Admin Guide: Reset a TrekMail Mailbox Password

If a mailbox user (employee, family member, client) forgets their password or you need to lock out a compromised account immediately, you can reset the mailbox password directly from your TrekMail dashboard. This guide covers the two reset approaches — direct password set vs issuing a one-time access code — plus when to use each, how to deliver the new credentials safely, and what to do during a security incident.

This is the mailbox password (used in webmail, Outlook, iPhone, etc.) — not the TrekMail dashboard sign-in password, which is account-owner-only and self-service.

When to do this

• A user forgot their mailbox password and didn't have a recovery code or recovery email to self-reset. Most common case.
• Security incident — you suspect a mailbox has been compromised (phishing, leaked password). You want to lock out the attacker immediately, regardless of what the legitimate owner remembers.
• Offboarding — an employee left. You want to control the mailbox going forward, so you set a password only you know (then later either delete the mailbox or transfer ownership).
• New device setup — the user wants a fresh password for a clean device setup.

Path 1 — Reset directly with a known new password

The fastest path. You pick the new password, the mailbox is updated, you hand it to the user.

1. Open the Mailboxes page in your dashboard.
2. Click the mailbox row to open its settings (search by address first if needed).
3. Click the Security tab — it's the last one in the tab strip, after Aliases, Forwarding, Filters, Auto-Reply, and Sieve.
4. In the Mailbox password card, type the New password twice — or click Generate strong password under the field to create a random one.
5. Click Save password.

The button only enables once your new password meets every requirement (live-checked as you type). The change applies instantly: every IMAP, SMTP, and webmail session for this mailbox is terminated and the old password stops working.

Password requirements (live-checked, all four green checks must pass):

• At least 12 characters.
• At least one uppercase letter.
• At least one lowercase letter.
• At least one number.

Click Generate strong password if you'd rather not invent one. We produce an 18-character mix of upper / lower / digits / a small safe symbol set — no visually-confusing characters like i, l, 0, or O. The result is auto-filled in both fields and revealed so you can copy it before saving.

The old key-icon shortcut in the mailbox list was removed in the May 2026 redesign; the Security tab is now the single place to do this from the dashboard. See Mailbox Security for the rest of what lives on that tab.

Path 2 — Issue a one-time recovery code for self-service reset

Useful when:

• You don't want to know the user's new password (the user picks it themselves).
• You're remote / async and prefer the user complete the reset on their own time.
• You need an audit trail of "user reset themselves with admin permission" rather than "admin set the password".

1. Open the mailbox settings → Security tab (same place as Path 1).
2. Scroll to the Recovery code card.
3. Click Generate new code. The new code is shown once in the dialog — copy it before closing.
4. Send the code to the user via a secure channel (see "Delivering the new password safely" below).
5. The user goes to the webmail login page → Forgot password? → Recovery code mode → enters the code → sets their own password.

The code is single-use. After the user redeems it, it's consumed; subsequent attempts to use the same code fail.

If the user loses the code or doesn't get to it in time, just issue another. There's no limit on how many codes you can issue, but each one is independent.

Path 3 — Use the recovery email (user-side flow)

If the mailbox has a recovery email configured (set during mailbox creation or by the user in webmail settings), the user can reset on their own without you doing anything. They go to the webmail login → Forgot password? → Recovery email mode → enter their TrekMail address → receive a reset link in their recovery inbox.

This is the most hands-off approach for you. Encourage users to set a recovery email when they first log in — it eliminates support tickets.

Delivering the new password safely

Whichever path you choose, you'll need to communicate something (a password or a code) to the user. Don't email it in plaintext.

Safe channels:

• Password manager sharing (1Password Teams, Bitwarden Send) — encrypted, expires after view.
• Signal, WhatsApp, iMessage — end-to-end encrypted DM.
• Bitwarden Send / similar — generate a one-time link that destroys after first view.
• In person / over phone — fine for short codes or generated passwords.

Avoid:

• Plain email — readable if the user's inbox is compromised, exactly the situation you're often trying to fix.
• Slack public channels — long retention, searchable by anyone in the workspace.
• SMS — fine for short codes but be aware SMS isn't end-to-end encrypted.

What happens immediately on a password reset

• Old password stops working for all protocols (IMAP, SMTP, webmail) within ~1 minute. Stale clients begin to fail authentication.
• Active webmail sessions continue running on the old session token. They're NOT automatically signed out. If you're resetting for a security incident, this is important: the attacker may still be logged in via a stolen session even after you change the password. Sign out all active sessions if your dashboard offers that option, OR delete the mailbox and recreate (nuclear but works in extreme incidents).
• No emails are lost. Everything in the mailbox (inbox, sent, folders, rules, contacts) is preserved. Only authentication credentials change.

During a security incident

If you believe a mailbox has been compromised, do all of this:

1. Reset the password (Path 1) with a strong generated password. Use a value the user doesn't know yet.
2. Generate new recovery code if the user has one — invalidates the old one.
3. Sign out all webmail sessions for that mailbox if your dashboard offers a "Force sign-out" button. If not, you may need to delete-and-recreate the mailbox to invalidate session tokens.
4. Review mail rules and forwards on the mailbox — attackers often set forwarding to their own address to siphon copies of future mail. Look in webmail or via Mail Rules.
5. Check Sent folder for messages the attacker may have sent in the user's name. Delete them if they're spam/phishing; otherwise document for forensics.
6. Notify the user through a secondary channel (their phone, in person). Explain what happened.
7. Enable 2FA on the user's account-owner login if applicable. While you can't enforce 2FA on the mailbox level, you can enforce on dashboard sign-in.

Common mistakes after the reset

• User goes to the dashboard URL instead of webmail with their new mailbox password. The dashboard wants the account-owner password, not the mailbox password. Make sure the user knows: webmail is at https://webmail.trekmail.net (or your branded URL); dashboard at https://trekmail.net.
• User updates Outlook but Outlook keeps using cached old password. Windows Credential Manager (Control Panel → Credential Manager → Windows Credentials) caches IMAP/SMTP creds. Delete imap.trekmail.net and smtp.trekmail.net entries before testing the new password.
• Phone keeps showing "couldn't verify password" notification. Re-add the mail account on the phone — don't just update password — some mobile clients (older Apple Mail builds especially) handle credential update poorly.

What you can't do

• You can't see the user's existing password — passwords are hashed; we don't store recoverable cleartext. The only way to "tell a user their password" is to set a new one (Path 1) or issue a code (Path 2).
• You can't reset a password for a mailbox on another account — admins can only reset mailboxes on accounts they own/admin.
• You can't bypass password complexity even with Path 1 — the same requirements apply (8 chars, mixed case, numbers, not compromised). The Generate button always produces a compliant password.

Audit trail

Every admin-initiated password reset is logged with the timestamp, the admin user, the mailbox affected, and the source IP. View these from the Audit log if your account has that feature exposed (typically Pro / Agency plans). Useful for security forensics or compliance reporting.