Ability to turn off password change in webmail login interface

[sawbuck]

Unless I've missed it (which is very possible) there doesn't seem to be a way to turn off the password change option in the webmail interface.

Does appear possible to turn off everything else - forwarding / auto responders / email route / filtering using the Feature Manager.

[monarobase]

We've also had this request from some of our customers…

[cPanelDavidG]

You can turn off the password change option in the webmail interface by means of disabling the password change option for that cPanel user. This is because webmail features are inherited from that cPanel user.

What is the ultimate reason for disabling password changes though? The cPanel user can view the email of all of the email accounts under them if they login to the mail server via IMAP using their cPanel username and cPanel password, regardless of what webmail users change their password to.

[dwykofka]

I think the idea is that you want to disable changing passwords for the email users but not the cpanel user.

Example: Acme Real Estate has 50 agents and 1 IT guy That has to manage the accounts which includes things like spam and storage on the server. When Jill reaches a large amount of storage he needs to log in and see what is going on in that account. But Wait Jill changed her password.. AGAIN! so now he has to track her down and get her to send him the password via an insecure source or get her on the dreaded phone and listen to stories about her kids before she will finally tell him that she changed her password to AcmeRealEstate. Damnit Jill that is not a very secure password.

[cPanelDavidG]

Example: Acme Real Estate has 50 agents and 1 IT guy That has to manage the accounts which includes things like spam and storage on the server. When Jill reaches a large amount of storage he needs to log in and see what is going on in that account. But Wait Jill changed her password.. AGAIN! so now he has to track her down and get her to send him the password via an insecure source or get her on the dreaded phone and listen to stories about her kids before she will finally tell him that she changed her password to AcmeRealEstate. Damnit Jill that is not a very secure password.

Or the IT Guy, having cPanel access, logs into the IMAP mail server using the cPanel username and cPanel password, clicks over to the folder representing Jill's account and observes what is going on despite not knowing Jill's password.

I'm still attempting to understand the real-world usefulness of removing the ability for someone to change their own password.

[dwykofka]

In corporate environments it is typical for the IT department to control passwords and prevent end users from changing them on their own in order to streamline IT productivity. I think that's where this request comes from. The other issue is that the IT guy might have to work on Jill's email client or Smartphone.

I think this is something that some people might expect but I would think a low priority. However when the new password module rolls out this might become more important.

[sawbuck]

Or the IT Guy, having cPanel access, logs into the IMAP mail server using the cPanel username and cPanel password, clicks over to the folder representing Jill's account and observes what is going on despite not knowing Jill's password.

Or a small business has no IT department and multiple users on one email account (for instance staff@) and one of those users changes the password. Then either the host has to get involved or someone from the business has to spend their time tracking down who changed it and what they changed it to.

Or in a long shot scenario, a remote webmail user doesn't log out of a session allowing someone unrelated to the account to change the password.

dwykofka makes a good point about separating the cPanel password change from email users.

[monarobase]

Same here, multiple users of a single account. You don't want one of them from changing the password and thus preventing others from accessing this account.

[phamilton27]

Perfect thread for what I am trying to accomplish, however I am not able to complete my objective. There are some real world situations where having the ability to disable password change for webmail only would be useful.

I have an email "system" built into a CRM on my website where users can setup an email address at username@mydomain.com with the click of a link. I use api2 query to create email account. I use php imap to get the mail and bring into a page on my website, so they can view mail when logged in. Everything works fine. I then have a webmail login page built into my website where user can access webmail (for full email functionality) directly from my website after logging into my site. Currently, the webmail login page requires them to enter their cPanel webmail password to enter the webmail (cPanel) application. I would like to have the webmail password synced with the user's password to my website, so when they are logged in and click on a webmail link they can be automatically routed to webmail without having to re-enter their password. I have accomplished this most of the way by using their existing password for my site upon api2 webmail account creation, and have setup another api2 query to change their webmail password when they change their password for my site. The only snag I would run into is if the user changed thier password on the "Change Password" link in webmail.

To clear it up, I would like to have one Password for my website and cPanel webmail login and only allow a change through my website. The only other option would be to somehow trigger a change to the password for my website upon changing Password for webmail. This would work just the same for my needs. Can I add "call a php function" from my http server upon 'Password Change' for webmail which I would design to update the Password for my website?

Is either of the following options possible?

Option 1: Disable webmail "Change Password"?

Option 2: Call a php function to update Password for my website upon webmail "Change Password"?

Thank you for any feedback.

[cPanelDavidG]

Option 1: Disable webmail "Change Password"?

This is currently only possible by turning off the "Change Password" icon for that cPanel user - hence this feature request.

Option 2: Call a php function to update Password for my website upon webmail "Change Password"?

Yes, you would hook into the API1 function for Email passwdpop (which would be done via a shell script, such as a PHP shell script). Details for doing that are available on cPanel & WHM's SDK and if you need help with this, I strongly advise starting a new thread over in the Developers section: cPanel Developers

[cPanelTristan]

Hello,

You could modify the theme to remove the ability or the icon. That would require cloning the theme in WHM > Themes > cPanel Themes area and then making revisions. I'm just pointing this out as it is possible to do with some work. The main files that handle this in x3 theme are /usr/local/cpanel/base/webmail/x3/index.html and /usr/local/cpanel/base/webmail/x3/js2/mail/pops.js ones.

To just remove the icon itself, you can edit /usr/local/cpanel/base/webmail/newtheme/index.html for these lines:

Code:

<cpanelfeature popaccts>
    <td >
                <div valign="top" align="center">
                        <a href="mail/passwdpop.html?redirectdomain=&email=<cpanel sprint="$authuser,@,0">&domain=<cpanel print="$CPDATA{'DNS'}">"><img src="<cpanel Branding="image(password)">" border="0" /></a><br><a href="mail/passwdpop.html?redirectdomain=&email=<cpanel sprint="$authuser,@,0">&domain=<cpanel print="$CPDATA{'DNS'}">"><cpanel langprint="ChangePassWebmail"></a>
                </div>
        </td>
</cpanelfeature>

Here the path newtheme is using the new theme you've cloned to revise. The default x3 theme should not be directly modified. After saving that file with the removed lines, the icon will no longer appear there. If they have a direct link to the page, they can still make modifications, so you'd want to then also revise the /usr/local/cpanel/base/webmail/newtheme/js2/mail/pops.js file to remove the functions to change the password there. Quite a few functions are in that file and it would need too many changes to post them here.

Hopefully, the above will be enough to help those until this feature request has been considered and possibly implemented in the future.

Thanks!