Security

2FA - Two-factor authentication
Two-factor authentication, or 2FA as it's commonly abbreviated, adds an extra step to your basic login procedure. Without 2FA, the password is your single factor of authentication: you enter your username and password, then you're done.

 With 2FA, you log in to the Admin Panel by entering your username and password and the six-digit code provided by an app installed on your smartphone.  

 After the latest update of the Admin Panel, you will be prompted to enter the 2FA code in a new pop-up window. 

 Enable 2FA for the Admin Panel 

 If you're using this Admin account as credentials for the API, the API login will fail after enabling 2FA. To solve this, create a Sub-Admin with special permissions for the API authentication only.  

 What you need: 

 - a smartphone with a 2FA App installed (OTP / 2-Step Verification / 2-Factor Authentication), such as Authy or Google Authenticator.

 To enable 2FA for your Admin account: 

 

 Log in to the  Admin Panel 

 From the menu, go to  Security  →  2FA 

 Update the dropdown  Select Status  to  Enabled . Click on the  Save  button. 

 

       

 

 Recheck the requirements: have a 2FA App installed on your phone. 

 When ready, click on the  Next  button. 

 

       

 

 Scan the QR code with the installed 2FA App and fill in the generated six-digit code in the  Challenge  input field. 

 Click on the Save button before your token expires. 

 

       

 Disable 2FA for the Admin Panel 

 To disable the 2FA for your Admin account: 

 

 Log in to the  Admin Panel 

 From the menu, go to  Security  →  2FA 

 Update the dropdown  Select Status  to  Disabled . Click on the  Save  button. 

 

       

 

 Insert the token from your 2FA App (such as Authy or Google Authenticator) in the  Challenge  input field. 

 Click on the Save button before the token expires. 

 

       

 

 After you see the confirmation message that the 2FA was disabled, you can delete the entry from your 2FA app.

Restrict Login Access: Admin IP Access Lists
You can increase the security of your account by restricting login access for your Admin (or Sub-Admin) account to a list of known IPs, such as your office, your home, and server IPs for API or WHMCS authentication.

 This feature works only with static IPs. Make sure your internet provider doesn't use dynamic IP addresses which change over time. 

 Add a new IP to the Access List 

 

 

 Go to the  Admin Panel . 

 

 Log in using your Admin (or Sub-Admin) username and password. 

 Click on  Security  →  Admin IP Access Lists  in the menu. 

 

       

 

 Click on the  New  button. 

 Fill in the IP and a description. 

 Click on the  Add  button to save. 

 

       

 Restrict Admin Login Access to only the IPs in the Access List 

 

 

 Go to the  Admin Panel . 

 

 Log in using your Admin (or Sub-Admin) username and password. 

 Click on  Security  →  Admin IP Access Lists  in the menu. 

 

       

 

 Click on the  Restrict Admin access only to the IPs in list  button. 

 Read the warning and click on the  Restrict  button to confirm. 

 

       

 

 Access is now restricted to the IPs in your list: 

 

       

 Allow unrestricted access for Admin (or Sub-Admin) 

 

 

 Go to the  Admin Panel . 

 

 Log in using your Admin (or Sub-Admin) username and password. 

 Click on  Security  →  Admin IP Access Lists  in the menu. 

 Click on the  Allow unrestricted Admin access  button. 

 

      

Security Incidents
When you log in to the Admin Panel, on the Home page, you might see this warning message: 

 New security incidents detected. Click here to check the Security page. 

 

 This happens when we detect suspicious logins from more than one location for one of your Users. 

 Click on the error message to go to the Security Incidents page and review each case. 

 How to review a Security Incident case 

 To review the security incidents: 

 

 Log in to the  Admin Panel 

 From the menu, go to Security → Security Incidents; or click on the error message from the Home page.

 You will see a list of Users that have triggered the warning. 

 

 

 

 Check how many messages were sent in the last 24 hours and the number of distinct login countries. A higher number might suggest a compromised account. 

 Click on each user to see a list of their Last Logins. Contact the customer if you suspect the account was compromised. 

 

 

 Possible reasons why the User is on the Security Incidents list 

 Compromised account 

 The User's account was compromised and an attacker is sending emails on their behalf or accessing the contents of their emails. This might happen if the User doesn't use a strong password, has malware installed, or accessed their account from an insecure location or device where a threat actor intercepted their password.

 Third-party applications 

 Some applications that the User has set up access the contents of their emails from different servers, which triggers the suspicious login warning. You should inform the customer that the application has full access to their mailbox, and make sure to read the application's Terms & Conditions about data processing.

 If the User is comfortable with the app having access to their data, you can follow the steps to Mark IP as Safe.

 Some examples of such applications include: 

 

 CRM applications (such as Hubspot, Salesforce, etc.)

 Sales automation applications

 Email clients (such as Outlook, MyMail, etc.) that read and process all the User's data through their servers. This includes your password in the clear(!) and all e-mail content.

 

 User is traveling 

 A legitimate case is when the User is traveling and is logging in from new locations. 

 Mobile connection 

 The User is accessing the service using a mobile connection that keeps renewing the IP. 

 Mark IPs as safe 

 In case of legitimate use, the IPs can be marked as safe and will not trigger the Security Incident warning anymore.  

 To mark an IP as safe: 

 

 Log in to the  Admin Panel 

 From the menu, go to Security → Security Incidents; or click on the error message from the Home page.

 Click on the User for which you want to mark an IP as safe. This will take you to their Last Logins logs.

 

 

 

 In the Last Logins logs, you can click on the  Mark as Safe  button next to the IP you want to whitelist. 

 In the new pop-up, give a description to the IP (mandatory) and choose whether you want to mark as safe only the IP or the entire network (with options from /31 to /22).

 If you wish to whitelist all of Google's IPs, please set the Range to /17.

 If you wish to whitelist all of myMail's IPs, please set the Range to /22.

 

 

 

 Click on the  Mark as Safe  button to save the changes. 

 You can remove an entry anytime.
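
 The review described under Security Incidents, together with the effect of Mark as Safe, can be reproduced offline when you have an export of login records. The following is an added example, not the Admin Panel's own code: the record layout, the 24-hour window, the "more than one country" threshold and all sample values are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records: (user, timestamp, remote IP, country).
LOGINS = [
    ("alice@example.com", "2024-05-01T08:00:00", "203.0.113.10", "DE"),
    ("alice@example.com", "2024-05-01T09:30:00", "198.51.100.23", "BR"),
    ("alice@example.com", "2024-05-01T11:00:00", "192.0.2.50", "VN"),
    ("bob@example.com", "2024-05-01T08:15:00", "203.0.113.77", "DE"),
    ("bob@example.com", "2024-05-01T12:00:00", "198.51.100.200", "US"),
    ("carol@example.com", "2024-04-28T10:00:00", "192.0.2.9", "FR"),
    ("carol@example.com", "2024-05-01T10:00:00", "203.0.113.90", "DE"),
]
# Constructed safe list: user -> networks marked as safe (IP plus Range).
SAFE = {"bob@example.com": ["198.51.100.192/26"]}
NOW = datetime(2024, 5, 1, 13, 0, 0)  # constructed "current time"


def find_incidents(logins, safe, now, window=timedelta(hours=24)):
    """Return {user: sorted countries} for users whose recent logins, after
    dropping safe-marked networks, come from more than one country."""
    safe_nets = {user: [ipaddress.ip_network(n) for n in nets]
                 for user, nets in safe.items()}
    countries = defaultdict(set)
    for user, stamp, ip, country in logins:
        when = datetime.fromisoformat(stamp)
        if not (now - window <= when <= now):
            continue  # outside the review window
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in safe_nets.get(user, [])):
            continue  # marked as safe: no longer counts toward an incident
        countries[user].add(country)
    return {user: sorted(seen) for user, seen in countries.items()
            if len(seen) > 1}


if __name__ == "__main__":
    for user, seen in find_incidents(LOGINS, SAFE, NOW).items():
        print(f"{user}: logins from {len(seen)} countries ({', '.join(seen)})")
```

 With the sample data only alice is reported: bob's second country comes from a network marked as safe for him, and carol's other login is older than the window.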

User Trusted Login IPs
Maintain seamless access for your users while keeping your infrastructure secure. The User Trusted Login IPs feature allows you to whitelist specific IP addresses used by your team or clients, ensuring that legitimate logins from known locations are never interrupted. By marking an IP as "Safe," you prevent future security incident warnings for that specific source, allowing for a smoother user experience without compromising enterprise-grade protection.

 Manage User Trusted Login IPs 

 To manage the User trusted login IPs for an account: 

 

 Log in to the  Admin Panel 

 From the menu, go to  Security  →  User Trusted Login IPs 

 Select the domain from the dropdown and click on the  Search  button. 

 A list of all trusted IPs that were previously Marked as Safe will show. 

 

 

 

 You can delete an entry at any time.

 To add a new trusted IP, follow these steps to mark IP as safe.

 

   

 Checking and Unblocking IP Addresses 

 If a user is unable to connect, it may be because their IP address has been temporarily restricted due to security protocols. You can check the status of an IP and mark it as "Safe" directly from the management panel. 

 How to Check if an IP is Blocked 

 

 Navigate to the Security → User Trusted Login IPs section in your panel. 

 Enter the specific IP address into the search field. 

 If the IP is restricted: An option to Mark as Safe will appear. 

 

   

 Adding an IP to the Safe List 

 When you choose to mark an IP as safe, a configuration window will open. To ensure the security of the account, please provide the following details: 

 

 Domain & Username: Select the specific domain and user account this rule should apply to.

 Description (Required): Provide a brief note (minimum 2 characters) explaining why this IP is trusted, such as the office location or the specific service name.

 Range: Choose whether to whitelist only the specific Remote IP (/32) or the entire network range.

 Single IP (/32): Use this for individual users working from a fixed location, like a home office with a static IP. It is the most secure option because it only whitelists one specific address.

 IP Range (Network): This is ideal for larger corporate offices where many employees share a single network. Mark the whole network as safe to prevent repeated blocks for different users in the same building.

 

 

 

 Security Note: Only whitelist an entire range if you are certain the network is private and managed. Whitelisting large public ranges can leave accounts vulnerable to unauthorized access from other users on that same network.

 Once submitted, logins from this IP will no longer trigger security warnings or connection blocks for that user.
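
 To choose a Range no wider than necessary, you can compute the narrowest network that covers the addresses you intend to trust and see what else it would trust. This is an added example, not part of the Admin Panel; the function names, the /22 limit taken from the range options mentioned earlier on this page, and the sample addresses are assumptions constructed for illustration (IPv4 only).

```python
import ipaddress


def smallest_covering_range(ips, widest_prefix=22):
    """Return the narrowest IPv4 network that contains every address in
    `ips`, or None if that needs a range wider than /widest_prefix."""
    addrs = [ipaddress.IPv4Address(ip) for ip in ips]
    for prefix in range(32, widest_prefix - 1, -1):
        # strict=False masks the host bits of the first address.
        net = ipaddress.ip_network(f"{addrs[0]}/{prefix}", strict=False)
        if all(addr in net for addr in addrs):
            return net
    return None  # add separate entries instead of one wide range


def also_trusted(net, intended, seen):
    """Addresses from `seen` that fall inside `net` but were never meant
    to be trusted: the side effect of choosing a wider range."""
    wanted = {ipaddress.IPv4Address(ip) for ip in intended}
    return [ip for ip in seen
            if ipaddress.IPv4Address(ip) in net
            and ipaddress.IPv4Address(ip) not in wanted]


# Constructed sample data (documentation address space, not real hosts).
OFFICE = ["203.0.113.10", "203.0.113.14"]
RECENT_LOGINS = ["203.0.113.10", "203.0.113.12", "203.0.113.200", "198.51.100.7"]

if __name__ == "__main__":
    net = smallest_covering_range(OFFICE)
    print(net, "trusts", net.num_addresses, "addresses")
    print("also trusted:", also_trusted(net, OFFICE, RECENT_LOGINS))
```

 Note that the resulting network starts at its own boundary rather than at the IP you entered, so review every address it covers before saving.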