

The user's Passwords tab lets you set the passwords for the user and some password-related settings.


The Main Password is the password used by SMTP, POP3 & IMAP4 email clients. It is also used for Webmail & administrator logins if the Have different 'Main Password' and 'Web Password' option is not checked.

The password has to be at least a certain length. This minimum length is set in the security settings. The password cannot contain spaces or non-ASCII characters (eg £, €, ¬, é etc). ASCII symbols (&, $, *, etc) are allowed. (See below for a full list). No other checks (eg password strength checks) are performed by VPOP3 by default. It is possible to have a Lua script to check whether a new password is suitable.
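The rules above (a minimum length, and only characters with codes 33-126) written as a stand-alone pre-check. This is an added example, not VPOP3 code, and it does not use VPOP3's Lua script interface. The minimum length of 8 is an assumed value, since the real one comes from the security settings, and the function names are illustrative.

```python
import secrets

# Non-space printable ASCII (codes 33-126), the range this page documents.
ALLOWED = "".join(chr(c) for c in range(33, 127))
ASSUMED_MIN_LENGTH = 8  # assumption: the real value is set in VPOP3's security settings


def describe(ch):
    """Explain why one character is outside the allowed range."""
    code = ord(ch)
    if ch == " ":
        return "space (often a separator in protocol commands)"
    if code < 33 or code == 127:
        return f"control character 0x{code:02X}"
    # Non-ASCII: the same character becomes different bytes per client charset.
    utf8 = ch.encode("utf-8").hex()
    cp1252 = ch.encode("cp1252", "replace").hex()
    return f"non-ASCII U+{code:04X} (UTF-8 {utf8}, Windows-1252 {cp1252})"


def check_password(password, min_length=ASSUMED_MIN_LENGTH):
    """Return a list of problems; an empty list means the documented rules pass."""
    problems = []
    if len(password) < min_length:
        problems.append(f"too short: {len(password)} characters, minimum {min_length}")
    for pos, ch in enumerate(password, start=1):
        if ch not in ALLOWED:
            problems.append(f"character {pos}: {describe(ch)}")
    return problems


def generate_password(length=20):
    """Random password drawn only from the allowed characters.

    Illustrative only; this is not how VPOP3's Generate button is implemented.
    """
    return "".join(secrets.choice(ALLOWED) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ["Tr0ub&dor$9", "pass word1", "caf\u00e9-2024", "\u00a3ong-enough"]:
        print(repr(sample), check_password(sample) or "ok")
    print("generated:", generate_password())
```

The two byte sequences reported for a non-ASCII character show why such characters are rejected: a client sending UTF-8 and a client sending Windows-1252 would present different bytes for the same typed password.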

The Generate button will make VPOP3 generate and display a random password. The Display button will display a password as it is being entered. It will not display a previously-entered password.

The Web Password options are the same as for the Main Password and are enabled if the Have different 'Main Password' and 'Web Password' option is checked.

The Have different 'Main Password' and 'Web Password' option lets you indicate that the Webmail & administrator password is different from the POP3/SMTP/IMAP4 password. This is useful if the POP3/SMTP/IMAP4 password is very secure and not memorable, is programmed into email clients, and the administrator does not want the user to be able to change it. The user should never need to re-enter this password once it has been configured in the email client software so, in some environments, the user may not even know what it is. Users may still need to log into Webmail, so the password for that may need to be more memorable, and the user may wish to reset it. Allowing the passwords to be different lets the Web Password be reset without stopping the email client from logging in.

If the User can change Main Password through WebMail option is checked then the user can change their Main Password through Webmail even though they are logging in with a different Webmail password. If the Main Password is the same as the Web Password, then the user can always change that password, and if the two passwords can be different, then the user will always be able to change their Web Password. There is no way to prevent the user from changing the password they use to log into Webmail. This is deliberate because that password is more likely to be compromised if the user has to remember and enter it.


If a user forgets their password they can ask for a password reset email on the Webmail login page. By default this password reset email will be sent to their VPOP3 mailbox. If they have message forwarding set up then this message will be forwarded as normal, or if their email client is still configured with a correct password they will be able to see the password reset email. However, in other cases they will not be able to access the password reset email, because they will need to know the password to access the mailbox. So, if you put an alternative email address in the Email for password resets box, the password reset email will be sent to this alternative email address instead of to the VPOP3 mailbox.

If all VPOP3 administrators have forgotten their passwords, then see the Lost Administrator Password topic for help.

Important note when changing passwords

When changing passwords in VPOP3 it is important to note that the security features of VPOP3 can cause problems. Often email clients or mobile devices will try to log into VPOP3 periodically. If you change the password in VPOP3, then these devices will attempt to log in with the old (now incorrect) password until the password is changed in those as well. This can cause VPOP3 to lock accounts or block IP addresses.

If you cannot stop email clients from attempting to log in, it can sometimes be worth temporarily increasing the attack detection thresholds in VPOP3. If you go to the Security Settings in VPOP3, and increase the Lock user after value on the General tab and the Failed login threshold on the Intrusion Protection tab, eg to 1000, then that should prevent VPOP3 from blocking the account or IP address. Remember to reset the security settings back to their previous values afterwards.

Allowed characters

Passwords can contain non-space printable ASCII characters (characters with codes 33-126). This is for interoperability and compatibility reasons. Non-ASCII characters may not be transmitted consistently in email protocol commands, and spaces are often used as separators so can introduce ambiguity.
The following are the allowed characters:



