if one of our user (mail) lost is password how can i allowed him to recover it by himself ?

Discussion in 'General' started by ledufakademy, Oct 2, 2020.

  1. ledufakademy

    ledufakademy Member HowtoForge Supporter

    I know that panel admin have this option , but is there a way to do that for mail enduser ?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    He can log in by using his client account and reset the passwords of the email accounts that he manages.
    ahrasis likes this.
  3. ledufakademy

    ledufakademy Member HowtoForge Supporter

    hello till.
    i know that client (account) can do that, i was asking for user mailbox "account", to reset password.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The client account is responsible for the email accounts he manages and in case one of his own mail users lost the password, he can set a new password for them without having to contact the ISP which runs the server. A mail user can not request a new password as it makes no sense to send him an email with the new password to the account that he can't access because he lost the password of that account.
  5. Volker Mischo

    Volker Mischo New Member

    But this is not compatible with the DSGVO. At the moment you can not use ispconfig for production ! If a mail come in it should get a signature and should be encrypted. In my opinion an email system with one "superuser" as key safe is not allowed AND if this guy has many email users he will spent all his time for managing their passwords! Every email user has to be able to change his password as often as desired. Roundcube is a very poor stopgap. A solution could be: The user can login into the "ispconfig user web surface " and can change his password today( sys_user.passwort )! Is there a possibility to move the password to mail_user.password ? That's it.
  6. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    i don't see how this has anything to do with mailbox passwords in any way.

    if someone only has a mailbox in ispconfig the only login credentials they have for the ispconfig interface is their mailbox username and password, and and if they've forgotten their password, they've already lost 50% of the minimum requirements to login.

    i think you're inventing/imagining a direct relationionship between sys_user.passwort and mail_user.password.
    a mail user does not necessarily have a sys_user login or password.

    it is possible a password reset function can be implemented, with them providing just their mailbox username/address but that would require them to have already supplied an alternative/backup/recovery email address in ispconfig (a function that doesn't exist yet, but probably isn't too much work) and for any such request to send a reset link to that secondary email, which will, when followed, authenticate with ispconfig and allow that specific users mailbox password to be changed, another function which doesn't exist yet, and is likely to be a significant amount of work to implement, and also likely to be rendered irrelevant when the mail user inevitably doesn't keep their recovery address up-to-date, and/or loses the recovery mailbox account itself, or also forgets the password on the recovery mailbox.
    ahrasis, Th0m and till like this.
  7. Volker Mischo

    Volker Mischo New Member

    I think you are right but I see 2 challenges: Your requirement first: password forget : maybe - in that case , lack of functionality - the admin has to reset the email password. Second requirement: a ) after the admin has changed the password - OR b) the user has to change the password after 1,2,3 months (DSGVO ) Or c) the user wants to change the password for different reason at any time THEN there has to be an option to do that.
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    The admin does not have to change lost mail user passwords as the client can do that, no need for the server admin to do that. And if the client loses his ISPConfig password, he can use the password reset function to reset his own password. As mentioned before, this whole topic is not DSGVO related in any way.

    Mail users can change their password at any time on their own in the ISPConfg mail user login.

Share This Page