Authentication and Admin Access
Enable TFA for all admin accounts:
- Admin → Access → Admins
- Edit each admin account
- Click Enable TFA
- Choose method:
  - TOTP: Authenticator apps (Google Authenticator, Authy)
  - WebAuthn: Hardware security keys (YubiKey)
  - YubiKey OTP: YubiKey in OTP mode
Enforce password requirements (example: minimum length 12):
```bash
docker compose exec mysql-mailcow mysql -u root -p"$DBROOT"
```
```sql
USE mailcow;
UPDATE config SET value='12' WHERE attr='password_min_length';
```
Configure login attempt limits:
- Configuration → Mail Setup → Access
- Set Max login attempts: 5
- Set Ban time: 3600 seconds (1 hour)