add account config option to prevent the account for setting their own custom password, and enable by default for new accounts

accounts with this option enabled can only generate get a new randomly generated password. this prevents password reuse across services and weak passwords. existing accounts keep their current ability to set custom passwords. only admins can change this setting for an account. related to issue #286 by skyguy
2025-07-10 09:54:40 +03:00 · 2025-02-15 12:44:18 +01:00
parent 09975a3100
commit 3e53abc4db
16 changed files with 266 additions and 120 deletions
--- a/config/doc.go
+++ b/config/doc.go
@ -1260,6 +1260,12 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
 			# responses and want instant replies. (optional)
 			NoFirstTimeSenderDelay: false

+			# If set, this account cannot set a password of their own choice, but can only set
+			# a new randomly generated password, preventing password reuse across services and
+			# use of weak passwords. Custom account passwords can be set by the admin.
+			# (optional)
+			NoCustomPassword: false
+
 			# Routes for delivering outgoing messages through the queue. Each delivery attempt
 			# evaluates these account routes, domain routes and finally global routes. The
 			# transport of the first matching route is used in the delivery attempt. If no