I think that most domain administrators will be annoyed by a so long minimum allowed length for passwords, because they want to enter a 1 char pwd when they are testing their installation. In addition, weak pwd like 123456789123 are still possible. It's better to enforce qmailadmin, which is under end users control, in my opinion.
I'm patching vpopmail to let the admin set the minimum length at configure time as follows. I hope it can be of interest :)
diff -ruN vpopmail-original/configure.in vpopmail/configure.in
--- vpopmail-original/configure.in 2022-04-04 12:54:54.633524194 +0200
+++ vpopmail/configure.in 2022-04-04 18:05:56.425408645 +0200
@@ -1703,6 +1703,38 @@
#----------------------------------------------------------------------
+# Enable min password length
+AC_MSG_CHECKING(whether min pwd length has been defined)
+AC_ARG_ENABLE(min-pwd-length,
+ [ --enable-min-pwd-length=NUMBER Minimum password length (default 12).],
+ min_pwd_length=$enableval,
+ min_pwd_length=12
+)
+
+ if test $min_pwd_length = "yes"
+ then
+ AC_MSG_RESULT(yes)
+ minpwdlength=12
+ else
+ if test $min_pwd_length = "no"
+ then
+ AC_MSG_RESULT(no)
+ minpwdlength=1
+ else
+ if ! test $min_pwd_length = ""
+ then
+ AC_MSG_RESULT(yes)
+ minpwdlength=$enableval
+ else
+ AC_MSG_ERROR([Unable to set minimum password length. Please specify --enable-min-pwd-length=NUMBER.])
+ fi
+ fi
+ fi
+
+AC_DEFINE_UNQUOTED(MIN_PW_CLEAR_PASSWD,$minpwdlength,Minimum password length)
+
+#----------------------------------------------------------------------
+
AC_MSG_CHECKING(whether any discontinued --enable commands have been used)
AC_ARG_ENABLE(mysql-logging, [],
@@ -2096,6 +2128,19 @@
;;
esac
+
+case $min_pwd_length in
+ yes*)
+ echo " Min. pwd length = 12 (default) --enable-min-pwd-length=NUMBER"
+ ;;
+ no*)
+ echo " Min. pwd length = 1 --disable-min-pwd-length"
+ ;;
+ *)
+ echo " Min. pwd length = $minpwdlength --enable-min-pwd-length=NUMBER"
+ ;;
+esac
+
if test "$USE_SQL" = 1
then
diff -ruN vpopmail-original/vpopmail.c vpopmail/vpopmail.c
--- vpopmail-original/vpopmail.c 2022-04-04 12:54:54.642524164 +0200
+++ vpopmail/vpopmail.c 2022-04-04 18:07:01.778189168 +0200
@@ -2867,6 +2867,8 @@
/* Convert error flag to text */
char *verror(int va_err) {
+ char *buf = malloc(MAX_BUFF);
+
switch (va_err) {
case VA_SUCCESS:
return ("Success");
@@ -2965,7 +2967,8 @@
case VA_CANNOT_DELETE_CATCHALL:
return ("can't delete catchall account");
case VA_PASSWD_TOO_SHORT:
- return ("password too short (min=12)");
+ snprintf(buf, MAX_BUFF, "%s%d%s", "password too short (min=", MIN_PW_CLEAR_PASSWD, ")");
+ return (buf);
default:
return ("Unknown error");
}
diff -ruN vpopmail-original/vpopmail.h vpopmail/vpopmail.h
--- vpopmail-original/vpopmail.h 2022-04-04 12:54:54.642524164 +0200
+++ vpopmail/vpopmail.h 2022-04-04 18:16:26.713290652 +0200
@@ -44,10 +44,10 @@
#define MAX_PW_GECOS 64
#if defined(MD5_PASSWORDS) || defined(SHA512_PASSWORDS)
#define MAX_PW_CLEAR_PASSWD 128
-#define MIN_PW_CLEAR_PASSWD 12
+/* #define MIN_PW_CLEAR_PASSWD 12 */
#else
#define MAX_PW_CLEAR_PASSWD 8
-#define MIN_PW_CLEAR_PASSWD 8
+/* #define MIN_PW_CLEAR_PASSWD 8 */
#endif
#define MAX_PW_DIR 160
#define MAX_PW_QUOTA 20`