b/check_mailpass_expiration.sh
deleted file mode 100644
index a7b33728..00000000
--- a/check_mailpass_expiration.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-#Adapt to your setup
-
-POSTFIX_DB="postfix_test"
-MYSQL_CREDENTIALS_FILE="postfixadmin.my.cnf"
-
-REPLY_ADDRESS=noreply@example.com
-
-# Change this list to change notification times and when ...
-for INTERVAL in 30 14 7
-do
- LOWER=$(( $INTERVAL - 1 ))
-
- QUERY="SELECT username,password_expiry FROM mailbox WHERE password_expiry > now() + interval $LOWER DAY AND password_expiry < NOW() + interval $INTERVAL DAY"
-
- mysql --defaults-extra-file="$MYSQL_CREDENTIALS_FILE" "$POSTFIX_DB" -B -e "$QUERY" | while read -a RESULT ; do
- echo -e "Dear User, \n Your password will expire on ${RESULT[1]}" | mail -s "Password 30 days before expiration notication" -r $REPLY_ADDRESS ${RESULT[0]}
- done
-
-done