Mailbox Security: Password, Recovery Code, 2FA
This guide explains how to change a TrekMail mailbox password, issue a fresh recovery code, and check 2FA status, so you can complete the task with confidence. Everything that hardens one mailbox now lives on the Security tab.
Article details
Type, difficulty, plans, and last updated info.
- Type: Guide
- Difficulty: Beginner
- Plans: Starter · Pro · Agency
- Last updated: May 31, 2026
Every TrekMail mailbox has a Security tab on its settings page. This is where you change the password, generate a fresh recovery code, and see whether two-factor authentication is on. Anything that protects who can sign in to that one mailbox is on this tab.
This page is for the account admin setting things up from the dashboard. If you own a mailbox and want to change your own password without bothering the admin, see Change Your Own Mailbox Password.
How to get there
- Open the Mailboxes page in your dashboard.
- Click a mailbox row to open its settings.
- Click the Security tab — it's the last one in the row, after Aliases, Forwarding, Filters, Auto-Reply, and Sieve.
The tab shows three sections, top to bottom: Two-factor authentication, Mailbox password, and Recovery code.
Two-factor authentication
This section shows whether 2FA is on for the mailbox. The status is also reflected in the page header — a green "2FA on" pill means it's enabled, a muted "2FA off" link means it's not.
2FA is configured by the mailbox owner from inside webmail, not from the dashboard. We do this on purpose — the TOTP secret only ever lives between the owner's authenticator app and our server, so even an account admin can't lift it. To enable or disable 2FA:
- The mailbox owner signs in to webmail at webmail.trekmail.net (or your tenant's branded URL).
- From the webmail settings, they enable 2FA and scan the QR code with an authenticator app (Google Authenticator, 1Password, Authy, etc.).
- Once confirmed, the Security tab in the dashboard immediately reflects the new state — no refresh needed.
After 2FA is on, every new sign-in for that mailbox — webmail, IMAP, SMTP — requires both the password and a fresh TOTP code. Existing sessions are not affected; if you want to invalidate them too, change the password (see below).
Mailbox password
The password section has a single form: enter a new password twice and click Save password. The form is the only way to set a mailbox password from the dashboard today — the old inline "key icon" shortcut in the mailbox list was removed in the May 2026 redesign.
Requirements (live-checked as you type):
- At least 12 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one number
The Save button stays disabled until all four green checks are met.
If you'd rather not invent a password yourself, click Generate strong password under the input. We generate an 18-character mix of upper, lower, digits, and a small symbol set — no visually-confusing characters (i, l, 0, O, etc.). It's pasted into both fields automatically and revealed so you can copy it.
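The four requirements and the generator behaviour described above, sketched as an added example (not TrekMail's own code). The function names, the symbol set, and the exact list of excluded look-alike characters are assumptions.

```python
import secrets
import string

# Assumed exclusions: the page names i, l, 0, O "etc."; this list is illustrative.
AMBIGUOUS = set("iIl1oO0")
UPPER = [c for c in string.ascii_uppercase if c not in AMBIGUOUS]
LOWER = [c for c in string.ascii_lowercase if c not in AMBIGUOUS]
DIGITS = [c for c in string.digits if c not in AMBIGUOUS]
SYMBOLS = list("!@#$%*-_")  # assumed "small symbol set"


def check_policy(password):
    """Return the four requirement checks from the page as name -> bool."""
    return {
        "length>=12": len(password) >= 12,
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "number": any(c in string.digits for c in password),
    }


def generate_password(length=18):
    """Generate a password from a CSPRNG that always passes check_policy."""
    if length < 12:
        raise ValueError("length must satisfy the 12-character minimum")
    # One guaranteed character per class, then fill from the full alphabet.
    chars = [secrets.choice(pool) for pool in (UPPER, LOWER, DIGITS, SYMBOLS)]
    everything = UPPER + LOWER + DIGITS + SYMBOLS
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so the guaranteed characters are not always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)
```
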
What changes the moment you click Save:
- Every active IMAP, SMTP, and webmail session for this mailbox is terminated immediately. The user has to re-authenticate with the new password.
- The previous password stops working everywhere — Outlook, iPhone Mail, scripts using SMTP, all of it.
- Mail in the mailbox is unaffected — no messages are deleted, no folders rearranged.
If you're resetting because of a suspected compromise, this is the lock-out moment.
Recovery code
A recovery code is a one-time string that lets the mailbox owner sign in without their password or 2FA app — useful when the user has lost their phone or forgotten everything.
The card shows:
- When the current code was issued (e.g. "Issued 3 days ago"), or "Not issued yet" if there's never been one.
- A Generate new code button.
Clicking Generate opens a confirmation dialog and then displays the new code once in the dialog. Save it immediately — once you close the dialog there's no way to retrieve it. If you lose it, just generate another (the previous one is invalidated automatically — there's only ever one active code per mailbox).
Hand the code to the user through a secure channel (password manager Send link, Signal, in person). The user then uses it on the webmail "Forgot password?" page, Recovery code mode, to set a new password themselves.
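One way a service could get the properties described in this section (shown once, one active code per mailbox, single use), as an added example that is not TrekMail's implementation. The class name, the code format, and the in-memory storage are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class RecoveryCodes:
    """In-memory stand-in for a server-side table: mailbox -> (digest, issued_at)."""

    def __init__(self):
        self._active = {}

    def generate(self, mailbox):
        # 10 random bytes (80 bits), hex-encoded and grouped; the format is assumed.
        raw = secrets.token_hex(10)
        code = "-".join(raw[i:i + 5] for i in range(0, len(raw), 5))
        # Only the digest is stored, so the code cannot be retrieved later.
        # Overwriting the entry invalidates any previous code for this mailbox.
        self._active[mailbox] = (self._digest(code), time.time())
        return code

    def issued_at(self, mailbox):
        entry = self._active.get(mailbox)
        return entry[1] if entry else None  # None when there is no active code

    def redeem(self, mailbox, presented):
        entry = self._active.get(mailbox)
        if entry is None:
            return False
        # Constant-time comparison of digests.
        if not hmac.compare_digest(entry[0], self._digest(presented)):
            return False
        del self._active[mailbox]  # one-time: a redeemed code cannot be replayed
        return True

    @staticmethod
    def _digest(code):
        # A plain SHA-256 is adequate here because the code is high-entropy
        # random data, unlike a human-chosen password.
        return hashlib.sha256(code.strip().lower().encode()).digest()
```
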
A few good habits
- Use a different password than your TrekMail dashboard sign-in. A compromised mailbox should not let anyone into your billing or other mailboxes.
- Keep the recovery code in a password manager. Not your inbox, not a sticky note — a manager that's separate from the mailbox you're protecting.
- Turn on 2FA for high-value mailboxes (support@, billing@, shared team boxes). It's the single biggest password-theft defense you can add.
What's not on this tab
Some things you might expect here actually live elsewhere — by design:
- Forwarding rules — Forwarding tab (next to Security in the tab strip). Forwarding rules are routing, not security.
- Allowed senders / blocked senders — Filters tab. The Security tab is intentionally narrow to keep "who can sign in" separate from "what comes in."
- Delete mailbox — the trash icon in the page header, top right. Sits next to Edit storage and is plan-side, not security-side.
- Account-owner sign-in 2FA — that's a different setting on Account → Security, not on the mailbox itself. The two are independent: an account-owner can have 2FA on for the dashboard while individual mailboxes don't.