Email Reseller Server

User Manual & Guide

Open this manual while logged in to show role-specific guidance.

Getting Started

What is Email Reseller Server?

Email Reseller Server is a multi-tenant email management system that provides a web-based interface for managing email accounts, reading and sending emails, and administering users and aliases.

Web Mailbox

Read, send, and manage your emails directly from your web browser.

User Management

Administrators can create and manage email users and their settings.

Email Aliases

Create multiple email aliases for each user account.

Secure Access

Secure authentication with role-based permissions.

Logging In

  1. Navigate to your Email Reseller Server URL in your web browser
  2. Enter your email address and password
  3. Click the "Login" button
  4. You'll be redirected to your mailbox or admin dashboard
Tip: If you forget your password, contact your administrator to reset it.

User Roles

There are three types of user roles in the system:

Role          Permissions
User          Can access mailbox, send/receive emails, change own password
Tenant Admin  Can manage users and aliases within their organization
Super Admin   Full access to all tenants, users, and system settings

Using the Mailbox

Viewing Your Emails

The mailbox is the main interface where you can read and manage your emails.

To view your inbox:

  1. After logging in, you'll see your inbox automatically
  2. Emails are listed with sender, subject, and date
  3. Click on any email to view its full content
  4. Use the "Refresh Inbox" button to check for new messages

Reading an Email

When you click on an email in your inbox:

  • The email opens in a detailed view
  • You can see the sender, recipients, subject, and full message
  • If the sender is outside your organization, a warning appears above the message
  • If an external sender includes attachments, the warning is stronger so you know to be extra careful before opening them
  • Any attachments will be listed (if available)
  • The email is automatically marked as read
Tip: Click "Back to Inbox" to return to your email list.

Composing and Sending Emails

  1. Click the "Compose" button in your mailbox
  2. Fill in the recipient's email address in the "To" field
  3. Optionally add CC or BCC recipients
  4. Enter a subject line
  5. Type your message in the message body area
  6. Click "Send" to send the email
  7. Click "Cancel" to discard the draft
Note: Make sure all email addresses are properly formatted (e.g., user@example.com).

Email Actions

You can perform several actions on your emails:

Mark as Read/Unread

  • When viewing an email, click "Mark as Unread" to mark it unread
  • Unread emails appear with a different style in your inbox
  • This helps you keep track of which messages need attention

Delete an Email

  • While viewing an email, click the "Delete" button
  • Confirm the deletion when prompted
  • Deleted emails are moved to your Trash folder (if configured)
Warning: Deleted emails may be permanently removed depending on your server configuration. Make sure you want to delete before confirming.

Navigating Folders

Your mailbox may include several folders:

  • INBOX - Where new emails arrive
  • Sent - Emails you've sent (if configured)
  • Trash - Deleted emails (if configured)
  • Other folders - Custom folders created on your email server

Admin Features

If you are a Tenant Admin or Super Admin, you have access to additional management features.

Note: Regular users will not see admin tabs. Contact your administrator if you need admin access.

Managing Users

The Users tab allows administrators to create and manage user accounts.

Viewing Users

  • Click the "Users" tab in the admin panel
  • Super Admins see users across tenants
  • Tenant Admins see regular users in their own tenant only
  • User information includes email, name, role, and status

Adding a New User

  1. Go to the "Users" tab
  2. Click the "Add User" button
  3. Fill in the required information:
    • Email - User's login email
    • Password - Initial password for the user. Use Generate to create a strong temporary password.
    • First Name - User's first name
    • Last Name - User's last name
    • Role - Super Admins can assign user, tenant_admin, or super_admin; Tenant Admins can create regular users only
    • IMAP Username - Email account username
    • IMAP Password - Email account password
    • Quota (MB) - Storage limit (optional)
  4. Click "Create User" to save
Tip: Provide generated temporary passwords through a secure channel. Welcome emails do not include passwords.

Welcome Emails

  • The Add User form includes a Send welcome email option that is enabled by default.
  • The email includes the login URL, username, role, feature summary, and the correct manual link for the user's role.
  • The login and manual links come from the server's WELCOME_EMAIL_BASE_URL setting.
  • Regular users receive the user manual link. Tenant Admins and Super Admins receive the full admin manual link.
  • The temporary password is not included in the welcome email. Provide it separately through a secure channel.
  • If the email cannot be sent, the user account is still created and the admin will see a warning.

FreeOTP / MFA Setup

  • Click MFA in the top bar after signing in.
  • Click Set Up FreeOTP.
  • Open FreeOTP and scan the QR code. If you are setting up from the same phone, use the displayed manual secret or setup URI.
  • Enter the current 6-digit code from FreeOTP and click Verify and Enable.
  • After MFA is enabled, the login screen will require both the account password and a current authenticator code.

Resetting Passwords and Roles

  • Super Admins can reset passwords for users and assign roles from the Users table.
  • Tenant Admins can reset passwords for regular users in their own tenant.
  • The reset password modal includes a Generate button for strong temporary passwords.
  • Tenant Admins cannot view, reset, edit, or delete admin users.

Managing User S/MIME Identities

  • Click S/MIME next to a user in the Users table.
  • Paste the user's certificate PEM and matching private key PEM.
  • Enter the private key passphrase only if that key requires one.
  • Click Save User S/MIME Identity.
  • Use Remove User Identity to delete the active S/MIME identity for that user.
Note: Super Admins can manage S/MIME identities for any user. Tenant Admins can manage S/MIME identities only for regular users in their own tenant.

Deleting a User

  1. Find the user in the Users list
  2. Click the "Delete" button next to their name
  3. Confirm the deletion when prompted
Warning: Deleting a user will remove their access to the system. This action cannot be undone.

Managing Email Aliases

Email aliases allow users to receive emails at multiple addresses.

Viewing Aliases

  • Click the "Aliases" tab in the admin panel
  • Super Admins see aliases across tenants
  • Tenant Admins see aliases in their own tenant only
  • Each alias shows the alias email and the user it belongs to

Creating an Alias

  1. Go to the "Aliases" tab
  2. Click the "Add Alias" button
  3. Select the user who will receive emails sent to this alias
  4. Enter the alias email address (e.g., sales@yourdomain.com)
  5. Click "Create Alias" to save
Note: Tenant Admins can add aliases for regular users in their own tenant. Super Admins can add aliases across tenants.
Mail server note: The app stores the alias mapping in its database. Your mail server must also route that alias to the mailbox for delivery to work.

Deleting an Alias

  • Find the alias in the Aliases list
  • Click the "Delete" button
  • The alias will be removed from the system

Managing Tenants (Super Admin Only)

Super Admins can create and manage multiple organizations (tenants).

Viewing Tenants

  • Click the "Tenants" tab (only visible to Super Admins)
  • You'll see all organizations in the system

Creating a Tenant

  1. Go to the "Tenants" tab
  2. Click the "Add Tenant" button
  3. Fill in tenant information:
    • Name - Organization name
    • Domain - Primary email domain
    • IMAP Host - Select an approved IMAP server from the server allow-list
    • IMAP Port - Usually 993 for SSL
    • SMTP Host - Select an approved SMTP server from the server allow-list
    • SMTP Port - Usually 587 or 465
    • Max Users - User limit (optional)
    • Max Storage - Storage limit in MB (optional)
  4. Click "Create Tenant" to save

Deleting a Tenant

Warning: Deleting a tenant will remove all associated users, aliases, and data. This is a destructive action.
  • Only Super Admins can delete tenants
  • Click "Delete" next to the tenant name
  • Confirm the deletion carefully

Managing Your Account

Changing Your Password

  1. Click on your email address or profile menu
  2. Select "Change Password"
  3. Enter your current password
  4. Enter your new password
  5. Confirm your new password
  6. Click "Change Password" to save
Tip: Use a strong password with a mix of letters, numbers, and special characters.

Logging Out

  • Click the "Logout" button in the top navigation
  • You'll be returned to the login screen
  • Your session will be invalidated for security
Note: Always log out when using a shared computer to protect your privacy.

Session Management

For security reasons:

  • Your session will expire after 7 days of inactivity
  • You'll need to log in again after expiration
  • Changing your password will invalidate all existing sessions

S/MIME Setup

Use S/MIME when you want the webmail interface to cryptographically sign or encrypt mail you send. Before these options can be used, your account identity and any needed recipient certificates must be ready.

Important: S/MIME signing in this app requires a certificate for the same email address as your account, the matching private key, and server-side support from your administrator.

What You Need Before You Start

Required item            What it means
S/MIME certificate       A PEM-formatted certificate issued for your email address.
Matching private key     The PEM-formatted private key that belongs to that certificate.
Optional key passphrase  Needed only if your private key is protected with one.
Administrator readiness  The server must have S/MIME support configured and OpenSSL available.
Recipient certificate    Required for each recipient address when you want to encrypt outbound mail.
Tip: If you do not already have a certificate and private key, ask your administrator or certificate provider for an export that includes both items in PEM form.

How S/MIME Private Keys Are Stored

  • The certificate is stored with the user's S/MIME identity.
  • The private key and optional key passphrase are encrypted before they are stored in the database.
  • The server-side SMIME_MASTER_KEY is required to decrypt private keys when the app signs mail.
  • The API and UI show S/MIME status and certificate metadata, but they do not return stored private key material.
Security note: This deployment keeps SMIME_MASTER_KEY in a root-owned server secret loaded by systemd, outside the application checkout. Protect the application server, database, database backups, and /etc/email-reseller/secrets.env. For higher-assurance deployments, use systemd credentials, Vault/KMS, HSM-backed key storage, or a separate internal signing service.

How To Configure S/MIME

  1. Log in to the webmail interface.
  2. Click the S/MIME button in the top bar.
  3. Check the current status lines in the modal:
    • Status shows whether your identity is already configured.
    • Signing runtime shows whether the server can actually sign mail.
    • Identity details shows the active certificate subject, issuer, and expiry when available.
  4. Paste your certificate into Certificate PEM.
  5. Paste the matching private key into Private Key PEM.
  6. Enter the private key passphrase only if your key requires one.
  7. Click Save S/MIME Identity.

How To Use It When Composing Mail

  1. Open the Compose window.
  2. Confirm that the S/MIME status line says signing is available for your account if you plan to sign the message.
  3. If you want to encrypt the message, open S/MIME Settings and save a recipient certificate for the destination email address first.
  4. Enter the destination address in the To field and confirm the encryption status line says encryption is ready for that exact address.
  5. Enable Sign with S/MIME, Encrypt with recipient certificate, or both.
  6. Send your message normally.
  7. After sending, confirm the success message says the email was signed and/or encrypted with S/MIME.

What The Status Messages Mean

  • S/MIME not configured means no active certificate/private-key pair is stored for your account.
  • S/MIME server encryption key is not configured means the administrator has not finished server-side S/MIME setup.
  • S/MIME identity exists, but signing runtime is unavailable usually means OpenSSL is missing from the server or cannot be used.
  • Certificate expires soon means your current certificate still works but should be rotated before it expires.
  • Add a recipient certificate in S/MIME Settings to enable encrypted mail means the destination address does not yet have a saved certificate for encryption.
  • Encryption is ready for user@example.com means the current To address matches a saved recipient certificate and can be encrypted.

Common S/MIME Setup Problems

  • Certificate email does not match your login: use a certificate issued for the same mailbox address you use in the app.
  • Certificate and key do not match: export the correct pair from the same certificate bundle.
  • Expired or not-yet-valid certificate: replace it with a currently valid certificate.
  • Save button disabled: the administrator still needs to configure the server-side `SMIME_MASTER_KEY` setting.
  • Signing checkbox disabled in Compose: either your identity is missing, the server runtime is unavailable, or the current certificate is not usable.
  • Encryption checkbox disabled in Compose: either no recipient certificate has been saved for the address you want to mail, or the server runtime is unavailable.
Warning: Do not paste another user's private key into your account. The certificate email address must match the current mailbox identity.
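
The setup problems listed above can be checked locally before pasting anything into the S/MIME modal. This is an added example, not the application's own validation code; it assumes the openssl command is on PATH and that the certificate and key are PEM files on disk, and the function names and finding codes are hypothetical.

```python
import os
import ssl
import subprocess
import time

def _openssl(args, passphrase=""):
    # The passphrase is passed through the environment, not argv, so it does not show in `ps`.
    env = dict(os.environ, SMIME_PREFLIGHT_PASS=passphrase)
    return subprocess.run(["openssl", *args], env=env, text=True,
                          stdin=subprocess.DEVNULL, capture_output=True)

def make_test_identity(directory, email, days=365):
    """Generate a throwaway self-signed certificate and key (constructed test input)."""
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", str(days),
                    "-subj", f"/CN=Test/emailAddress={email}"],
                   check=True, capture_output=True, stdin=subprocess.DEVNULL)
    return cert, key

def preflight(cert_path, key_path, mailbox, passphrase="", now=None, soon_days=30):
    """Return a list of finding codes; an empty list means the pair looks usable."""
    now = time.time() if now is None else now
    cert_pub = _openssl(["x509", "-in", cert_path, "-noout", "-pubkey"])
    if cert_pub.returncode != 0:
        return ["cert_unreadable"]
    findings = []

    # Certificate and key match when both yield the same public key.
    key_pub = _openssl(["pkey", "-in", key_path, "-pubout",
                        "-passin", "env:SMIME_PREFLIGHT_PASS"], passphrase)
    if key_pub.returncode != 0:
        findings.append("key_unreadable")  # wrong or missing passphrase, or not a PEM key
    elif key_pub.stdout.strip() != cert_pub.stdout.strip():
        findings.append("key_mismatch")

    # Validity window: not yet valid, expired, or close enough to expiry to rotate.
    dates = _openssl(["x509", "-in", cert_path, "-noout", "-startdate", "-enddate"])
    fields = dict(line.split("=", 1) for line in dates.stdout.splitlines() if "=" in line)
    not_before = ssl.cert_time_to_seconds(fields["notBefore"])
    not_after = ssl.cert_time_to_seconds(fields["notAfter"])
    if now < not_before:
        findings.append("not_yet_valid")
    elif now > not_after:
        findings.append("expired")
    elif not_after - now < soon_days * 86400:
        findings.append("expires_soon")

    # The certificate must name the same mailbox address used to log in.
    emails = _openssl(["x509", "-in", cert_path, "-noout", "-email"]).stdout.split()
    if mailbox.lower() not in {e.lower() for e in emails}:
        findings.append("email_mismatch")
    return findings
```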

Anti-virus Scanning

The app can use a ClamAV-compatible scanner to check outbound webmail content and attachments before SMTP delivery.

What Gets Scanned

  • Message subject and body text are scanned before sending.
  • Outbound attachments are decoded and scanned before sending.
  • If a threat is found, the send is blocked and the result is recorded.
  • If the scanner cannot check a message, the system may stop the send for safety. If that happens, try again later or contact your administrator.

Admin Reporting

  • Open Admin Panel, then click Security.
  • The scanner runtime card shows whether scanning is enabled, the scanner target, fail-closed mode, and last health check times.
  • The self-test table shows recent clean and EICAR scanner tests.
  • The domain statistics table rolls up clean, infected, and unavailable scans by sender domain.
  • The user and domain breakdown shows the same counts per sender user and domain so tenant admins can identify the affected mailbox.
  • The recent domain issues table shows infected or scanner-unavailable events with sender, type, item, and detail fields.
  • The attachment scan table shows recent outbound attachment scans and infected detections.

Self-Tests

  • Run Clean Test scans a harmless payload and should return clean when the scanner is healthy.
  • Run EICAR Test scans the standard antivirus test string and should return infected when the scanner is healthy.
  • Only Super Admins can run self-tests. Tenant Admins can view scanner status, same-tenant domain statistics, and same-tenant attachment scan history.
Note: Anti-virus scanning requires server-side ClamAV or another ClamAV-compatible daemon. If scanning is disabled, the Security tab will report that state and outbound mail will send without scanner enforcement.
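
The scan outcomes described above (clean, infected, scanner unavailable) and the effect of fail-closed mode can be seen in a small client for clamd's INSTREAM command. This is an added example, not the application's code; the host, port, function names, and record fields are assumptions.

```python
import socket
import struct

CHUNK = 8192  # bytes sent per INSTREAM chunk

def frame_instream(data: bytes) -> bytes:
    """clamd INSTREAM framing: command, <4-byte big-endian length><chunk>..., zero length."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), CHUNK):
        chunk = data[i:i + CHUNK]
        out.append(struct.pack("!I", len(chunk)) + chunk)
    out.append(struct.pack("!I", 0))
    return b"".join(out)

def parse_reply(reply: bytes):
    """Map a clamd reply to (status, detail); anything unrecognised is 'unavailable'."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        return "infected", text[:-len(" FOUND")].split(": ", 1)[-1]
    if text.endswith(": OK"):
        return "clean", ""
    return "unavailable", text or "empty reply"

def scan_stream(sock, data: bytes):
    """Scan one item over an already connected socket."""
    try:
        sock.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
        return parse_reply(reply)
    except OSError as exc:  # includes timeouts and connection resets
        return "unavailable", str(exc)

def scan(data: bytes, host="127.0.0.1", port=3310, timeout=5.0):
    """Connect to the scanner (host and port are assumptions) and scan one item."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return scan_stream(sock, data)
    except OSError as exc:
        return "unavailable", str(exc)

def check_outbound(items, scan_fn=scan, scanning_enabled=True, fail_closed=True):
    """items: [(label, bytes)] for subject/body text and each decoded attachment.
    Returns (allowed, records). Every result is recorded; one infected item blocks
    the send, and an unavailable scanner blocks it only in fail-closed mode."""
    if not scanning_enabled:
        return True, []  # scanning disabled: mail goes out without scanner enforcement
    records, allowed = [], True
    for label, data in items:
        status, detail = scan_fn(data)
        records.append({"item": label, "status": status, "detail": detail})
        if status == "infected" or (status == "unavailable" and fail_closed):
            allowed = False
    return allowed, records
```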

Secure Backups

Super Admins and operators should use the secure backup script for production disaster recovery. The older database-only backup is not enough to restore S/MIME private-key access, MFA secrets, DKIM signing keys, Dovecot users, or mail-stack configuration.

What The Secure Backup Includes

  • PostgreSQL database dump
  • Application environment file
  • Root-owned S/MIME and MFA secret file
  • Dovecot passdb files and mail-stack configuration
  • Postfix, Dovecot, OpenDKIM, nginx, systemd, and TLS configuration when present
  • Optional Maildir mailbox contents when the operator runs the script with --include-maildirs

Run A Manual Secure Backup

cd /home/jason/email-servers/emailresellerserver
bash scripts/secure_backup.sh

The script prompts for an encryption passphrase when run interactively. Store that passphrase outside the mail server. If the server is lost, the encrypted backup is not recoverable without that passphrase.

Use A Root-Owned Passphrase File

BACKUP_PASSPHRASE_FILE=/etc/email-reseller/backup-passphrase \
  bash scripts/secure_backup.sh

Run Before A Deployment

SECURE_BACKUP_BEFORE_DEPLOY=true \
  BACKUP_PASSPHRASE_FILE=/etc/email-reseller/backup-passphrase \
  bash prodextract.sh
Security note: Encrypted backup files protect the database, S/MIME keys, MFA secrets, DKIM keys, and mail configuration at rest. Keep the backup archive and passphrase in separate protected locations, preferably off the mail server.

Personal And Tenant Archives

Mailbox archives are separate from full server backups. They are intended for users and tenants who want older mail moved out of active server storage after a retention period such as 30 days.

Archive Key Ownership

  • User-created archives use a per-user archive encryption key.
  • Tenant-created archives use a per-tenant archive encryption key.
  • User archive keys are not shared with other users in the tenant.
  • Tenant archive keys are for tenant-admin managed archives and policy-based tenant exports.
  • Archive key material is encrypted before database storage and is not shown in the web interface.

30-Day Hygiene Policy

  • Archive jobs should export messages older than the tenant policy cutoff.
  • Messages should be deleted from the active mailbox only after archive creation, encryption, upload, and checksum verification succeed.
  • If archive delivery fails, messages should remain on the server and the tenant admin should review the failure.

How Users Open Archives

Use the Archives view to select archive preferences, create direct-download archives, and download completed archives.

  • Users can select their personal archive format, destination type, retention cutoff, and whether personal auto-archive should be enabled.
  • Tenant Admins can select tenant archive policy defaults for their tenant.
  • Super Admins can manage tenant archive policies, but full server secure backups still remain operator-only.
  • User-created archives should be decrypted only for that signed-in user and delivered as a standard mailbox archive.
  • Tenant-created archives should be decrypted only for authorized tenant admins or restored through a tenant-admin workflow.
  • .mbox files are the best default for mailbox imports into Thunderbird, Apple Mail, and other mail clients.
  • Zipped .eml files are useful when users want individual message files they can open one at a time.
  • Raw encrypted server archives should not be handed directly to users unless they also control the matching key and passphrase.
  • Messages are deleted from the active mailbox only when the delete-after-archive option is selected and only after the archive is written and checksummed.
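
The ordering required by the 30-Day Hygiene Policy and by the last item above (archive, verify the checksum, and only then delete) is sketched here as an added example; it is not the application's archive job. The function names and the upload callable are hypothetical, the sample messages are constructed, and the encryption step that would sit between writing and uploading is left out.

```python
import hashlib
import mailbox
from datetime import timezone
from email import message_from_bytes
from email.utils import parsedate_to_datetime

# Constructed sample mailbox (uid -> raw message); not real mail.
SAMPLE = {
    1: b"Date: Mon, 01 Apr 2024 10:00:00 +0000\nSubject: old\n\nfirst\n",
    2: b"Date: Mon, 10 Jun 2024 10:00:00 +0000\nSubject: recent\n\nsecond\n",
    3: b"Subject: no date header\n\nthird\n",
    4: b"Date: Fri, 31 May 2024 23:00:00 +0000\nSubject: old too\n\nfourth\n",
}

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()

def select_old(messages, cutoff):
    """Pick messages dated before the timezone-aware cutoff; undated mail is never selected."""
    old = {}
    for uid, raw in messages.items():
        msg = message_from_bytes(raw)
        try:
            sent = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            continue  # missing or unparseable Date: leave it on the server
        if sent.tzinfo is None:
            sent = sent.replace(tzinfo=timezone.utc)
        if sent < cutoff:
            old[uid] = msg
    return old

def archive_job(messages, cutoff, mbox_path, upload, delete_after_archive=False):
    """Write an .mbox archive, upload it, and return (uids_safe_to_delete, reason).
    upload(path) is a hypothetical callable returning the SHA-256 the destination
    computed over what it stored. Any failure returns no UIDs, so mail stays put."""
    old = select_old(messages, cutoff)
    if not old:
        return [], "nothing older than cutoff"
    box = mailbox.mbox(mbox_path, create=True)
    try:
        for msg in old.values():
            box.add(msg)
    finally:
        box.close()
    check = mailbox.mbox(mbox_path, create=False)
    try:
        written = len(check)
    finally:
        check.close()
    if written != len(old):
        return [], "archive is incomplete"
    local_sum = sha256_file(mbox_path)
    try:
        remote_sum = upload(mbox_path)
    except OSError as exc:
        return [], f"upload failed: {exc}"
    if remote_sum != local_sum:
        return [], "checksum mismatch at destination"
    if not delete_after_archive:
        return [], "archived and verified; delete-after-archive is off"
    return sorted(old), "archived and verified"
```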

Archive Import Guidance

  • Thunderbird: import `.mbox` into Local Folders, or extract zipped `.eml` files and drag them into a local folder.
  • Apple Mail: choose File > Import Mailboxes, select mbox format, and choose the downloaded `.mbox` file.
  • Users should keep downloaded archives on encrypted storage and delete local copies when they are no longer needed.

Tips & Tricks

Keyboard Shortcuts

Keyboard shortcuts are not currently implemented. Use the visible Compose, Refresh, Cancel, and close buttons.

Best Practices

Email Organization

  • Regularly delete or archive old emails to save space
  • Mark important emails as unread until you've dealt with them
  • Use clear subject lines when sending emails

Security Tips

  • Never share your password with anyone
  • Change your password periodically
  • Log out when using public or shared computers
  • Be cautious of suspicious emails and links
  • Don't click on attachments from unknown senders

For Administrators

  • Assign appropriate roles to users (don't give everyone admin access)
  • Regularly review user accounts and remove inactive ones
  • Keep IMAP/SMTP credentials secure
  • Set reasonable quota limits to manage storage

Performance Tips

  • Limit the number of emails loaded at once for faster performance
  • Refresh your inbox periodically instead of continuously
  • Delete unnecessary emails to reduce server load

Troubleshooting

Common Issues

Can't Log In

Possible causes:

  • Incorrect email or password - Double-check your credentials
  • Account disabled - Contact your administrator
  • Session expired - Try logging in again

Solution: Reset your password by contacting your administrator.

Emails Not Loading

Possible causes:

  • IMAP connection issue - Check with administrator
  • Incorrect IMAP credentials - Verify your settings
  • Network connectivity problem - Check your internet connection

Solution: Click "Refresh Inbox" or contact your administrator if the problem persists.

Can't Send Emails

Possible causes:

  • SMTP server issue - Check server status
  • Invalid recipient email - Verify email addresses
  • Quota exceeded - Check your storage limit

Solution: Verify recipient addresses and try again. Contact administrator if issues continue.

Compose Button Not Working

Solution:

  • Refresh the page (F5 or Ctrl+R)
  • Clear your browser cache
  • Try a different browser

Admin Features Not Visible

Possible causes:

  • You don't have admin permissions
  • You're logged in as a regular user

Solution: Contact your Super Admin to request appropriate permissions.

Getting Help

If you encounter an issue not covered here:

  1. Note any error messages you see
  2. Try refreshing the page or logging out and back in
  3. Clear your browser cache and cookies
  4. Try using a different web browser
  5. Contact your system administrator with details about the problem
Tip: When reporting issues, include:
  • What you were trying to do
  • What happened instead
  • Any error messages you saw
  • Your browser and operating system

How to Find Your Browser and Operating System

  1. Open the browser menu. It is usually the three dots, three lines, or the browser name in the top menu.
  2. Choose Help or About. Examples: About Google Chrome, About Firefox, About Microsoft Edge, or About Safari.
  3. Copy the browser name and version shown on that screen.
  4. Find your operating system:
    • Windows: Press Windows key + R, type winver, and press Enter.
    • Mac: Open the Apple menu and choose About This Mac.
    • iPhone or iPad: Open Settings, then General, then About.
    • Android: Open Settings, then About phone or About tablet.
  5. Send the browser name/version and operating system name/version with your support request.

Browser Compatibility

Email Reseller Server works best with modern browsers:

  • Google Chrome (latest version)
  • Mozilla Firefox (latest version)
  • Microsoft Edge (latest version)
  • Safari (latest version)
Note: Internet Explorer is not supported. Please use a modern browser for the best experience.