Function for password verification and its integration into PostfixAdmin

Users tend to choose very trivial passwords, and this gives spammers an easy way to guess those passwords and relay spam through your server. PostfixAdmin does not impose any password verification besides checking the password's length, and it does that only for users, not for administrators (probably assuming that administrators will not choose short passwords). But PostfixAdmin offers the possibility of delegating maintenance of some domains to certain users (clients), and those users do not necessarily understand the risks of setting bad passwords, or may simply be too lazy to choose good ones. One frequent example of a (very) bad password: for the address sales@company.com the password is sales.

The proposed function verifies passwords against a set of rules. For example, if the address computer.programs@software-company.info is given, then the following passwords will not be allowed:

computer
programs
computer.programs
software-company.info
software-company
software
company
computer.programs@software-company.info
info

Passwords composed of a single repeated character, e.g. zzzzz or 000000, and passwords like 123456 or qwerty are prohibited as well. There are some other checks too; many of them are commented out, so uncomment them to put them into effect. Incorporate this function into the function include file functions.inc.php.
Function text. The code is explained using the example address first.user@example-domain.com.
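The author's function text is not reproduced on this page. As an added example (not the original code), here is a verify_password() in PHP that implements the rules listed above in the form the call sites below expect: it returns true for an acceptable password and false otherwise. Splitting the address into words on dots, dashes and underscores is my assumption about how the list above is generated.

```php
<?php
// Added example, not the author's function (whose text is not reproduced on this
// page): a verify_password() implementing the rules described above. It returns
// true when the password is acceptable and false when it must be rejected, which
// is the contract the PostfixAdmin call sites expect (!verify_password(...)).
function verify_password($address, $password)
{
    $pw = strtolower($password);
    $address = strtolower($address);

    // Tokens derived from the address. For first.user@example-domain.com these are:
    // the full address, first.user, first, user, example-domain.com, example-domain,
    // example, domain and com.
    $forbidden = array($address);
    list($local, $domain) = array_pad(explode('@', $address, 2), 2, '');
    foreach (array($local, $domain) as $part) {
        if ($part === '') {
            continue;
        }
        $forbidden[] = $part;
        // individual words separated by dots, dashes or underscores (assumed split rule)
        foreach (preg_split('/[.\-_]+/', $part) as $word) {
            if ($word !== '') {
                $forbidden[] = $word;
            }
        }
        // the part without its last label (example-domain for example-domain.com)
        $labels = explode('.', $part);
        if (count($labels) > 1) {
            array_pop($labels);
            $forbidden[] = implode('.', $labels);
        }
    }
    if (in_array($pw, $forbidden, true)) {
        return false;
    }

    // A single repeated character, e.g. zzzzz or 000000.
    if (preg_match('/^(.)\1*$/', $pw)) {
        return false;
    }

    // Well-known trivial passwords named on this page; extend the list as needed.
    $trivial = array('123456', 'qwerty');
    if (in_array($pw, $trivial, true)) {
        return false;
    }

    return true;
}
```

With the page's example address, verify_password('computer.programs@software-company.info', 'company') returns false, as do the other eight strings listed above.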

After that, modify create-mailbox.php, edit-mailbox.php, users/password.php and languages/en.lang as described below. The locations in the files where the code is inserted are given for PostfixAdmin 2.3.2.

In create-mailbox.php, on line 134, find the code if ($CONF['quota'] == "YES") and insert the following code before it:


$min_length = $CONF['min_password_length'];

if ($fPassword == $fPassword2) {
    if ($fPassword != "") {
        // password length check, copied from edit-mailbox.php
        if ($min_length > 0 && strlen($fPassword) < $min_length) {
            flash_error(sprintf($PALANG['pPasswordTooShort'], $CONF['min_password_length']));
            $error = 1;
            $tUsername = escape_string($_POST['fUsername']);
            $tName = $fName;
            $tDomain = $fDomain;
            $tQuota = $fQuota;
        }
        // reject passwords derived from the address or otherwise trivial
        elseif (!verify_password("$fUsername@$fDomain", $fPassword)) {
            $error = 1;
            flash_error($PALANG['pPasswordTooSimple']);
            $tUsername = escape_string($_POST['fUsername']);
            $tName = $fName;
            $tDomain = $fDomain;
            $tQuota = $fQuota;
        }
    }
}

Here we also copied the password length check from edit-mailbox.php, because create-mailbox.php does not contain such a check.

In edit-mailbox.php, on line 110, find the code $formvars['password'] = pacrypt($fPassword); and insert the following code before it:


// continues the existing password length check (the preceding if)
elseif (!verify_password($fUsername, $fPassword)) {
    flash_error($PALANG['pPasswordTooSimple']);
    $error = 1;
}

In users/password.php, on line 61, find the code if ($error == 0) and insert the following code before it:


// reject a new password that is derived from the user's address or is trivial
if (!verify_password($username, $fPassword)) {
    $error += 1;
    flash_error($PALANG['pPasswordTooSimple']);
}

In languages/en.lang, after the definition of $PALANG['pPasswordTooShort'] on line 389, insert the following definition:

$PALANG['pPasswordTooSimple'] = "Password is too simple! Try another password";

Alternatively, you can download all four modified files.

That's it!

P.S. Don't forget to set the minimum password length, $CONF['min_password_length'], in config.inc.php.