Hi Ian,

The password reset feature like hotmail or yahoo which you are looking for are not available with Plesk and Mailenable. If your user wants to change his current password then you can ask your user to login via https://ip:8443 they can use their email account and password to login to the email control panel only. They would only have access to their email account settings and nothing on the domain level.

But if the user has completely forgotten the password then in this case the domain administrator will have to reset the password. There is not any other alternative for this at the moment.

Hi James

Thanks for your reply.

Not just Hotmail or Yahoo, the same as *any* application, website or system that I worked on in the last 30+ years. And there is sound reasoning behind it.

If I, as admin, set an easy password, then the system is insecure. If I set a difficult one, then the chances are that the user is going to write it down, and that is almost as insecure. And if they lose the piece of paper? They are locked out of the system (in our case, unable to work) until it can be reset for them. If, in our case, I'm on holiday.....?

The user has to be allowed to set a secure password that is memorable to *them*. Systems are for the users, not the systems. Users are not supposed to jump through the hoops and restrictions imposed by systems and admins.

They are according to the Help pages.

According to your support staff the facility has been specifically turned off. That, IMHO, is even more insecure than letting users choose their own password. Users now have easy passwords and anyone can get in with a simple dictionary attack.

I know, that's what Support told me. So what if someone breaks in and creates a mailing group and then uses it to spam from?

Also, in our case, my MD wants to monitor all incoming staff mail, so he can supervise things. He would also like a copy of outgoing mail, but that isn't possible with your systems. But it means that any user with access to Plesk can see what is going on. My MD pays for our system and he will do what he wants in there and it should not be possible for staff to view or change that.

It also means that anyone who broke in could see who our customers were, etc, etc. Our customers are given temporary access to parts of our website. They are mailed the user name and password by the sales staff. Anyone who broke into the agent's mail could read that. We also have temporary staff - camera crew, voiceover people, etc - and they need to have limited access to our internal systems. Again, someone getting into a mail account could cause untold damage - all because a standard and (probably) well-designed system has been disabled.

And reset it with something that is equally insecure?

Is the password change function turned off because it is inherently insecure? I haven't been able to find anything about any other hosting service suffering having any problems with it.

Cheers

Ian

Hello Ian,

let me understand this properly the functionality you are wanting for is to user to have the ability to reset the password via either the webmail interface or the plesk interface in case they forget the password IE they go in to the webmail link and then click on forgot password and then it should have a mechanism to reset the password ? or either they go to the plesk control panel and click on forgot password and key in a an answer and then have their password automatically reset without the intervention of a system admin ?


The Plesk Horde webmail feature to change passwords are disabled on recommendations from SWSOFT in our conversations with them about security. It does not have the mechanism like a yahoo or hotmail or exchange to challenge the password request. It does not ask you for a secret question while resetting the password. Only this feature is turned off. Please note this is your vps now and you have the option to enable it but at your own security risk.

Users would still be able to change their passwords if they logged in as James suggested in his reply. The login via plesk using their email credentials and they can reset their password.

If someone breaks in that would be the user who has a compromised password who creates mailing lists. Disable the mailing lists option from plesk for the domain if you are not going to use mailing lists.

The feature of monitoring the outbound SMTP as you require is not offered as a standard product in any mail server. You have a look at exchange one of the most expensive mailing solutions out there. They have recommended third party tools like GFI MailArchiver for what you are looking for in terms of mail monitoring.

Regards

No. For them to have the ability to change their mail password from their mail; *not* from the Plesk control panel. They should not even know that exists or that they can access it. They just need to change their password exactly as the Help system tells them to (I try and drum into my users that the Help is the *first* port of call, not the last ) and as they could do from their Smartermail, when we were using DNP.

[QUOTE]
in case they forget the password IE they go in to the webmail link and then click on forgot password and then it should have a mechanism to reset the password ? or either they go to the plesk control panel and click on forgot password and key in a an answer and then have their password automatically reset without the intervention of a system admin ?
[/QUOTE}

Yes, but they are going to have to use (a) something that they are not supposed know exists (b) is quite daunting to non-tech users. Good HCI expects users to be treated as simple forms of life who know nothing about anything. Having to log in to a control panel is like going to another planet for a lot of them.

Ok, it doesn't challenge, but that, IMHO, is a lot better than them having weak passwords so they can remember them, or having to write them down somewhere.

No one said anything about that. I was told that it was not possible. We will take that risk. They all have a link to a password challenger and have been told to test first. That's better than us giving them xzy999 or whatever.

Yes, and see and do quite a few other things, some of which management do not want them to see or do. It is also another level of complication for them. I'm told that one of the next steps planned for the company is for agents in Brazil. Plesk has Portuguese localization?

I didn't say that we were not going to use them, I said we don't want someone hacking in and creating mailing lists. We shouldn't have to disable a facility just because it can be compromised by something else.

The company had it as a standard feature with their previous hosts (before my time) and were less-than-impressed when they didn't get it here. But the other hosts were Linux-based only so I guess their mail server was more configurable.

Thanks for the tip, I'll check it out.

Did you want me to create a ticket for the change to enable password change and recovery as we understand the security risks?

Cheers

Ian

[QUOTE=IanJ0208;36487]No. For them to have the ability to change their mail password from their mail; *not* from the Plesk control panel. They should not even know that exists or that they can access it. They just need to change their password exactly as the Help system tells them to (I try and drum into my users that the Help is the *first* port of call, not the last ) and as they could do from their Smartermail, when we were using DNP.

Hello Ian,

Yes please generate a ticket and we will enable it for you at your own risk. Please also list your support requests for plesk localization setting in there.

Thanks

Hello Ian,

As your users were already used to smartermail we can have that installed on the server and integrated in plesk. You can request for this in the ticket you are going to place for the webmail request

Thanks