On Sat, Apr 25, 2009 at 5:32 PM, Paul Lesniewski <paul@xxxxxxxxxxxxxxxx> wrote:
as I have mail server in DMZ, no one can telnet & change password
Can you please *reply* and not forward?
sorry for forwards
>>> I am using squirrelmail as default web mail.
>>> Looking for squirrel alphanumeric password.
>>>
>>> As of now my users keep simple words as their mail password.
>>> Kindly suggest appropriate plugin for the same.
>>>
>>> forgot to mention.
>>> I am using qmail & poppassd for squirrel password change.
>>
>> Some password change plugins allow you to put these restrictions in
>> place. poppassd relies on the system itself to do this, which should
>> be sufficient. So it's not a SquirrelMail issue. Try using the
>> passwd command on the command line - change your password to some
>> simple dictionary word and if it lets you without complaining, then
>> you need to consult your system documentation to find out why it is so
>> poorly configured.
>
> thanks for the reply.
> I understand this is not squirrel's job to prevent users from entering easy
> passwords.
> As I could not find better password change service for qmail I modified
> existing plugin.
You used code from a very out of date code branch. If you use 1.5.x
code, use 1.5.2 (which at some point will have some of these kinds of
checks added to it).
You still don't understand, however, the point that if you run the
poppassd service and it is not verifying password integrity, your
users can simply telnet to it and give themselves a weak password.
as I have mail server in DMZ, no one can telnet & change password
That is, your system is poorly configured and this is a security
weakness. You should fix that and then SquirrelMail wouldn't need to
be touched.
As I mentioned, I could not found better way to get complex password at the backend.
thus preferred to modify squirrel plugin.
Reason I put this on blog / mailing list is to share.
thus preferred to modify squirrel plugin.
Reason I put this on blog / mailing list is to share.
> http://www.linuxreaders.com/2009/04/25/squirrelmail-with-strong-password/
--
Regards
Dhaval Thakar
http://www.linuxreaders.com/
http://www.jigishthakar.com/
------------------------------------------------------------------------------ Crystal Reports - New Free Runtime and 30 Day Trial Check out the new simplified licensign option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment. http://p.sf.net/sfu/businessobjects
----- squirrelmail-users mailing list Posting guidelines: http://squirrelmail.org/postingguidelines List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx List archives: http://news.gmane.org/gmane.mail.squirrelmail.user List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
