This article reviews how to enforce secure passwords within SmarterMail 8. EdgeWeb Hosting highly recommends a password policy for email servers because poor passwords are easy to compromise. A policy can also help prevent the server from being blacklisted when a user account is compromised through a poorly chosen, insecure password.
This article applies to dedicated, colocated, and virtual machines running the Windows operating system with SmarterMail 8 installed.
- Log in to the SmarterMail admin interface as the system administrative user. This is typically located at http://<server_ip_address>:9998 or http://mail.domain.com (depending on how the server is configured).
- Navigate to Security > Advanced Settings > Password Requirements. By default, the minimum length is 5 characters and the password must not match the username. Under these defaults, a password of "password" is treated as secure, which it is not.
- EdgeWeb Hosting recommends at least 8 characters with a number, a capital letter, and a symbol in the password. We also recommend that it not match the username. Configure the settings as you see fit.
- Once done, click Save. The new settings take effect immediately for all webmail users. They do not affect users who connect with Outlook, Thunderbird, Mail, or any other third-party client. When a user attempts to log in to webmail with an insecure password, s/he will be prompted to change the password to meet the security requirements before proceeding.
- To send an email to those users who do not meet the requirements, go back to Settings > System Messages > Password Violation (the location depends on the version of SmarterMail). Users who are out of compliance are listed there, and the administrative user can email them from the server, asking them to update their passwords immediately.
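
The difference between the default requirements and the recommended ones can be checked offline with the sketch below. It is an added example, not SmarterMail code: the `PasswordPolicy` model and `violations` function are hypothetical, and it assumes that "symbol" means ASCII punctuation and that the username check is case-insensitive against both the full address and its local part.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical model of the requirements described in the steps above."""
    min_length: int
    require_number: bool = False
    require_capital: bool = False
    require_symbol: bool = False
    disallow_username: bool = True


# Default described in the article: 5 characters, must not match the username.
DEFAULT_POLICY = PasswordPolicy(min_length=5)
# Recommendation from the article: 8+ characters with a number, capital and symbol.
RECOMMENDED_POLICY = PasswordPolicy(
    min_length=8, require_number=True, require_capital=True, require_symbol=True
)


def violations(policy, username, password):
    """Return the requirements the password fails (empty list means compliant)."""
    failed = []
    if len(password) < policy.min_length:
        failed.append("too short")
    if policy.require_number and not any(c.isdigit() for c in password):
        failed.append("no number")
    if policy.require_capital and not any(c.isupper() for c in password):
        failed.append("no capital")
    # Assumption: a "symbol" is any ASCII punctuation character.
    if policy.require_symbol and not any(c in string.punctuation for c in password):
        failed.append("no symbol")
    # Assumption: compare case-insensitively with the address and its local part.
    local_part = username.split("@", 1)[0].lower()
    if policy.disallow_username and password.lower() in (username.lower(), local_part):
        failed.append("matches username")
    return failed


if __name__ == "__main__":
    # Constructed sample accounts, not real credentials.
    samples = [("jsmith@example.com", "password"),
               ("jsmith@example.com", "JSmith"),
               ("jsmith@example.com", "Tr4il-Mix!")]
    for user, pw in samples:
        print(pw, violations(DEFAULT_POLICY, user, pw), violations(RECOMMENDED_POLICY, user, pw))
```

The first sample shows the gap the article describes: "password" passes the default policy with no violations but fails three of the recommended requirements.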