# Security
The Security page has two distinct areas: your own administrator account security, and the security policies that apply to all mailboxes in your organization.
## Your Administrator Account

### Authenticator App (TOTP)
Adding an authenticator app gives your admin account a second sign-in factor. Once set up, you enter a 6-digit code from the app (Google Authenticator, Authy, or any TOTP-compatible app) each time you sign in.
To enable:
- Click Set up in the Authenticator App card.
- Scan the QR code with your authenticator app, or enter the manual key if scanning isn't possible.
- Enter the 6-digit code shown in the app and click Confirm and enable.
To disable:
- Click Disable in the Authenticator App card.
- A confirmation code is sent to your email address. Enter it and click Confirm and disable.
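The 6-digit code described above is a standard TOTP (RFC 6238) value: the app and the server share the secret encoded in the QR code or manual key, and each derives the code from the current 30-second time step. The following is an added example, not the product's own code; it assumes the RFC defaults that authenticator apps use (HMAC-SHA1, 30-second step, 6 digits) and a constructed secret, which is the base32 form of the RFC 6238 test key. It also shows the two server-side checks a verifier needs: a small window for clock skew, and a record of the last accepted time step so a code that was already used cannot be accepted a second time.

```python
"""TOTP (RFC 6238) code generation and verification. Added illustration; the
constructed secret is the base32 form of the RFC 6238 test key."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Constructed example secret (RFC 6238 test key "12345678901234567890" in base32).
# A real enrollment generates a random secret and shows it as the QR code / manual key.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30   # length of one time step
DIGITS = 6          # code length shown by the authenticator app


def totp_code(secret_b32: str, unix_time: int) -> str:
    """Return the code for the given Unix time (HMAC-SHA1 with RFC 4226 truncation)."""
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** DIGITS)).zfill(DIGITS)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_used_counter: Optional[int] = None,
                window: int = 1) -> Tuple[bool, Optional[int]]:
    """Check a submitted code against the current step and `window` neighbours on
    each side (tolerates modest clock skew between phone and server).

    Returns (accepted, counter_to_store). A step at or before the last accepted one
    is refused even if the code matches, so a code observed once cannot be
    replayed during the rest of its validity period."""
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        expected = totp_code(secret_b32, counter * STEP_SECONDS)
        # constant-time comparison, as for any authentication secret
        if hmac.compare_digest(expected, submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    now = int(time.time())
    code = totp_code(EXAMPLE_SECRET_B32, now)
    print("current code:", code)
    print("first use:", verify_totp(EXAMPLE_SECRET_B32, code, now))
    print("replayed:", verify_totp(EXAMPLE_SECRET_B32, code, now,
                                   last_used_counter=now // STEP_SECONDS))
```

The values for the test key are published in RFC 6238, so the generator can be checked against them before trusting it with a real enrollment. The "manual key" shown in the setup card is this same base32 string, which is why it should be treated like a password: anyone holding it can produce valid codes.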
## Password Policy

These settings control the password requirements for all mailboxes in your organization.
| Field | Description |
|---|---|
| Minimum length | Passwords shorter than this are rejected. Default: 8 characters. |
| Max age (days) | Passwords expire after this many days. Set to 0 to disable expiry. Expiry is automatically skipped for users who have an active TOTP or passkey configured. |
| Min age (days) | Users cannot change their password again until this many days have passed. Set to 0 to allow changes at any time. |
| History (count) | The system remembers this many previous passwords and prevents reuse. Set to 0 to disable history checking. Maximum 24. |
| Expiry warning (days) | Warn users in webmail this many days before their password expires. Set to 0 to send no warning. |
### Complexity Requirements
Check any combination of the following to require those character types:
- Uppercase letter (A–Z)
- Lowercase letter (a–z)
- Number (0–9)
- Special character (any character that is not a letter or number)
Click Save Policy to apply changes. The new policy takes effect immediately for all future password changes. Existing passwords are not invalidated — they remain valid until the user next changes their password or the password expires.
Note: Individual mailboxes can be exempted from the password policy. Set this on the Mailboxes page using the Exempt from password policy checkbox. This is useful for service accounts or shared mailboxes that use app passwords for access.
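The fields above combine into two separate decisions: whether a proposed new password is acceptable (length, complexity, minimum age, history) and whether an existing password has expired or is about to (maximum age, expiry warning, with the TOTP/passkey and exemption rules). The following is an added example of both decisions, not the product's own implementation. The class and function names are assumptions; the plain SHA-256 digest used for the history list stands in for whatever salted, slow password hash a real system stores.

```python
"""Evaluating the Password Policy fields against a mailbox. Added illustration."""
import hashlib
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


def at(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp (helper for the constructed examples)."""
    return datetime.fromisoformat(iso)


@dataclass
class PasswordPolicy:
    min_length: int = 8            # Minimum length (default 8)
    max_age_days: int = 0          # Max age (days); 0 = passwords never expire
    min_age_days: int = 0          # Min age (days); 0 = change at any time
    history_count: int = 0         # History (count); 0 = off, maximum 24
    expiry_warning_days: int = 0   # Expiry warning (days); 0 = no warning
    require_upper: bool = False    # Uppercase letter (A-Z)
    require_lower: bool = False    # Lowercase letter (a-z)
    require_digit: bool = False    # Number (0-9)
    require_special: bool = False  # any character that is not a letter or number

    def __post_init__(self) -> None:
        if not 0 <= self.history_count <= 24:
            raise ValueError("History (count) must be between 0 and 24")


@dataclass
class MailboxPasswordState:
    last_changed: datetime
    # Digests of the current and earlier passwords, most recent first. Assumption:
    # the current password counts as one of the remembered passwords.
    history: List[str] = field(default_factory=list)
    has_totp_or_passkey: bool = False   # an active TOTP or passkey skips expiry
    exempt_from_policy: bool = False    # "Exempt from password policy" (Mailboxes page)


def digest(password: str) -> str:
    """Stand-in for the history store. A real system keeps salted, slow hashes
    (bcrypt, scrypt, Argon2) and verifies the candidate against each stored entry."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_new_password(policy: PasswordPolicy, state: MailboxPasswordState,
                       candidate: str, now: datetime) -> List[str]:
    """Return the policy violations for a proposed password (empty list = accepted)."""
    if state.exempt_from_policy:
        return []
    problems: List[str] = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c in string.ascii_uppercase for c in candidate):
        problems.append("missing uppercase letter")
    if policy.require_lower and not any(c in string.ascii_lowercase for c in candidate):
        problems.append("missing lowercase letter")
    if policy.require_digit and not any(c in string.digits for c in candidate):
        problems.append("missing number")
    if policy.require_special and not any(not c.isalnum() for c in candidate):
        problems.append("missing special character")
    if policy.min_age_days and now < state.last_changed + timedelta(days=policy.min_age_days):
        problems.append(f"last change was less than {policy.min_age_days} day(s) ago")
    if policy.history_count and digest(candidate) in state.history[: policy.history_count]:
        problems.append(f"reuses one of the last {policy.history_count} passwords")
    return problems


def _expiry_applies(policy: PasswordPolicy, state: MailboxPasswordState) -> bool:
    # Max age 0 disables expiry; exempt mailboxes and users with an active TOTP or
    # passkey are skipped, as the Max age field describes.
    return (policy.max_age_days > 0 and not state.exempt_from_policy
            and not state.has_totp_or_passkey)


def password_expired(policy: PasswordPolicy, state: MailboxPasswordState,
                     now: datetime) -> bool:
    if not _expiry_applies(policy, state):
        return False
    return now >= state.last_changed + timedelta(days=policy.max_age_days)


def days_until_expiry_warning(policy: PasswordPolicy, state: MailboxPasswordState,
                              now: datetime) -> Optional[int]:
    """Days left if webmail should show the expiry warning now, otherwise None."""
    if not _expiry_applies(policy, state) or policy.expiry_warning_days == 0:
        return None
    days_left = (state.last_changed + timedelta(days=policy.max_age_days) - now).days
    return days_left if 0 <= days_left <= policy.expiry_warning_days else None


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=12, max_age_days=90, history_count=5,
                            expiry_warning_days=14, require_upper=True, require_digit=True)
    state = MailboxPasswordState(last_changed=at("2024-01-01"), history=[digest("Old-Password-2024")])
    print(check_new_password(policy, state, "short1!", at("2024-03-01")))
    print(days_until_expiry_warning(policy, state, at("2024-03-25")))
```

Two points from the field descriptions are worth seeing in code: the new policy only bites at the next change (the check runs on the candidate, never on the stored password), and the expiry skip for TOTP/passkey users means enabling the MFA policy quietly turns off password rotation for everyone who enrolls.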
## User Security Policy (MFA)

This policy requires all users in your organization to set up multi-factor authentication before they can access their accounts.

### Require multi-factor authentication
When this toggle is on, users who have not enrolled an MFA method are blocked from signing in (after any grace period expires).
### Grace period (days)
When MFA is required, new users and users who haven't set up MFA yet have this many days before they are blocked. Setting this to 0 enforces MFA immediately.
### Acceptable MFA methods
Choose which methods users can use to satisfy the MFA requirement. At least one must be checked:
| Method | Description |
|---|---|
| Authenticator app (TOTP) | A time-based one-time code generated by an app like Google Authenticator or Authy |
| Passkey (Windows Hello, Touch ID, etc.) | A device-bound credential stored in the user's browser, phone, or hardware key |
| Recovery email OTP | A one-time code sent to the user's personal recovery email address |
The enrollment summary at the bottom of this section shows how many of your active mailboxes currently have MFA enrolled.
Click Save Policy to apply changes.
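Put together, the three settings in this section produce one sign-in decision per user: allowed, allowed but still inside the grace period, or blocked. The following is an added example of that logic and of the enrollment summary count, not the product's own implementation. One detail the page leaves open is labelled as an assumption in the code: for users who already existed when the requirement was turned on, the grace clock is taken to start at that moment rather than at account creation. Method names, class names and the sample mailboxes are constructed.

```python
"""Applying the User Security Policy (MFA) to mailboxes. Added illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import FrozenSet, Iterable, Optional, Set, Tuple

TOTP = "totp"                        # Authenticator app (TOTP)
PASSKEY = "passkey"                  # Passkey (Windows Hello, Touch ID, etc.)
RECOVERY_EMAIL_OTP = "recovery_otp"  # Recovery email OTP
ALL_METHODS: FrozenSet[str] = frozenset({TOTP, PASSKEY, RECOVERY_EMAIL_OTP})


def at(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp (helper for the constructed examples)."""
    return datetime.fromisoformat(iso)


@dataclass(frozen=True)
class MfaPolicy:
    require_mfa: bool = False                         # the toggle
    grace_period_days: int = 7                        # 0 = enforce immediately
    acceptable_methods: FrozenSet[str] = ALL_METHODS  # at least one must be checked
    # Assumption: for users who existed before the toggle was switched on, the
    # grace period is counted from this moment rather than from account creation.
    enabled_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        if not self.acceptable_methods:
            raise ValueError("At least one acceptable MFA method must be checked")
        if not self.acceptable_methods <= ALL_METHODS:
            raise ValueError(f"unknown methods: {self.acceptable_methods - ALL_METHODS}")


@dataclass
class Mailbox:
    address: str
    created_at: datetime
    active: bool = True
    enrolled_methods: Set[str] = field(default_factory=set)


def has_acceptable_mfa(policy: MfaPolicy, mailbox: Mailbox) -> bool:
    """Only a method that is currently checked as acceptable satisfies the requirement;
    an enrollment in a method the admin has unchecked does not count."""
    return bool(mailbox.enrolled_methods & policy.acceptable_methods)


def grace_deadline(policy: MfaPolicy, mailbox: Mailbox) -> datetime:
    start = mailbox.created_at
    if policy.enabled_at is not None and policy.enabled_at > start:
        start = policy.enabled_at
    return start + timedelta(days=policy.grace_period_days)


def sign_in_decision(policy: MfaPolicy, mailbox: Mailbox, now: datetime) -> str:
    """'allow', 'allow_enroll' (inside the grace period, prompt to enroll) or 'block'."""
    if not policy.require_mfa or has_acceptable_mfa(policy, mailbox):
        return "allow"
    if now < grace_deadline(policy, mailbox):
        return "allow_enroll"
    return "block"


def enrollment_summary(policy: MfaPolicy, mailboxes: Iterable[Mailbox]) -> Tuple[int, int]:
    """(mailboxes with acceptable MFA, active mailboxes), as the summary box reports."""
    active = [m for m in mailboxes if m.active]
    enrolled = sum(1 for m in active if has_acceptable_mfa(policy, m))
    return enrolled, len(active)


if __name__ == "__main__":
    # Constructed sample data.
    policy = MfaPolicy(require_mfa=True, grace_period_days=7,
                       acceptable_methods=frozenset({TOTP, PASSKEY}), enabled_at=at("2024-06-01"))
    users = [Mailbox("alice@example.com", at("2024-01-01"), enrolled_methods={TOTP}),
             Mailbox("bob@example.com", at("2024-01-01"), enrolled_methods={RECOVERY_EMAIL_OTP}),
             Mailbox("carol@example.com", at("2024-06-05"))]
    for u in users:
        print(u.address, sign_in_decision(policy, u, at("2024-06-10")))
    print("enrolled/active:", enrollment_summary(policy, users))
```

Note what unchecking a method does in this model: a user whose only enrolled method is Recovery email OTP counts as unenrolled the moment that box is cleared, and is blocked once the grace period runs out. Checking the enrollment summary before saving such a change shows how many users that affects.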