Set/control password lifetime and expiration? #316

Open
dmitrydonskih opened this issue Aug 1, 2024 · 2 comments

@dmitrydonskih

dmitrydonskih commented Aug 1, 2024

Hello. ISO/IEC 27001 and PCI DSS, as well as other security standards, have a requirement to periodically change users' passwords.
Does anybody have any thoughts on how to implement this in ViMbAdmin?

As far as I can see it, the problem is divided into four parts:

  1. When (user|admin) sets a password to a mailbox, store current (or expiration?) timestamp in the database;
  2. Take this timestamp into account when an external system requests mailbox properties;
  3. Take (or not, depending on company needs) this timestamp into account when user logs in to change his password;
  4. Periodically check and notify users that their passwords will expire soon.

As 1.-3. can be added as a plugin fairly easily, they require schema modification (OR using field mailbox.modified - is it possible??)
2. requires modified requests to the database (mention it in documentation)
And 4. requires some kind of cron job and a template for mailing notifications.

What do you say?
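The four parts listed in the issue, as an added sketch that is not part of the original post and is not ViMbAdmin code. The table layout, the `pw_changed_at` column, all function names and the 90-day/14-day values are assumptions made for illustration:

```python
import sqlite3
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)      # assumed policy; the issue names no value
WARN_BEFORE = timedelta(days=14)  # assumed notification lead time

def open_db():
    # Constructed stand-in table, not ViMbAdmin's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mailbox (username TEXT PRIMARY KEY,"
               " password TEXT NOT NULL, pw_changed_at INTEGER NOT NULL)")
    return db

def _ts(dt):
    return int(dt.timestamp())

def set_password(db, username, pw_hash, now):
    # Part 1: every password write also records when it happened.
    db.execute("INSERT OR REPLACE INTO mailbox VALUES (?, ?, ?)",
               (username, pw_hash, _ts(now)))

def auth_lookup(db, username, now):
    # Part 2: the lookup the SMTP/IMAP side would run. An expired
    # password yields no row, so authentication fails closed.
    row = db.execute(
        "SELECT password FROM mailbox WHERE username = ? AND pw_changed_at > ?",
        (username, _ts(now - MAX_AGE))).fetchone()
    return row[0] if row else None

def may_change_password(db, username, now, allow_expired=True):
    # Part 3: policy switch: may an expired user still log in to rotate?
    row = db.execute("SELECT pw_changed_at FROM mailbox WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    return allow_expired or row[0] > _ts(now - MAX_AGE)

def expiring_soon(db, now):
    # Part 4: what a cron job would select for reminder mail: still
    # valid, but expiring within WARN_BEFORE.
    lo, hi = _ts(now - MAX_AGE), _ts(now - MAX_AGE + WARN_BEFORE)
    rows = db.execute("SELECT username FROM mailbox WHERE pw_changed_at > ?"
                      " AND pw_changed_at <= ? ORDER BY username", (lo, hi))
    return [r[0] for r in rows]
```

Storing the change time instead of an expiry time lets the maximum age be changed later without rewriting rows.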

@dereckson
Contributor

(just a small note: a profile control panel linked to an SSO or at least an LDAP is probably more convenient to centrally control the password lifecycle than to hunt it in every application / that would be a nightmare to audit and certify if each application used in a domain has its own procedure to force users to change passwords)

@dmitrydonskih
Author

> (just a small note a profile control panel linked to a SSO or at least a LDAP is probably more convenient to centrally control the password lifecycle than to hunt it in every application

Yes, but ViMbAdmin is that very application which keeps and manages passwords, and it IS by design a source of credentials for the SMTP/IMAP server - so this functionality is a must for it.
