89.1 Mailbox Passwords

When you are setting up a new GroupWise system, you need to determine what kind of password protection you want to have on users’ GroupWise mailboxes before users start running GroupWise. In the GroupWise Admin console, you can choose where password information is obtained when users log in to GroupWise, and you can set defaults under Client Options to enforce your choices. You and GroupWise client users should keep in mind that GroupWise passwords are case sensitive.

89.1.1 Using Post Office Security Instead of GroupWise Passwords

When you create a new post office, you must select a security level for it.

If you select GroupWise Authentication (the default), you can set a default password on mailboxes. For instructions, see Section 52.1, Establishing a Default Password for All New GroupWise Accounts. Users can then set their own passwords after they log in.

If you select GroupWise Authentication and also select Allow Login from users with No Password, you create passwordless mailboxes. This is not recommended except for testing purposes.

If you select LDAP Authentication for the post office, users are still not required to set passwords on their GroupWise mailboxes, but they are required to be successfully logged in to a network before they can access their mailboxes.

89.1.2 Requiring GroupWise Passwords

Users are required to set passwords on their GroupWise mailboxes if they want to access their GroupWise mailboxes in any of the following ways:

  • Using Caching mode or Remote mode in the GroupWise client

  • Using their web browsers and GroupWise WebAccess

  • Using an IMAP email client

89.1.3 Managing GroupWise Passwords

When GroupWise passwords are used in addition to network passwords, there are a variety of things you can do to make GroupWise password management easier for you and to make the additional GroupWise password essentially transparent for your GroupWise users.

NOTE:A GroupWise password can contain as many as 64 characters and can contain any typeable characters.

Establishing a Default GroupWise Password for New Accounts

If you want to require users to have GroupWise passwords on their mailboxes, you can establish the initial passwords when you create the GroupWise accounts. In the GroupWise Admin console, you can establish a default mailbox password to use automatically on all new GroupWise accounts. For more information, see Section 52.1, Establishing a Default Password for All New GroupWise Accounts. Or you can set the password on each new GroupWise account as you create it.

Keep in mind that some situations require users to have passwords on their GroupWise mailboxes, as listed in Section 89.1.2, Requiring GroupWise Passwords.

Accepting eDirectory Authentication Instead of GroupWise Passwords

When you create users in NetIQ eDirectory, you typically assign them network passwords, which users must provide when they log in to the network. If you want to make it easy for client users to access their GroupWise mailboxes, you can select Use eDirectory Authentication Instead of Password (GroupWise Admin console > Domain object, Post Object, or User object > Client Options > Security > Password). This allows GroupWise users to select No Password Required with eDirectory (GroupWise client > Tools > Options > Security > Password).

NOTE:This option is not available in GroupWise WebAccess.

As long as users who select this option are logged into eDirectory as part of their network login, they are not prompted by GroupWise for a password when they access their GroupWise mailboxes. If they are not logged in to eDirectory, they must provide their GroupWise passwords in order to access their GroupWise mailboxes.

Using Novell SecureLogin to Handle GroupWise Passwords

If users have Novell SecureLogin installed on their workstations, you can select Enable single sign-on (GroupWise Admin console > Domain object, Post Office object, or User object > Client Options > Security > Password). This allows GroupWise users to select Use Single Sign-On (GroupWise client > Tools > Options > Security > Password). Users need to provide their GroupWise mailbox password only once and thereafter SecureLogin provides it for them as long as they are logged in to NetIQ eDirectory.

NOTE:This option is not available in GroupWise WebAccess.

Using Intruder Detection

Intruder detection identifies system break-in attempts in the form of repeated unsuccessful logins. If someone cannot provide a valid user name and password combination within a reasonable time, then that person probably does not belong in your GroupWise system.

Intruder detection for the GroupWise client is performed by the POA and is configurable. You can set the number of failed login attempts before lockout, the length of the lockout, and so on. If a user is locked out, you can re-enable his or her account in the GroupWise Admin console. See Section 15.3.5, Configuring Intruder Detection.

Intruder detection for the GroupWise WebAccess is built in and is not configurable. After five failed login attempts, the user is locked out for 10 minutes. If a user is locked out, the user must wait for the lockout period to end.

Resetting GroupWise Passwords

You can remove a user’s password from his or her mailbox if the password has been forgotten and needs to be reset (GroupWise Admin console > User object > Client Options > Security > Password). If necessary, you can remove the passwords from all mailboxes in a post office (GroupWise Admin console > Post Office object > Maintenance > Mailbox/Library Maintenance > Reset Client Options) This resets all or users’ client options settings, not just the passwords.

It is easy for GroupWise users to reset their own passwords (GroupWise client > Tools > Options > Security > Password). However, if this method is used when users are in Caching or Remote mode, this changes the password on the local Caching or Remote mailboxes, but does not change the password on the Online mailboxes. To change the Online mailbox password while in Caching or Remote mode, users must use a method they might not be familiar with (GroupWise client > Accounts > Account Options > Novell GroupWise Account > Properties > Advanced > Online Mailbox Password).

It is also easy for GroupWise WebAccess users to reset their own passwords (WebAccess > Options > Password). However, you might not want users to be able to reset their GroupWise passwords from web browsers. See Section 76.2.3, Preventing Users from Changing Their GroupWise Passwords in WebAccess. GroupWise client users cannot be prevented from changing their GroupWise passwords.

Synchronizing GroupWise Passwords and LDAP Passwords

There is no automatic procedure for synchronizing GroupWise passwords and LDAP passwords. However, if you use LDAP authentication, synchronization becomes a moot point because GroupWise users are authenticated through an LDAP directory such as NetIQ eDirectory and Microsoft Active Directory, rather than by using GroupWise passwords. See Section 89.1.4, Using LDAP Passwords Instead of GroupWise Passwords.

Helping Users Who Forget Their Passwords

The WebAccess Login page includes a Can’t log in link, which provides the following information to WebAccess users by default:

If you have forgotten your GroupWise password, contact your local GroupWise administrator.

For your convenience and for the convenience of your WebAccess users, you can customize the information that is provided by the Can’t log in link. For set instructions, see Section 76.2.4, Helping Users Who Forget Their GroupWise Passwords.

89.1.4 Using LDAP Passwords Instead of GroupWise Passwords

Instead of using GroupWise passwords, users’ password information can be validated using an LDAP directory. In order for users to use their LDAP passwords to access their GroupWise mailboxes, you must define one or more LDAP servers in your GroupWise system and configure the POA for each post office to perform LDAP authentication. For more information, see Section 15.3.4, Providing LDAP Authentication for GroupWise Users.

When LDAP authentication is enabled, you can control whether users can use the GroupWise client to change their LDAP passwords (GroupWise Admin console > System > LDAP Servers > select an LDAP object > LDAP Authentication tab > Disable LDAP Password Changing). If you allow them to, GroupWise users can change their passwords through the Security Options dialog box (GroupWise client > Tools > Options > Security) or on the Passwords page (GroupWise WebAccess > Options > Password). If you do not allow them to change their LDAP passwords in the GroupWise client, users must use a different application in order to change their LDAP passwords.

You and users can use some of the same methods to bypass LDAP passwords as you can use for bypassing GroupWise passwords. See Accepting eDirectory Authentication Instead of GroupWise Passwords.

For more information about LDAP passwords, see Section 91.2, Authenticating to GroupWise with Passwords Stored in an LDAP Directory.

89.1.5 Bypassing GroupWise Passwords with Single Sign-On

For single sign-on information, see Section 54.0, Configuring Single Sign-On.

89.1.6 Bypassing GroupWise Passwords to Respond to Corporate Mandates

Sometimes it is necessary to access user mailboxes to meet corporate mandates such as virus scanning, content filtering, or email auditing that might be required during litigation. These types of mailbox access are obtain using trusted applications, which are third-party programs that can log into POAs in order to access GroupWise mailboxes. For more information about a using trusted application to bypass mailbox passwords, see Section 4.22, Trusted Applications