There's no IMAP change password command as far as I know. Eudora et. al. have always used a separate protocol for changing passwords, requiring that "poppassd" be running on the mail server.

http://echelon.pl/pubs/poppassd.html

It uses PAM, so you can use it to change LDAP, system, Samba, etc passwords.

That's probably the best bet for a password change plugin, although it introduces a new server dependency. The only other way I've found of changing passwords via the web (besides direct LDAP queries, which I use) is via an suid root CGI, which would introduce all kinds of bad dependency/configuration/security issues - not something I'd recommend for RC.

-j

On Thu, 2005-12-08 at 08:30 -0500, Geuis Teses wrote:

Is there a mechanism via IMAP that allows for the changing of passwords without shell access? I too would like this feature because trying to service a lot of users is hairy.

Geuis

On 12/8/05, Kari Päivärinta kari.paivarinta@viivatieto.fi wrote:

    Could it be possible to build a change password feature to the
    RoundCube? I have users who don't have (or never will have)
    shell
    access so this is the single most important feature needed to
    change my RounCube to my primary webmail. 

    --
    Kari Päivärinta

I have seen qmailadmin used with qmail (qmail-imap) servers in the past for managing the users of a domain. Is there a chance of perhaps migrating something of this sort into RC? (IE- if you login to RC as postmaster, then you can edit users, etc.)

Besides adding username and passwords, it also maintains "aliases, forwards, mailing lists and auto responders".

http://www.inter7.com/index.php?page=qmailadmin

According to their site, it is compatible with sqwebmail. I wonder what this "compatibility" is.

*Other packages compatible with qmailadmin:*

* vpopmail <http://www.inter7.com/index.php?page=vpopmail> : virtual
  domain package for qmail
* vqregister <http://www.inter7.com/index.php?page=vqregister> : cgi
  email signup program
* vqadmin <http://www.inter7.com/index.php?page=vqadmin> : a system
  wide admin interface. Allows for addition and deletion of domains.
  Supports multiple admins accessing user accounts and domains
* sqwebmail <http://www.courier-mta.org/sqwebmail/> : a hotmail like
  web mail interface by MrSam
* Courier-IMAP <http://www.courier-mta.org/imap/>

Kevin L.

Jeremy Jongsma wrote:

There's no IMAP change password command as far as I know. Eudora et. al. have always used a separate protocol for changing passwords, requiring that "poppassd" be running on the mail server.

http://echelon.pl/pubs/poppassd.html

It uses PAM, so you can use it to change LDAP, system, Samba, etc passwords.

That's probably the best bet for a password change plugin, although it introduces a new server dependency. The only other way I've found of changing passwords via the web (besides direct LDAP queries, which I use) is via an suid root CGI, which would introduce all kinds of bad dependency/configuration/security issues - not something I'd recommend for RC.

-j

On Thu, 2005-12-08 at 08:30 -0500, Geuis Teses wrote:

...

Is there a mechanism via IMAP that allows for the changing of passwords without shell access? I too would like this feature because trying to service a lot of users is hairy.

Geuis

On 12/8/05, *Kari Päivärinta* <kari.paivarinta@viivatieto.fi mailto:kari.paivarinta@viivatieto.fi> wrote:

Could it be possible to build a change password feature to the
RoundCube? I have users who don't have (or never will have) shell
access so this is the single most important feature needed to
change my RounCube to my primary webmail.

--
Kari Päivärinta

-- Jeremy Jongsma jeremy@jongsma.org mailto:jeremy@jongsma.org http://jongsma.org

Hi Kari P?iv?rinta, On Thu, Dec 08, 2005 at 02:09:34PM +0200 you wrote something like:

Could it be possible to build a change password feature to the RoundCube? I have users who don't have (or never will have) shell access so this is the single most important feature needed to change my RounCube to my primary webmail.

I have to say, I don't think that a mail client should have access to change the passwords; it produces an awful lot of dependencies on the server side. Instead, each service should produce their own method of changing passwords in a way which makes sense to their password databases.

C

Craig Webster | t: +44 (0)131 516 8595 | e: craig@xeriom.net Xeriom.NET | f: +44 (0)709 287 1902 | w: http://xeriom.net

I have to say, I don't think that it would be very userfriendly for our customers to have a second separate systems just to change password. "I'm having this great myrandommail.com account which has excellent webmail, but if I want to change my password once a year I have to go to some other passwd.myrandommail.com-site and there I can change my password."

OK, it's not a pure mail client feature, but as webmail for some cases is the only client to access mail it wouldn't do harm if it included the password change option. For example I have mail accounts for my family (yes, grandma too), friends and so on.. I don't want to teach each of them aging from 13 to 80(?) how to use SSH to just change their webmail password. Neither do I see that it would be a good solution for them or to me as an administrator to set up Webmin (or likes) complicated gizmos for such a (seamingly) simple task. And let me quote you here: "I wouldn't trust it to be secure.".

After posting this request I thought more of it and remembered that as RC is using IMAP to connect perhaps remote mailservers there isn't allways the connection to server itself on any other level than IMAP. This makes the password feature seem to be quite obsolete and far fetched to build in this remote mail client. But on the other hand I see the usage just like all my webmail installations where the webmail is running even on the mailserver itself. And I tend to think that more often the system is being used to access "local" mail than remote.

Against these thoughts I find your comment "not a full fledged web/server/email/smtp/spam/virus implementation" a bit unfair as I'm just querying for an obvious and rather (seamingly) simple feature for a system that is going to be the only boundary between my systems (which are taking care of webserver, smtp, spam and virus etc.) and the users who just want to read their email and once a year (atleast, I hope) to change their password. It's shouldn't be an "admin feature" to change your own personal password.

So webmail will be their only system, I'm not going to use any other "webmins". I just wish that it could be somehow implemented within the webmail and if it's not going to be "mainstream" I can make my own modifications there - no problem. I've just learned to keep my own mods as few as possible with openwebmail which is the system I now want to replace because with the quantity of mods I need to be doing there practically disables future updates.

So far RC is very promising and I just love the simplicity of it (versus the few thousand insignificant options of openwebmail that it's trying to thow at simple users face). It's just lacking the password changing feature to get being used for all my noncommercial users. And by the way it's implemented I don't even expect it from it but it would certainly be a bonus.

RC <3

-- Kari

PS: Sorry. :)

phil wrote:

On Thu, 8 Dec 2005 17:16:34 +0000, Craig Webster craig@xeriom.net wrote:

...

Hi Kari P?iv?rinta, On Thu, Dec 08, 2005 at 02:09:34PM +0200 you wrote something like:

...

Could it be possible to build a change password feature to the RoundCube? I have users who don't have (or never will have) shell access so this is the single most important feature needed to change my RounCube to my primary webmail.

I have to say, I don't think that a mail client should have access to change the passwords; it produces an awful lot of dependencies on the

I'm totally in agreement with this, Roundcubemail is supposed to be a webmail client, not a full fledged web/server/email/smtp/spam/virus implementation, something that Novell's Hula is supposed to be; it's a webmail client, and the best one out there yet IMHO. Look at the about page: http://www.roundcube.net/?p=about there's nothing on there that says it wants to be anything more, and I for one hope that doesn't change, the focus should be on useabilty and functionality within a client webmail realm; not OS level functions. If you want/need to change user passwords, I'd recomment something like Webmin - or some homegrown password change webpage, though I wouldn't trust it to be secure. I dont' think Roundcube is ready to jump into any Corp environments, so I don't see a need to do anything beyond that yet. I would hope in the future that they're be a sep project, an admin gateway that would compliment Roundcube - but again, with all the backends being so disparate, who k nows how many functions it would have to cover. Again, I don't want those admin features in a web client, but would see it being a sep/complimentary project.

P

http://fak3r.com - you don't have to kick it

From my point of view, RC NEVER should do something like this for regular

users. Only an administrator (when an admin interface is implemented) should do that.

If that feature is required, it should be implemented as a plugpin with direct access to the database.

Regards,

-- Andres Jimenez

I don´t use Cpanel, but Direct Admin. An alternative -very good indeed- to Cpanel...

Geuis Teses geuis.teses@gmail.com wrote: As a bit of a poll, how many people on this list using roundcube have Cpanel as a backend? i.e. this is how you manage your user accounts and passwords.

On 12/9/05, Andres Jimenez gandresin@gmail.com wrote: From my point of view, RC NEVER should do something like this for regular users. Only an administrator (when an admin interface is implemented) should do that.

If that feature is required, it should be implemented as a plugpin with direct access to the database.

Regards,

Why is this thread going that way? Some day, there will be an option to add your own plugins/addons/or so.

IMHO what will be useful, or not, this should be always my or yours decision, so I why not just leave it?

pozdrawiam

Wojtek

Kari I appreciate your response and hope you understand that my viewpoint is in no way a personal attack towards you, just ideas on how I think RC should develop. I understand your concerns of supporting your clients, and how "other" webmail solutions provide password changing - however I don't think RC should have a feature just because others do. My feeling is there's a lot more important core things that need to be addressed, while there are secure web-based passwd changing utilities out there.

http://www.unicom.com/sw/web-chpass/ http://changepassword.sourceforge.net/ http://www.wagemakers.be/english/programs/cgipaf http://freshmeat.net/projects/cypr/

If I were you I'd grab one of those, (this one looks the simplest and most complete: http://changepassword.sourceforge.net/img1.jpg) get it working, copy the code out of the working page, copy RC's login page, rework it with the passwd-changing code - then create a link under 'Personal Settings' to point to your new page. That would solve your concerns of user experience, as well as security. Then you could release it as a patch or plugin for others to try.

I'm in complete agreement that other wemail projects (openwebmail and squirrelmail) has suffered from way too many plugin options, but I approve of how none of them are included in the default install (squirrelmail), they're all option and they change in response to the project - the project doesn't change in response to the plugins.

P

On Fri, 09 Dec 2005 10:22:54 +0200, Kari Päivärinta kari.paivarinta@vtoasp.net wrote:

I have to say, I don't think that it would be very userfriendly for our customers to have a second separate systems just to change password. "I'm having this great myrandommail.com account which has excellent webmail, but if I want to change my password once a year I have to go to some other passwd.myrandommail.com-site and there I can change my password."

OK, it's not a pure mail client feature, but as webmail for some cases is the only client to access mail it wouldn't do harm if it included the password change option. For example I have mail accounts for my family (yes, grandma too), friends and so on.. I don't want to teach each of them aging from 13 to 80(?) how to use SSH to just change their webmail password. Neither do I see that it would be a good solution for them or to me as an administrator to set up Webmin (or likes) complicated gizmos for such a (seamingly) simple task. And let me quote you here: "I wouldn't trust it to be secure.".

After posting this request I thought more of it and remembered that as RC is using IMAP to connect perhaps remote mailservers there isn't allways the connection to server itself on any other level than IMAP. This makes the password feature seem to be quite obsolete and far fetched to build in this remote mail client. But on the other hand I see the usage just like all my webmail installations where the webmail is running even on the mailserver itself. And I tend to think that more often the system is being used to access "local" mail than remote.

Against these thoughts I find your comment "not a full fledged web/server/email/smtp/spam/virus implementation" a bit unfair as I'm just querying for an obvious and rather (seamingly) simple feature for a system that is going to be the only boundary between my systems (which are taking care of webserver, smtp, spam and virus etc.) and the users who just want to read their email and once a year (atleast, I hope) to change their password. It's shouldn't be an "admin feature" to change your own personal password.

So webmail will be their only system, I'm not going to use any other "webmins". I just wish that it could be somehow implemented within the webmail and if it's not going to be "mainstream" I can make my own modifications there - no problem. I've just learned to keep my own mods as few as possible with openwebmail which is the system I now want to replace because with the quantity of mods I need to be doing there practically disables future updates.

So far RC is very promising and I just love the simplicity of it (versus the few thousand insignificant options of openwebmail that it's trying to thow at simple users face). It's just lacking the password changing feature to get being used for all my noncommercial users. And by the way it's implemented I don't even expect it from it but it would certainly be a bonus.

RC <3

-- Kari

PS: Sorry. :)

phil wrote:

...

On Thu, 8 Dec 2005 17:16:34 +0000, Craig Webster craig@xeriom.net

wrote:

...

...

Hi Kari P?iv?rinta, On Thu, Dec 08, 2005 at 02:09:34PM +0200 you wrote something like:

...

Could it be possible to build a change password feature to the RoundCube? I have users who don't have (or never will have) shell access so this is the single most important feature needed to change my RounCube to my primary webmail.

I have to say, I don't think that a mail client should have access to change the passwords; it produces an awful lot of dependencies on the

I'm totally in agreement with this, Roundcubemail is supposed to be a

webmail client, not a full fledged web/server/email/smtp/spam/virus implementation, something that Novell's Hula is supposed to be; it's a webmail client, and the best one out there yet IMHO. Look at the about page: http://www.roundcube.net/?p=about there's nothing on there that says it wants to be anything more, and I for one hope that doesn't change, the focus should be on useabilty and functionality within a client webmail realm; not OS level functions. If you want/need to change user passwords, I'd recomment something like Webmin - or some homegrown password change webpage, though I wouldn't trust it to be secure. I dont' think Roundcube is ready to jump into any Corp environments, so I don't see a need to do anything beyond that yet. I would hope in the future that they're be a sep project, an admin gateway that would compliment Roundcube - but again, with all the backends being so disparate, who k

...

nows how many functions it would have to cover. Again, I don't want

those admin features in a web client, but would see it being a sep/complimentary project.

...

P

http://fak3r.com - you don't have to kick it

-- http://fak3r.com - you don't have to kick it

Amen!

I think everybody agrees that things like

• mail-filters (procmail, maildrop, ...)
• spam-filtering (spamassassin, razor, pyzor, dcc, ...)
• changing passwords (mysql, pgsql, pam, unix, ldap, radius, active

directory, edirectory, ...)

• multiple mailaccounts (fetchmail, gotmail, fetchyahoo, rss2email)
• viewing the weather and traffic
• calendar
• quota's
• new user registration
• advertisements

should all be implemented (preferrably just as frontends) in plugins, and not all be part of the core of RoundCube. (Almost) all of these things are great additions, don't get me wrong, but not for the core.

As far as I know, somebody is working already on a plugin-api. As soon as that hits it's alpha stage, things like this could be implemented, at least as "a proof of concept" of the plugin-api.

Just my 2 cents... :-)

phil schreef:

On Thu, 8 Dec 2005 17:16:34 +0000, Craig Webster craig@xeriom.net wrote:

...

Hi Kari P?iv?rinta, On Thu, Dec 08, 2005 at 02:09:34PM +0200 you wrote something like:

...

Could it be possible to build a change password feature to the RoundCube? I have users who don't have (or never will have) shell access so this is the single most important feature needed to change my RounCube to my primary webmail.

I have to say, I don't think that a mail client should have access to change the passwords; it produces an awful lot of dependencies on the

I'm totally in agreement with this, Roundcubemail is supposed to be a webmail client, not a full fledged web/server/email/smtp/spam/virus implementation, something that Novell's Hula is supposed to be; it's a webmail client, and the best one out there yet IMHO. Look at the about page: http://www.roundcube.net/?p=about there's nothing on there that says it wants to be anything more, and I for one hope that doesn't change, the focus should be on useabilty and functionality within a client webmail realm; not OS level functions. If you want/need to change user passwords, I'd recomment something like Webmin - or some homegrown password change webpage, though I wouldn't trust it to be secure. I dont' think Roundcube is ready to jump into any Corp environments, so I don't see a need to do anything beyond that yet. I would hope in the future that they're be a sep project, an admin gateway that would compliment Roundcube - but again, with all the backends being so disparate, who k nows how many functions it would have to cover. Again, I don't want those admin features in a web client, but would see it being a sep/complimentary project.

P

http://fak3r.com - you don't have to kick it

this isn't real promising:

dlg@scotty:~$ telnet lists.roundcube.net 25 Trying 195.159.29.201... Connected to lists.roundcube.net. Escape character is '^]'. 220 mail.maildialog.com ESMTP helo a 250 mail.maildialog.com mail from: dlg@foo.org 250 ok rcpt to: dev@lists.roundcube.net 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)