SOLVED Warning when changing email passwords.

Hello Sergio,

Thank you for taking the time to report the behavior you noticed upon changing the email account's password. It's true that users logged in via IMAP are not automatically disconnected upon the password change. We are tracking this report as part of internal case CPANEL-18265. While it looks like this will require new functionality, the case status is still open. I'll monitor the status of this case and update this thread with more information as it becomes available.

Thank you.

 

Hi Sergio,

Your concern is absolutely understandable. I've linked this forums thread to the internal case to note your feedback. While I can't offer a specific time frame on a resolution to this case at this time, I would like to note a couple of potential workarounds for you to consider in the meantime.

1. In "WHM >> Mail Server Configuration", you could reduce the "Time to Cache Successful Logins" and/or the "Size of Authentication Cache" values. Here's a useful Dovecot document that explains how this works on the backend:

Authentication/Caching - Dovecot Wiki

The downside is that reducing these values will likely lead to a performance hit, which could be significant on systems with hundreds or thousands of active IMAP sessions at any given time.

2. You could setup a hook that runs after the UAPI::Email::passwd_pop event (this is the function that's called when changing an email account password via the cPanel UI) with a command like this:

Code:

/usr/local/cpanel/bin/manage_hooks add script /root/restart_imap --category=Cpanel --event=UAPI::Email::passwd_pop --stage=post

You'd then create and setup the "/root/restart_imap" file as a bash script that restarts IMAP and it would automatically run every time an email password is changed. The downside is that IMAP is restarted automatically upon each email password change, and thus could lead to abuse of the system should a malicious user decide to continuously change email passwords.

While neither of those workarounds are ideal solutions, it does provide you with a couple of alternatives while you await an update on the internal case. Let me know if you have any questions about either workaround. Additionally, I'll continue to monitor internal case CPANEL-18265 and update this thread as soon as new information is available.

Thank you.

 

Hello Sergio,

I wanted to let you know that we're planning to introduce a change in cPanel version 72 (case CPANEL-18889) to address the issue you reported. As part of the change, existing dovecot and webmaild sessions are automatically logged out when a cPanel user changes the password of the corresponding email account. Note that the current behavior will still apply when an email account user changes their own password.

Thank you.

 

Hello,

To update, the change is now published in cPanel version 70.0.24 as well:

Fixed case CPANEL-18889: Logout email users when the password is changed by the cPanel user.

Thank you.