To get to this screen, go to Users -> Security Settings.
The User Security settings let you define how user security in VPOP3 works.
The Minimum Password Length tells VPOP3 how many characters should be specified. This can be set to any value between 3 characters and 16 characters. Note that this setting only applies to password changes after the setting is changed, it does not affect passwords which were set before this setting was defined.
The Account Lockout Policy lets VPOP3 automatically lock out users temporarily from accounts if there are a certain number of invalid login attempts. This facility makes it much harder to guess passwords using a 'brute force' method.
The Lock user after X invalid login attempts option tells VPOP3 how many login attempts are allowed before it will lock out the user. This can be set to any value between 1 and 99. When a password is entered correctly (before the lockout has occurred) the login attempt count will be reset.
The Lock user for X minutes option tells VPOP3 how long a user should be locked out once the specified number of invalid login attempts has been reached. This can be set to any value between 1 and 9999 minutes.
The Apply account lockout policy to WebMail/Admin even when connecting from 127.0.0.1 option tells VPOP3 to allow the administrator An Administrator is a VPOP3 user who is allowed to change VPOP3 settings, add/remove users, view queued messages etc. to be locked out, even when accessing the WebAdmin settings using the 127.0.0.1 loopback address on the same computer as VPOP3. Usually it is not recommended that this option is selected as it could cause problems for administrators if it is set, but if the VPOP3 server is publicly accessible it may be worth setting this option anyway.
If a user is locked out because of invalid login attempts, the User Selection page in the settings will show a padlock next to the user name, you can unlock the user by editing the user and clearing the Account Locked Out box.
VPOP3 can allow users to access their mailboxes using NT passwords, if VPOP3 is running as an NT service.
The Allow NT Passwords option tells VPOP3 to allow either the VPOP3 password or the NT password.
The Cache NT Passwords tells VPOP3 to copy the NT passwords into the VPOP3 database as it encounters them. This may make network access quicker as VPOP3 will not need to keep querying the NT user database, but it will also reduce security as the passwords will be stored in two places (the NT database and the VPOP3 database). The VPOP3 user database is encrypted, but probably not as strongly as the NT database, so the Cache NT Passwords option should probably be disabled.
