iRedMail configures Roundcube webmail to store last password change date while
user changed password. For MySQL/MariaDB/PostgreSQL backends, it's stored in
mailbox.passwordlastchange. For LDAP backends,
it's stored in LDAP attribute
shadowLastChange of user account. If user
didn't change password before, or user account is newly created, the password
last change date will be set to
iRedAPD has plugin to force mail users to change password before sending email:
sql_force_change_password_in_days: for SQL backends (MySQL, MariaDB and PostgreSQL).
ldap_force_change_password_in_days: for LDAP backends (OpenLDAP and OpenBSD built-in LDAP server
When user trying to send an email, iRedAPD will invoke this plugin to check password last change date stored in SQL/LDAP and compare it with current date. if password last change date is longer than specified days, this plugin rejects smtp session with specified message.
To enable this plugin, please list the plugin name in iRedAPD config file
plugins =. For example:
# For SQL backends plugins = [..., 'sql_force_change_password_in_days'] # For LDAP backends: plugins = [..., 'ldap_force_change_password_in_days']
There're two optional settings you can set in
# User has to change password in certain days. Default is 90 days. CHANGE_PASSWORD_DAYS = 90 # MTA will reject user's smtp session with below message. You'd better describe # why user's email was rejected and guide user to change password. CHANGE_PASSWORD_MESSAGE = 'Please change your password in webmail before sending email: https://xxx/webmail/'
Then restart iRedAPD service.
There's a third-party Roundcube plugin can force user to change password. https://bitbucket.org/wainlake/force_password_change
Roundcube will ALWAYS redirect user to
Password page (offered by official
Roundcube plugin password) until user changed the password.