Webmin Virtualmin Password Recovery

I installed this:

sudo apt-get install webmin-virtualmin-password-recovery

If I choose the “Email random temporary password” option I get this when I try to use the resulting link:

Password recovery failed : Invalid message ID!

A post from November of 2023 mentioned that this was fixed (Password recovery failed : Invalid message ID!).

One in May of 2023 offered a work around (Password recovery still fails - #3 by johnhe).

That May poster’s link has a GitHub link with a work around (Fix for password recovery failure due to invalid message ID and other issues · Issue #4 · virtualmin/virtualmin-password-recovery · GitHub). But that work around had no effect for me.

I do suffer from a bit of a stupidness problem though so I might have done it wrong, I added the line here:

my $emailto = $user ? $user->{‘recovery’} :
$dom ? $dom->{‘emailto’} :
$owner->{‘acl’}->{‘email’} ;
$emailto=~ s/\n+$//;
my $subject = $user ? $text{‘email_subject3’} :

Should that have worked.

Should this be a problem still or might something I have done to my install done it?

Thanks.

I do not have this problem now.

What is your version of webmin-virtualmin-password-recovery?

Mine is 1.12, as reported below by
apt search webmin-virtualmin-password-recovery

I am using Debian OS, so should be using the same repository as for Ubuntu OS.

apt search webmin-virtualmin-password-recovery
Sorting... Done
Full Text Search... Done
webmin-virtualmin-password-recovery/virtualmin,virtualmin,now 1.12 all [installed]
  Webmin module Virtualmin Password Recovery

All Debian derived distros (including Ubuntu) should be using the same repository because the module is architectrure independent.

If you are using version 1.12 of webmin-virtualmin-password-recovery then this suggests there is something missing with your Perl distribution.

You can get more information by going to Webmin, Webmin Actions Log, Search, clicking on link using module Virtualmin Password Recovery.

Thsis is a long shot. If you run the locale command does it report an error at the top or not?

I did a fresh Ubuntu/Virtualmin install just now and this does not work for me ‘out of the box’. My Ubuntu iso is 24.04.1 but I did “full-upgrade” before anything. (I did not add line from the forum post before in this example.)

I would be happy to admit that I’d done something wrong (and learn what that is) but I barely had time:

1  sudo apt update
2  sudo apt full-upgrade
3  sudo sh -c "$(curl -fsSL https://software.virtualmin.com/gpl/scripts/virtualmin-install.sh)" -- --bundle LAMP
4  sudo apt-get install webmin-virtualmin-password-recovery

 Followed with GUI adding a domain, adding a user, setting its recovery address, and trying the button on :20000

Screenshot 2025-04-07 at 2.21.42 PM347×415 52.1 KB

Screenshot 2025-04-07 at 2.33.38 PM324×194 5.36 KB

Screenshot 2025-04-07 at 2.58.00 PM246×269 20.9 KB

@Ron_E_James_D.O I can’t recommend using the Virtualmin Password Recovery plugin! It should have never been handled as a plugin feature in the first place.

@Jamie and I have been discussing adding native password recovery directly into Webmin. Hopefully, this will be possible with the next Webmin release.

You will save yourself a lot of pain and time by using a rented VPS instead of installing onto a home server or desktop. No iso needed and their OS choices are battle tested. Hetzner is one of the few that time VPS use by the minute instead of the month. Using a mounted iso to install a server takes a ton of experience to get right and they are custom prepared for automated installs.

If I was using a home setup:

1. I would NEVER use an OS that has been installed with a mounted iso to then later DIRECTLY install Virtualmin onto.
2. Instead I would use something like ‘Virtual Machine Manager’ and install Ubuntu server (not Ubuntu desktop) from some approved provided link. For one, you don’t have to wonder what server option choices to make during install. It has already been decided by your choice of virtual OS.
3. I would NEVER run a full upgrade, such as sudo apt full-upgrade for server use on any type of install, virtual or not. That is just asking for broken packages and a world of pain.
4. While running apt update and apt install is probably harmless, it is frowned upon by Virtualmin before they have had a go at some pre preperation first during setup of Virtualmin
5. I would go through the full post setup of Virtualmin and if everything looks OK I would then run sudo apt install webmin-virtualmin-password-recovery

As per @Ilia above, the sooner password recovery is integrated more fully into Virtualmin the better. This would provide safeguards against unexpected conditions.

I mentioned locale because sometimes software fails in a bizarre manner if it cannot identify a specific locale variable. Your locale is set up properly.

If your intention is to use Virtualmin on a LAN then ‘Virtual Machine Manager’ is not a good choice beacuse of the difficuly of seeting up external network access with it. VMware used to be a popular choice for this. Windows has a built in virtual machine manager.

Added for completeness: It is safe and advised to run apt update periodically before a series of apt install commands. Sometimes it is essential before installing software from a new repository.

Once Virtualmin is installed it is safe to install other software, such as Docker. I find Virtualmin is handy to reverse proxy to Docker apps with through Nginx (requires -b LEMP for Virtualmin install). There are plans for Virtualmin to automate use of Docker with.

Is it your guess then that if I had not done the upgrade of my Ubuntu it would have worked, or if I would have selected an older .iso that it would be more likely to be in line with whatever quirks the plugin predates?

If so, do you have a best guess as to what version that would be (for example, what are you using), I imagine an .iso for that is on a public archive somewhere.

No. You said you did a full upgrade. It is not necessary, creates more problems than it solves and wastes time. The more recent the iso the better.

As for the real cause of the problem, it is probably a very simple error in the mail pipeline with poor error reporting. Have you verifed an affected user can receive mail?

What does journalct -ef say? As well as the Webmin Actions log, there is also an error log at /var/webmin/miniserv.error

I wouldn’t use a generic iso at all for a server install from a packaging vendor, such as Ubuntu or Debian, unless absolutely necessary. The days of installing genric servers from such distros are next to over. Their focus is on packaging, not on stripped down high performance servers.

If I was going to use a server iso on bare metal I would install somthing like Proxmox from Downloads - Proxmox Virtual Environment and then choose a recommended iso that does the job.

There are other choices, outlined above.

Suggested approach in order of complexity

1. Rent a VPS and install favoutite VM or
2. Install VirtrualBox onto Linux or Windows. Import a VM (avoids an iso install) or
3. Install Proxmox with iso directly onto bare metal. Import a VM (avoids an iso install)

Once VM installed:

1. Install Virtualmin and nothing else. Do not even do an apt update or apt upgrade.
2. Complete a post install setup of virtualmin
3. Add in a working domain and ensure email is working
4. Install webmin-virtualmin-password-recovery

I can’t say that email is working properly since this is a test setup with no MX records (or I suppose it does have MX records since out-of-the-box virtualmin would have done that, but no external NS records refer the world to this server for anything’s DNS), but I can get the reset link at an external email address or if I set the local email address as the recovery address it turns up in their /home/testmaildomain/homes/testlogin/Maildir/new folder.

This is my /var/webmin/miniserv.error

[07/Apr/2025:18:21:58 +0000] Reloading configuration
Use of uninitialized value in numeric lt (<) at ./password-recovery-lib.pl line 60.

[snip]

Use of uninitialized value $virtualmin_password_recovery::in{“id”} in pattern match (m//) at /usr/share/webmin/virtualmin-password-recovery/email.cgi line 22.
Use of uninitialized value in substitution (s///) at /usr/share/webmin/virtualmin-password-recovery/email.cgi line 154.
Use of uninitialized value in string eq at /usr/share/webmin/virtualmin-password-recovery/email.cgi line 25.

(That first error occurred only once, the other three happen each time.)

I can certainly try this without upgrading Ubuntu.

Both of these errors were generated through the following lines in email.cgi

# Check IP rate limit - allow no more than 10 tries in 5 minutes
my $err = &check_rate_limit();
$err && &error_and_exit($err);

# Check if this is a callback from an email
if ($in{'id'} =~ /^[a-z0-9]+$/i) {

The first listed error is from function call to check_rate_limit in password-recovery-lib.pl:

my $ip = $ENV{'REMOTE_ADDR'};
my $now = time();
if ($ratelimit{$ip."_last"} < $now-5*60) {

$ENV{'REMOTE_ADDR'} does not exist for at least one callback.

The second listed error, directly from email.cgi, is from:

# Check if this is a callback from an email
if ($in{'id'} =~ /^[a-z0-9]+$/i) {

id from url $in{'id'} does not match requirments (more in next post).

It looks like cgi program email.cgi got called out of context, perhaps through an internal redirection without id appended.

Without NS records you should not even have got this far.

Perhaps @Ilia can jump in.

email_eid below corresponds to ‘Invalid message ID!’ and the id is part of the link url in the password recovery email.

Can you check if the link url in password recovery emails terminates with an id, such as

https://example.com:10000/virtualmin-password-recovery/email.cgi?id=d132c04c61cb4c006ffb120fe78b84ab

If so, it is only supposed to contain a to z and 0 to 9.

If you are in a situtation where you are oblidged to use a known trusted source, such as a Ubuntu or Debian iso, then the optimal solution is to make up a bare minimum functioning server and then export the VM for further importing. There are techniques to customise names and static IPs, as well as match network macs to IP addresses in DHCP. But that is beyond the current scope.

Sorry for the delay, I had a few things this week, and thank you for taking an interest in this.

To retest this with minimal chance for “something I did”, I installed:

ubuntu-24-04-2-live-server-amd64.iso (the latest) from ubuntu.com and did no updates.

I ran the virtualmin install, I logged in and went through the configuration wizard (only changing passwords to plain-text to confirm that that part does work, if needed), otherwise all defaults.

I added a test domain and a user to that domain.

I installed the plugin.

This server’s entire command line history to that point looks like:

I went to :20000 and clicked the forgot password link.

I cat-ed the only piece of mail in /home/thisisatestdomain/homes/thisisamailuser/Maildir/new and copied and pasted this:

https://thisisatestdomain.com:10000/virtualmin-password-recovery/email.cgi?id=3D02522c4fbf049a85511636a7a52d167a

(I confirmed that such an id/file, not including the 3D, exists at /etc/webmin/virtualmin-password-recovery/links, I even chown -R 777 /etc/webmin/virtualmin-password-recovery in case it’s just a permissions problem.)

I then changed the domain to the internal IP (as I do not control that domain) and got the same error and the same miniserv.error lines. I then added that domain to my hosts file, emptied my browser cookies/history/etc restarted the browser and visited the link as pasted. Same error.

Searching Webmin Actions Log for Virtualmin Password Recovery says:

No actions matched your search for actions from module Virtualmin Password Recovery between 04/10/2025 and 04/10/2025.

Which I think you meant earlier (just noticed it now)… if not, just clicking “Search” with no changes has only the installation and creation of the domain and user related stuff, beginning with Ran post-install script and running to Created user thisisamailuser@thisisatestdomain.com with nothing about the password recovery.

It is version 1.12 as before. You mentioned a possible perl issue. Can you elaborate? (I could try installing an older perl or manually adding whatever libraries it needs.)

My journalctrl does this when I click the “Submit” button:

A7E014414A: uid=0 from=<webmin-noreply@snpwrdtest.mydomain.com>
action 'action-4-builtin:omfile' resumed (module 'builtin:omfile') [v8.2312.0 try https://www.rsyslog.com/e/2359 ]
action 'action-4-builtin:omfile' suspended (module 'builtin:omfile'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2312.0 try https://www.rsyslog.com/e/2007 ]
action 'action-4-builtin:omfile' resumed (module 'builtin:omfile') [v8.2312.0 try https://www.rsyslog.com/e/2359 ]
action 'action-4-builtin:omfile' suspended (module 'builtin:omfile'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2312.0 try https://www.rsyslog.com/e/2007 ]
action 'action-4-builtin:omfile' resumed (module 'builtin:omfile') [v8.2312.0 try https://www.rsyslog.com/e/2359 ]
action 'action-4-builtin:omfile' suspended (module 'builtin:omfile'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2312.0 try https://www.rsyslog.com/e/2007 ]
action 'action-4-builtin:omfile' resumed (module 'builtin:omfile') [v8.2312.0 try https://www.rsyslog.com/e/2359 ]
action 'action-4-builtin:omfile' suspended (module 'builtin:omfile'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2312.0 try https://www.rsyslog.com/e/2007 ]
action 'action-4-builtin:omfile' resumed (module 'builtin:omfile') [v8.2312.0 try https://www.rsyslog.com/e/2359 ]
action 'action-4-builtin:omfile' suspended (module 'builtin:omfile'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2312.0 try https://www.rsyslog.com/e/2007 ]
action 'action-4-builtin:omfile' resumed (module 'builtin:omfile') [v8.2312.0 try https://www.rsyslog.com/e/2359 ]
action 'action-4-builtin:omfile' suspended (module 'builtin:omfile'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2312.0 try https://www.rsyslog.com/e/2007 ]
action 'action-4-builtin:omfile' resumed (module 'builtin:omfile') [v8.2312.0 try https://www.rsyslog.com/e/2359 ]
action 'action-4-builtin:omfile' suspended (module 'builtin:omfile'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2312.0 try https://www.rsyslog.com/e/2007 ]
action 'action-4-builtin:omfile' resumed (module 'builtin:omfile') [v8.2312.0 try https://www.rsyslog.com/e/2359 ]
action 'action-4-builtin:omfile' suspended (module 'builtin:omfile'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2312.0 try https://www.rsyslog.com/e/2007 ]
action 'action-4-builtin:omfile' resumed (module 'builtin:omfile') [v8.2312.0 try https://www.rsyslog.com/e/2359 ]
action 'action-4-builtin:omfile' suspended (module 'builtin:omfile'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2312.0 try https://www.rsyslog.com/e/2007 ]
action 'action-4-builtin:omfile' resumed (module 'builtin:omfile') [v8.2312.0 try https://www.rsyslog.com/e/2359 ]
action 'action-4-builtin:omfile' suspended (module 'builtin:omfile'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2312.0 try https://www.rsyslog.com/e/2007 ]
action 'action-4-builtin:omfile' suspended (module 'builtin:omfile'), next retry is Thu Apr 10 19:45:39 2025, retry nbr 0. There should be messages before this one giving the reason for suspension. [v8.2312.0 try https://www.rsyslog.com/e/2007 ]
A7E014414A: message-id=<20250410194509.A7E014414A@snpwrdtest.mydomain.com>
A7E014414A: DKIM-Signature field added (s=202503, d=snpwrdtest.mydomain.com)
A7E014414A: from=<webmin-noreply@snpwrdtest.mydomain.com>, size=1125, nrcpt=1 (queue active)
A7E014414A: to=<"thisisamailuser@thisisatestdomain.com"@snpwrdtest.mydomain.com>, orig_to=<thisisamailuser@thisisatestdomain.com>, relay=local, delay=2, delays=0.36/0.01/0/1.7, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
A7E014414A: removed

It adds nothing when I click the link that tells me invalid message id.

I commented the lines:

# Check IP rate limit - allow no more than 10 tries in 5 minutes
my $err = &check_rate_limit();
$err && &error_and_exit($err);

to no effect. I commented the next section as well but that breaks it for domain then.

I believe that I misrepresented not having DNS before. Virtualmin is making the DNS as per its out of the box setup, the outside world points nothing to this, but this mail does not go to the outside world.

You have said that I shouldn’t be installing ubuntu from ubuntu.com. From where then? Your examples have me installing a favorite VM whether into a cloud host, a personal computer, or a dedicated computer. What makes this favorite VM special and where do I get one (does Virtualmin happen to have pre-configured “appliance” that I can just attach and expand for example)?

What OS and version is working for you?

Thanks.

An apt update and upgrade is fine. It won’t harm anything. We just don’t want a bunch of random extra packages installed and/or configured.

I don’t know who said that. If you’re installing on your own hardware, installing from an ISO downloaded from the Ubuntu servers is 100% fine. That’s literally how we test.

Pasted into where? Your browser on your PC or a command line for curl on the same console you did the cat?

The id is getting lost. There must be an explanation for this. One explantion is that miniserv in Virtualmin is redirecting without appending the id.

No problem with that. It is the default.

Version 1.12 is the fixed version. I don’t think it is a Perl issue. If it was it would show up elsewhere also. There is nothing special or out of the ordinary to justify that it is a Perl issue

Virtualmin have a set of pre approved of what they call grade A OS choices. Choose your favourite server version from the list. Ubuntu 24-04 is included. You need a minimal server version of whatever OS you choose. Whether you get it from an iso or saved VM image does not matter in the end. Virtualmin does extensive checks and will let you know if there is an issue.

Using an iso is tedious and error prone. I avoid them when I can. As an experiment I installed Debian 12 Bookworm from a mounted iso onto a rented VPS. It was slow process and there were issues.

I don’t know what live in ubuntu-24-04-2-live-server-amd64.iso means. Does it mean you can boot from an iso and use a temporary ramdisk as a writeable drive? If I had to use an iso I would install a minimal server onto a writeable drive, reboot and check all is OK before proceeding. If I was using a virtual machine I would save the VM image for later reuse to avoid going the iso route again

Sorry if I being confusing. I hope the above clarifies.

I use Debian 12 Bookworm with Nginx (-b LEMP install of Virtualmin). I use whatever VPS vendors offer as a preprepared image of Debian 12. Debian 12 has given me very few problems, compared to issues in the past.

I see the port below is 10000. There is no need for a redirection.

So Minserv on port 20000 (Usermin) is not redirecting to miniserv on port 10000 (Webmin/Virtualmin) without appending the id.

It does not make sense for miniserv on port 10000 to redirect when the required cgi is fully specified:

This is my explanation.

You have more than one instance of Virtualmin running say on server exampleA.com and server exampleB.com

You are generating the password reset on exampleA.com

You have an entry in an /etc/hosts file that has not updated the IP address for exampleA.com (it points to exampleB.com)

OR

The password rerset URL specifices exampleB.com, not exampleA.com