Skip to content

Forgot Password Feature

Note

This feature requires a mailcow installation at 2024-08!

The currently installed patch level can be viewed in the mailcow versions since 2022 within the UI.

Preface

Thank You!

This functionality was integrated into mailcow due to the Youth Foundation Baden-Württemberg (Germany) as part of a sponsored development in August 2024.

Thank you for sponsoring this feature!

With the "Forgot Password" function, mailbox users can request a link to reset their password by providing a backup email address and then reset their password.

Requirements

To activate and use this feature for a user, the following must be noted:

  1. The mailcow administrator must have configured a sender email and a subject (see below). The sender email does not need to exist as a mailbox; however, the domain must be fully set up in mailcow to ensure that sending and especially delivery of emails is guaranteed.
  2. The mailbox user must have a backup email address set in their options. This can be done by the user themselves (if the corresponding ACL is not disabled) or by the administrator.
  3. The backup email should be different from the email address of the account for which the password is to be reset.
  4. The backup email must also be able to receive external emails and should, if possible, be from a different provider and not directly on the mailcow server (this point is optional and serves only as a recommendation).
  5. The user must have access to the backup email's mailbox since the links are only valid for a limited time.

Configuration Options in the mailcow UI

Mailbox Settings

This feature adds a new field to the mailbox options:

New mailcow UI field for setting a backup email in the mailbox edit window

Attention

Reminder: This field MUST be filled in for the user to reset their password! If it is not set, they will not be able to reset their password!

For administrators, there is a new ACL that can be set either per mailbox afterwards or as a template for mailboxes: Allow management of the password recovery email: New mailcow UI ACL for controlling whether a mailbox user can change the backup email themselves or not

Note

If a user has already set a backup email but the admin removes this ACL from them, they can still reset their password since the backup email remains in the system. The ACL does not automatically forbid the possibility of resetting the password if there is an email!

To achieve this, the backup email for the user must also be removed by an administrator.

Server Settings

The mailcow administrator can also edit the template for the "Forgot Password" emails, similar to the quota and quarantine emails, to customize how the emails are sent. By default, the template is always in English.

This can be accessed under the tab: System -> Configuration -> Settings -> Password Settings:

New mailcow UI settings section where the administrator can customize the email templates for the Forgot Password feature

Hidden Settings (not in the mailcow UI)

By default, each user can request a maximum of 3 password reset tokens, which are valid for 15 minutes.

Server administrators can configure the expiration time and the maximum tokens per user.

For this, a file named vars.local.inc.php must be created in the folder MAILCOW_ROOT/data/web/inc if it does not already exist.

This file must contain at least the following:

<?php

// Maximum number of password reset tokens that can be generated at once per user
$PW_RESET_TOKEN_LIMIT = 3; // Change this number to another value

// Maximum time in minutes a password reset token is valid
$PW_RESET_TOKEN_LIFETIME = 15; // Change this number to another value. Value in minutes

The file is automatically loaded, no restart of mailcow or any of the containers is required!