Considerations around the Forgot Password feature.
Posted: Thu Oct 11, 2018 3:50 pm
Hi all, here are some considerations around the new Forgot Password feature.
Based on the docs (https://zdocs.github.io/curie/fp.html), the feature should be available for the domain "@mydomain.com" under these conditions:
- domain mydomain.com has zimbraFeatureResetPasswordStatus attribute = enabled
- domain mydomain.com has zimbraAuthMech = local
First of all, a third condition should be specified:
- domain mydomain.com has a zimbraVirtualHostname, e.g. webmail.mydomain.com (...OR mydomain.com is the default domain)
OK if you have a single-server, single-domain installation. But if you have two domains on the same server, one with reset password enabled and the other disabled, you must have a way to discriminate between them, and this is done via the virtual hostname. It works, and works well, but the docs don't mention it.
Then the bad thing: the zimbraAuthMech == local condition does not work, even though the docs say:
"This forgot password link will be disabled if external authentication is used. If the recovery email is not set, the user will get an error message to contact the Administrator."
Using zimbraAuthMech = ldap for mydomain.com and pointing authentication at another test machine with LDAP on it, the feature was not disabled.
When the user asks for a password recovery, the security code is sent to the recovery email and the user can choose whether to continue with the session or change the password.
The first case (continue with session) is less dangerous, and only relevant in the case of MITM, so let's ignore it.
In the second case (change password), obviously the password will not be changed on the remote LDAP/AD, but it will be changed LOCALLY. This is dangerous if the domain has zimbraAuthFallbackToLocal = true, because the same user can then log in with two passwords: the old one and the newly set one.
Tests conducted on ZCS 8.8.9 and 8.8.10.
Any thoughts?
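As an added example (not part of the post above and not Zimbra's own code), here is a small POSIX shell audit that classifies a domain's attribute combination the way the post describes: reset feature on, external authentication, and zimbraAuthFallbackToLocal=TRUE is the case where a locally reset password coexists with the external one. It parses the "attr: value" lines printed by the real command `zmprov gd <domain> zimbraFeatureResetPasswordStatus zimbraAuthMech zimbraAuthFallbackToLocal zimbraVirtualHostname`; the attribute names and the `zmprov md` fixes it prints are real, the two sample outputs are constructed rather than captured, and the script assumes an unset zimbraAuthMech or the value `zimbra` means the internal (local) mechanism.

```shell
#!/bin/sh
# Added audit helper, not from the forum post or the Zimbra code base.
# Input is the "attr: value" text that this real command prints:
#   zmprov gd mydomain.com zimbraFeatureResetPasswordStatus zimbraAuthMech \
#          zimbraAuthFallbackToLocal zimbraVirtualHostname
# The sample outputs at the bottom are constructed, not taken from a server.

# attr_of "<zmprov output>" <attribute>: print the attribute's value (empty if unset)
attr_of() {
    printf '%s\n' "$1" | awk -v n="$2" 'index($0, n ": ") == 1 { print substr($0, length(n) + 3) }'
}

# reset_password_verdict "<zmprov output>": print one word
#   disabled       reset feature is off for this domain
#   ok             reset on with the internal mechanism: password and reset use the same store
#   external-auth  reset on with ldap/ad/kerberos5 and no fallback: a reset only touches the local copy
#   dual-password  reset on, external auth AND zimbraAuthFallbackToLocal=TRUE: the old external
#                  password and the new local one are both accepted (the condition the post flags)
reset_password_verdict() {
    status=$(attr_of "$1" zimbraFeatureResetPasswordStatus)
    mech=$(attr_of "$1" zimbraAuthMech)
    fallback=$(attr_of "$1" zimbraAuthFallbackToLocal)

    if [ "$status" != enabled ]; then
        echo disabled
    elif [ -z "$mech" ] || [ "$mech" = zimbra ]; then
        # assumption: unset zimbraAuthMech, or the value "zimbra", is the internal mechanism
        echo ok
    elif [ "$fallback" = TRUE ]; then
        echo dual-password
    else
        echo external-auth
    fi
}

# vhost_reachable "<zmprov output>": true if the domain has a zimbraVirtualHostname.
# Per the post, without one the reset link is only reached through the default domain.
vhost_reachable() {
    [ -n "$(attr_of "$1" zimbraVirtualHostname)" ]
}

# Constructed samples in zmprov gd output format
RISKY='# name mydomain.com
zimbraAuthFallbackToLocal: TRUE
zimbraAuthMech: ldap
zimbraFeatureResetPasswordStatus: enabled
zimbraVirtualHostname: webmail.mydomain.com'

SAFE='# name other.com
zimbraAuthFallbackToLocal: FALSE
zimbraAuthMech: zimbra
zimbraFeatureResetPasswordStatus: enabled'

for d in "$RISKY" "$SAFE"; do
    name=$(printf '%s\n' "$d" | sed -n 's/^# name //p')
    v=$(reset_password_verdict "$d")
    if vhost_reachable "$d"; then reach=vhost; else reach=default-domain-only; fi
    echo "$name: $v ($reach)"
    if [ "$v" = dual-password ]; then
        # Either change closes the two-passwords window; pick the one matching your policy.
        echo "  fix: zmprov md $name zimbraFeatureResetPasswordStatus disabled"
        echo "  or:  zmprov md $name zimbraAuthFallbackToLocal FALSE"
    fi
done
```

Run it as a Zimbra user and replace the two sample strings with `$(zmprov gd "$domain" ...)` to audit real domains; a `dual-password` verdict is the case the post describes, and `external-auth` still means a reset writes a password the external directory never sees.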