Voicemail password confusion

Hi – we have passwordlocation=spooldir in voicemail.conf.

How can I force users to set up a password when they first call into the voicemail app? (I tried minpassword=4, to no avail. It just goes right to the main menu with no prompting.)

The issue is that when a user with no voicemail calls into voicemail, they are prompted to enter their mailbox. If they enter the mailbox of someone else who has not configured a password, they are then granted access to that other person’s mailbox.

Similarly, how can I force the reset of a password? Or otherwise remove a password and trigger the voicemail app to prompt again for a password the next time they access it?

And in general, prevent an extension from reaching the voicemail of any extension but their own?

It’s buried in the sample configuration file:

A new user is determined by the password being the same as the mailbox number.

In short, either forcename or forcegreet (or both) should be set to yes and the user’s password should be configured to be the same as their mailbox number. The first time they call in they will be prompted to change it.

Similarly, how can I force the reset of a password? Or otherwise remove a password and trigger the voicemail app to prompt again for a password the next time they access it?

There is no mechanism that I am aware of to do this, short of setting their password back to their mailbox number and going through the new user setup again. Of course the user would have to know their password changed back to their mailbox number for this to work.

And in general, prevent an extension from reaching the voicemail of any extension but their own?

I’m not sure on this one, but I would probably check that a mailbox with the user’s Caller ID exists (using VM_INFO()) and only if it does pass it explicitly to the VoiceMailMain(…) application. If a mailbox does not exist I believe VoiceMailMain(…) will prompt for one so you’ll want to ensure it does exist first.

Thanks! So as far as you know, if a mailbox does exist for an extension, there is no way for them to log in to a different mailbox, is that right? (I couldn’t find a way to do so through the phone tree options, but just wanting to make sure.)

That depends on what you have in the dialplan. There are at least four name spaces here, which are often aligned, but need not be: caller ID, device name, extension, and mailbox name.

So currently when someone calls a special voicemail access extension we’ve determined, they get to a section of the dialplan that checks VM_INFO() (using CALLERID(num)) for “exists” = “1”, and if that matches then it jumps to the VoiceMailMain call. Otherwise it plays a “you don’t have voicemail enabled for this extension” error.

Assuming we have 1:1 mappings between source numbers and voicemail mailbox names (and that caller ID is 1:1 and accurate), is there any way a caller into the voicemail section of our dialplan could “break out” of their voicemail mailbox and try to log in to someone else’s?

(Hopefully I’ve provided enough context for this question?)

On the available information, you haven’t ruled out that something other than the caller ID is used to identify the calling endpoint, in which case the caller ID could be spoofed. That involves endpoint definitions, and type=identify sections, as well as extension definitions.

On Wednesday 22 April 2026 at 20:24:16, chconnor wrote:

when someone calls a special voicemail access extension we’ve determined,
they get to a section of the dialplan that checks VM_INFO() (using
CALLERID(num))

Assuming … that caller ID is 1:1 and accurate), is there any way a caller
into the voicemail section of our dialplan could “break out” of their
voicemail mailbox and try to log in to someone else’s?

Your security is therefore based on Caller ID, which I suspect is not too
difficult for someone to spoof, depending on what devices they’re calling in
from, and whether they know their SIP credentials (which would allow them to
connect from another type of device on which they could more easily manipulate
Caller ID).

Antony.



Thanks! – only callers from our organization can call the voicemail line, and their ATAs are not accessible and they don’t know their SIP credentials, so in theory we’re covered, but it does seem a little fragile.

I switched to using CHANNEL(endpoint) and it seems to be working fine. Any gotchas there?

same => n,Set(EndPoint=${CHANNEL(endpoint)})

same => n,Set(MailBox=${PJSIP_ENDPOINT(${EndPoint},mailboxes)})

I get the mailbox for the calling endpoint like this if it helps.
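
The approach worked out over this thread, consolidated into one extensions.conf fragment as an added example (not code from any of the posters). The context name, the *97 access extension and the custom/no-voicemail sound file are hypothetical, and it assumes chan_pjsip endpoints that each list exactly one mailbox in their mailboxes= option.

```ini
; extensions.conf (constructed example)
[voicemail-access]
; Hypothetical access extension. The mailbox is derived from the PJSIP
; endpoint the call was matched to, not from CALLERID(num), so a
; caller-supplied number does not select the mailbox.
exten => *97,1,NoOp(Voicemail access from endpoint ${CHANNEL(endpoint)})
 same => n,Set(EndPoint=${CHANNEL(endpoint)})

; mailboxes= from the endpoint's pjsip.conf section, e.g. 1001@default.
; Assumption: a single mailbox per endpoint; a comma-separated list
; would need to be split before use.
 same => n,Set(MailBox=${PJSIP_ENDPOINT(${EndPoint},mailboxes)})

; No mailbox configured on the endpoint: never fall through to
; VoiceMailMain() without an argument, because it would then prompt
; the caller for an arbitrary mailbox number.
 same => n,GotoIf($["${MailBox}" = ""]?novm)

; The mailbox named on the endpoint must also exist in voicemail.conf.
 same => n,GotoIf($["${VM_INFO(${MailBox},exists)}" != "1"]?novm)

; Pass the mailbox explicitly so only the password is requested.
; The s option is deliberately not used: it would skip the password check.
 same => n,VoiceMailMain(${MailBox})
 same => n,Hangup()

; Hypothetical prompt: "voicemail is not enabled for this extension".
 same => n(novm),Playback(custom/no-voicemail)
 same => n,Hangup()
```

For the first-call password prompt described earlier in the thread, the mailboxes reached this way still need forcename or forcegreet set to yes and an initial password equal to the mailbox number.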