user forgot password or password lost

How can my users recover a lost or forgot email password?
I try from the ispconfig 3 login screen using the email address again as the user name and I get this:
The lost password function is not available for this user.
What exactly one would enter as user name? or email address? it would not work to send an email with a recovery link to the same address they can not login and a security risk to send to any other not preset email address.
I have tried the old forgot_password plugin from roundcube But it did not work.

 

Perhaps I have mixed it up. if the password reset function is for the the ispconfig user and not email, the question still persists.
How can my users recover a lost or forgot email password?
I am evaluating the possibility to move all my customers to ispconfig, some 1000 or so and the most common request is "How do I reset the password" If i dont provide a forgot password link somewhere I will do nothing but reset forgetful people's passwords.

 

unless the client can register email accounts only, he can reset the passwords as he wishes.
if a user needs a password for his email account from the client, you need to hack a association for yourself and auth as client via api to change password for one of clients email accounts.
if the client needs his password to login on ISPConfig to change his email account password where he gets his password recovery on,
you might want to write a solution like described before but using customers paypal email-adress, if any, or ( optional additional field or abusing the outdated icq field ) force clients to enter an external email adress for this cases which is then to be used.

 

In short.... There is no way for a user to recover a lost or forgotten password unless I hack ispconfig script and write my own?
I am very surprised that no one ever asked for such common and very necessary feature.
The only problem in hacking to fit my needs is that potentially every ispconfig update or new version I may have to hack it again and under the gun with users screaming they cant use the feature.

Many thanks for the info and ideas. will continue digging here.

 

hmm no, you don't need to edit ISPConfig in any way. You can use the API.

and my term of user in the above reply was: "a site visitor on the hosted paged of one of your customers".
I don't see where your issue is, really?

 

My issue is simple. it is a must to provide a way for an email user to recover or reset their email password automatically without admin help.
One can change passwords via roundcube but no "forgot password link" in the main roundcube page and the plugin available for roundcube that does that does not work on ispconfig.
You suggest hacking to add the way to do that. unfortunately this is not something I am able to do and maintain.

 

if someone wants their email password reset, they either have an ispconfig login, in which case they can login and change/reset the password themselves anyway.
or they're part of a company/group and their email admin at their company should have an ispconfig login, and they would ask them to do it for them.
if they're an individual, and they've used the same domain for their ispconfig account email address as they have configured as their mail domain within ispconfig, then they (and you) have a problem, they should always have an external email address for their ispconfig account, otherwise how do you send them any domain expired/in redemption notices, or invoices, etc if their domain/account expires/gets suspended.

 

If they cant remember their password what is the change they will remember the ispconfig login and password? that does not work too well and I end up getting calls to reset password. Not practical from the admin point of view, besides the need to enter each email user as a ispconfig user.
That they have a alternate email address is a must, that is what the Roundcube forgot_password plugin does and it works great, The user have control of their alternate address like yahoo or gmail, they request a reset link it can be setup to send the actual password token. I have implemented on another system and my reset pw calls are zero, thus the suggestion here.

 

Were you able to figure this problem out? I'm in the same situation where I will sell emails to customers with a specific domain. They won't have access to the ISPConfig, so I need a Forgot Password link.

 

Nope, I bit disappointed that there is not a fix for it yet. I just stopped using ispconfig for email.
I can see it would not be a trivial issue as a "Forgot password link" would entail sending a reset link or token somewhere already pre-configured or preset, like another email address or a text to a phone.
Perhaps this could be implemented together with a 2FA authentication such as a login authentication like the big boys are doing sending a text to a phone.
Roundcube has a "password" and a "Forgot password" plugins That I use on a iredmail server that if one could get it working on ispconfig it would put a band-aid on the need here.

 

as far as I can see the forgot password plugin hasn't been updated for 9 years, and the password plugin, whilst it has configs for various panels, doesn't have one for ispconfig. I'm not sure it will work, or be easy to change.

there is an ispconfig password plugin for roundcube, which should already be installed if you're using roundcube with ispconfig. I would guess modifying this and using it as another plugin would be the quickest method to get a password reset function working.
that would still need the roundcube or ispconfig databases to be changed though, at the very least you'd need another field for the recovery email address, and I guess one to store the reset id to check against the entered url. if roundcube only uses 1 database that's probably the easiest one to use, if roundcube is installed on multiple servers, all using a local database instance then it's probably easiest to modify the master ispconfig database. although you'd need to check that with Till, to make sure those changes don't hurt anything else, and can be replicated to ispconfig slaves if necessary.

 

@till, i'm not sure if that response is aimed at me, or a previous reply.
yes, the password modification should definitely be done using the api, but there's still going to need to be new database fields required somewhere, whether that's in the ispconfig database, the roundcube database or a new database, as at a minimum a recovery email address, and some time limited reset key/id is going to need to be stored.
my suggestion for using the roundcube ispconfig password plugin as the basis for a password reset plugin was that most of the required api code/functionality already exists.

 

I see a password plugin for roundcube, but no place within roundcube to change or click to go change the password, how do I check if the plugin is enabled? I do see configuration files that looks to be OK in the "/var/lib/roundcube/plugins/password" folder but cant really say.
Till say "Do not modify it directly in the database." so we are left with us supporting every call from every customer that "forgot their password" not scalable or really doable.

Don't want to step on anyone's foot here but what concerns me is that this issue has been there for many years without a solution leading me to ask the question if ispconfig3 is actively being supported? so many updates and upgrade out there on the OS side that I am afraid I will be stuck with a lot of customers on servers that will break if we update things. This actually happen once when I try to move from ubuntu 16.04 to 18.04 that forced me to make a new install and move all customers from the old servers to the new one. and now 20.04 is about to take off.