Enabling User-Initiated Password Resets with Roundcube on Ubuntu 16.04

Another key problem I’ve encountered on my journey to making a fully-featured mail server is that it is currently impossible for end-users to set their own passwords.

If you've followed along, you'll know that I've been following this blog on how to set up a mail server. Please also look at the previous posts I've written on setting up phpmyadmin, or set it up yourself to make things a little easier.

Again, after some googling, I found some instructions that guided me how to allow users to change their own passwords, and modified them to suit.

Firstly, edit /etc/roundcube/config.inc.php
Find the line: $rcmail_config['plugins'] = array('managesieve'); and change it to:
$rcmail_config['plugins'] = array('managesieve','password',);
This enables the password plugin. If you restart the Apache service (probably not necessary) and log into Roundcube, the option to reset your password will be under Settings, in the Password tab.

Next we need to give the plugin database credentials with just enough privilege, and give it the right SQL query to use. In order to limit the damage a malicious person might inflict, I've decided to create a new database user with access to ONLY the mailbox/user table, so that the plugin's query can change the password of the single user currently logged in and nothing else.

Creating a user can be done via phpmyadmin, or if you’ve come this far, by doing it at the command line.

The key point here is to only allow access to the user (mailbox) table in the database. Again, this can be done using phpmyadmin or, if you're in a hurry, with the SQL query:

GRANT SELECT (`username`), UPDATE (`password`) ON `mail`.`mailbox` TO 'THEUSERNAME'@'localhost';
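The whole of that step at the MySQL command line, as an added example that is not from the original post: it creates the restricted account, applies the grant above, and then checks from the new account's side that the hashes cannot be read and that only the password-update statement succeeds. The account name rcpass, the password placeholder and the mailbox alice@example.com are assumptions; the database and table names are the ones used in the post.

```sql
-- Part 1: run as a MySQL administrator (e.g. mysql -u root -p).
-- 'rcpass' and its password are assumed names; replace the placeholder
-- with a long random secret and put the same value in password_db_dsn.
CREATE USER 'rcpass'@'localhost' IDENTIFIED BY 'CHANGE-ME-long-random-secret';

-- Column-level grant from the post: read usernames (needed for the WHERE
-- clause), write only the password column. No INSERT, DELETE or other tables.
GRANT SELECT (`username`), UPDATE (`password`) ON `mail`.`mailbox`
    TO 'rcpass'@'localhost';

-- Confirm the effective privileges before pointing Roundcube at the account.
SHOW GRANTS FOR 'rcpass'@'localhost';

-- Part 2: run as the new account (mysql -u rcpass -p mail) to verify the limits.

-- Must FAIL: the account has no SELECT on the password column, so stored
-- hashes cannot be dumped even if the plugin's credentials leak.
-- Expected error: SELECT command denied to user 'rcpass'@'localhost'
--                 for column 'password' in table 'mailbox'
SELECT `password` FROM `mail`.`mailbox` LIMIT 1;

-- Must FAIL: no DELETE privilege on the table.
-- Expected error: DELETE command denied to user 'rcpass'@'localhost' for table 'mailbox'
DELETE FROM `mail`.`mailbox` WHERE `username` = 'alice@example.com';

-- Must SUCCEED: this is the shape of the statement Roundcube issues from
-- password_query once %P (hashed new password) and %u (logged-in username)
-- have been substituted. The hash below is a constructed md5-crypt placeholder.
UPDATE `mail`.`mailbox`
   SET `password` = '$1$examplesalt$exampleHashValue0000000'
 WHERE `mailbox`.`username` = 'alice@example.com'
 LIMIT 1;
```

The WHERE clause on `username` is what keeps each change scoped to the logged-in user; the grant is what stops the same credentials from doing anything else to the table.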

Next, we need to edit the settings in /etc/roundcube/plugins/password/config.inc.php.

The file is originally empty, so place inside the PHP tags:

$config['password_driver'] = 'sql';              // store the new password via the SQL driver below
$config['password_confirm_current'] = true;      // require the current password before a change
$config['password_minimum_length'] = 8;
$config['password_require_nonalpha'] = true;     // at least one non-alphabetic character
$config['password_log'] = false;                 // do not log password changes
$config['password_login_exceptions'] = null;
$config['password_hosts'] = array('localhost');  // only offer the plugin for this IMAP host
$config['password_force_save'] = true;
$config['password_algorithm'] = 'md5-crypt';     // hash format substituted into %P
// SQL Driver options
$config['password_db_dsn'] = 'mysql://USER:PASSWORD@localhost/mail';  // the restricted database user created above

// SQL Update Query: %P is the hashed new password, %u the logged-in username
$config['password_query'] = 'UPDATE mailbox SET password=%P WHERE mailbox.username=%u LIMIT 1';

And that's it! If you have phpmyadmin, I suggest you keep a record of the original hashed password of your test user so you can repair any damage you might do while troubleshooting.
