Extras_client configuration_Rainloop - SomethingWithHorizons/mailserver GitHub Wiki

Password customization plugin

Create a new database user

The plugin needs an administrative user for the mailserver database. Regular mail handling goes through the IMAP/Dovecot connection, which uses the mailadmin account that runs locally on the mailserver itself; the Rainloop plugin, however, needs direct administrative access to the mailserver database so that it can change passwords itself:

  1. Start the MySQL interactive shell (on the mailserver system):

    mysql
    
  2. Create the user and authorize it for database access:

    CREATE USER 'rainloopadmin'@'<IP.OF.RAINLOOP.SYSTEM>';
    GRANT ALL ON `mailserver`.* TO 'rainloopadmin'@'<IP.OF.RAINLOOP.SYSTEM>';
    
    SET PASSWORD FOR 'rainloopadmin'@'<IP.OF.RAINLOOP.SYSTEM>' = PASSWORD('<RAINLOOPADMIN-MYSQL-PASSWORD>');
    

    <IP.OF.RAINLOOP.SYSTEM> should be replaced by the (static) IP-address of the system (computer, or container, etc.) that runs Rainloop.

    <RAINLOOPADMIN-MYSQL-PASSWORD> should be replaced by a strong password of your choice; substitute that same password wherever this guide uses rainloopadmin to access the mailserver database (probably only here!).

    :warning: WARNING: The password may only contain alphanumeric characters and not exceed a length of 32 characters!

  3. Exit MariaDB:

    quit
    

:information_source: ALTERNATIVE: Replace 'mailadmin'@'localhost' with a more convenient 'mailadmin'@'%' for all to use, where % means 'any host' (including those of possible hackers). This guide chooses the strict approach for security reasons (allowing only one admin from localhost and, now, another from Rainloop's specific IP address).

Install the plugin:

  1. Create a directory for the plugin files (on the webmail system):

    mkdir /var/www/rainloop/data/_data_/_default_/plugins/change-password-custom-sql

  2. Change into the directory:

    cd /var/www/rainloop/data/_data_/_default_/plugins/change-password-custom-sql

  3. Download the files into the directory:

    wget https://raw.githubusercontent.com/RainLoop/rainloop-webmail/master/plugins/change-password-custom-sql/ChangePasswordCustomSqlDriver.php
    wget https://raw.githubusercontent.com/RainLoop/rainloop-webmail/master/plugins/change-password-custom-sql/LICENSE
    wget https://raw.githubusercontent.com/RainLoop/rainloop-webmail/master/plugins/change-password-custom-sql/README
    wget https://raw.githubusercontent.com/RainLoop/rainloop-webmail/master/plugins/change-password-custom-sql/README.md
    wget https://raw.githubusercontent.com/RainLoop/rainloop-webmail/master/plugins/change-password-custom-sql/VERSION
    wget https://raw.githubusercontent.com/RainLoop/rainloop-webmail/master/plugins/change-password-custom-sql/index.php

  4. Change ownership of the folder and its contents to the user that runs Rainloop's webserver:

    chown -R www-data:www-data /var/www/rainloop/data/_data_/_default_/plugins/change-password-custom-sql
    

Configure Rainloop to use the plugin

  1. Log into Rainloop's admin panel at https://rainloop.example.com/?admin#/plugins.

  2. Navigate to the Plugins page (via the left menu column):

    1. Check the general ☑ Enable plugins option if not checked already.
    2. Check the specific change-password-custom-sql ☑.
    3. Click on the Plugin: change-password-custom-sql to be presented with its specific configuration options:

      1. Fill out the first five fields with:

        1. MySQL Host <mailserver-ip>
        2. MySQL User rainloopadmin
        3. MySQL Password <RAINLOOPADMIN-MYSQL-PASSWORD>
        4. MySQL Database mailserver
        5. MySQL Table users

      2. Fill out the last field with the SQL statement:

        UPDATE :table SET password = CONCAT('{SHA512-CRYPT}', ENCRYPT(':newpass', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))) WHERE domain = ':domain' AND username = ':username'

        CONCAT joins otherwise separate elements (it concatenates them).

        ENCRYPT() employs Linux's crypt library (also used by Dovecot).

        $6$ determines the format, as described in the Crypt_(C) Wiki.

        SHA(RAND()) produces a random hexadecimal string to use as the salt, so that each password is hashed with a different salt.

        SUBSTRING(.., -16) ensures that only the last 16 characters of that string are used (according to Dovecot standard).
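
A narrower alternative to the GRANT ALL from the database-user step, added here as an example and not taken from the original guide or the plugin's own documentation: it limits rainloopadmin to the columns that the UPDATE statement above touches. It assumes that the plugin runs only that configured statement and that the earlier GRANT ALL has already been applied (otherwise skip the REVOKE).

```sql
-- Added example (not part of the original guide).
-- Assumption: the plugin issues only the configured UPDATE against
-- mailserver.users, reading `domain` and `username` and writing `password`.

-- Drop the database-wide privileges granted in the user-creation step.
REVOKE ALL PRIVILEGES ON `mailserver`.*
  FROM 'rainloopadmin'@'<IP.OF.RAINLOOP.SYSTEM>';

-- Columns read in the WHERE clause need SELECT; the column written needs UPDATE.
GRANT SELECT (`domain`, `username`), UPDATE (`password`)
  ON `mailserver`.`users`
  TO 'rainloopadmin'@'<IP.OF.RAINLOOP.SYSTEM>';

-- Check 1: the account should now show USAGE plus the column-level grant only.
SHOW GRANTS FOR 'rainloopadmin'@'<IP.OF.RAINLOOP.SYSTEM>';

-- Check 2: list the exact column privileges (expected: three rows,
-- SELECT on domain, SELECT on username, UPDATE on password).
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, PRIVILEGE_TYPE
  FROM information_schema.COLUMN_PRIVILEGES
 WHERE GRANTEE = "'rainloopadmin'@'<IP.OF.RAINLOOP.SYSTEM>'"
 ORDER BY COLUMN_NAME, PRIVILEGE_TYPE;

-- Check 3: no database-wide privileges should remain (expected: empty result).
SELECT TABLE_SCHEMA, PRIVILEGE_TYPE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE GRANTEE = "'rainloopadmin'@'<IP.OF.RAINLOOP.SYSTEM>'";
```

With these grants, a compromise of the Rainloop host exposes password changes only; it cannot read the stored hashes, alter other tables or drop the database.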