For now, the feature does not work in HTML mode (so it it bypassed). At some point, the feature will be available to users so they can pick a good new password instead of "fighting PAM" until it accepts the new password.
A sample password generator is supplied with Linuxconf. It uses /dev/urandom to generate a somewhat ASCII password. But the apg project generates far more usable passwords.
The module auto-magically move old configuration (stored in /etc/conf.linuxconf) to /etc/mail/trusted_users when you change the configuration. There is no migration tool needed.