On Tue, Jul 31, 2001 at 04:50:57PM -0500, Jay Kline wrote:
> I have been contemplating setting up a method to allow my email users to 
> change their password.  I have set my system up so they all use the same 
> account (popuser) but pop authentication is done with the 
> /var/qmail/users/poppasswd file instead.  I wrote a perl script to behaive 
> much the same way the standard passwd command does, and could easily write 
> other scripts that can manipulate this file.  The problem is, how do I handle 
> allowing users to change passwords securely?  I have thought of running a cgi 
> script via web, but something about doing a setuid root cgi script scares me 
> a little.  Since none of the users have shell access, they cant use ssh or 
> telnet (not even enabled on the server) to connect to the system.  A few 
> ideas I have been kicking around is using some sort of spooler, where 
> password change requests are put into a file, then into a directory- which 
> would be called by some program either via cron or a daemon and process the 
> requests.  That way any cgi script would be able to submit a request.  
> Another thought I had was via email- user sends email to something like 
> chpasswd at slushpupie.com with their username, old password, and new password 
> and all incoming mail to that account is handled via some program/script. 

I use the vpopmail+qmailadmin packages, they have all what you have now.
Virtual pop-accounts with only 1 system user, webbased interface for
managing domains (from the user side), ability to create popboxes, 
forwards, aliases, mailinglists etc..

You might want to look into it: http://www.inter7.com/

It's all premade and well tested so you'll not run into a lot of bugs.

just my .20 dkr!

-- 
  Thomas Eibner <http://thomas.eibner.dk/> DnsZone <http://dnszone.org/>
  mod_pointer <http://stderr.net/mod_pointer>