One of my e-mail servers uses unix system accounts for user login.
Because I didn't set up any complex password policies (our users, including management staff, don't like complicated passwords), one of the accounts, which had a 6-letter dictionary password, was hacked and a few thousand spams were sent. So, naturally, our IP ended up in 3 RBLs.
After talking with the management, we decided that it was time to increase password complexity requirements (minimum 8 characters, upper case, lower case, numbers, etc.).
Now, here is the problem. How to make sure that all our users really change the password without having to check the logs, chage command output, etc?
The best solution I could think of, was to set a 10 day password expiration for all users and then send a mass email to everyone, telling them that if they don't change their password, after 10 days they won't be able to login.
So I started doing tests, to see if this was a viable solution and I encountered a problem that I should have foreseen:
Even though I set the password expiration to 10 days (chage -M 10 user), after changing the password, the expiration date remained the same, instead of returning to "never".
Is there some way of turning off password expiration after the user has changed their password? (Users can change their password via the webmail interface, using a script based on the chpasswd command.)