Author Topic: password: old password valid after password change

aquadraht
password: old password valid after password change
« on: August 28, 2012, 08:20:53 AM »
Hi,

I'm playing around with the password plugin. I have a setup with dovecot, postfixadmin, roundcube 0.8.1 and the password plugin.
I have two databases: one for postfix, used by dovecot and postfixadmin, containing the email addresses and passwords, and a second one for roundcube. So authentication is made against the postfix database. In the password config I changed the following settings:

$rcmail_config['password_minimum_length'] = 8;
$rcmail_config['password_require_nonalpha'] = true;
$rcmail_config['password_db_dsn'] = 'mysql://user:dbpw123@localhost/postfix';
$rcmail_config['password_query'] = 'UPDATE mailbox SET password=%c WHERE username=%u';
$rcmail_config['password_dovecotpw'] = '/usr/sbin/dovecotpw';
$rcmail_config['password_dovecotpw_method'] = 'MD5';
$rcmail_config['password_hash_algorithm'] = 'sha512';

In Roundcube the password change works well, but I found out that the user is then still able to log in to Roundcube with the old password! Only after the user logs in with the new password for the first time does the old password stop being valid.
Does anyone know how I can fix this behaviour?

Thanks,

zawmoo
Re: password: old password valid after password change
« Reply #1 on: September 27, 2012, 12:18:05 AM »
Hello,

I know this post is a little old; I just saw it while browsing around the forum. Anyway, I'm not a programmer but an admin, and I just went through this last week.

Since you are running Dovecot, in your dovecot.conf file (possibly /etc/dovecot.conf or /usr/local/etc/dovecot/dovecot.conf) there is a setting that makes the Dovecot server cache authentication.

It is auth_cache_size, which caches the passwords. The setting is a number (in bytes) of cache available for login information. A lot of admins set this for performance reasons. You can read more about it here: http://wiki2.dovecot.org/Authentication/Caching. If you set this to "0" (zero), Dovecot will disable authentication caching, and your password change in Roundcube will be effective immediately.

If you don't want to do this, just wait until your login cache entry is cleared out by newly cached logins, or just reload Dovecot; that should clear the cache.

Hope this helps.

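The reply above points at Dovecot's auth cache as the reason an old password keeps working. As an added example (not code from the thread, the Roundcube password plugin, or the Dovecot project), here is a small audit script that reads the "key = value" lines `doveconf -n` prints, converts Dovecot's size and time notation, and reports whether caching is on and how long a changed password can stay stale. The setting names auth_cache_size, auth_cache_ttl and auth_cache_negative_ttl are Dovecot's documented settings and their defaults (cache off, 1 hour TTLs) are assumed to match the documentation; the two sample config texts are constructed for the demo, and the size/time parsers only cover the plain forms shown (a number with an optional unit), which is an assumption of this example.

```python
"""Audit Dovecot auth-cache settings from `doveconf -n` output.

Added example, not from the forum thread or the Dovecot project. It assumes
the documented settings auth_cache_size, auth_cache_ttl and
auth_cache_negative_ttl and the "key = value" lines that `doveconf -n` prints.
"""
import re

# Constructed sample: a server where an admin enabled caching for performance.
SAMPLE_CACHING_ON = """\
auth_cache_negative_ttl = 5 mins
auth_cache_size = 10M
auth_cache_ttl = 1 hour
auth_mechanisms = plain login
"""

# Constructed sample for the fix the reply suggests: cache disabled.
SAMPLE_CACHING_OFF = """\
auth_cache_size = 0
auth_mechanisms = plain login
"""

# Dovecot time units (singular and plural spellings); a bare number is seconds.
_TIME_UNITS = {
    "s": 1, "sec": 1, "secs": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "w": 604800, "week": 604800, "weeks": 604800,
}
# Dovecot size suffixes; a bare number is bytes.
_SIZE_UNITS = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4}


def parse_doveconf(text):
    """Turn 'key = value' lines (as printed by doveconf -n) into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def time_to_seconds(value):
    """Convert a Dovecot time value ('1 hour', '5 mins', '30') to seconds."""
    m = re.fullmatch(r"(\d+)\s*([a-zA-Z]*)", value.strip())
    if not m:
        raise ValueError("bad time value: %r" % value)
    number, unit = int(m.group(1)), m.group(2).lower()
    return number if unit == "" else number * _TIME_UNITS[unit]


def size_to_bytes(value):
    """Convert a Dovecot size value ('10M', '64k', '0') to bytes."""
    m = re.fullmatch(r"(\d+)\s*([a-zA-Z]?)", value.strip())
    if not m:
        raise ValueError("bad size value: %r" % value)
    number, unit = int(m.group(1)), m.group(2).lower()
    return number * (_SIZE_UNITS[unit] if unit else 1)


def audit_auth_cache(conf):
    """Report whether Dovecot may keep accepting a cached (old) password.

    Defaults follow Dovecot's documented defaults: cache off, 1 hour TTLs.
    With caching on, an old password can be accepted for up to auth_cache_ttl
    after a change unless the entry is refreshed or the cache is flushed.
    """
    size = size_to_bytes(conf.get("auth_cache_size", "0"))
    ttl = time_to_seconds(conf.get("auth_cache_ttl", "1 hour"))
    neg_ttl = time_to_seconds(conf.get("auth_cache_negative_ttl", "1 hour"))
    enabled = size > 0
    return {
        "enabled": enabled,
        "size_bytes": size,
        "ttl_seconds": ttl,
        "negative_ttl_seconds": neg_ttl,
        "stale_password_window_seconds": ttl if enabled else 0,
    }


if __name__ == "__main__":
    for name, text in (("caching on", SAMPLE_CACHING_ON),
                       ("caching off", SAMPLE_CACHING_OFF)):
        print(name, audit_auth_cache(parse_doveconf(text)))
```

On a live server feed it the real output (`doveconf -n | python3 audit.py`-style, after replacing the constructed samples with `sys.stdin.read()`). If the audit reports caching enabled and you would rather keep it, Dovecot 2.x can drop a single user's entry after a password change with `doveadm auth cache flush user@example.com` instead of reloading the whole server.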
aquadraht
Re: password: old password valid after password change
« Reply #2 on: September 27, 2012, 03:20:05 AM »
Hi,

Thanks for your answer. I don't use auth caching in Dovecot, but I also have imapproxy installed, which also stores login information. That one is the cause of the password caching...

Best regards,