Jul 28, 2025

Stronger Admin Protection with 2-Step Verification in Axigen WebAdmin

Starting with version 10.6.15, we’re adding 2-Step Verification (2FA) for the WebAdmin interface — an extra layer of protection for your mail server administration. This update is designed to keep access secure without getting in the way, whether you’re managing a single environment or running a clustered setup with delegated administrators.

Before You Upgrade

Axigen 10.6.15 includes internal updates to the way we store security-related admin data. If you plan to test the feature and may need to roll back to an earlier version, make sure to back up the serverData folder from your Axigen working directory before upgrading.

What’s Protected

2-Step Verification applies to:

  • All WebAdmin accounts, including the built-in admin and any additional administrator users
  • Interactive sessions, where protection against phishing or brute-force attacks matters most

After enabling 2-Step Verification, each admin will be asked for a verification code from a second source during login.

What’s Not Affected

No changes are made to the following:

  • API endpoints such as /metrics and /data/accounts, which continue using basic authentication
  • The CLI interface, where we recommend restricting access (e.g., via VPN)

For additional protection, we recommend placing API endpoints and WebAdmin behind a reverse proxy — especially if you want to implement IP filtering, access restrictions, or throttling.

How It Works

2-Step Verification is enabled by default, but not mandatory. As an administrator, you can:

  • Set which 2-Step Verification methods are available
  • Make 2-Step Verification required across all admin accounts
  • View, revoke, or reset configured methods per user

You can manage 2-Step Verification settings either in the WebAdmin or via CLI.

Supported Verification Methods

You can choose from three types of second factors:

Authenticator App

  • Uses standard TOTP (Time-based One-Time Password)
  • Compatible with Google Authenticator, Microsoft Authenticator, and YubiKey (via the Yubico Authenticator app)
  • Works offline after setup
  • YubiKey support is based on its ability to generate TOTP codes (not FIDO / WebAuthn)

Email

  • Sends a one-time code to the admin’s configured email address
  • Requires no extra setup
  • Great fallback or option for less technical users

SMS

  • Sends codes via text message
  • Requires an SMS connector (e.g., Twilio)
  • A good choice for mobile-first environments

Managing 2-Step Verification from the CLI

If you prefer scripting or automation, the CLI gives you full control:

  • Enable / disable 2-Step Verification
  • Set allowed methods
  • Customize message templates
  • List or revoke active methods for specific users

Cluster Deployments

In a clustered setup, 2-Step Verification settings and admin accounts are not automatically synced across nodes.

You’ll need to:

  • Configure each admin account separately on the relevant nodes
  • Set up 2-Step Verification for each account on each node it accesses

To keep things simple, we recommend using email or SMS as verification methods in clustered environments — these are not tied to a specific device or instance.

Admin Account Strategy

We support two common use cases when it comes to administrator roles:

Domain-Specific Admins

  • Limited to managing one or more specific domains
  • No server-level permissions
  • Should be configured only on the Backend node(s) that host their domains
  • Ideal for delegated admin access by individual customers or teams

Platform / Service Admins

  • Responsible for server-wide and / or domain-level services
  • Should be configured on all nodes where access is required (frontend and backend)
  • Typically manage SMTP, IMAP, or WebMail at the service level

Example Setup: Multi-Tenant Cluster

Here’s a simplified example:

Nodes:

  • Frontend-SMTP → frontend for SMTP
  • Frontend-Proxy → frontend for IMAP / WebMail
  • Backend-1 to Backend-4 → backend servers

Domain Placement:

  • domain1.tld → hosted on Backend-1
  • domain2.tld → hosted on Backend-2
  • large-domain.tld → distributed across Backend-3 and Backend-4

Admin Accounts:

  Admin User              | Configured On                                  | Purpose
  ------------------------+------------------------------------------------+----------------------------
  admin-domain1-tld       | Backend-1                                      | Manages domain1.tld
  admin-domain2-tld       | Backend-2                                      | Manages domain2.tld
  admin-large-domain-tld  | Backend-3, Backend-4                           | Manages large-domain.tld
  admin-all-domains       | Backend-1, Backend-2, Backend-3, Backend-4     | Cross-domain management
  admin-imap              | Frontend-Proxy, all Backend nodes              | IMAP service management
  admin-smtp              | Frontend-SMTP, all Backend nodes               | SMTP service management

This approach keeps access clear and aligned with actual responsibilities — improving security and simplifying management.

Get Started

2-Step Verification is available now in Axigen 10.6.15. If you’re already using delegated admin accounts or just want to tighten access, this is the right time to turn it on.

With flexible options and per-account configuration, 2-Step Verification gives you better control — while keeping your admins efficient and productive.