
Warning when changing email passwords.

Comments

5 comments

  • cPanelMichael
    Hello Sergio, Thank you for taking the time to report the behavior you noticed upon changing the email account's password. It's true that users logged in via IMAP are not automatically disconnected upon the password change. We are tracking this report as part of internal case CPANEL-18265. While it looks like this will require new functionality, the case status is still open. I'll monitor the status of this case and update this thread with more information as it becomes available. Thank you.
    0
  • Secmas
    Thank you, cPanelMichael. I knew that you would be answering my thread. The answer that I received when I reported this flaw was not the one that I expected, because for me or any user of cPanel, if an account is compromised and we think that changing the password will stop hackers from using that account anymore, that is not true. Right now, as server administrators, we will have to change the password and then restart IMAP connections in order for the change to be applied. Imagine the end users: they will never get a chance to restart IMAP, and the change of password will not work as the user expected. Once again, thanks. I hope we can have a fix for this very soon. Sergio
    0
  • cPanelMichael
    Hi Sergio, Your concern is absolutely understandable. I've linked this forums thread to the internal case to note your feedback. While I can't offer a specific time frame on a resolution to this case at this time, I would like to note a couple of potential workarounds for you to consider in the meantime. 1. In "WHM >> Mail Server Configuration", you could reduce the "Time to Cache Successful Logins" and/or the "Size of Authentication Cache" values. Here's a useful Dovecot document that explains how this works on the backend:
    0
  • cPanelMichael
    Hello Sergio, I wanted to let you know that we're planning to introduce a change in cPanel version 72 (case CPANEL-18889) to address the issue you reported. As part of the change, existing Dovecot and webmaild sessions are automatically logged out when a cPanel user changes the password of the corresponding email account. Note that the current behavior will still apply when an email account user changes their own password. Thank you.
    0
  • cPanelMichael
    Hello, To update, the change is now published in cPanel version 70.0.24 as well: Fixed case CPANEL-18889: Logout email users when the password is changed by the cPanel user. Thank you.
    0
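
To check whether IMAP sessions outlived a password change, as described in this thread, the following added example (not code from the thread or from cPanel) scans Dovecot login and disconnect log lines for sessions that were opened before the change and were still connected after it. The log lines are constructed samples; the ISO timestamp prefix, the regexes and the function name are assumptions to adapt to your own mail log format.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on Dovecot login/disconnect log entries.
SAMPLE_LOG = """\
2018-03-12T09:00:05 mail dovecot: imap-login: Login: user=<info@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, mpid=4101, TLS, session=<aaa111>
2018-03-12T09:20:41 mail dovecot: imap-login: Login: user=<info@example.com>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, mpid=4150, TLS, session=<bbb222>
2018-03-12T09:30:00 mail dovecot: imap-login: Login: user=<other@example.com>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, mpid=4160, TLS, session=<ddd444>
2018-03-12T09:45:10 mail dovecot: imap(info@example.com)<4101><aaa111>: Disconnected: Logged out in=120 out=2048
2018-03-12T09:55:00 mail dovecot: imap-login: Login: user=<info@example.com>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, mpid=4190, TLS, session=<eee555>
2018-03-12T10:05:00 mail dovecot: imap-login: Login: user=<info@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, mpid=4200, TLS, session=<ccc333>
2018-03-12T11:30:00 mail dovecot: imap(info@example.com)<4150><bbb222>: Disconnected: Connection closed in=900 out=51200
""".splitlines()

LOGIN_RE = re.compile(
    r"^(\S+) \S+ dovecot: imap-login: Login: user=<([^>]+)>.*?rip=([^,]+),.*session=<([^>]+)>")
DISC_RE = re.compile(
    r"^(\S+) \S+ dovecot: imap\(([^)]+)\)<\d+><([^>]+)>: Disconnected")


def sessions_surviving_change(lines, user, changed_at):
    """Return IMAP sessions of `user` opened before `changed_at` and still open after it.

    `changed_at` is the password-change time, supplied by the administrator.
    `open_after_change` is how long the session stayed connected after the
    change, or None if the log shows no disconnect (still connected).
    """
    open_sessions, survivors = {}, []
    for line in lines:
        if m := LOGIN_RE.match(line):
            ts, who, rip, sid = m.groups()
            if who == user:
                open_sessions[sid] = (datetime.fromisoformat(ts), rip)
        elif m := DISC_RE.match(line):
            ts, who, sid = m.groups()
            if who == user and sid in open_sessions:
                start, rip = open_sessions.pop(sid)
                end = datetime.fromisoformat(ts)
                if start < changed_at < end:
                    survivors.append({"session": sid, "rip": rip,
                                      "open_after_change": end - changed_at})
    # Sessions with no disconnect line are still connected at the end of the log.
    for sid, (start, rip) in open_sessions.items():
        if start < changed_at:
            survivors.append({"session": sid, "rip": rip, "open_after_change": None})
    return survivors


if __name__ == "__main__":
    for s in sessions_surviving_change(SAMPLE_LOG, "info@example.com",
                                       datetime(2018, 3, 12, 10, 0, 0)):
        print(s)
```

Sessions that logged in after the change are not reported, since they authenticated with the new password; anything reported is a connection that still needs to be dropped, for example by restarting IMAP connections as described above.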
