<password> in e-mail notifications

[nevakee]

Hi,

Since updating to version 11.5, the correct password is not displayed in the notification e-mail (Customer account creation).
It's visible only <password> and not the correct password!

Has changed the variable since the update to version 11.5?

Parallels Plesk Panel v11.5.30_build115130819.13 os_Debian 6.0 (MU #17)
"Enhanced security mode" is off.

best regards

 

[nevakee]

Has nobody any idea?

 

[heicom]

Hey,

im encountering the same problem since 11.5.
I was looking at the manual of plesk, but i cannot recognize a change in that variable. Do you or anybody else has a solution for that problem in the meantime?

Here is the link to the manual of plesk i found:
http://download1.parallels.com/Plesk/PP11/11.5/Doc/en-US/online/plesk-administrator-guide/59422.htm#

Greetings
Marcus

 

[nevakee]

Good timing. Support ticket is open.
The technical support trying to solve the problem at the moment on my server.

In a few hours I can hopefully say a solution.

 

[nevakee]

..........

Hello,

Please note that this is a default feature of Plesk Panel to provide more security for the server. The password could not be sent via mail because it is stored in the encrypted form. That's why the password is not included in the email that is generated by the system.

Any plain password will not be sent via Notification Mail.

You will get option to send link to customer's registered email address to reset the password.

Here are below steps which I have taken in our test environment.

1.Set the notification settings on the server to receive notification mail for 'Customer account creation'.

++++++++
A new customer account has been created.
Customer's contact name: <client_contact_name>
Customer's login: <client_login>
>>To obtain your password, please proceed to https://<hostname>:8443/get_password.php?email=<client_email>&login_name=<client_login>
Panel entry point: https://<hostname>:8443
+++++++

2.Create customer named "Tesrparallels"successfully via Plesk Panel.

3.Once the customer created I have received the below mail to the mail account which I have specified in "Tools & Settings > Notification"

++++
A new customer account has been created.
Customer's contact name: TestParallels
Customer's login: TestPara
To obtain your password, please proceed to
>>https://******:8443/get_password.php?email=parallelsmailtesting******&login_name=TestPara
Panel entry point: https://*****:8443
+++++

4.Once I accessed to the obtain password URL link in notification mail (pressing send), the password reset link will be send to the mail account
which I have specified while creating the customer.

Please understand that the password will not be send directly at any instances because of the security purpose.

+++++++++++
Dear (r) test Parallels

Your password can not be shipped because it is stored in encrypted form.

To set a new password, please follow this link:
>>https://******:8443/ch_pass_by_secret.php?secret=7cb05c19da17c35fe8d5b6b64d1ec297
+++++++++++

 

[heicom]

Hello navakee,

thank you very much for that detailed information, and your answer. This will help me to bypass the problem I (we) actually have.

Greetings
heicom

edit:
Okay, I tried it.... Im not very happy with this solution which is Parallels offering you. This is very inconvenient for a new customer who has to obtain a password via a link and thereafter again via creating a new one....
How do you see this navakee?

 

[Scy]

Hi,

This is a very bad implementation from Parallels. Simply out of the blue leaving the <password> parametre away from Notifications template "Customer account creation" is not very convenient, considering that the implementation of the "Set password" feature is very poorly implemented.

First of all the choice of sending or not the passwords directly via e-mail (when sending welcome messages to new customers) should be left to Plesk admin. This <password> template variable has been existing on the Notifications template as long as I remember using Plesk (which is somewhere from Plesk 8.0). And now Parallels simply leaves this out and forces all Plesk admins to change welcome e-mails to have only links to Plesk's "request forgotten password" feature, that is very unconvenient and confusing to most of the new customers (requiring several mails to be ordered to get password set).

Also as Plesk has never had an opportunity to send seperate ftp password to users, we have had a policy that we set the plesk account & ftp account + plesk password & ftp password to same and inform about this for our new customers. Then they have been ready to log into FTP server as well.

Now this new method is just insane: We need to...
1) Create a new login and password for both Plesk and FTP password
2) Then Plesk refuses to send these passwords to customer, but instead immediately insist them to go to confusing Forgotten password page, where they need to order a separate mail where they have a link to to page, where they can enter a login and then define a new password, twice. Complicated, huh?
3) After that customer is confused, because he/she cannot know what is the FTP password for his account (as it cannot be the same with the plesk login password, as the customer has just forced to change plesk login password to something else that admin had just set just minutes before...). So customer calls us, as it's very complicated him/her to understand that it's required to login into the panel and change the FTP password as well.

Most of our new customers are just confused and cannot understand what their password is. They keep calling to our customer service requesting that we set them a password for Plesk account and FTP account. This just multiplyes our workload in customer service.

Also what is the logic to even request a passwords from Plesk when creating a new customer/subscription, as this password cannot be delivered to any method to customer, but instead needs to be changed immediately. At this method we, Plesk admins cannot know the passwords for newly created customer, and when they have a problem for example logging into the FTP server, we cannot test the FTP connection withouth again changing the password to something else, which after we need to deliver the new password manually to customer via e-mail, making the purpose of this "fancy security feature" simply useless.

I have requested from Plesk support to provide a hotfix for this issue. The <password> parametre should work just as before and the choise of TO SEND OR NOT TO SEND password directly via e-mail should be left to Plesk admin. I hope Parallels could see this is an real issue needs fixing!

 

[Scy]

And I also would like to describe how the password sending should be implemented properly:

1) Notifications template "Customer account creation" should have lines to be replaced just like before:

Customer's login: <client_login>
Customer's password: <password>

2) But in addition Notifications template "Site creation" should also output a FTP login and password, which has never been implemented to Plesk:

Subscriptions's FTP login: <ftp_login>
Subscriptions's FTP password: <ftp_password>

This would solve a lot of problems, because if you create another subscription (a second web hosting package) for an existing customer, there is only this "Site creation" message that goes to customer. The receiver absolutely not cannot know what is his FTP login and password for the second web hosting package. (We have solved this so that we are creating the ftp accounts with logick "login2", "login3" etc with the same password and then this is informed in the "Site creation" template.

But allowing "Site creation" template to send also an FTP login an password of newly created subscription, would help a lot of Plesk management when creating multiple subscriptions for single customer. Please reply to this ticket and inform if you'd like this feature usefull to get Parallels attention.

Is there anybody else that can see this feature useful? IgorG, could you please consider posting an request feature about this (finally)? Someone...?