The users page shows all users for which there is a mailbox. Webmail Messenger will automatically add a new user object the first time an email is sent to the user.
A user can be deleted by clicking the “red cross” icon or by selecting the user and then clicking Delete selected.
Deleting a user object does not result in the removal of the user's mailbox. After a re-sign up, the user has access to all old emails. To completely delete all email for a user, remove the complete mailbox.
Email for a user is stored in the user's mailbox. The available mailboxes can be listed and managed by clicking Mailboxes on the “Users” page. On the “Mailboxes” page, the available mailboxes will be shown. The following mailbox details will be listed: “Disk usage”, “Email”, “Mailbox”
Only 10 mailboxes will be shown at the same time. Use the mailbox filter to search for specific mailboxes.
- Disk usage
The total disk size of the mailbox. The total size of the mailbox is limited by the quota for the user.
- Email
The email address associated with the mailbox.
- Mailbox
The directory where the mailbox is stored (as a sub directory of
Deleting a mailbox only deletes the email of that user. The login account is however not removed.
The mailbox filter can be used to search for specific mailboxes.
- Hide active mailboxes
If “Hide active mailboxes” is set, only mailboxes will be shown for which the password is set. This can be used to remove mailboxes for users who never logged in.
For every Webmail Messenger user, a user object and mailbox is created. Email for a Webmail Messenger user is stored on the file system. To make sure that Webmail Messenger does not run out of disk space, it’s advised to periodically remove user accounts and mailboxes of users who haven’t logged in for a long time.
On the “User cleanup” page, users who have never logged in or whose last login was some time ago can be deleted. Filtered users can be deleted by selecting the user and clicking “Delete selected”.
The “User cleanup” page can be used to remove users and the associated inboxes. It is possible to configure Webmail Messenger to periodically delete old email for a user. This helps to prevent running out of disk space. See Auto cleanup for more information.
This field can be used to only show users which were created within a certain date range.
- Last login
This field can be used to only show users for which the “last login” field is set within a certain date range.
- Last login should not be set
If set, only users will be shown who never logged in.
- Password should not be set
If set, only users will be shown for which no password was set.
If an inherited setting should be explicitly set or modified for a domain, a domain object should be created. In most setups, there is no reason to add a domain.
The name of the sub-directory, under /var/vmail/, where the email for the user is stored.
The total disk size in bytes of the user mailbox.
The current disk quota for the user.
The date the user object was created.
The last login date of the user. Set to never if the user never logged in.
Password is set
If visible, a password is set for the user. The administrator can change the user password by clicking Change password.
Password is not set
If visible, a password is not yet set for the user. The administrator can set the user password by clicking Set password.
Min. password strength (in bits)
To make sure that the password of a webmail account is strong enough, some checks on the password strength are executed when a new password is set by the user.
A new webmail password is only accepted if the password:
- Is not based on the email address of the account.
- Does not contain a QWERTY keyboard sequence of more than 5 characters.
- Does not contain more than 5 duplicate characters in a row.
- Is of sufficient strength in bits.
In the last step, an estimation of the password strength is done using the algorithm from “NIST Special Publication 800-63”. If the estimation is lower than the defined “Min. password strength”, the password is not accepted.
The password strength estimation is not executed when the password is set by the administrator. The administrator should make sure that the selected password is strong enough.
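The four checks listed above, sketched as an added example (not Webmail Messenger's own code). Assumptions: the estimate follows the length-based table in Appendix A of NIST SP 800-63, the 6-bit composition bonus is granted when the password mixes upper-case and non-alphabetic characters, the dictionary bonus is omitted, and the keyboard rows and function names are illustrative.

```python
import re

# Rows of a QWERTY keyboard, used to spot keyboard walks such as "qwerty".
# Assumption: the digit row counts as a keyboard sequence as well.
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def nist_entropy_bits(password: str) -> float:
    """Length-based estimate from NIST SP 800-63 Appendix A."""
    bits = 0.0
    for position in range(1, len(password) + 1):
        if position == 1:
            bits += 4.0      # first character
        elif position <= 8:
            bits += 2.0      # characters 2 to 8
        elif position <= 20:
            bits += 1.5      # characters 9 to 20
        else:
            bits += 1.0      # every character after the 20th
    # Assumption: composition bonus when upper-case and non-alphabetic mix.
    if any(c.isupper() for c in password) and any(not c.isalpha() for c in password):
        bits += 6.0
    return bits


def has_keyboard_sequence(password: str, max_len: int = 5) -> bool:
    """True if a row run longer than max_len appears, in either direction."""
    lowered = password.lower()
    window = max_len + 1
    for row in QWERTY_ROWS:
        for line in (row, row[::-1]):
            for i in range(len(line) - window + 1):
                if line[i:i + window] in lowered:
                    return True
    return False


def check_password(password: str, email: str, min_bits: float) -> list[str]:
    """Return the names of the failed checks; an empty list means accepted."""
    failures = []
    local_part = email.split("@", 1)[0].lower()
    if local_part and local_part in password.lower():
        failures.append("based on email address")
    if has_keyboard_sequence(password):
        failures.append("keyboard sequence")
    if re.search(r"(.)\1{5,}", password):  # 6 or more identical characters
        failures.append("repeated characters")
    if nist_entropy_bits(password) < min_bits:
        failures.append("insufficient strength")
    return failures
```

Because the estimate grows mainly with length, a long passphrase clears a given “Min. password strength” more easily than a short password with substitutions.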
Default portal login action
The “Default portal login action” determines which page is opened after the user has logged in. The following options can be selected: Portal, Webmail (the default).
Use notification sender
If set, the initial sign-up email and the “new email” notification messages will be sent using the configured “Notification sender” as the sender, i.e., the “from” header and the envelope sender will be set to the email address configured under “Notification sender”.
If “Use notification sender” is set, the envelope sender is changed to the email address configured under “Notification sender” and the from header is rewritten to:
"in name of firstname.lastname@example.org" <email@example.com>
firstname.lastname@example.org is the original sender address and email@example.com is the address configured under “Notification sender”.
If “Use notification sender” is not set, the from header and envelope sender address of the initial sign-up email and the “new email” notifications will be set to the same values as in the original email.
If selected, the user is allowed to login. This can be used to temporarily disallow a user to login without having to remove the user account.
This is the email recipient address to which the tunnelled S/MIME message will be sent from the CipherMail gateway. “Relay recipient” must match the “Webmail recipient” setting configured on the CipherMail gateway. It is advised to use the value configured by the initial setup wizard.
Portal base URL
The base URL for the user sign-up and password reset pages. This should normally be set to the fully qualified domain name (or IP address) of the server.
If “Use notification sender” is enabled, the from and envelope sender of the sign-up email and “new email” notification emails will be set to the value configured under “Notification sender”.
Webmail error recipient
If an email cannot be handled by the gateway, for example because the email from the gateway is not correctly signed, a notification email will be sent to the “Webmail error recipient”.
Initial login allowed
By default, a user is allowed to login after signing up. By disabling “Initial login allowed”, the user is allowed to sign-up but not allowed to login after signing up.
“Initial login allowed” can be used for additional security. The first email sent to an external user allows the user to sign-up and read the email. If the first email however is sent to the wrong recipient, the recipient might have access to the sensitive email. By disabling “Initial login allowed”, the recipient is allowed to sign-up but not allowed to login. The sender of the email should then use additional means to check whether the correct recipient has signed-up and then enable the login for the user by selecting “Login allowed” for the user account.
The “Server secret” is used to protect external resources against tampering (using the HMAC algorithm). For example the sign-up link in the sign-up message is protected to make sure that a recipient cannot change the URL. A global server secret will be automatically generated the first time the server starts. The server secret is a required setting. In most setups there is no need to override the inherited server secret.
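How an HMAC keyed with a server secret makes a sign-up link tamper-evident, as an added example (not Webmail Messenger's own code). The URL, the parameter names `email`, `ts` and `mac`, the choice of HMAC-SHA256 and the secret value are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample value; a real server uses its generated server secret.
SERVER_SECRET = b"constructed-sample-secret"


def _tag(path: str, pairs, secret: bytes) -> str:
    """HMAC-SHA256 over the path plus the sorted, re-encoded parameters."""
    message = f"{path}?{urlencode(sorted(pairs))}"
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()


def sign_link(base_url: str, params: dict, secret: bytes) -> str:
    """Build the link and append the authentication tag as 'mac'."""
    pairs = list(params.items())
    tag = _tag(urlsplit(base_url).path, pairs, secret)
    return f"{base_url}?{urlencode(sorted(pairs))}&mac={tag}"


def verify_link(url: str, secret: bytes) -> bool:
    """Recompute the tag from what was received; compare in constant time."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    received = [v for k, v in pairs if k == "mac"]
    if len(received) != 1:          # missing or duplicated tag
        return False
    expected = _tag(parts.path, [(k, v) for k, v in pairs if k != "mac"], secret)
    return hmac.compare_digest(expected.encode(), received[0].encode())


def demo() -> dict:
    """Sign a constructed link, then check the original and a modified copy."""
    link = sign_link("https://portal.example.com/signup",
                     {"email": "bob@example.org", "ts": "1700000000"},
                     SERVER_SECRET)
    changed = link.replace("bob%40example.org", "eve%40example.org")
    return {"original": verify_link(link, SERVER_SECRET),
            "changed": verify_link(changed, SERVER_SECRET)}
```

Anyone who obtains the server secret can produce valid links, so an overridden secret needs the same protection as the generated one.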
The “Client secret” is used for generating one time passwords for a recipient. A “Client secret” is automatically generated if needed.
If set (the default), the user is allowed to open the Webmail inbox. If not set, the user is allowed to login into the portal (assuming that “Login allowed” is set) but is not allowed to open the Inbox.
This setting is used if you only want to use Webmail Messenger for PDF encryption.
If set, a read receipt will be sent when the user opens the email for the first time.
Rewrite reply sender
By default, a reply from a Webmail user is sent with the envelope sender and from address set to the real email address of the user.
If “Rewrite reply sender” is set, the envelope sender is changed to the email address configured under “Reply sender address” and the from header is rewritten to:
"in name of firstname.lastname@example.org" <email@example.com>
firstname.lastname@example.org is the original sender address and email@example.com is the address configured under “Reply sender address”.
“Rewrite reply sender” should be used if the SMTP server which receives the reply emails, i.e., the SMTP server defined in “Webmail relay host”, contains anti-spoof or anti-spam checks (for example SPF or DKIM checks).
Send new mail notification
If “Send new mail notification” is set (the default), a “new mail” notification email will be sent to the user if a new mail is available. If “Send new mail notification” is not set, a notification email will not be sent.
“Send new mail notification” can be disabled if the recipient wants to keep it “secret” that the recipient has a Webmail Messenger account. If “Send new mail notification” is disabled, the recipient however needs to periodically login to check whether there are new emails.