The OpenSRS webmail platform includes a password recovery system that lets end users regain access to their mailbox when they forget their password. As a reseller, you control which recovery options are available to your users by configuring brand settings in the Mail Administration Console (MAC). This article explains how to enable password recovery and how each recovery method works for your end users.
How password recovery works
Password recovery is disabled by default for all mailboxes. Once you enable it at the brand level, your users see a new Password Recovery section in their webmail preferences where they can configure one or more recovery methods: SMS, alternate email, or challenge questions. If a user later fails to authenticate, a password reset link appears on the webmail login page that lets them use any method they have configured.
Note: SMS, Email, and Challenge-Response options can be enabled individually or in any combination.
Before you begin
- You need access to the Mail Administration Console (MAC) for your reseller account.
- You need to know which brand the changes should apply to. Settings are configured per brand and inherited by associated domains and companies.
- Decide which recovery methods you want to extend to your users.
Enable password recovery for a brand
- Log in to the Mail Administration Console for your reseller account.
- Click Brands in the left navigation.
- Select the brand you want to update.
- Under Services and Settings, select the Password Recovery options you want to extend to your users.
- Click Update to save the changes.
Recovery methods
SMS recovery
When a user enables SMS recovery, they enter an internationally formatted phone number and their current password. OpenSRS sends an SMS containing a verification code to that number; the user must enter the code to complete setup.
Phone format: +CCCNNNNNNNNNN, where the digits after the leading plus sign are the country code (C) followed by the subscriber number (N), with no spaces or punctuation.
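A small validator for the number format above, as an added example for resellers who pre-check numbers in their own onboarding tooling; it is not OpenSRS code and does not know what OpenSRS itself accepts. Besides the article's "+ then digits" rule it applies the E.164 length limit (15 digits) and rejects a country code beginning with 0, both of which are assumptions drawn from the international numbering plan rather than from the article.

```python
import re

# The article's format is "+" followed by country code and subscriber number,
# digits only. E.164, the numbering plan the "+" prefix signals, caps the whole
# number at 15 digits, and no country code starts with 0; those two limits are
# assumptions added here. Splitting the country code from the rest needs a
# lookup table, so this validator deliberately does not try.
_PHONE_RE = re.compile(r"^\+[1-9]\d{6,14}$")

# Formatting characters people habitually type that carry no information.
_NOISE_RE = re.compile(r"[\s().-]")


def normalize_recovery_phone(raw: str) -> str:
    """Return `raw` in +CCCNNNNNNNNNN form, or raise ValueError.

    "+1 (416) 555-0100" becomes "+14165550100". A number without a leading
    "+" is rejected rather than guessed: the country code is exactly the part
    that cannot be inferred safely, and a wrong guess sends the reset code
    to a stranger.
    """
    cleaned = _NOISE_RE.sub("", raw.strip())
    if not cleaned.startswith("+"):
        raise ValueError(f"missing leading '+': {raw!r}")
    if not _PHONE_RE.match(cleaned):
        raise ValueError(f"not an internationally formatted number: {raw!r}")
    return cleaned


def is_valid_recovery_phone(raw: str) -> bool:
    """Boolean form of the same check, for callers that only need yes/no."""
    try:
        normalize_recovery_phone(raw)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, not real subscriber numbers.
    for sample in ["+1 (416) 555-0100", "+44 20 7946 0958", "4165550100", "+0123456789"]:
        print(f"{sample!r:>22} -> {is_valid_recovery_phone(sample)}")
```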
If the user later fails to log in, a password reset link appears on the login page. Clicking it shows an SMS button that sends a code to the configured phone. The login screen then loads fields for entering the code and setting a new password.
Email recovery
When a user enables email recovery, they enter an alternate email address and their current password. OpenSRS sends a verification code to that address, which the user enters on the preferences page to finish setup.
If the user later fails to log in, the password reset link on the login page shows an Email button that sends a code to the alternate address, then loads fields for entering the code and setting a new password.
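Both the SMS and the email methods above rest on the same primitive: a short one-time code delivered out of band, then checked once. The following model of that check is an added example and not OpenSRS's implementation; the code length, validity window and attempt limit are assumed values chosen to show the properties any such check needs (single use, expiry, a hard cap on guesses, and constant-time comparison), since the article states none of them.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed parameters; the article does not state OpenSRS's values.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 600
MAX_ATTEMPTS = 5


@dataclass
class PendingCode:
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class RecoveryCodeStore:
    """In-memory stand-in for wherever a real service keeps pending codes.

    `now` is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending: dict[str, PendingCode] = {}

    @staticmethod
    def _digest(code: str, salt: bytes) -> bytes:
        # Salting stops precomputation, but a 6-digit code has only a million
        # possibilities, so hashing cannot make a leaked entry safe on its
        # own. The attempt cap in verify() is the real defence; the hash just
        # keeps live codes out of logs and database dumps.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, mailbox: str) -> str:
        """Create a fresh code for `mailbox` and return it for delivery.

        Re-issuing replaces the earlier entry, so only the newest code works
        and a resent message cannot revive an old one.
        """
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[mailbox] = PendingCode(
            code_hash=self._digest(code, salt),
            salt=salt,
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, mailbox: str, submitted: str) -> bool:
        """Return True exactly once for the live code; every call costs an attempt."""
        entry = self._pending.get(mailbox)
        if entry is None:
            return False
        if self._now() > entry.expires_at:
            del self._pending[mailbox]
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(self._digest(submitted, entry.salt), entry.code_hash)
        if ok or entry.attempts_left <= 0:
            # Single use on success; on exhaustion the user must request a new code.
            del self._pending[mailbox]
        return ok


if __name__ == "__main__":
    store = RecoveryCodeStore()
    code = store.issue("user@example.com")  # constructed mailbox name
    print("would send:", code)
    print("wrong guess accepted:", store.verify("user@example.com", "000000" if code != "000000" else "999999"))
    print("real code accepted:", store.verify("user@example.com", code))
    print("replay accepted:", store.verify("user@example.com", code))
```

The two branches worth noticing are the replay and the lockout: the correct code is consumed on first use, and a wrong guess after the cap deletes the entry instead of leaving it waiting for a patient attacker. A production store would also rate-limit issue() per mailbox and per requesting IP, so the SMS channel cannot be used to flood a victim's phone.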
Challenge-response recovery
When a user enables challenge-response recovery, they configure one or more security questions and answers and confirm their current password. If they later fail to log in, the password reset link shows a Challenge button that loads the question, answer field, and new-password fields.
Warning: OpenSRS does not recommend enabling challenge-response recovery. Answers to typical security questions (a mother's maiden name, a first school, a pet's name) are often discoverable from social media or public records, or can be coaxed out of the user by social engineering, and an attacker who learns them can reset the password and take over the mailbox. The option is provided because of demand from resellers, but consider SMS or email recovery first.
Next steps
- Communicate the change to your end users. Once you enable password recovery, users see a new preferences section but will not know to configure it unless you tell them.
- Review related password articles. See End-User Password Reset FAQ for guidance you can share with end users about resetting their passwords.
- Plan for required resets. See Required Email Password Reset FAQ for how OpenSRS handles forced resets on weak or compromised passwords.
Questions? Contact OpenSRS Support.