To keep the OpenSRS email platform secure, OpenSRS periodically requires password resets for mailboxes with weak or compromised passwords. When a reset is triggered, OpenSRS notifies the impacted end users on your behalf and lets you know in advance. This FAQ explains how the reset cycle works, what notices are sent, and how to customize them in the Mail Administration Console (MAC).
How required password resets work
Affected users are placed in a 30-day "password reset state." During that period, OpenSRS sends three email notifications encouraging the user to change their password to one that meets current requirements. If the user does not update their password within 30 days, the mailbox is suspended for outbound mail; inbound mail continues to be received.
While in the reset state, users who log in to webmail are redirected to the password reset page and cannot access other webmail features until they update their password.
What are the password requirements?
All mailboxes are required to have a current password that meets the following requirements:
- A minimum of ten characters
- At least one number
- At least one capital letter
- At least one symbol or special character
What notices are sent to end users?
OpenSRS sends three email notices during the 30-day reset window. You have full control over the sender, subject, and content of each.
| Notice | Content |
|---|---|
| Initial 30-day notice | The first email, sent to affected users advising them to update their password. |
| 14-day reminder | The second email, reminding users to change their password. |
| Email service suspension notice | The final email, confirming that the email service has been suspended. |
Customize the notices
You can customize all aspects of the three emails, including the sender address, the subject line, and the body content. You can add your own HTML and CSS to reflect your brand.
Warning: Do not include JavaScript in custom email content. It is not supported and may cause delivery or rendering issues.
Note: If you do not customize the notices, OpenSRS sends them using default content and configuration. Default content is translated into the language set on each end-user mailbox. Customized content is sent as-is to all users regardless of their language.
When drafting your own copy, you can pull from the OpenSRS white-label content. The white-label content differs from the default end-user emails sent from the MAC.
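A pre-flight check for the JavaScript warning above, as an added example that is not OpenSRS code: it scans custom notice HTML for script elements, inline event-handler attributes and `javascript:` URLs before you paste the content into the MAC. The function name, the set of URL attributes and the sample templates are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that can carry a URL (assumed list; extend for your templates).
URL_ATTRS = {"href", "src", "action", "formaction", "background"}


class NoticeScriptFinder(HTMLParser):
    """Records every place a notice template would carry JavaScript."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # list of (line number, description)

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()
        if tag == "script":
            self.findings.append((line, "<script> element"))
        for name, value in attrs:
            # Drop whitespace and control characters, then compare the scheme
            # case-insensitively so "JavaScript:" and " javascript:" both match.
            compact = "".join(ch for ch in (value or "") if ch > " ").lower()
            if name.startswith("on"):
                self.findings.append((line, f"event handler attribute {name}"))
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append((line, f"javascript: URL in {name}"))


def find_javascript(template_html):
    """Return a list of (line, description); an empty list means HTML/CSS only."""
    finder = NoticeScriptFinder()
    finder.feed(template_html)
    finder.close()
    return finder.findings


# Constructed sample templates, not OpenSRS default or white-label content.
CLEAN = """<div style="font-family: Arial">
<p>Your mailbox password must be updated within 30 days.</p>
<p><a href="https://mail.example.com/reset">Reset your password</a></p>
</div>"""

DIRTY = """<p onclick="track()">Your password must be updated.</p>
<a href="JavaScript:void(0)">Reset</a>
<script>document.title = "x"</script>"""

if __name__ == "__main__":
    for line, what in find_javascript(DIRTY):
        print(f"line {line}: {what}")
```

Run it on each of the three notice bodies and save them in the MAC only when the result is empty.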
Customize in the MAC
Under basic settings, the Unique password reset URL field lets resellers with their own password portals supply a URL that will be merged into the default reset notices.
When you customize notices in the MAC, your brand styling is not pulled in automatically. By default the emails are sent as plain text, but you can add HTML tags to control the look and feel. You can edit the following per email:
- From email address
- Subject line
- Email 1 content — initial password reset email
- Email 2 content — suspension reminder, two weeks before suspension
- Email 3 content — account suspended
Test your customizations
After you save your changes, click Send test emails, then enter the address where you want to receive the test messages for review. Send tests to yourself before relying on the customized notices for a real reset cycle.
Next steps
- Customize and test your notices early. Default copy works, but branded notices reduce confusion and support tickets.
- Share the end-user FAQ. Point impacted users to the End-User Password Reset FAQ so they know how to reset their password.
- Offer recovery options. Enable SMS or alternate-email recovery so users can self-serve if they forget their new password. See Email Password Recovery System.
Questions? Contact OpenSRS Support.