9.4 Accounts Tab

Use this to control the creation and functionality of accounts.

Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab

The Accounts tab contains the following panels:

The accounts tab lets you control the creation of accounts.

9.4.1 Account Management Panel

Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > Account Management Panel

Table 9-12 Using the Account Management Panel

| Option, Field, or Sub-panel | Information and/or Action |
| --- | --- |
| Expire Unused Accounts after How Many Days | Enabling this removes ANY account, including admin, that has not been logged into for the set number of days (0 = never expire). |
| Disable New Accounts option | Prevents new accounts from being enabled by default. |
| Prohibited Logins list (Remove Selected Address button, Address field, Add button) | Blocks specific users from logging into Retain. Enter the username or email address in the Address field and click Add. To remove an entry, select it and click Remove Selected Address. |
| Password Strength drop-down | Controls the strength required of user-created passwords. |

Open System vs. Closed System

Normally, Retain lets all mail system users log in. This is considered to be an “open” system. When such a user logs in, Retain checks whether a Retain account already exists and, if not, creates a new account for them and assigns them to the default group.

Sometimes, you don’t want certain users to have access to the Retain archives. In this case, you may add these users to the list of Prohibited Logins. You do so by entering their name in the Address field and clicking “Add”.

To make a “closed” Retain system, simply click on “Disable New Accounts”. If you use this option, it means that you will have to manually create accounts in Retain for authorized users. In other words, the only people who can access your system will be people who you specifically create an account for.

In Retain, user accounts expire after 30 days of inactivity by default. You may choose the number of days or choose 0 for “accounts never expire”.

See “User Rights” for more information.

Password Strength

User-created passwords may be controlled for strength. By default, Retain accepts any password set by users. To require a higher security password, select the higher level desired. Requirements for the low, medium, and high settings are defined as:

Will accept any password

Low: Must be between 5 and 15 characters in length.

Medium: Must be between 5 and 20 characters in length, with at least 1 lower case character, at least 1 upper case character, and at least 1 numerical character.

High: Must be between 8 and 20 characters in length, with at least 2 lower case characters, at least 2 upper case characters, at least 2 numerical characters, and at least 2 special characters. Also, the password will be checked against a dictionary.
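The settings above expressed as a checker, to show which passwords each level lets through. This is an added example, not Retain's code. The level name "none" for the accept-anything setting, counting any non-alphanumeric character as special, the substring dictionary match and the sample wordlist are all assumptions.

```python
# (min_len, max_len, lower, upper, numerical, special) per level, as listed above.
# "none" is a hypothetical name for the setting that accepts any password.
LEVELS = {
    "none":   (0, None, 0, 0, 0, 0),
    "low":    (5, 15, 0, 0, 0, 0),
    "medium": (5, 20, 1, 1, 1, 0),
    "high":   (8, 20, 2, 2, 2, 2),
}

# Constructed sample wordlist; the page does not say which dictionary Retain uses.
SAMPLE_DICTIONARY = {"password", "retain", "welcome", "archive"}


def check_password(password, level, dictionary=SAMPLE_DICTIONARY):
    """Return the list of rule violations; an empty list means accepted."""
    min_len, max_len, lower, upper, digit, special = LEVELS[level]
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if max_len is not None and len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    counts = {
        "lower case": sum(c.islower() for c in password),
        "upper case": sum(c.isupper() for c in password),
        "numerical": sum(c.isdigit() for c in password),
        # Assumption: anything that is not a letter or digit counts as special.
        "special": sum(not c.isalnum() for c in password),
    }
    for name, needed in zip(counts, (lower, upper, digit, special)):
        if counts[name] < needed:
            problems.append(f"needs at least {needed} {name} characters")
    # Assumption: the dictionary check (High only) rejects any password that
    # contains a listed word, compared case-insensitively.
    if level == "high":
        folded = password.lower()
        for word in sorted(dictionary):
            if word in folded:
                problems.append(f"contains dictionary word '{word}'")
    return problems
```

`check_password("Password1", "medium")` returns no violations, while the same password fails four rules at High. The 20-character upper bound also rejects longer passphrases regardless of their composition.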

9.4.2 KeyShield SSO Panel

Retain supports the use of KeyShield SSO for users.

Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > KeyShield SSO Panel

Table 9-13 Using the KeyShield SSO Panel

| Option, Field, or Sub-panel | Information and/or Action |
| --- | --- |
| Enable KeyShield SSO Authentication option | |
| KeyShield SSO Server URL | |
| Connection Timeout (in seconds) | |
| User ID Alias | |
| API Key | |
| Test Connection button | |

To use the KeyShield client in coordination with Retain, Retain needs an open connection to the KeyShield server, the User ID alias, and the API key. Specify the KeyShield SSO Server URL, Alias, and API key. The Timeout is set in seconds and may be any value required; 5 is recommended. Test the connection to ensure proper function.

When configured, Retain checks to see if the KeyShield client is running and if the user is currently logged in. If they are logged in, Retain checks the user against the specified KeyShield Server and then either fails authentication and sends the user to the login page, or immediately passes them to their interface. The effect is that users who are already logged into the KeyShield client will not be required to log in to Retain, but will be immediately taken to their appropriate interface.

9.4.3 Intruder Lockout Panel

Accounts can be locked if multiple failed attempts are detected within a specified window of time. This is useful to deny password cracking attempts on the server.

Path: Retain Server Manager > Configuration > Server Configuration > Accounts Tab > Intruder Lockout Panel

Table 9-14 Using the Intruder Lockout Panel

| Option, Field, or Sub-panel | Information and/or Action |
| --- | --- |
| Enable Intruder Lockout option | |
| Number of Invalid Login Attempts | |
| Time Interval (minutes) | |
| If triggered, lock account for this period (minutes) | |
| Clear Lockouts button | |

To enable Intruder Lockout, select the checkbox next to the ‘Enable Intruder Lockout’ option and save the changes. All changes take effect as soon as the save button is selected.

If a user has locked their account and requires immediate access to the system, all lockouts may be cleared. To clear any locked accounts, select the ‘Clear Lockouts’ button at the bottom of the page. There is no need to save changes; the clear command is immediate.
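How the three Intruder Lockout settings interact, modelled as a sliding-window counter per account. This is an added example, not Retain's code. The class and function names are hypothetical, and the exact counting rules (a successful login resets the count; the attempt that reaches the threshold starts the lock) are assumptions the page does not specify.

```python
from collections import defaultdict, deque


class IntruderLockout:
    """Model of the three Intruder Lockout settings; all times are in minutes."""

    def __init__(self, max_attempts, interval_min, lock_min):
        self.max_attempts = max_attempts    # Number of Invalid Login Attempts
        self.interval_min = interval_min    # Time Interval (minutes)
        self.lock_min = lock_min            # lock period if triggered (minutes)
        self.failures = defaultdict(deque)  # account -> times of recent failures
        self.locked_until = {}              # account -> minute the lock ends

    def attempt(self, account, now, password_ok):
        """Return 'locked', 'ok' or 'failed' for one login attempt at minute `now`."""
        if self.locked_until.get(account, float("-inf")) > now:
            return "locked"  # a correct password is refused too while locked
        if password_ok:
            self.failures.pop(account, None)  # assumption: success resets the count
            return "ok"
        recent = self.failures[account]
        recent.append(now)
        # Drop failures that have fallen out of the sliding time window.
        while now - recent[0] > self.interval_min:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.locked_until[account] = now + self.lock_min
            recent.clear()
        return "failed"

    def clear_lockouts(self):
        """Counterpart of the Clear Lockouts button: release every account."""
        self.locked_until.clear()
        self.failures.clear()


# Constructed sample events: (minute, account, password_ok).
SAMPLE_EVENTS = [
    (0, "alice", False), (0, "bob", False), (1, "alice", False),
    (2, "alice", False),  # third failure within 5 minutes: alice is locked
    (3, "alice", True),   # correct password, but inside the lock period
    (4, "bob", False), (10, "bob", False),  # slow guessing stays under the limit
    (33, "alice", True),  # lock (2 + 30) has expired
]


def replay(policy, events):
    """Feed events to the policy in order and return the outcome of each."""
    return [policy.attempt(account, minute, ok) for minute, account, ok in events]
```

Replaying the sample events with `IntruderLockout(3, 5, 30)` shows that bob's failures, spaced wider than the time interval, never trigger a lock, which is the trade-off to weigh when choosing the interval and attempt count.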