Every session starts with clicking the avatar in the top-right of any page and entering an email + password. The hub validates credentials via a dual auth path.
Dual authentication
- Mailcow IMAP first (STARTTLS on port 993). Works for Ancient / Modern / Baron whose @ancientholdings.eu mailbox is active — these accounts authenticate against the real mailbox password.
- Hub scrypt fallback — if IMAP returns invalid credentials, the hub looks up clients.password_hash and verifies via crypto.scrypt. This is how Operators log in: their Mailcow mailbox is reserved-but-inactive (active=0), so IMAP always rejects; the scrypt hash they set at signup is what validates.
If Mailcow is unreachable (network error, not invalid-creds), the login short-circuits to HTTP 503 instead of downgrading to scrypt — a mail-server outage shouldn’t silently flip every admin to the fallback channel.
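The decision logic described above, as an added example that is not the hub's own code: only an explicit credential rejection from IMAP reaches the scrypt fallback, and an outage fails closed with 503. The function names, the outcome strings, the 401 for a failed fallback and the "salt:key" hex storage format are assumptions; `scryptSync` stands in for the `crypto.scrypt` call the page names.

```javascript
const crypto = require('node:crypto');

// Assumed format for clients.password_hash: "<salt hex>:<key hex>".
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, 64);
  return `${salt.toString('hex')}:${key.toString('hex')}`;
}

// Constant-time scrypt verification; malformed or missing hashes fail.
function verifyScrypt(password, stored) {
  if (typeof stored !== 'string' || !stored.includes(':')) return false;
  const [saltHex, keyHex] = stored.split(':');
  const expected = Buffer.from(keyHex, 'hex');
  if (expected.length === 0) return false;
  const salt = Buffer.from(saltHex, 'hex');
  const actual = crypto.scryptSync(password, salt, expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// imapOutcome is the (hypothetical) classified result of the Mailcow attempt:
// 'ok', 'invalid' (server rejected the credentials) or 'unreachable'.
function decideLogin(imapOutcome, password, storedHash) {
  if (imapOutcome === 'ok') return { status: 200, via: 'imap' };
  if (imapOutcome === 'invalid') {
    // Only an explicit credential rejection may reach the fallback.
    return verifyScrypt(password, storedHash)
      ? { status: 200, via: 'scrypt' }
      : { status: 401, via: null }; // 401 is an assumed status code
  }
  // 'unreachable' and anything unclassified: fail closed, never downgrade.
  return { status: 503, via: null };
}

// Constructed sample: an Operator whose mailbox is inactive (IMAP rejects).
function demo() {
  const operatorHash = hashPassword('constructed-passphrase');
  return [
    decideLogin('invalid', 'constructed-passphrase', operatorHash),
    decideLogin('invalid', 'wrong-guess', operatorHash),
    decideLogin('unreachable', 'constructed-passphrase', operatorHash),
  ];
}

console.log(demo());
```

In a real handler the IMAP attempt must be classified carefully: timeouts, TLS failures and connection resets belong in the unreachable branch, not the invalid one.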
Single-active-scope
Multiple accounts can be added to the same browser session, but only ONE is in scope at a time (Google-style). Switching scope is a cookie-only flip via POST /api/mail/activate — no re-authentication. The validated email + display name land in an encrypted iron-session cookie.
Public self-signup
When an Ancient Admin has opened public registration, anyone can create an Operator-tier account at /signup. Any email works as the login. If the chosen email ends in @ancientholdings.eu, signup reserves the mailbox name on Mailcow with active=0 (inactive until a future Baron activation).
When registration is closed, /signup returns a friendly “registration is closed” notice; Ancient Admins can still invite operators manually via /admin/admins.
Welcome line
After login, the hub greets you with the display name on your Mailcow mailbox (when set) plus your email: “Welcome George Popescu (codera@ancientholdings.eu)”. Full name is pulled from the session’s active account.