MailStation Password plugin in Roundcube

[nervik2]

Hi, is there anybody who have solution how to configure password plugin for roundcube, for users who are able to change their password not in DSM but directly in roundcube?

I know that for changing password in terminal can be used synuser command.

Type of driver in this plugin should be probably "chpasswd".

Thank you for your help

 

[jahlives]

Hello and welcome to our forum

there are some plugins around for Roundcube, but I'm not sure if they could work properly. Imho the main problem is that normally RC does not have knowledge of users passwords. RC takes the password as given by user and tries a IMAP login on the server. Depending on the answer from server the login is considered valid or not. So these are local users in that case which means their passwords are handled via /etc/password and /etc/shadow

The problem: local (non root) users can only change their own password via the password command. But as the RC process is running as webserver user (mostly nobody with DS) the process could only change its own password. That's why normally users can only change their pw via the DSM as the DSM process is running as root, so it can change password of every local user.
It depends on the authentication backend. As long as password and shadow are used you need to invoke a process running as root to be able to change passwords. I'm not sure what backend a solution like zarafa uses. Maybe it's a database backend, in that case it could be possible to change passwords in context of the webserver-user (without root rights).
A (imho very dirty) solution could be to set synuser command setuid, change the group of the command to nobody and remove ANY right for others from the command. Then it should be possible to invoke synuser as root even the calling user is non-root (in this case nobody). But again a very very dirty solution!!

By far the cleanest thing would be to seperate mailusers from the local users. This can be achieved by virtual users for postfix (smtp) and dovecot (pop3/imap), but means quite a lot of work on the command line. The advantage is that mailusers are completly seperated from local users, disadvantage if you add a user in DSM she/he is not automatically available as virtual user for mail.

cheers

tobi

 

[nervik2]

Hi, thank you for your answer. Do you know if I can encrypt messages with certificate as in Outlook by some plugin? I am asking because home folder where are maildirs cannot be encrypted.

 

[jahlives]

You would have to search for something like a PGP-Plugin for RC. Not sure if something like that exists. The problem with encrypted mail content is that every client who wants to read the message must support it. I just checked the webpage of the RC project and saw that PGP and S/MIME enryption support is planed but not yet available http://trac.roundcube.net/milestone/later

 

[nervik2]

If I cannot use password plugin how could I solve this situation. MailStation is on secure port 443, I want also DSM on secured port, but 5001 is closed in our proxy. Is it possible to put both services on one port, mailstation is no address https://server_ip/mail and DSM is on https://server_ip/webman. Cannot be port 443 set only fort https://server_ip/ (maybe this think is dumb)