I am using Squirrelmail for my Qmail, with poppassd service to change password.
This works fine, except password change. It by default allows user to change password to their first / last name / domain name (my email id format is firstname.lastname@domain) Which is easily guessable. I was searching better plugin, but could not find any with complex password (ofcourse there should be better plugin).
Thus I modified this plugin to prevent user at the squirrelmail from entering easy passwords.
I prefer to prevent users at squirrelmail rather being dependent on qmail / poppassd.
I hope squirrelmail release better plugin which can prevents passwords which are based on dictionay, matches user id.
@budiwijaya
No.
Is there any modification like you did, but in change_ldap_pass ?
@Paul Lesniewski
Mail server is under DMZ, no one can telnet. For me only option was to prevent user’s entering weak passwords at frontend.
You used code from a very out of date code branch. If you use 1.5.x
code, use 1.5.2 (which at some point will have some of these kinds of
checks added to it).
The point you missed, however, is that if you run the
poppassd service and it is not verifying password integrity, your
users can simply telnet to it and give themselves a weak password.
That is, your system is poorly configured and this is a security
weakness. You should fix that and then SquirrelMail wouldn’t need to
be touched.