User Guide

• Account Settings
• Mail Filters
• Message History
• My App Passwords
• Notification Settings
• Personal Signature
• Sender Filters
• Set Up Your Devices
• Shared Folders
• Vacation Auto-Reply
• Webmail & Apps

Account Settings

Account Settings

This is the page where you change your password, set up a recovery email, pick your timezone, and turn two-factor authentication on or off.

The short version

Account Settings is the home for the things that protect your account and shape how the portal works for you. Most people visit it once when they first sign in — to enable 2FA, set a recovery email, and pick a timezone — and rarely again after that.

There are up to four cards on this page:

• Change Password — pick a new password for your account (if your password is managed here).
• Two-Factor Authentication — turn on the second sign-in check (a code from an app on your phone, a security key, or a Duo push) so that someone who knows your password still can't sign in without your second factor.
• Recovery Email — set a backup email address you can use to reset your password if you ever forget it.
• Timezone — tell the system which timezone you're in so that times in the portal and in your vacation auto-reply make sense to you.

Some of these only appear under certain conditions. For example, if your password is handled by your company's main login system, the Change Password card is replaced with a short note telling you so. The rest of this page explains each card in turn.

Changing your password

If you see a Change Password card with three fields and a Change Password button, your password is managed by Hermes. To change it:

1. Type your current password into the Existing Password field.
2. Type your new password into the New Password field. It must be between 8 and 64 characters long.
3. Leave Check against haveibeenpwned.com set to YES unless you have a specific reason not to. (It quickly checks whether your proposed new password has shown up in a known public data breach. If it has, you'll be asked to pick a different one. The check uses an anonymized fingerprint of your password and does not send the actual password anywhere.)
4. Click Change Password.

You can click the small eye icon next to either password field to make the text visible while you type, which is useful when you want to be sure you didn't fat-finger it.

Once the password is changed successfully, you'll see a green confirmation banner. Use the new password the next time you sign in.

"I don't see a Change Password section."

If the card shows a note like "Your account uses Remote Authentication. Password changes must be made through your organization's directory service", your password is not stored in Hermes. It's stored in your company's main login system (often Active Directory or a similar directory service). Ask your IT team how to change your password there — once you do, the new password will work for signing in here too.

Your recovery email

The Recovery Email card lets you register a backup email address. This is not your main email address on this system — it's an outside address, like a personal Gmail, Yahoo, or Outlook account, that you can get to even if you're locked out of Hermes.

You'd use it if:

• You forget your password and need to reset it yourself, instead of waiting on an administrator.
• You lose access to your two-factor authentication device and need an emergency way back in.

To set one up:

1. Type your outside email address into the Recovery Email Address field.
2. Click Save Recovery Email.
3. Hermes sends a short verification email to that address. Open it and click the link inside.
4. Come back to this page — the address should now show a green Verified badge.

Until you click that link, the address shows a yellow Not Verified badge and won't actually work for password recovery. If you didn't get the verification email or accidentally deleted it, click Resend Verification Email to send a fresh one. (Check your spam folder too.)

To change the recovery email later, type a new address into the update form and submit it — Hermes will send a verification email to the new address, and the old one stays in place until the new one is verified. To remove it entirely, scroll to the bottom of the card and click Remove Recovery Email.

A couple of important rules:

• The address has to be on an external mail provider. You cannot use an address on a domain that Hermes itself handles — that would defeat the purpose, since if you're locked out you'd be locked out of the recovery address too.
• If you don't set a recovery email, that's okay — but if you ever forget your password, you'll have to ask an administrator to reset it for you.

This card only appears if your password is managed by Hermes. If you sign in through your company's directory service, password recovery happens there, not here.

Your timezone

Your timezone affects:

• Times shown in the portal (when messages were quarantined, when notifications were sent, and so on).
• Vacation auto-reply scheduling. When you set a start and end date for an auto-reply, those times are interpreted as wall-clock times in your timezone. If you say "end at 6:00 PM" and your timezone is America/New_York, the auto-reply stops at 6:00 PM Eastern, not 6:00 PM UTC.

To change it, pick a timezone from the dropdown — you can start typing to filter the list, since there are several hundred — and click Save Timezone. The current timezone is shown just below the dropdown so you can confirm what it's set to.

One warning about vacation auto-reply

If you already have a vacation auto-reply enabled with a start and end time, changing your timezone will pop up a confirmation box explaining what happens: the wall-clock numbers (like "6:00 PM") stay the same, but they'll now be evaluated in your new timezone. So if you change from America/New_York to Europe/London, "6:00 PM" suddenly means 6:00 PM London time instead of 6:00 PM New York time — five hours earlier in absolute terms. The dialog lets you confirm or back out.

If you're not sure, leave the timezone alone and adjust the vacation auto-reply dates separately on the Vacation Auto-Reply page.

Two-factor authentication

Two-factor authentication (2FA, sometimes called multi-factor authentication or MFA) is an extra check on top of your password. The idea is simple: when you sign in, you type your password as usual, and then you have to do one more thing — type a code from an app on your phone, tap a notification, or touch a security key. That way, even if someone steals your password, they still can't sign in without your phone or your key.

This is the single most effective thing you can do to protect your account, and it takes about five minutes to set up the first time.

What about my email apps on my phone or laptop?

A quick clarification before we get into setup, because this confuses everyone the first time:

2FA only protects your web sign-in — the User Console and Webmail in your browser. It does not affect the email, calendar, or contacts apps on your phone, tablet, or desktop. Those apps use a separate thing called an app password, managed under the My App Passwords entry in the sidebar. So when you enable 2FA, your phone's Mail app will keep working — it doesn't suddenly start asking you for a code.

If you've never set up an app password, you may need to do that too, but that's a separate page with its own documentation.

What 2FA methods are available

Hermes supports three different second-factor methods. You can pick whichever one you like during the enrollment flow:

• TOTP (Time-based One-Time Password) — a six-digit code that refreshes every 30 seconds in an authenticator app on your phone. Works with Google Authenticator, Microsoft Authenticator, Authy, 1Password, Bitwarden, and most other authenticator apps. This is the most common choice and the easiest to start with.
• WebAuthn — a hardware security key (like a YubiKey) plugged into your computer's USB port, or a built-in authenticator (Touch ID on a Mac, Windows Hello on Windows, the fingerprint sensor on your laptop). Very secure, but you need either the hardware or a device that supports a built-in biometric.
• Duo Push — a tap-to-approve notification from the Duo Mobile app. Only available if your administrator has Duo Security set up; if it's not listed during enrollment, you don't have it.

If you've never set up 2FA on any service before, TOTP is the easiest place to start.

Setting up TOTP step by step

1. Install an authenticator app on your phone if you don't already have one — Google Authenticator, Microsoft Authenticator, and Authy are all free.
2. On this page, in the Two-Factor Authentication card, click Enable 2FA. (If you're a mailbox user, the page recommends opening Webmail in another browser tab first — you'll need it in a minute to read a verification email.)
3. The system signs you out and sends you back to the sign-in page. Sign in again with your password.
4. After signing in, you're walked through registering a device. Click Register your first device and pick One-Time Password.
5. A verification email is sent to your mailbox to confirm it's really you. Open it (in your Webmail tab) and click the link inside.
6. A QR code appears on the screen. Open your authenticator app, tap the "+" or "Add account" button, point your phone's camera at the QR code, and the app captures it.
7. The app now starts showing a 6-digit code that changes every 30 seconds. Type the current code into the field on the website and submit.

You're done. From now on, every time you sign in to the portal, after typing your password you'll be asked for the current code from the app.

Backup codes

When you register a TOTP device, the enrollment screen may also offer you a set of one-time backup codes — short codes you can use to sign in if you ever lose your phone. Save these somewhere safe (a password manager, or printed and stored in a drawer). Each one works exactly once. Without backup codes (or a second registered device, or your recovery email), losing your phone means asking an administrator to reset your 2FA.

"I lost my phone. How do I get back in?"

In order of preference:

1. Use a backup code at the 2FA prompt, if you saved any.
2. Use a second registered device if you registered more than one (for example, a security key as well as an authenticator app).
3. Use your recovery email — if you set one up under the Recovery Email card above, you can use it to start a password reset flow that also resets your 2FA.
4. Contact an administrator. They can clear your registered devices so you can enroll a new one. This is the slowest option, which is why setting up backup codes and a recovery email matters.

"Required by your administrator"

If you see a small yellow Required by your administrator badge next to your 2FA status, your organization requires 2FA on your account and you can't turn it off from this page. The Disable button is greyed out. If you need to swap out a registered device (for example, you got a new phone and want to re-register TOTP on it), contact your administrator — they can clear your existing device so you can enroll a new one.

If 2FA is required and you haven't enabled it yet, the page shows a yellow Action required box with a step-by-step walkthrough. Follow it — the rest of the portal may be locked down to this page and a few others until you finish enrolling.

Frequently asked questions

My password change keeps failing with "The Existing Password you entered is incorrect" — but I'm sure it's right. Double-check for typos using the eye icon to make the text visible. If it really is the right password and it's still failing, your account may be in an odd state — contact an administrator. (If you're certain you've forgotten it, use the Forgot Password link on the sign-in page; that uses your recovery email if you set one.)

Can my password contain spaces or special characters? Yes. Any printable character is allowed. The only rule is the length: 8 to 64 characters.

Why does it say "previously appeared in a data breach"? The HIBP check (Have I Been Pwned) compares an anonymized fingerprint of your proposed password against a public database of passwords that have been exposed in past breaches. If it matches, the password is publicly known and attackers have it on their wordlists — even if it's not specifically associated with you. Pick a different one. Random or passphrase-style passwords nearly always pass.

I set up 2FA but my email app on my phone stopped working. 2FA shouldn't affect mail apps — they use app passwords, not your main password. If your mail app stopped working around the same time you enabled 2FA, it's almost certainly that the app was using your main password and now needs an app password instead. Visit My App Passwords in the sidebar.

Why does the page tell me to open Webmail in a new tab before enabling 2FA? During 2FA enrollment, Authelia sends a verification email to your mailbox to confirm it's really you. If 2FA isn't set up yet, you're stuck in a chicken-and-egg situation — you can't sign in to Webmail to read the email because 2FA is mid-enrollment. Opening Webmail in a separate tab before you click Enable means that tab stays signed in and you can still read the verification email from there.

Do I have to re-do 2FA every time I sign in? You'll be asked for your second factor on each new sign-in, yes. Many browsers and devices give you an option during sign-in to "remember this device" for a period of time, which skips the second factor on that specific device until the remember-me window expires.

The Recovery Email field won't accept my work email. The recovery email has to be on a mail provider that's not handled by this system. The whole point is that it should still work if you're locked out of Hermes. Use a personal Gmail, Yahoo, Outlook, or similar address.

I don't see a Timezone card. Like the Recovery Email card, Timezone only appears if your password is managed by Hermes. If you sign in through your company's directory service, timezone preferences for this portal aren't currently offered — talk to your administrator if dates and times are showing in an inconvenient timezone for you.

Can my administrator see my recovery email or my 2FA devices? Your administrator can see whether you have a recovery email set and whether 2FA is enabled, and they can clear (but not see) your registered 2FA devices. They cannot see your password. They generally do not need to look at this information unless you ask them to help you with account recovery.

Where to next

• Manage app passwords for your phone, tablet, and desktop email apps — see My App Passwords
• Turn quarantine notification emails on or off — see Notification Settings
• Set up a vacation auto-reply (now that your timezone is correct) — see Vacation Auto-Reply

Mail Filters

Mail Filters

This is where you build rules that automatically sort, mark, forward, or delete your incoming mail as it arrives.

The short version

Mail Filters are personal rules that act on every new message that lands in your mailbox. You write a rule like "if the Subject contains the word newsletter, move it to my Newsletters folder" once, and from then on Hermes does it for you on every matching message that comes in.

This page is not the same as Sender Filters. The two pages sound similar and they're both about taming your inbox, but they do different jobs at different points in the pipeline:

• Sender Filters tell the spam engine whether to accept or reject mail from a specific sender in the first place. The effect is on the spam decision.
• Mail Filters (this page) decide what to do with a message after Hermes has already decided to deliver it — file it in a folder, mark it as read, forward a copy, drop it on the floor. The effect is on the layout of your mailbox.

You'll often use both pages together, but for different problems. The next section makes the difference more explicit.

Mail Filters vs Sender Filters

	Sender Filters	Mail Filters (this page)
What it controls	Whether the spam engine accepts the message at all	What happens to a message that has already been accepted
When it runs	Before the message reaches your mailbox	After the message has reached your mailbox
What it can do	Allow a sender (skip spam check) or block a sender (silently drop)	Move to folder, mark as read, forward a copy, delete silently
What it matches on	The sender's address or domain	The Subject, From, To, Cc, Bcc, or message size
Acts on quarantined mail?	Yes — that's the whole point	No — quarantined mail never reaches the filter
Typical use	"Stop quarantining this newsletter." / "I never want to see this sender again."	"File all newsletters in a Newsletters folder." / "Mark mail from my manager as important."

Rule of thumb: if you want a message to arrive when it currently doesn't (or to not arrive when it currently does), that's Sender Filters. If the message does arrive but you want it to land somewhere other than the inbox, that's Mail Filters.

What the page shows

At the top is an Add Filter button and an informational note that reminds you how filters work.

Below that is the My Mail Filters card. If you haven't created any filters yet, you'll see a short message inviting you to click Add Filter. Once you have one or more filters, you'll see a table with one row per filter:

Column	What it shows
Actions	A row of buttons: Move Up / Move Down (change the filter's position in the list), Toggle (turn the filter on or off without deleting it), Edit (open the filter to change it), Delete (remove it).
Filter Name	The label you gave the filter when you created it.
Match	ALL if every condition has to match, ANY if just one condition has to match.
Conditions	A plain-English summary of the conditions in the filter.
Actions	A summary of what the filter does — Move to, Mark read, Redirect to, Delete.
Status	Active (the filter is running) or Disabled (the filter is set up but turned off).

Creating a rule

1. Click Add Filter at the top of the page. A large dialog opens.

2. In the Filter Name field, give the filter a short label that will remind you later what it does — for example, Newsletters to folder or Manager to Important.

3. In Match Type, pick either:

   • Match ALL conditions (AND) — every condition has to match before the filter fires. Use this when you want to be specific (for example, From contains "@example.com" AND Subject contains "Invoice").
   • Match ANY condition (OR) — the filter fires as soon as one condition matches. Use this when you want a wider net (for example, From contains "alice@" OR From contains "bob@").

4. Under IF (Conditions), set up one or more conditions. Each condition has a Field, a Match operator, and a Value. Click Add Condition to add more rows, or the red × button to remove one.

   The available fields are:

   • Subject — the message's subject line
   • From — the sender's address (the one you see in your inbox)
   • To — who the message was addressed to
   • Cc — who was copied
   • Bcc — who was blind-copied (see the warning below)
   • Size — how big the message is

   For text fields (Subject, From, To, Cc, Bcc), the match operators are Contains, Equals (case-insensitive), and Does not contain. For Size, the operators are Is over and Is under, and the value is a number optionally followed by K, M, or G — for example, 10M for ten megabytes.

   A note about Bcc: mail servers usually strip the Bcc header off a message before delivering it, because hiding the Bcc recipients is the whole point of Bcc. A filter matching on Bcc almost never fires in practice. It's listed for completeness but you should not rely on it.

5. Under THEN (Actions), set up one or more actions. Each action has an Action type and (depending on the action) a value. Click Add Action to add more, or the red × to remove one.

   The available actions are:

   • Move to folder — file the message into a folder in your mailbox instead of leaving it in the inbox. Pick an existing folder from the dropdown or type a new folder name to create it. Use / to nest folders, like Work/Projects.
   • Mark as read — keep the message but flag it as already-read, so it doesn't add to your unread count.
   • Redirect to address — send a copy of the message on to another address. The address must be a mailbox in your own domain — external redirects are not allowed.
   • Delete silently — drop the message. No notification, no copy in Trash, no way to get it back. This one asks you to confirm before saving.

6. Click Save Filter. The dialog closes and the new filter appears at the bottom of the list.

Editing or removing a rule

To edit a rule, click the blue pencil button in its row. The same dialog opens, pre-filled with the rule as it stands. Make your changes and click Save Filter.

To turn a rule off temporarily without deleting it, click the green toggle button in the rule's row. The badge in the Status column changes from Active to Disabled, and the rule stops firing on new mail. Click the toggle again to switch it back on.

To delete a rule, click the red trash button. A confirmation dialog appears showing the rule's name; click Delete Filter to remove it permanently or Cancel to back out.

To change the order rules run in, use the up- and down-arrow buttons in the leftmost column. Each click moves the rule one position. Order matters — see the next section.

How rules are evaluated

Every new message that lands in your mailbox is checked against your rule list, in order, from top to bottom. Each enabled rule runs in turn, and the actions of any rule whose conditions match are applied to the message.

This means:

• A message can be matched by more than one rule. For example, a message from your manager about a project could match both Manager to Important (mark as read) and Project mail to Project folder (move to a folder). Both actions happen.
• The order matters when the actions interact. If one rule moves a message to a folder and a later rule deletes it, the move-then-delete order applies — the message ends up deleted. Reorder rules so the most important action runs at the position you expect.
• Disabled rules are skipped entirely. A disabled rule is as if it didn't exist for that message.

If you've added a rule and it doesn't seem to be doing anything, the most common causes are: the rule is disabled, the rule's conditions don't actually match (typos in the value, wrong field), or an earlier rule has already deleted or moved the message somewhere you weren't looking for it.

Common scenarios

File all newsletters from a particular sender into a folder. Add a filter named Newsletters. One condition: From contains @newsletter.example.com. One action: Move to folder Newsletters. Match type: ALL.

Flag mail from your manager as already-read so it doesn't clutter your unread count. Add a filter named Manager. One condition: From is exactly manager@example.com. One action: Mark as read. Match type: ALL. (Most people would not actually want this — but it's a good illustration of the Mark as read action.)

Forward a copy of all project alias mail to a colleague. Add a filter named Project alias to Bob. One condition: To contains project@. One action: Redirect to address bob@example.com. Match type: ALL. Note that the target has to be a mailbox in your own domain.

Auto-delete a noisy alerts list you can't unsubscribe from. First, consider whether Sender Filters is a better fit — a block on that sender there will drop the mail before it ever reaches your mailbox. If you need it here for some reason: add a filter named Drop alerts. One condition: From contains alerts@noisysystem.example.com. One action: Delete silently. Match type: ALL. Be sure: deleted messages can't be recovered.

Move large messages to a separate folder so they don't clog your inbox. Add a filter named Large messages. One condition: Size is over 10M. One action: Move to folder Large. Match type: ALL.

Match either of two senders. Add a filter with two From conditions and set the match type to Match ANY condition (OR).

Things this page does NOT do

A few important limits:

• Filters do not act on quarantined mail. If a message is held in quarantine because the spam engine flagged it, your filters never see it. Use Sender Filters or release the message manually from Message History.
• Filters only act on new arrivals. Mail that's already sitting in your inbox is not retroactively re-filtered when you add a new rule. Only mail that arrives after you save the rule is affected.
• Deleting a rule does not undo its past effects. If a rule has been moving messages to a folder for a month and you delete the rule, those messages stay where they were moved. The rule just stops acting on new arrivals.
• Filters only act on incoming mail. They do not touch mail you send.
• Redirects must stay within your domain. You cannot redirect to a personal Gmail or any other external address.

Frequently asked questions

My rule isn't firing. Why not? Check, in order: is the rule Active (not Disabled)? Does the Value exactly match what's in the real message — including spelling, spacing, and the right field (a sender's name is in From, not To)? Is an earlier rule in the list already moving or deleting the message before this one gets a chance? Send yourself a test message that should match and see what happens.

Two of my rules match the same message. Which one wins? Both. Each enabled rule that matches is applied, in top-to-bottom order. The final state of the message reflects all of them. If two rules conflict (one moves to Folder A, another moves to Folder B), the last one to run takes effect — so the order in your list matters.

Can I turn a rule off for a while without deleting it? Yes. Click the toggle button in its row. The badge changes to Disabled and the rule is skipped until you toggle it back on.

If a rule redirects a message, do I still get a copy? Yes. A redirect sends a copy on to the other address; the original still lands in your mailbox where your other rules can act on it.

Does the redirect action work with my Vacation Auto-Reply? They're independent. Vacation Auto-Reply still triggers on the original delivery to your mailbox; the redirect just sends a separate copy onward.

Can I match on a field that isn't in the list — like a custom header? Not from this page. The available fields are Subject, From, To, Cc, Bcc, and Size. If you need something more advanced, talk to your administrator.

My rule's value is showing up wrong in the summary column. The summary shows what's stored. If it doesn't look right, open the rule with the pencil button and check the Value field — what you see in Edit is the truth.

Can my administrator see my rules? They can see them in the underlying system, but day-to-day they aren't managed by anyone but you. If a rule isn't behaving the way you expect, you can ask an administrator to take a look.

I picked Delete silently and now I'm worried I'll lose mail I wanted. You can. That action drops the message with no copy kept anywhere. If you have any doubt at all, use Move to folder to a folder called something like _Maybe Spam instead — you can review the folder occasionally and delete from there.

Is there a daily summary or limit on how many rules I can have? There's no daily summary. There's no specific count limit you'll run into in normal use, but a long list of rules can get hard to keep track of — periodically review your list and delete or disable rules you no longer need.

Where to next

• Sender Filters — different page, different purpose. Use Sender Filters when you want to change whether a message arrives at all; use Mail Filters when you want to change where it goes once it has.
• Vacation Auto-Reply — for setting an automatic reply while you're away, on a separate page.
• Account Settings — for your password, recovery email, timezone, and two-factor authentication.

Message History

Message History

This is where you find messages Hermes has handled for you — including ones it put in quarantine, ones it delivered, and ones it blocked.

The short version

Hermes keeps a record of every message it has processed for your mailbox. Message History is the page where you can look through that record, find a specific message, see what Hermes did with it, and take action on it.

The most common reason to come here is to release a message from quarantine that you actually wanted. Maybe an order confirmation got held back, or a newsletter you subscribed to keeps getting flagged. You find it in the list, tick the checkbox, and tell Hermes to deliver it.

If you have Quarantine Notifications turned on (see Notification Settings), you usually don't need to visit this page at all — you can release a quarantined message directly from the notification email, with one click. Message History is here for the times when you didn't get a notification, deleted it by mistake, or want to look through a batch of messages all at once.

What the page shows

The page is split into two cards.

Search Messages is at the top. It lets you choose the time window and how many results to bring back. You'll see:

• Start Date/Time and End Date/Time — the window to search. The default is the last 24 hours. Click the calendar icon next to either field to pick a date and time visually.
• Search Results Limit — how many messages to load. The default is 1000, with options up to 15000. A higher number takes longer to load, so only raise it if 1000 isn't enough to find what you're looking for.
• Fetch Messages — runs the search and refreshes the table below.

Message History is the results table. Each row is one message Hermes processed for you, sorted with the newest at the top:

Column	What it shows
(checkbox)	Tick this to select the row for a bulk action. The header checkbox selects every row.
View	A magnifying-glass button that opens the message so you can see its contents and headers.
Archived	Y if the message has been moved to long-term archive storage, N if it's still in the active quarantine area.
Date/Time	When Hermes processed the message.
Sender IP	The IP address that the message came from.
Return-Path	The technical "envelope" address the sender's mail server used. Sometimes different from the From address.
From	The From address as you'd see it in your inbox.
To	The recipient address — usually you, or one of your domain's addresses if you're a catch-all recipient.
Subject	The subject line of the message.
Score	The spam score Hermes calculated. Higher means more suspicious.
Type	A short description of what Hermes classified the message as — Clean, Spam, Banned (had a forbidden attachment), Infected (virus), and so on.
Action	What Hermes did with it: Delivered (sent to your inbox), Blocked (held in quarantine or rejected), or N/A if the status doesn't fit either bucket.

Above the table you'll see a row of export buttons (Copy, CSV, Excel, PDF, Print), a Search box that filters the rows you're already showing, and a page-size picker (50, 75, 100, or all). Those tools work on whatever the search has already loaded — they don't go back to the database.

If no messages match your date range, the table is replaced with a small info note saying so.

Releasing a message from quarantine

There are three different ways to release a message, depending on what you have in front of you.

From the notification email (easiest). If quarantine notifications are turned on, each notification has a Release Message button. Click it and the message is delivered to your inbox. You don't have to log in, and you don't need to come to this page at all.

One message at a time from this page. Find the row, tick its checkbox, click Message Actions, pick Release Message(s) to Mailbox from the dropdown, and click Submit. The message is delivered to your inbox within a minute or two.

Several messages at once. Tick the checkboxes for every message you want to release (or tick the header checkbox to select them all), click Message Actions, pick Release Message(s) to Mailbox, and submit. Hermes releases each selected message in turn and shows a green summary listing the ones it released.

Released messages arrive in your inbox just like any other email. There's no way to "un-release" a message — if you release something by mistake, just delete it from your inbox.

Looking at a message before releasing it

If you're not sure whether a message is really legitimate, click the magnifying-glass button in the View column. That opens the message itself so you can see what's in it before deciding.

The view page shows you:

• The subject, From address, Return-Path, To address, CC, and the date and time.
• The body of the message, as HTML if it has one, or as plain text in a textbox.
• The full message Headers in a textbox at the bottom — useful if you want to verify where the message actually came from.

Buttons at the top let you go back to Message History, print the message, and (if your administrator has enabled it) download the raw message as a file.

Viewing a message does not release it — it just lets you read it. To get the message into your inbox after viewing, go back to Message History, tick its checkbox, and use the Release Message action as described above.

Searching and filtering

The Search box above the table filters the rows that are already loaded. Type any part of an address, subject, or other field and the table narrows down as you type. Clear the box to see everything again.

To search a different time window — say, last week instead of the last 24 hours — change the Start Date/Time and End Date/Time in the top card and click Fetch Messages. That re-runs the underlying query against the database.

If you're hunting for a specific message and you know roughly when it should have arrived, set the date range tightly around that time and keep the limit at 1000. That's faster and easier than loading the maximum.

What you CAN'T do from this page

A few honest limitations:

• Messages from blocked senders don't appear here. If you've added a sender to your Block list under Sender Filters, their messages are silently dropped — they never get logged for your mailbox. Message History will not show them.
• You can't re-quarantine a message that's already been delivered. Once a message lands in your inbox, this page doesn't take it back. Use your mail client's normal tools (delete, mark as spam) instead.
• You can't recover messages older than the retention window. Quarantined messages are deleted after a fixed period set by your administrator. If a message has been purged, Message History won't show it and there's no way to get it back.
• You can't act on someone else's messages. Even if you're a catch-all recipient for a domain, the actions you take only affect mail that's queued against your mailbox or the catch-all addresses you cover.

Common scenarios

You're expecting an order confirmation that never arrived. Open Message History, leave the date range on the default 24 hours, and skim the list for the sender. If it's there, tick the checkbox, click Message Actions, pick Release Message(s) to Mailbox, and submit. If the same store's mail keeps getting quarantined, add their address to your allow list under Sender Filters so it doesn't happen again.

You want to release several legitimate newsletters all at once. Tick all of their checkboxes (or click the header checkbox to select everything and untick the ones you don't want), then use Message Actions with Release Message(s) to Mailbox.

You want to read a quarantined message before deciding what to do with it. Click the magnifying-glass icon in the View column. The page that opens shows the body and headers. Hit the Back button to return to Message History, then release it (or just leave it in quarantine to expire on its own).

You want to make sure something didn't sneak through that shouldn't have. Set the date range to a longer period (say, the last week), click Fetch Messages, and look through the table. The Score and Type columns tell you what Hermes thought of each message; the Action column tells you what it did.

Your administrator told you to "train" a message. If your account has training enabled, the Message Actions dropdown shows extra options: Train Message(s) as Spam, Train Message(s) as Ham (NOT Spam), and Remove Message(s) Previous Training. These tell the spam filter to learn from specific examples. Use them only when an administrator asks you to — they affect the filter's behaviour for everyone on the system, not just for you.

Frequently asked questions

How long do quarantined messages stay around? That's set by your administrator, not by you. It's typically a few weeks. Once the retention window passes, the message is deleted and cannot be recovered.

A message I released didn't arrive in my inbox. What now? Wait a couple of minutes — release isn't instant. If after five minutes it still hasn't arrived, check your mail client's spam or junk folder; once Hermes lets it through, your mail client may filter it independently. If it's nowhere to be found, contact your administrator.

Why doesn't the table show messages from a sender I know I've been blocking? Mail from senders on your block list is dropped silently — there's no record of it in Message History. That's deliberate. If you want to see those messages instead of having them dropped, remove the sender from your Sender Filters block list.

The date pickers default to the last 24 hours. Can I change the default? No — every visit starts on the last 24 hours. Use the date fields and Fetch Messages to look further back.

What's the difference between "Blocked" and "N/A" in the Action column? "Blocked" means the message was held in quarantine or rejected outright. "N/A" is for messages whose status doesn't fit those buckets cleanly — usually transient or partial states. Both are uncommon if you're just looking for normal mail.

Why does the same message sometimes appear twice with different scores? It doesn't, normally. But if a sender sent the same mail to you under multiple addresses (for example, your real address and a catch-all on your domain), you may see one row per delivery. The To column tells you which address each row was actually for.

Can I bulk-release everything from the last 24 hours? Yes — load the page, tick the header checkbox to select every visible row, then click Message Actions and choose Release Message(s) to Mailbox. Be careful: this will release real spam too, and you'll have to clean those out of your inbox by hand. Most people prefer to release only what they recognize.

Will Hermes remember that I released a message, so it doesn't quarantine the same sender again? No. A release just delivers that one message. If you want a sender to skip quarantine permanently, add them to your allow list under Sender Filters.

I'm a catch-all recipient for my domain. Will I see messages addressed to other people? You'll see messages addressed to addresses on your domain that don't belong to any real user — that's what "catch-all" means. You won't see messages addressed to your colleagues' real mailboxes; those belong to their own Message History.

Why is the "Export" or "Print" button only showing what's already on screen? The export buttons act on the rows the page has loaded into the table. If you want a wider export, raise the Search Results Limit in the top card before fetching, then export.

Where to next

• Turn quarantine notifications on or off — see Notification Settings
• Make a specific sender skip quarantine for good — see Sender Filters
• Change your password, recovery email, or timezone — see Account Settings

My App Passwords

My App Passwords

This is where you create and manage app passwords for your mailbox — the per-device credentials that mail apps, calendar apps, and contacts apps use to connect to your account.

If someone has just told you to "create an app password" to set up your email on your phone, this page is what they meant. The first few sections below explain what an app password is and why it exists; the rest is the step-by-step for actually using the page.

The short version

An app password is a separate password you create for each app or device that connects to your mailbox. It is not your main password. You can have as many app passwords as you want, and you can revoke any one of them without affecting the others.

You use:

• Your main password (the one you use to log into the website) when you sign in to the user portal or webmail in your browser.
• An app password when you set up the Mail, Calendar, or Contacts app on a phone, tablet, or computer.

This page is where you create, label, and revoke those app passwords. The typical workflow is: click Create App Password, type a label that tells you which device it's for ("iPhone", "Thunderbird", "Home laptop"), copy the password the page hands back, and paste it into the app on the device. From then on the device remembers it and you never have to think about it again — until one day you replace the device or lose it, at which point you come back here and click Revoke on that row.

This page only exists for mailbox users. If you're a relay-only user (your mail goes through Hermes but isn't stored here), the page will tell you app passwords aren't available for your kind of account, because you have no mailbox to connect to.

Why a separate password from your main one?

Three reasons.

1. You can disable one device without changing the others

Imagine your only password is your main password, and you set it up on your phone, your laptop, and your home computer. Then you lose your phone.

To prevent the lost phone from accessing your email, you would have to change your main password, then go back to the laptop and the home computer and re-enter the new password on each. Anything you missed would stop working. And the password would now be different from what you use to log into the website too.

With app passwords:

• You created one called "iPhone" for your phone.
• You created one called "Laptop" for your laptop.
• You created one called "Home" for your home computer.
• You lost your phone — you sign in to the user portal, click Revoke next to "iPhone", and that's it.
• Your laptop, your home computer, and your main website login are completely unaffected.

2. Apps cannot do two-factor authentication

When you log into the website, you are sometimes asked for a second factor — a code from an app, or a tap on Duo Push. That extra step keeps your account safer.

Mail apps, calendar apps, and contacts apps cannot ask you for a second factor. They can only send a username and a password, once, and that's it. If you used your main password in those apps, you would be giving them a way around the second factor entirely.

App passwords solve this cleanly: the website still asks for the second factor (because it can), and your apps use a separate, scoped password that has no special powers beyond mail/calendar/contacts access.

3. App passwords have less power than your main password

Your main password is the key to your whole account. An app password can only be used to access mail, calendar, and contacts. It cannot change your password, change your settings, or access anything else.

So if an app password is somehow stolen, the attacker can read your mail — bad, but not catastrophic. If your main password is stolen, the attacker can do anything you can do.

What an app password looks like

When you create one, the system generates a random string of about 30 characters that looks something like this:

xQ7kP2mN9vRtY8wJ3hF6aD1sZ4bC0nL5

You will see it once, on the screen, right after you create it. You should immediately:

1. Copy it (or scan the QR code the page also shows), and
2. Paste it into the app or device where you want to use it (or save it in a password manager).

After you leave that page, the system will not show it to you again. This is intentional — even an administrator cannot retrieve it. The system only stores a one-way scrambled fingerprint of the password, which is enough to check sign-ins but not enough to reveal the password itself. If you lose it before you set up your device, just revoke it and create a new one. There is no penalty for doing this.

You do not need to remember an app password. You will probably never type it manually. The whole point is that you set it once on the device and then forget about it.

What this page shows

There's one button at the top — Create App Password — and below it a card called Active App Passwords listing every app password that's currently working on your account. The columns are:

Column	What it shows
Label	The name you gave the app password when you created it.
Created	When you created it.
Last Used	When something last successfully signed in with it. Shows never if it's been minted but hasn't been used yet (for example, you created it but haven't finished setting up the device).
Action	A red Revoke button for that row.

If you have no active app passwords yet, the table is replaced with a short message pointing you at the Create button.

Below the active list, if you've revoked any app passwords in the past, there's a collapsed Revoked (most recent 50) card. Click the plus icon in its header to expand it. The revoked list is read-only and is just for your reference — it shows the label, the date it was created, and the date it was revoked.

Creating an app password

1. Click the blue Create App Password button near the top of the page. A small dialog opens.
2. In the Label field, type a short name for what you're setting up — something like iPhone, Thunderbird, Laptop, or Outlook on home PC. The label is for your eyes only; it just helps you remember which row is which when you eventually need to revoke one. (Up to 100 characters.)
3. Click Create.
4. The page reloads with a yellow callout at the top headed Your new app password. Inside the callout is the password itself — a 30-character random string in a monospace box — and a Copy button that puts it on your clipboard. Below the password box there's also a QR code.
5. Copy the password right now, or scan the QR code with your phone, and paste the result into the app or device you're setting up. If you're sitting at your laptop minting a password for your phone, the QR code is the easiest path — open your phone's camera or QR scanner, point it at the code, and your phone will offer to copy the text so you can paste it into the Mail app's password field.
6. Once you leave the page or refresh it, the password disappears and cannot be retrieved — not by you, not by your administrator.

If you closed the page before copying the password, or you mistyped it into the device and don't know which character was wrong, the fix is simple: revoke that row, create a fresh one, and use the new password instead. There's no penalty for doing this — you can mint and revoke as many as you need.

Revoking an app password

1. Find the row you want to remove in the Active App Passwords table.
2. Click the red Revoke button on the right side of that row.
3. A confirmation dialog appears asking "Revoke [label]?" with a red warning that the device using this password will be locked out immediately. Click Revoke to confirm or Cancel to back out.

The revocation takes effect right away. The next time the device tries to fetch mail, send mail, sync calendars, or sync contacts using that app password, it will get an authentication error — usually the device pops up a "password incorrect" prompt or shows a red exclamation point next to the account.

To restore that device's access, you create a fresh app password (using the steps above) and enter the new password where the device is asking. There's no way to undo a revocation — but creating a replacement only takes a minute.

The revoked row moves from the Active list to the Revoked (most recent 50) list below, where it stays as a record of what was revoked when.

What an app password is good for

Each app password lets a device sign in for:

• Mail (IMAP for reading mail, SMTP for sending mail)
• Calendars (CalDAV)
• Contacts (CardDAV)

So one app password for your phone is enough to set up the Mail app, the Calendar app, and the Contacts app on that phone — you don't need a separate password for each. The same is true for any other device that handles mail, calendars, and contacts together.

App passwords cannot be used to log into the user portal, change your account settings, or do anything else outside of mail/calendars/contacts. That limited scope is deliberate.

How many app passwords should you have?

One per device or app, with a label that tells you which is which. For example:

iPhone               (Mail app on your iPhone)
iPad                 (Mail and Calendar on your iPad)
Thunderbird          (the desktop mail client on your laptop)
Outlook on home PC   (the mail client on your personal computer)
Backup tool          (an automated mail backup tool, if you have one)

You can also use one app password for multiple things on the same device — for example, a single "iPhone" app password can be used by Mail, Calendar, and Contacts on that one phone — but the cleanest practice is one per device.

When to create or revoke one

Create a new app password when:

• You're setting up a new device or app for the first time (you got a new phone)
• You're replacing an existing device (create a new app password for the new phone, set it up, then revoke the old phone's app password)
• You forgot to copy one when you created it — just revoke that row and create a fresh one

Revoke an app password when:

• You lost a device — revoke that device's app password immediately. The lost device is then locked out, and your main password and other devices are unaffected.
• You stopped using a device or app — revoke its app password to keep your account tidy.
• You suspect an app password was stolen — revoke it. Even if you are not sure, revoking and creating a new one takes about a minute.

What about your main password?

You still have one, and you still use it for the website (and webmail, calendar, and contacts when you access them through the website). You should keep it strong, keep it private, and change it if you ever suspect it has been compromised.

What changes is that your main password no longer has to live on every device you own. It only ever leaves your head when you type it into the website. Your devices have their own credentials, and those credentials are limited to the apps they were created for.

Common scenarios

Setting up your first device. Click Create App Password, label it for the device (for example, iPhone), copy the password the page shows you, and paste it into the device's mail/calendar/contacts settings as the password. Your normal email address is the username. If you're following one of the mobile setup wizards under Set Up Your Devices, those wizards take care of generating and applying the app password for you and you may not need to visit this page at all.

Replacing a device. Create a new app password labelled for the new device (for example, iPhone (new)), set up the new device with it, confirm mail, calendar, and contacts all work, and only then revoke the old device's row.

Lost device. Open this page, find that device's row, click Revoke, and confirm. The lost device is locked out within seconds. Your other devices, your main password, and your webmail sign-in are completely unaffected.

Lost the password before you set up the device. Revoke the row you just created and create a fresh one. The label can be the same as before — it doesn't have to be unique.

You stopped using an app or device. Revoke its row. There's no harm in leaving old app passwords active, but keeping the list tidy makes it obvious which ones are real and which would never legitimately sign in.

Frequently asked questions

My phone is asking for a password I don't have. What do I enter? Sign in to the user portal, come to this page, click Create App Password, label it for the device you're setting up, copy the password it shows you, and paste it into the phone. That's the password the phone is asking for.

Why did the page only show the password once? Because the system never stores the actual password — only a one-way scrambled fingerprint of it. That fingerprint is enough to check whether the password a device sends in is correct, but it's not enough to reconstruct the password itself. The plaintext exists for a few seconds in your browser at creation time, and then it's gone. This is intentional and matches how every reasonable system handles passwords.

I copied the password but my device says it's wrong. What happened? The most common cause is a copy-paste mistake — a stray space, a missed character, or the device accidentally autocorrecting part of it. Try copying it again carefully. If it still doesn't work and you're already past the "shown once" screen, revoke the row and create a fresh one. The new password will work cleanly.

What does the label do? Nothing technical. It's a name you give the app password so that later, when you need to revoke one, you can tell at a glance which row is which. Hermes does not check the label against the device or care what's in it. Pick anything meaningful to you.

Can I rename a label later? No. Labels are set at creation and don't change. If a label became wrong over time (say you labelled it iPhone and you now use it on your iPad), the easiest fix is to revoke and re-create with the new label.

The Last Used column says "never" for a password I'm definitely using. "Last Used" is updated by the system when a sign-in succeeds. If your device is set up to check mail only on demand, or if it hasn't connected in a while, the column may lag. Give it a few minutes after the device next fetches mail and reload the page.

Can I share an app password with someone else? Don't. App passwords are device-scoped, but they are still credentials to your mailbox. If you need someone else to access shared content (a shared inbox, a shared calendar), the administrator can grant that access without sharing any password.

Will revoking an app password log me out of the user portal? No. The user portal uses your main password (and 2FA, if enabled), not an app password. App passwords are only used by mail, calendar, and contacts apps.

Does the QR code contain anything besides the password? No. It encodes the 30-character password and nothing else — no URLs, no account information, no metadata. Scanning it just puts the password on your phone's clipboard so you can paste it into the Mail app.

Where to next

• Set Up Your Devices — step-by-step mobile setup wizards that generate and apply an app password for you. Often the easiest path for phones and tablets.
• Account Settings — change your main password, set a recovery email, manage two-factor authentication.

Notification Settings

Notification Settings

If you have ever wondered whether Hermes is going to email you every time it blocks a suspicious message, this is the page that controls that.

The short version

Quarantine is the holding area where the system puts messages it thinks might be spam, scams, or viruses. Instead of letting those messages into your inbox, Hermes sets them aside so you can decide what to do with them.

This page has one setting: Quarantine Notifications. When it is Enabled, Hermes sends you a short email each time a new message is put into quarantine for you. That email includes a one-click Release Message button — if the message is actually something you wanted (a real order confirmation, a real invoice, a real newsletter), you click the button and Hermes delivers it to your inbox. You do not need to log in.

When it is Disabled, Hermes still quarantines suspicious messages, but it does not email you about them. You would only find them by going to the Message History page in this user portal and looking yourself.

Most people leave it Enabled. That way nothing important sits in quarantine without you knowing about it.

Why this setting matters

The whole point of a mail gateway is that it makes a judgement call for you about which messages look risky. Most of the time it is right. Occasionally it sets aside something you actually wanted — a receipt from a store you do not buy from often, a one-time password from a service you rarely use, an email from a new contact.

You have two ways to catch those mistakes:

• Quarantine Notifications turned on. Hermes emails you about each quarantined message as it happens. You see them in your inbox the same way you see any other email. If one of them is legitimate, you click the Release Message button right from the notification, and the message arrives in your inbox a minute later.
• Quarantine Notifications turned off. Nothing arrives. You have to remember to visit the Message History page on this site every so often to look for messages you might have missed.

The first option is easier and that is why it is the default. The second option means a quieter inbox, but you have to be disciplined about checking Message History.

The setting on this page

Quarantine Notifications

This dropdown has two choices:

• Enabled (the default) — Hermes emails you once for every message it quarantines for you. Each email has a Release Message button you can click without logging in.
• Disabled — Hermes does not email you about quarantined messages at all. You can still see them by visiting the Message History page in this user portal.

To change it, pick the option you want from the dropdown and click Save Settings. The change takes effect right away — the next message that gets quarantined will follow your new preference.

If you do not change anything on this page, it stays Enabled.

Common scenarios

You want to know about every quarantined message as it arrives. Set Quarantine Notifications to Enabled. This is the default. You will get one email per quarantined message, with a Release Message button.

You are tired of getting emails about spam. Set Quarantine Notifications to Disabled. You will not hear from Hermes about quarantined messages anymore. Plan to visit Message History every few days so legitimate mail does not sit in quarantine indefinitely.

You are going on vacation and do not want a pile of notification emails waiting for you. You can leave Notifications Enabled — the notifications themselves are short and easy to delete in a batch — or set it to Disabled before you leave and back to Enabled when you return. Either is fine.

You missed an important email and you are not sure if Hermes quarantined it. The setting on this page does not change what is in quarantine — it only changes whether you are notified. Go to Message History to look for the message regardless of what this setting is on.

Frequently asked questions

If I turn notifications off, will Hermes stop quarantining messages? No. Hermes always decides what to quarantine the same way. This setting only controls whether you get an email about it.

Will I get one giant email at the end of the day, or one email per message? One email per message, as each one is quarantined. There is no daily summary option on this page.

The notification email has a Release Message button. Is it safe to click? Yes. The button is a one-time link tied to that specific message and your specific mailbox. Clicking it tells Hermes "this message was fine, please deliver it." It does not require you to log in, and it does not affect any other messages.

I clicked Release Message by mistake. What happens? The message gets delivered to your inbox. You can simply delete it from there if it was not something you wanted. There is no way to "un-release" a message, but releasing a real spam message does no real harm — it just lands in your inbox like any other email, and you delete it.

I am not getting any notification emails even though this is set to Enabled. What is wrong? First, check your inbox's own spam folder — sometimes the notification emails themselves get filtered. If they are not there either, contact your administrator: it may be that Hermes is not configured to send notifications at all, or there may be a delivery problem to your mailbox.

Can I get notifications for other people's quarantined messages, like a shared mailbox? This setting only controls notifications for messages addressed to you. Shared mailbox notifications, if available, are managed separately by your administrator.

Does turning notifications off delete the messages in quarantine? No. The messages stay in quarantine and you can still find them on the Message History page. The setting only controls whether you get an email about them.

How long do quarantined messages stay around? That is set by your administrator, not by you. It is typically a few weeks. Once a quarantined message expires, it is deleted and cannot be recovered, so do not rely on quarantine as long-term storage.

Where to next

• Releasing a quarantined message from the portal — see Message History
• Stopping mail from a specific sender from being quarantined at all — see Sender Filters
• Changing your password or other account preferences — see Account Settings

Personal Signature

Personal Signature

This page lets you create the signature that gets added to the bottom of every email you send through Hermes.

The short version

A personal signature is the little block at the end of a message that tells the recipient who you are — usually your name, your title, your contact details, sometimes a logo, sometimes a link or two. On this page you build that signature once, click Save, and from then on Hermes appends it to every message you send out through the system. You don't have to copy and paste it into each new message.

The editor lets you do the things you'd expect: type and format text, change colors, add bullet lists, insert images and tables, drop in links. There's a small gallery of starter templates so you don't have to build something from scratch unless you want to, and there's a Preview button so you can see what the signature will look like below an actual message before you save it.

You can turn the signature off at any time with a single toggle at the top of the page — your saved signature stays put, it just stops being appended to your outbound mail until you turn it back on.

What the page shows

There's one card on the page, titled Personal Signature. From top to bottom it has:

• An Append my personal signature to outbound messages toggle. This is the master switch. When it's off, nothing else on the page matters — no signature gets added to your mail.
• A Start from a template dropdown with five curated layouts you can load with one click.
• The editor itself — a what-you-see-is-what-you-get area where you type and format your signature, with a toolbar across the top for bold, italics, headings, colors, lists, alignment, links, and image upload.
• Insert table buttons (2×2, 2×3, 3×3, 3×4) for adding a simple table layout below the editor.
• An image Width strip with preset buttons (100 px, 150 px, 200 px, 300 px), a custom-pixel input, and a Reset button.
• A help note listing the image format and size limits.
• A Preview button and a Save Signature button along the bottom.

If your administrator has turned off user-managed signatures for your domain, you'll see a grey Personal Signatures Disabled notice instead of the editor, and the Personal Signature item is also hidden from the sidebar. See "What this page does NOT do" below for what that means.

Creating your first signature

The fastest way to get a working signature is to start from a template and edit the placeholder text. Here's the flow:

1. Pick a template from the Start from a template dropdown. The editor fills with that template's layout.
2. Edit the placeholder text — replace Your Name, Your Title, the example email address and phone number, the example URL, and so on, with your own information.
3. Adjust the formatting if you want — make a line bold, change a color, add a bullet list, insert an extra paragraph.
4. If the template includes a logo placeholder line, click the image icon in the toolbar to upload your actual logo, then click the inserted image and pick a width from the Width buttons below the editor.
5. Click Preview to see how the signature will look at the bottom of a sample message. Adjust if needed.
6. Click Save Signature.

You should see a green confirmation banner. From that point on, every new message you send through Hermes gets the signature appended at the bottom.

Editing an existing signature

Open the page and your saved signature appears in the editor automatically. Change whatever you want and click Save Signature again. The new version replaces the old one immediately — the next message you send uses the updated signature.

To start completely over, pick a different template from the dropdown — it'll ask you to confirm before overwriting your current content, then loads the new template. You can also clear the editor by selecting all the text (Ctrl-A or Cmd-A) and pressing Delete.

To temporarily turn the signature off without losing it, untick Append my personal signature to outbound messages at the top of the card and click Save. Your signature stays saved; it just isn't appended to mail until you tick the toggle again.

Adding images

Click the image icon in the editor toolbar to upload an image from your computer. The image is embedded directly in your signature and appears inline in outbound mail — the recipient sees it next to your text, not as a separate attachment.

There are a few limits to know about:

• 10 images maximum per signature.
• 200 KB per image (resize a large photo or logo before uploading).
• 1 MB total across all images in your signature.
• PNG, JPEG, and GIF only. SVG and WebP aren't supported because not every mail client renders them reliably.

After inserting an image, click it in the editor to select it (it gets a thick blue ring and a "checkmark" badge to confirm it's selected), then pick a width from the Width buttons or type a custom pixel value into the input and click Apply. Reset clears the width and lets the image use its natural size. The width sticks to that image — if you have two logos at different sizes, click and resize each one separately.

If you skip the size limit, the save will fail with an explanation of which limit was hit. Just resize the image (or remove one) and try again.

Using the templates

There are five starter templates in the dropdown. Each one drops a different layout into the editor, with example text you replace with your own:

• Minimal — name + contact only. Your name, title, email, phone. No frills, fits in three or four lines.
• With logo placeholder. Same as Minimal, plus a note at the top reminding you to upload your logo using the toolbar image button. Adds organization, web address.
• With Schedule-a-Meeting link. Compact contact block with a "Book time on my calendar" link suitable for Calendly, Outlook Bookings, or similar.
• With social media icons. Contact details plus a row of small (24-pixel) brand-colored icons for LinkedIn, X, GitHub, Instagram, Facebook, and a website link. Just edit the URLs.
• Comprehensive — logo + contact + meeting + social. Everything: logo placeholder, name and title, multiple phone numbers, address, scheduling link, and the row of social icons. Use this if you want the works and then trim what you don't need.

Picking a template replaces whatever is currently in the editor. If the editor already has content, you'll be asked to confirm before it gets overwritten.

The templates use generic placeholder text like Your Name and you@domain.tld on purpose. Replace it manually with your own information before saving.

Adjusting image width

Hermes uses a click-then-pick model for resizing images, instead of drag handles. After inserting an image:

1. Click the image in the editor. A blue ring appears around it confirming it's selected, and the status line above the Width buttons updates to "Image selected (current width: ...)".
2. Click one of the preset width buttons: 100 px, 150 px, 200 px, or 300 px.
3. Or type a custom width (between 10 and 2000 pixels) into the input box and click Apply.
4. Click Reset to remove the size override and let the image use its natural dimensions.

A few sensible widths to start with: 100 px for small social icons, 150–200 px for a typical organization logo, 300 px for a wider banner image. If you're not sure, save it, send a test message to yourself, and adjust.

Preview before sending

Click the Preview button (next to Save Signature) to see what your signature will look like in an actual email. A preview panel appears below the editor showing a short sample message body with your signature attached underneath, separated by a thin grey line — roughly the way it'll look when a recipient opens your mail.

The Preview is an approximation. Different mail clients (Gmail, Outlook, Apple Mail, Thunderbird) each render HTML slightly differently, so the exact appearance can vary. If exact fidelity matters, send a test message to yourself or to a colleague and check it in the actual mail app they use.

Click the X in the corner of the preview panel to close it.

What this page does NOT do

A few honest limitations worth knowing about up front:

• It only applies to mail you send through Hermes. That means mail sent via Webmail in this portal, or via a mail app on your phone or computer that's set up to send through the Hermes mail server. If you also use a different mail provider for some of your mail — a personal Gmail, your old work account on another system — the signature on this page does not apply there.
• The signature gets appended after your message body — it isn't inserted as you compose. So when you're writing in Webmail or a desktop mail client, you'll see the message body without the signature. Hermes adds the signature at the moment the message leaves the mail server. The recipient sees it at the bottom of the mail; you won't see it in your Sent folder unless your mail client also fetches the delivered copy.
• It applies to every outbound message — new mail and replies alike. There's no option to add it only to new mail and skip replies.
• It doesn't override an organizational signature your administrator may have set. If your organization has a centrally-managed signature with the company logo, address, and disclaimer, that one is added by the mail server too — your personal signature appears on top of it, not instead of it. If you only want the organizational signature, just untick the Append my personal signature toggle and save.
• Some advanced HTML doesn't survive the editor. The editor is a rich-text editor, not a raw HTML tool — pasted code with custom CSS, styled buttons, or complex table layouts will be simplified to what the editor supports. If you need a precisely designed signature, work within the editor rather than pasting in something built elsewhere.

Common scenarios

Setting up your first signature. Pick Minimal or With logo placeholder from the template dropdown. Replace the placeholder text with your real name, title, email, and phone. If you picked the logo template, click the image icon in the toolbar, upload your organization's logo, click it, and pick 150 px or 200 px for the width. Click Preview. If it looks right, click Save Signature.

Adding a company logo to a signature you already have. Click in the editor where you want the logo to go (usually at the top, on its own line). Click the image icon in the toolbar and upload the logo file. Click the inserted image to select it, then pick a width — 150 px is a safe starting point. Click Save Signature.

Switching to a different template without losing your contact info. Picking a template overwrites everything in the editor, so before you switch, copy the lines you want to keep (highlight, Ctrl-C or Cmd-C). Pick the new template, then paste your saved lines into the appropriate place and delete the template's placeholder versions. Save.

Using one signature on your phone and your computer. This page's signature is added by the Hermes mail server when your message goes out, so it shows up regardless of whether you sent the message from Webmail, from Apple Mail on your phone, or from Outlook on your laptop — as long as you're sending through Hermes. You don't need to configure a separate signature in each app. In fact, if you've previously set up signatures inside your phone's Mail app or your desktop client, you should delete those, or you'll get two signatures stacked on top of each other.

Turning the signature off for a while without deleting it. Untick Append my personal signature to outbound messages at the top of the card and click Save Signature. Your signature content stays saved exactly as it was. Tick the toggle again and save when you want it back.

Frequently asked questions

Why doesn't my signature show up on my phone? Two possibilities. First, your phone may be set up to send mail through a different account (a personal Gmail, an old work account), not through Hermes — in which case Hermes never sees the message and can't add your signature. Check your phone's mail account settings. Second, your phone's own Mail app may have its own built-in signature setting that's overriding nothing here — Hermes still adds yours when the message arrives at the mail server, so the recipient sees it. The signature just won't appear inside your phone's compose window while you're writing.

Can I have different signatures for different recipients or different domains? No — this page supports a single signature that applies to all your outbound mail. If you need different signatures for different audiences (internal vs. external, English vs. French), you'd need to add the alternative text manually before sending the message.

Why is my image being shrunk or stretched? The width you pick with the Width buttons gets stored on the image itself. If the image looks wrong, click it in the editor (you'll see the blue selection ring), then pick a different width or click Reset to use the image's natural size. If the image still looks off, the source file might have an unusual aspect ratio — try resizing the original image with an image editor and re-uploading.

Why does the preview look different from what arrives in the recipient's inbox? Different mail clients render HTML differently. The preview shows roughly what the signature will look like in a typical web mail client, but Outlook on Windows in particular has some quirky HTML rendering. For an exact check, send a test message to yourself and look at it in the same mail client your recipients use.

How do I remove my signature entirely? Two ways. To turn it off but keep the content saved, untick Append my personal signature to outbound messages and click Save. To delete it completely, select all the text in the editor (Ctrl-A or Cmd-A), press Delete to empty the editor, then click Save.

Does the recipient see images as inline pictures or as attachments? Inline. Hermes embeds the images directly into the message in a way that mail clients display next to your text, not as a list of attachments at the bottom of the message. If a recipient's mail client is configured to block remote images for privacy, they might see a placeholder until they click "Show images" — but the image data is part of the message, not loaded from an outside server.

Can I include a clickable phone number or address? Yes. Highlight the text, click the link icon in the toolbar, and paste a tel:+15555550100 URL for phone numbers or a https://maps.google.com/?q=... URL for an address. On phones and tablets, tapping the link will open the dialer or maps app.

Can I include a quote or a small disclaimer at the bottom? Yes. The editor supports a blockquote style — highlight the text and click the blockquote button (it looks like a quotation mark) in the toolbar. For a plain disclaimer line, just type it as regular text. Keep in mind any organizational disclaimer your administrator has set will also be added by the mail server.

I don't see the Personal Signature item in the sidebar. A few reasons. If your account isn't a mailbox user (for example, you're on a relay-only account), the page doesn't apply to you. If your administrator has disabled user-managed signatures for your whole domain, the page is hidden — in that case your organization's signature, if any, is added automatically and you don't manage it yourself. If you've recently enabled 2FA on a 2FA-required account but haven't completed enrollment, the rest of the portal is locked down until you finish.

Where to next

• Account Settings — change your display name and email-related preferences. Your name and contact details in your signature aren't pulled from there automatically; you type them into the editor directly.
• Webmail & Apps — where you actually compose the mail your signature gets added to.
• Set Up Your Devices — guides for configuring your phone, tablet, and desktop mail apps to send through Hermes. (Heads up: signatures you configure on this page apply to mail sent through Hermes — so if your device is set up to send through a different mail server, the signature here won't appear on that mail.)

Sender Filters

Sender Filters

This is where you tell Hermes to always let mail from a specific sender through, or to always silently drop it, regardless of what the spam filter would normally do.

The short version

Hermes makes its own judgement about every incoming message. Most of the time it gets it right, but sometimes a newsletter you actually want ends up in quarantine, or a sender you've stopped caring about keeps trickling into your inbox. Sender Filters let you override that judgement for specific people or domains, just for your own mailbox.

You can do two things on this page:

• Add a sender to your allow list, so messages from them always get delivered to your inbox and never get held in quarantine for being spam.
• Add a sender to your block list, so messages from them get silently dropped and you never see them.

Your filters apply only to mail addressed to you. Other people in your company are not affected, and they have their own filter lists of their own.

Why you would use this page

There are two situations where you'd come here.

A sender you want keeps getting quarantined. Maybe it's a newsletter you actually signed up for, or alerts from a vendor portal, or shipping notifications from a small online store. Every time one comes in you have to release it from quarantine. Add the sender to your allow list once and Hermes will stop second-guessing it.

A sender you don't want keeps reaching your inbox. Maybe a former contact still emails you, or a marketing list you can't unsubscribe from keeps slipping through. Add the sender to your block list and you won't see their messages anymore.

You don't need to use this page for normal day-to-day mail. The spam filter handles most senders correctly on its own. This page is for the cases where you want to take direct control.

How the page is organized

When you open Sender Filters, you'll see two buttons at the top of the card:

• Add Sender — opens a small form for adding a new filter.
• Delete Sender(s) — removes any filters whose checkboxes you've ticked in the table below.

Below the buttons, there's a yellow note reminding you what an Allow filter does (and doesn't) — covered further down on this page.

Below that is a table listing all the filters you've already set up. Each row has:

Column	What it shows
(checkbox)	Tick this if you want to delete the row. The header checkbox selects all rows at once.
Sender	The email address or domain you added the filter for.
Receiver	Your own email address (this is always you — your filters only apply to mail addressed to you).
Action	A green Allow badge or a red Block badge.

If you haven't set up any filters yet, the table is replaced with a short message telling you to click Add Sender to create your first one.

Adding an allowed sender

1. Click Add Sender at the top of the page. A small form appears.
2. In the Sender E-mail Address or Domain box, type either:
   • A full email address, like newsletter@example.com — the filter applies only to that one address.
   • A domain, like example.com — the filter applies to every sender at that domain.
   • A domain prefixed with a dot, like .example.com — the filter applies to that domain and every subdomain of it (so mail.example.com, news.example.com, and so on are all covered).
3. In the Select Action to Take dropdown, leave it on Allow (this is the default).
4. Click Submit.

The new filter appears in the table with a green Allow badge. From now on, mail from that sender will skip the spam filter and be delivered to your inbox.

Adding a blocked sender

The steps are the same as adding an allowed sender, except in step 3 you choose Block from the dropdown instead.

The new filter appears with a red Block badge. From now on, mail from that sender will be silently discarded. You will not get a notification, the sender will not get a bounce, and the message will not appear in your Message History — it will simply not exist as far as your mailbox is concerned.

Editing or removing a filter

There is no "edit" — if you want to change a filter (for example, switch a sender from Allow to Block, or correct a typo in an address), you remove the old one and add a new one.

To remove a filter:

1. Tick the checkbox in the leftmost column of the row you want to remove. You can tick more than one, or tick the header checkbox to select all of them.
2. Click Delete Sender(s) at the top of the page.
3. A red confirmation box appears asking "Are you sure?" Click Yes to confirm or No to back out.

Deletion is immediate and cannot be undone, but if you remove the wrong row by mistake you can just add it back.

What this page does NOT do

A few important limits:

• Allow does not let dangerous attachments through. If a sender is on your allow list but sends you a message with a virus or a banned file type, the message is still blocked. Allow only tells the spam filter to back off — it does not turn off virus scanning or attachment rules.
• Filters are per-user. Adding newsletter@example.com to your allow list does not affect anyone else in your company. If a colleague has the same problem they need to add their own filter.
• You can't filter yourself. Hermes will not let you allow or block your own email address or your own email domain, because that would create odd situations with mail you send to yourself or to coworkers.
• Blocked mail is gone for good. Blocked messages are not put in quarantine — they are dropped. There is no "blocked items" folder to dig through later. If you might want the messages eventually, leave the sender alone and let the spam filter handle them normally.

Common scenarios

A newsletter you actually want keeps ending up in quarantine. Add the sender's email address (or their domain, with a leading dot to cover subdomains) with the Allow action. The next message they send will be delivered straight to your inbox.

A marketing list won't stop emailing you and the unsubscribe link doesn't work. Add the sender's email address with the Block action. You'll stop seeing the messages immediately.

You're suddenly getting spam from many different addresses, but they all end in @spammydomain.tld. Add spammydomain.tld with the Block action. Every sender at that domain is blocked in one go. If the spammers are also using subdomains, use .spammydomain.tld (with the leading dot) to catch those too.

You changed your mind about a sender you blocked. Find them in the table, tick the checkbox, and click Delete Sender(s). They'll go back to being filtered normally by the spam filter — they aren't automatically allowed; the block is just removed.

Frequently asked questions

Do I have to fill in the Receiver field? No. You don't see a Receiver field when adding a filter — it's always you. The Receiver column in the table just confirms that the filter belongs to your mailbox.

What happens if I add the same sender twice? Hermes tells you the sender already exists and doesn't add a duplicate. If you want to change Allow to Block (or the other way around), delete the existing row first and then add it again with the new action.

Can I use wildcards like *@example.com? You don't need to. Entering just example.com already matches every sender at that domain. Add a leading dot (.example.com) if you also want to match subdomains.

Does an Allow filter mean the sender's mail bypasses virus scanning? No. Allow only bypasses the spam filter. Virus scanning, banned attachment types, and other safety rules still apply.

Does a Block filter send a bounce back to the sender? No. Blocked messages are silently discarded — the sender gets no feedback either way. They have no way of knowing you've blocked them.

Will I get a notification email when a blocked message is dropped? No. Blocked messages don't generate notifications and don't appear in Message History. From your point of view, they never arrived.

Can my administrator see or change my sender filters? Your administrator can see them in the underlying system, but day-to-day they aren't managed by anyone but you. If you can't figure out why a particular sender is or isn't getting through, your administrator can investigate.

I added a filter but it doesn't seem to be working. What now? Double-check that the sender's address in the row matches what's actually in the From of their messages — typos are easy to make. If it still doesn't behave the way you expect, contact your administrator; there may be other rules in the system (organization-wide policies) that take precedence over a personal filter.

Where to next

• Releasing a single message from quarantine without setting up a permanent filter — see Message History
• Turning the quarantine notification emails on or off — see Notification Settings
• Changing your password or other account preferences — see Account Settings

Set Up Your Devices

Set Up Your Devices

This page walks you through connecting your phone, tablet, or desktop email program to your Hermes mailbox — so that messages, calendar events, and contacts all show up in the apps you already use.

The short version

Setting up a device means telling Mail, Calendar, and Contacts on that device where your server is and giving them a credential they can use to sign in. The Set Up Your Devices wizard turns that into a pick-list: you choose what kind of device you have, and it gives you exactly the right instructions for it.

There are seven options on the picker:

• iPhone, iPad, or Mac (Apple apps) — generates a downloadable profile that sets up Mail, Calendar, and Contacts in one tap. The wizard mints the app password for you automatically.
• Android — install two apps (DAVx5 for calendar/contacts, K-9 Mail or Thunderbird for Android for mail), then sign in with one app password.
• Thunderbird (Windows / Mac / Linux) — Thunderbird auto-discovers everything from your email address; you just paste the app password.
• Microsoft Outlook (Windows) — Outlook autodiscovers mail; the free CalDAV Synchronizer add-in handles calendar and contacts.
• Microsoft Outlook (Mac) — Outlook handles mail only; the built-in macOS Calendar and Contacts apps handle the rest (Outlook for Mac has no calendar/contacts sync of its own).
• Linux desktop — a reference card with server, port, and encryption settings for Evolution, KMail, Geary, Claws, or any other Linux client.
• Web only — skip device setup entirely and use webmail in your browser. No app password needed.

Whichever you pick, the goal is the same: one app password per device, used for mail, calendar, and contacts together. If you've never heard of app passwords before, see My App Passwords — but for the Apple path you don't have to think about it; the wizard handles it for you.

Before you start

A few things go more smoothly if you have them ready:

• Your full email address. This is your username for every device.
• The device you're setting up, ideally within reach. For the Apple path, you'll scan a QR code with the device's camera; for the other paths you'll paste an app password into the device.
• A label in mind for this device — something like iPhone, Work laptop, Sarah's iPad. It only has to make sense to you; it shows up later in My App Passwords so you can revoke that device's access by name.
• Two-factor authentication already set up on your account (recommended). Device setup itself doesn't depend on it, but if you don't have 2FA on yet, doing it before you set up devices avoids backtracking. See Account Settings.

Setting up iPhone or iPad (and Mac with Apple Mail)

This is the smoothest path on Hermes: one downloadable profile sets up Mail, Calendar, and Contacts together, and the wizard mints and embeds the app password for you so you never see it.

1. On the device picker, click iPhone, iPad, or Mac (Apple apps).

2. Fill in the form:

   • Device label — a name you'll recognize (the default is iPhone; change it if needed). This shows up in My App Passwords later.
   • Display name (optional) — how the account appears inside Mail/Calendar/Contacts on the device. Defaults to your email address if left blank.

3. Click Generate Setup Profile. Hermes mints a fresh app password for this device, builds and signs a .mobileconfig profile containing the IMAP, SMTP, CalDAV, and CardDAV settings, and then opens the result page.

4. The result page shows two ways to get the profile onto your device. Pick one, not both — the link works exactly once and expires after 30 minutes.

   • Scan with your phone or iPad — if you ran the wizard on a desktop computer, point your phone's camera at the QR code on screen. Tap the link that pops up to open it in your phone's browser. You may be asked to sign in (use your normal email and password as you would for this portal). The profile downloads automatically.
   • Install on this device — if you're already on the iPhone, iPad, or Mac you want to set up, just click the Download profile button.

5. On the device, install the profile.

   • iPhone or iPad: Open Settings, then General, then VPN & Device Management. Tap the Hermes profile and tap Install. iOS will ask for your iPhone passcode to confirm — this is iOS protecting itself, not a Hermes password. Tap Install again to confirm.
   • macOS: Open System Settings, then Privacy & Security, then Profiles. Double-click the profile and click Install.

6. Within a minute or two, the Mail, Calendar, and Contacts apps on the device will show your new account. You don't need to enter any other passwords — the profile carries them.

If you accidentally close the result page, miss the install prompt, or burn the link by clicking the wrong option, just go back to the wizard and generate a fresh profile. There's no penalty for redoing it.

Setting up Android

Android needs two apps: DAVx5 for calendar and contacts, plus a mail app for email. Both work with the same app password.

1. On the device picker, click Android.

2. Mint an app password first. Open My App Passwords in the sidebar, click Create App Password, label it for this device (e.g. Pixel 8), and copy the password it shows you. You'll paste this into both apps below. Keep the password handy; it's only shown to you once.

3. Install DAVx5 from F-Droid or Google Play.

4. Install K-9 Mail or Thunderbird for Android (these are the same app — Thunderbird for Android is K-9 rebranded — so just pick whichever name you prefer).

5. Set up email. Open the mail app, choose Add account, enter your full email address and the app password. The app autodiscovers IMAP and SMTP. Tap Done.

6. Set up calendar and contacts. Open DAVx5, tap the + button, choose Login with URL and username, and fill in:

   • Base URL — shown on the wizard page for you (it's https://your-mail-server/nc/remote.php/dav/).
   • Username — your full email address.
   • Password — the same app password from step 2.

   Tap Login. DAVx5 discovers your calendars and address books. On the next screen, enable Calendar and Contacts sync and grant DAVx5 the permissions Android asks for — that's how the synced data shows up in Android's built-in Calendar and Contacts apps.

Setting up Thunderbird (Windows / Mac / Linux)

Thunderbird is the easiest desktop path: it auto-discovers mail, calendar, and contacts. You won't type a single server name.

1. On the device picker, click Thunderbird (Windows/Mac/Linux).
2. Mint an app password for this computer in My App Passwords, label it (e.g. Work laptop), and copy the password.
3. In Thunderbird, choose File → New → Existing Mail Account (or use the first-run setup on a fresh install).
4. Enter your name (how you want messages to be signed), your email address, and paste the app password. Click Continue. Thunderbird discovers IMAP and SMTP automatically.
5. After mail finishes, Thunderbird usually shows a "Connect your linked services" page listing Calendar and Address Book. Click Connect on each; paste the same app password if asked.

If "Connect your linked services" doesn't appear (some Thunderbird versions skip it), the wizard page tells you exactly how to add Calendar and Address Book manually — the URL is shown on screen.

Setting up Microsoft Outlook (Windows)

Outlook on Windows handles email natively. For calendar and contacts you'll install the free CalDAV Synchronizer add-in.

1. On the device picker, click Microsoft Outlook (Windows).
2. Mint an app password for this computer and copy it.
3. In Outlook, choose File → Add Account, enter your full email address, and paste the app password when prompted.
4. Close Outlook, download CalDAV Synchronizer from the link on the wizard page, and run the installer.
5. Re-open Outlook. A new CalDav Synchronizer ribbon tab appears. Open Synchronization Profiles → Add new Profile, pick Nextcloud as the profile type, and fill in your email and the same app password.
6. Click Test or discover settings — you'll see a list of your calendars and address books. Pick one calendar (or address book) per profile, choose the matching Outlook folder, save, and repeat for each one you want to sync.

Setting up Microsoft Outlook (Mac)

Outlook for Mac doesn't speak CalDAV or CardDAV at all, so calendar and contacts have to live in macOS's own Calendar and Contacts apps. The wizard page walks you through all three apps in order. If you only use Apple Mail, Calendar, and Contacts on the Mac, the iPhone, iPad, or Mac (Apple apps) path is faster — one downloadable profile sets up all three.

Setting up a Linux desktop

The wizard's Linux page is a settings reference card — server name, ports, encryption type — that works for any Linux mail or PIM client (Evolution, KMail, Geary, Claws, and so on). Mint an app password from My App Passwords, then plug the values shown on the wizard page into your client's account setup. For Thunderbird on Linux, use the dedicated Thunderbird walkthrough — it auto-discovers everything.

Just using the webmail

If you don't want to set up any apps at all, pick Web only on the device picker. The wizard gives you a single button that opens webmail in your browser. No app password is needed for webmail — it uses your normal login. Webmail is fully responsive and works on phones and tablets too, so you can use it from anywhere with a browser.

What gets created behind the scenes

For the Apple path, the wizard mints a brand-new app password for that device and embeds it in the downloadable profile. You never see the password — it lives inside the profile, which iOS or macOS hands directly to the Mail, Calendar, and Contacts apps. The new app password also shows up as a row in My App Passwords under the label you chose.

For every other path, you create the app password manually in My App Passwords before plugging it into the device. Either way, the result is the same: one app password per device, identified by its label, listed in My App Passwords, and revocable in a single click.

Removing a device's setup

To stop a device from being able to fetch mail, calendars, or contacts:

1. Open My App Passwords in the sidebar.
2. Find the row matching the device's label.
3. Click Revoke and confirm.

Within seconds, the device is locked out. Your other devices and your portal login are completely unaffected. If you want to re-add that device later, just run the setup wizard again with a fresh label.

Common scenarios

First-time phone setup. Pick the path for your phone (iPhone/iPad or Android). The wizard does everything in one go for Apple devices; for Android you'll create an app password first and then plug it into two apps.

You got a new phone and want to move setup over. Run the wizard fresh for the new phone — pick a new label like iPhone (new). Confirm mail, calendar, and contacts all work on the new device, then go to My App Passwords and revoke the old device's row. Old phone is now locked out; new phone keeps working.

You want to add a tablet that uses the same mailbox. Run the wizard separately for the tablet, with its own label (iPad). One app password per device is the cleanest model.

The QR code didn't scan. Try moving the phone closer or farther, or use better lighting. If it still won't scan, click the Download profile button instead. If you're not on the same device, you can save the file, then AirDrop or email it to the phone. The token still has to be used within 30 minutes either way.

The 30-minute link expired before you got to install. Run the Apple wizard again — it'll generate a fresh profile and a fresh link. The old app password row will still be in My App Passwords; if you don't want it cluttering the list, revoke it.

Frequently asked questions

What is a configuration profile? Is it safe? A configuration profile is a small file that tells iOS or macOS exactly how to set up an account. The one Hermes generates only configures Mail, Calendar, and Contacts to talk to your mailbox — it doesn't install software, change settings outside of those three apps, or send anything outside your network. The profile is digitally signed by Hermes, so iOS will identify it as coming from your mail server rather than as an unknown profile.

Why does iPhone ask for my passcode when I install the profile? That's iOS confirming that you — the person physically holding the phone — are the one installing it. It's an iOS protection that applies to every configuration profile, regardless of where it came from. The passcode you enter is your iPhone unlock code; Hermes never sees it.

Can I set up Apple Mail without scanning the QR code? Yes. Click Install on this device instead of scanning. That downloads the .mobileconfig file directly. If you're already on the iPhone, iPad, or Mac you want to set up, that's the quickest path. The QR exists for the case where the wizard is open on your desktop and you need the profile on a different device.

What if I lose my phone? Go to My App Passwords, find the lost device's row, and click Revoke. The lost phone is locked out within seconds. Your other devices and your main login are unaffected. When you get a new phone, run the setup wizard again for it.

Do I have to redo this every time I get a new phone? Yes — each device gets its own app password tied to its own label, so a new phone needs a new run through the wizard. It only takes a minute or two for the Apple path.

Why am I being asked for a "password" on the device when the profile is supposed to contain it? For the Apple path, the profile contains the password and the device shouldn't ask. If iOS does ask, it's usually safe to tap Skip — iOS will pull the password out of the profile automatically. If skip isn't offered, paste the password from the profile note. (For non-Apple devices, the password is the app password you just minted in My App Passwords.)

I see two rows in My App Passwords for the same device. Why? You probably ran the wizard twice. Each run mints a fresh app password whether or not the old one is still working. The newest one is in use; you can safely revoke the older row once you've confirmed the device is happy.

Can my administrator see the app password the wizard created? No. Even the system itself doesn't store the actual password — only a scrambled fingerprint of it, which is enough to check sign-ins but not enough to reveal the password. For the Apple path the plaintext lives only inside the signed profile file that gets handed to the device.

My device says my password is wrong even though I just set it up. For non-Apple paths, the most common cause is a copy-paste mistake — a stray space or a missed character. Revoke that row in My App Passwords, mint a fresh one, and try again. For the Apple path, generate a fresh profile and reinstall — the old app password can be revoked afterward.

Will setting up a new device disconnect my old ones? No. Each device has its own independent app password. Setting up a new one doesn't affect anything that's already working.

Where to next

• My App Passwords — manage the per-device credentials created by this wizard, see when each device last connected, and revoke any device's access in one click.
• Account Settings — set up two-factor authentication, change your password, set a recovery email. Ideally done before setting up devices.
• Vacation Auto-Reply — set an out-of-office message that runs on the server, so it works whether or not your devices are online.

Shared Folders

Shared Folders

This is where you let other people in your organization see one of your mailbox folders in their own mail app — and where you see folders that other people have shared with you.

The short version

A shared folder is one of your mailbox folders — an Inbox subfolder, your Sent folder, a folder you made yourself — that you allow another person to also see in their own mail app. They get a copy of the same folder in their account; when new mail arrives in it, both of you see it. When one of you deletes a message, both of you see it gone. It is the same physical folder, viewed from two accounts.

A typical use is a team inbox. Say you have a folder called Sales under your Inbox where all the sales inquiries land. You can share it with two colleagues so that all three of you can read, file, and reply to those messages from your own mail app, without anyone having to forward anything or log in as somebody else.

This page lets you do four things:

• See which of your folders you've already shared, and with whom.
• Share another folder with another person in your organization.
• Stop sharing a folder.
• See which folders other people have shared with you.

You can only share with other mailbox users on the same domain. You can't share with someone at a different company, and you can't share a folder you don't own.

This page only exists for mailbox users, and only when your administrator has turned folder sharing on at the server. If sharing is off, the page tells you so and there's nothing else to do here.

What the page shows

The page is split into two cards.

My Shared Folders (top card). This is everything you have shared with other people. It shows:

• A short reminder of how shared folders work and where they appear in the recipient's mail app (under a Shared/ namespace).
• A note about Nextcloud Mail caching (covered below).
• A Share a Folder form with three fields: Folder Path, Share With, and Permissions.
• A table of your existing shares with one row per share:

Column	What it shows
Folder	The path of the folder you shared (for example, INBOX/Sales).
Shared With	The email address of the person you shared it with.
Permissions	Coloured badges — Read (green), Write (yellow), Delete (red) — showing what they can do.
Actions	A red Revoke button that stops the share.

If you haven't shared anything yet, the table is replaced with a short message.

Shared With Me (bottom card). This is everything other people have shared with you. It shows a short reminder about subscribing, and a table:

Column	What it shows
Owner	The email address of the person who shared it.
Folder	The path of their folder.
Permissions	The same Read / Write / Delete badges, showing what they let you do.

Note there is no Revoke button on this card. Only the person who owns the folder can stop a share. If a folder has been shared with you and you don't want to see it any more, ask the owner to revoke it, or unsubscribe from it in your mail app.

Sharing a folder

1. In the Folder Path field, pick a folder. The dropdown autocompletes from the list of folders that already exist in your mailbox — start typing and it will narrow the list. If the folder you want isn't there yet, you can also type a custom path (for example, INBOX/Projects/Acme) and it will accept it.
2. In the Share With field, pick the person to share with. The list is restricted to other mailbox users in your domain. If the dropdown is empty, you're the only mailbox user in your domain and there's no one to share with.
3. In Permissions, check the boxes for what the recipient should be able to do:
   • Read — they can see messages in the folder and read them. This is checked by default and is the minimum useful permission.
   • Write — they can move messages into the folder and mark messages as read.
   • Delete — they can delete messages from the folder. If you also gave Write, they can move messages out, which is effectively a delete from the folder's point of view.
4. Click the blue Share Folder button. The page reloads and the new share appears in the My Shared Folders table below.

Pick the lowest permission level that does the job. If the recipient only needs to see what's in the folder, leave it at Read. If they're meant to help you process the folder, give Write and Delete too.

Stopping a share

1. Find the row in the My Shared Folders table for the folder and person you want to stop sharing with.
2. Click the red Revoke button on the right.
3. A confirmation box appears asking "Are you sure you want to revoke this folder share?" — click OK to confirm or Cancel to back out.

The share is removed immediately. The next time the recipient's mail app refreshes, the folder disappears from their account. Their messages are not affected — the folder still exists in your mailbox, with everything in it. You've just taken the recipient's access away.

If you change your mind, you can share it again right away. Permissions and any earlier sharing arrangement are not remembered, so set the checkboxes again from scratch.

When someone shares a folder with you

If somebody shares one of their folders with you, it shows up in the Shared With Me card on this page right away. Seeing it in your mail app takes one more step, and the step depends on which mail app you use.

Nextcloud Mail (the built-in webmail). Nextcloud Mail caches its folder list once when the account is first set up, and it does not automatically pick up folders that are shared with you later. If a folder appears in your Shared With Me list but you don't see it in Nextcloud Mail, do this:

1. Open the webmail.
2. Go to Settings → Mail accounts.
3. Find your account and remove it.
4. Add it back using the same credentials.

That fresh setup re-reads your full folder tree from the server, and the shared folder will show up under a Shared/ heading along with the rest. You only have to do this when a new share is added; existing shares survive.

Thunderbird. Thunderbird sees shared folders the moment it refreshes its folder list. To refresh:

1. Right-click your account in the folder list on the left.
2. Choose Subscribe.
3. Click Refresh, tick the box next to the shared folder, and click OK.

The shared folder appears under a Shared/ heading.

Outlook (desktop). Right-click your account, choose IMAP Folders, click Query, then highlight the new shared folder and click Subscribe. The folder appears in your account's folder tree.

Apple Mail (iOS or macOS). Pull-to-refresh in the Mailboxes screen, or go to the account's mailbox list and tap Edit to confirm the new folder is ticked.

If the folder still doesn't show up after the refresh step for your app, double-check the Shared With Me card on this page — if the share isn't there, it was never created (or was already revoked). If the share is there but your mail app isn't showing it, repeat the refresh step; for Nextcloud Mail specifically, do the remove-and-re-add.

What this page does NOT do

A few things this page is not for:

• You can only share folders you own. You can't share somebody else's folder onward, and you can't share a folder that doesn't exist in your mailbox.
• You can only share within your organization. The Share With dropdown is limited to other mailbox users on your domain. There is no way to share with an external email address — for that, the right tool is forwarding (set up by the administrator) or simply copying the recipient on the original messages.
• Sharing is not forwarding. Both people see the same physical folder. There is no second copy, and messages are not duplicated. If the owner moves a message out of the folder, it disappears for everyone with access. If the owner deletes the folder entirely, the shares go with it.
• Shared permissions stop at the folder. Giving someone Read on your INBOX/Sales folder does not let them see your other folders, your account settings, or anything else. The permission is scoped to the one folder.
• No recursive sharing. Subfolders inside a shared folder are not automatically shared too. If you share INBOX/Projects and there's an INBOX/Projects/Acme subfolder, the recipient sees Projects but not Acme. Share the subfolder separately if you want them to see it.

Common scenarios

Sharing a team inbox with a colleague. You have an INBOX/Sales folder you use for incoming sales inquiries. Pick INBOX/Sales in the Folder Path dropdown, pick your colleague in the Share With dropdown, tick Read, Write, and Delete, and click Share Folder. Tell them to refresh their mail app (or, for Nextcloud Mail, remove and re-add their account) and they'll see the folder under Shared/ and can file, reply, and clean up alongside you.

Sharing a project folder with multiple people. Share the folder once with each person. Each person gets their own row in the My Shared Folders table, and each row can have different permissions if you want — for example, the project lead might get Read + Write + Delete, while a junior team member only gets Read.

Stopping a share when someone leaves the team. Go to the My Shared Folders table, find every row that lists the departing person in the Shared With column, and click Revoke on each one. They lose access immediately on their next mail-app refresh.

"I shared a folder but they say they can't see it." The most common cause is that they're using Nextcloud Mail and their folder list is cached. Walk them through removing and re-adding their account in Webmail → Settings → Mail accounts. If they're on Thunderbird or Outlook, walk them through the Subscribe step described above. If none of that works, check the My Shared Folders table on your end to confirm the share row is actually there with the right address spelled correctly.

Cleaning up old shares. Skim the My Shared Folders table every now and then. Anyone who no longer needs access to a folder you shared a while back should be revoked, both to keep the list manageable and as a basic hygiene measure.

Frequently asked questions

Can I share with someone outside the company? No. The Share With dropdown only contains other mailbox users on your own domain. If you need to send mail outside your organization, that's regular email — not a shared folder.

Can I share with someone who only has a relay account? No. Relay-only users have no mailbox here, so there's nothing for a shared folder to appear in on their end. Only mailbox users show up in the Share With dropdown.

What happens to the shared folder if I delete it? Deleting your own folder also removes everyone's access to it, because there's nothing left to share. Empty the folder first (or move its contents elsewhere) if you want to keep the messages.

Does the recipient see folders inside the shared folder? No. Sharing is per folder, not recursive. If you want them to see a subfolder too, share that subfolder separately.

Does sharing my Sent folder share my drafts too? No. Sent and Drafts are separate folders. Sharing one does not affect the other.

Can the recipient share the folder onward with someone else? No. Only the folder's owner can share it. If a third person also needs access, you have to share with them yourself.

The recipient said they can't see the folder in Nextcloud Mail. Why? Nextcloud Mail caches its folder list when the account is first set up and does not refresh it when new folders are shared later. They have to go to Webmail → Settings → Mail accounts, remove their account, and add it back. After the fresh setup the shared folder appears under Shared/. This is a known limitation of Nextcloud Mail, not something you've done wrong.

Where do shared folders appear in the recipient's mail app? Under a heading called Shared/, with one entry per share. The entry is named after the original folder path and the owner's address, so the recipient can tell who shared what.

If I give someone Write but not Delete, can they still move messages? They can move messages into the folder, and they can mark messages as read. Moving a message out of the folder is effectively a delete from the folder's point of view, so that takes the Delete permission.

Does the recipient see when new mail arrives in a shared folder? Yes, as soon as their mail app next refreshes that folder. Most apps poll every few minutes, so it's effectively live.

Where to next

• Mail Filters — sort incoming mail into folders automatically so the folder you eventually share is already populated and organized.
• My App Passwords — if a recipient is having trouble connecting their mail app at all, they'll need an app password first before any folder you share with them is reachable.
• Set Up Your Devices — step-by-step mobile setup wizards. Useful to send to a recipient who hasn't set up their mail app yet and needs to before they can see anything you share.

Vacation Auto-Reply

Vacation Auto-Reply

This is where you set up an automatic reply that goes out to people who email you while you're away.

The short version

A vacation auto-reply is a short message Hermes sends back automatically when mail arrives for you — to let the sender know you're not reading mail right now and when you'll be back. Most people set one up the day before they leave on vacation, fill in a start and end date, write a one-paragraph message, click Save, and then forget about it. Hermes turns it on at the start time, sends replies while you're away, and turns it off again at the end time.

You get a single Settings card on this page. From top to bottom you'll find a master on/off switch, a Subject and Message for the reply itself, an optional restriction on which of your addresses it should fire for, the dates and times when it should be active, and a couple of advanced toggles for unusual cases. There's a banner at the top of the page that tells you, at a glance, whether the auto-reply is currently active.

This page is mailbox users only. If you sign in as a relay-only user you'll see a "Not Available" notice instead.

What the page shows

At the top, a banner that reflects the current state of your auto-reply:

• Green banner — Auto-reply is currently ACTIVE. The auto-reply is turned on and right now is between your start and end dates. The banner tells you when it stops.
• Grey banner — Auto-reply is enabled but not currently active. You've turned it on, but the start date hasn't arrived yet (or the end date is already in the past). The banner explains which.
• No banner. The auto-reply is turned off.

Below that, the Settings card has these fields:

Field	What it does
Enable vacation auto-reply	The master switch. When off, none of the other fields matter — no replies will be sent.
Subject	The subject line of the reply that goes back to the sender. Required when enabled, up to 255 characters.
Message	The body of the reply. Plain text only. Required when enabled.
Reply only when message is addressed to	Optional. A multi-select of your primary address plus any aliases. Empty means reply to any message that reaches you. Pick one or more to restrict the auto-reply to only fire when mail is sent directly to those addresses (so for example you can auto-reply when someone writes to sales@ but not when you're just Cc'd on something else).
Start date and time	Optional. The exact moment the auto-reply starts. If left empty, the auto-reply is active from the moment you save.
End date and time	Optional. The exact moment the auto-reply stops. If left empty, the auto-reply stays active until you turn it off manually.
Reply interval (days)	How long to wait before replying to the same sender a second time. Default 7. See "How auto-reply decides whether to send" below.
Also reply to external senders	Off by default. When off, only people inside your own organization get an auto-reply. When on, anyone who emails you gets one — see the warning below.
Delete incoming messages while away	Off by default. When on, every message that triggered an auto-reply is also permanently deleted from your inbox. Use with care — see "Common scenarios" for when this might be appropriate.

When you're done, click Save Settings. The change takes effect immediately — Hermes regenerates your mail filtering script as part of the save.

Setting up an auto-reply

1. Turn on Enable vacation auto-reply at the top of the card.
2. Edit the Subject if the default ("Out of office") doesn't suit you.
3. Edit the Message body. Keep it short — three or four sentences is plenty. State that you're out, when you'll be back, and who to contact in the meantime if it's urgent.
4. Leave Reply only when message is addressed to empty unless you have a specific reason to restrict it.
5. Pick a Start date and time and an End date and time using the date/time pickers. You can leave either or both empty — see the next section for what that means.
6. Leave Reply interval (days) at 7 unless you have a reason to change it.
7. Leave Also reply to external senders and Delete incoming messages while away off unless you've read the warnings below and have a specific need.
8. Click Save Settings. You should see a green "Saved!" banner, and the banner at the top of the page should now show your auto-reply state.

That's it. You can close the page and forget about it — Hermes handles the rest.

Date scoping and timezone

Two things to know about how dates work on this page.

Start and end dates are inclusive and use date and time, not just date. The pickers are date-and-time pickers — you set the exact hour and minute the auto-reply starts and stops. This is more flexible than the on/off toggle you may have used on other systems: you can set it to start at 5:00 PM on a Friday and end at 8:00 AM on a Monday, and it will turn itself on and off at exactly those times. You don't have to remember to flip a switch.

Either date is optional. Leave them both empty and the auto-reply is active from the moment you save until you turn it off manually. Set just a start and the auto-reply runs from that moment until you turn it off. Set just an end and the auto-reply runs from now until that moment. Set both and you've defined a window.

All times use your mailbox timezone. The card shows a small banner that reads "Times below are interpreted in your timezone: ..." with your current timezone listed. So if it says America/New_York and you set an end time of 6:00 PM, the auto-reply stops at 6:00 PM Eastern, regardless of where in the world you actually are while you're away.

This matters if your timezone is wrong. If the banner shows a timezone that doesn't match where you live, click the Change timezone link in that banner — it takes you to Account Settings, where you can fix it. Otherwise your auto-reply could start hours earlier or later than you expect.

What recipients see

When someone emails you while the auto-reply is active, they get a separate reply email that comes from your address with the Subject and Message you set on this page. There's no "Auto:" prefix added — the subject is exactly what you typed.

The original message still lands in your mailbox normally (unless you've turned on Delete incoming messages while away, in which case it gets dropped after the reply is sent). The auto-reply does not get sent to you; it gets sent to whoever wrote to you.

Keep the message conversational and don't include sensitive information — anyone who emails your address will receive it, including people you don't know.

How auto-reply decides whether to send

A vacation responder that replied to every single incoming message would be a disaster — it would reply to mailing lists, bounce notifications, the daily newsletter, your colleague's "lunch?" question (five times if they emailed five times), and to other people's vacation auto-replies, sometimes creating endless loops. Hermes is more careful than that. A reply is only sent if all of the following are true:

• The auto-reply is enabled and the current time is between the start and end dates (if set).
• The sender hasn't already received an auto-reply from you in the last N days, where N is the Reply interval (days) value (default 7). So if Alice emails you on Monday and again on Wednesday, Alice gets one reply on Monday, not two.
• The message looks like personal mail, not bulk mail. Hermes uses the same checks as standard vacation responders: it skips mailing-list messages (anything with List-Id, List-Unsubscribe, or similar headers), bounce notifications, and messages with auto-submitted or precedence headers indicating they're machine-generated.
• If you set Reply only when message is addressed to, the message must be addressed directly to one of the addresses you picked — being Cc'd or Bcc'd doesn't count.
• If Also reply to external senders is off, the sender's address must be inside one of the domains your organization owns. External senders are silently skipped.

If any one of those is false, the message reaches your mailbox normally but no auto-reply is sent.

Common scenarios

Going on a 1-week vacation. Enable the auto-reply. Subject: "Out of office — back [date]". Message: a couple of sentences explaining when you'll return and who to contact for urgent matters. Start date: 5:00 PM the day you leave. End date: 8:00 AM the day you return. Reply interval: 7 days. Leave the rest at defaults. Save.

Half-day out of the office. Same as above, just with a shorter window — for example, start at 12:00 PM and end at 5:00 PM the same day. The date-and-time pickers handle this naturally.

Recurring weekly availability (e.g., out every Friday). This page doesn't support recurring schedules — you'd have to enable and disable it manually each week. For something this regular, consider whether a brief signature line in your normal mail ("Note: I don't reply to mail on Fridays") would do the job better.

Extending an active auto-reply. Come back to this page, change the End date and time to the new return date, and click Save Settings. The auto-reply stays active without interruption.

Out of the office and you don't want a pile of mail to deal with on return. Enable Delete incoming messages while away. Each sender still gets the auto-reply telling them you're out, but the original messages are permanently deleted from your inbox. Be careful here — this is irreversible, and if you forget to disable it when you come back, you will keep losing mail. Only use it if you're sure you don't need to read what comes in.

Frequently asked questions

Will my auto-reply fire when I'm Cc'd? Yes, by default — Hermes treats anything that reaches your mailbox the same way. If you don't want that, use Reply only when message is addressed to and pick just your primary address. Then only messages addressed directly to that address (not Cc or Bcc) trigger a reply.

Does it reply to internal mail or just external? By default, only internal senders (people inside your organization) get an auto-reply. External senders are silently skipped. If you want external senders to get a reply too, enable Also reply to external senders — but read the warning the page shows when you do. Confirming your address to spammers and announcing your absence publicly are both real risks.

What happens if I set the end date in the past? The auto-reply stays in the "enabled but not currently active" state, and the banner at the top of the page tells you the end date has passed. No replies are sent. To fix it, either update the dates or turn the auto-reply off entirely.

Can I delete the auto-reply instead of leaving an end date? The page doesn't have a Delete button — you turn the auto-reply off by unticking Enable vacation auto-reply and clicking Save Settings. Your subject, message, dates, and other settings are kept so you can re-enable them later without typing everything in again. If you really want to wipe the slate clean, blank out the subject, body, and dates before saving.

Why didn't a sender get my auto-reply? Most common causes, in order: they emailed you in the last N days (the reply interval) so they were skipped; their address is external and Also reply to external senders is off; their message looks like bulk or mailing-list mail; you set Reply only when message is addressed to and their message went to a different address; or your start or end date excludes the moment they emailed you. The banner at the top of the page tells you whether the auto-reply is active right now.

Does the auto-reply reply to itself if two people both have it on? No. Mail-system-generated messages (including vacation auto-replies) carry headers that mark them as auto-submitted, and Hermes' responder skips those.

Does the auto-reply reply to my own messages I send to myself? No — your own address is excluded from the auto-reply, the same way mailing lists and bots are.

Will senders get the auto-reply every time they email me, or just once? Once per Reply interval (days) period. With the default of 7, a sender who emails you five times during a week-long vacation gets exactly one auto-reply.

Can I include HTML or images in the message? No — the message is plain text only. It's intentionally simple: short, machine-readable, and friendly to every mail client.

The auto-reply is on but the banner says it isn't active. What's wrong? Either your start date is still in the future (the banner will say so), or your end date is already in the past (it'll say that too). Update the dates so "now" falls between them, or leave them both empty for an indefinite window.

I changed my timezone after setting up the auto-reply. Do my dates still mean the same thing? The wall-clock numbers (like "6:00 PM") stay the same, but they're now evaluated in your new timezone — so the absolute time shifts. Account Settings shows a warning about this when you change timezones with an active auto-reply. If you're not sure, come back to this page and double-check the dates.

Where to next

• Account Settings — set your timezone so auto-reply dates are interpreted correctly.
• Mail Filters — for more elaborate handling of incoming mail while you're away (auto-file, redirect, mark as read).
• Notification Settings — turn quarantine notifications off (or leave them on) for the period you're away.

Webmail & Apps

Webmail & Apps

This is the link in the sidebar that takes you into Hermes's web-based mail, calendar, contacts, and file storage — all in one place, with no second login to remember.

The short version

Click Webmail & Apps in the sidebar and a brief Connecting to Webmail... screen appears. A second or two later you land inside Nextcloud, the application Hermes uses for webmail and the other day-to-day apps. You're already signed in — Hermes has handed your identity over to Nextcloud behind the scenes, so you skip the login screen entirely.

Once you're in, you'll see a row of app icons across the top of the page. Four of them are the ones you'll use day to day: Mail, Files, Calendar, and Contacts. Click any of them to switch into that app. You can come back to this app row from anywhere in Nextcloud by clicking the Nextcloud logo in the top-left corner.

This sidebar entry is essentially a shortcut. It does the same thing as visiting your mail server's web address and signing in, except the sign-in part is already taken care of for you.

What you find inside

Mail. Webmail for your Hermes mailbox. Your primary account is already configured — when you open Mail for the first time, your Inbox is right there. You can read messages, reply, compose new mail, organize folders, and search. If you also want to read mail from another account (a personal Gmail address, for example), Nextcloud Mail can add it as an extra account, but it isn't required.

Files. Your private cloud storage. Upload, download, organize folders, and share files with other people in your organization. There's also a shared area for files other people in your organization have shared with you. Files you upload here are also available on your phone and computer if you install the Nextcloud client app (covered below).

Calendar. A personal calendar that lives on the server, so it shows up the same everywhere. You can create events, set reminders, and subscribe to other people's calendars if they share one with you. This calendar also syncs to your phone — see Set Up Your Devices for the connection details.

Contacts. A personal address book that syncs the same way. Contacts you add here can show up in the Phone or Mail app on your phone if you connect your device, so a number you save once on the web is on your phone the next time you open it.

Signing in (it just happens)

You don't need to enter a password when you click Webmail & Apps. You're already signed into the user portal, so Hermes hands your identity to Nextcloud automatically using single sign-on. From Nextcloud's point of view, Hermes has already confirmed who you are.

The very first time you visit, your Nextcloud account is created behind the scenes — this takes a moment longer than usual, but it's a one-time delay. From your second visit on, you go straight in.

If you ever sign out of Nextcloud explicitly (there's a Log out option under the user menu in the top-right corner inside Nextcloud), you can come straight back via this sidebar entry and you'll be signed in again automatically. Signing out of Nextcloud does not sign you out of the Hermes user portal, and signing out of the Hermes user portal does sign you out of Nextcloud the next time it asks the server.

About that "Connecting to Webmail..." screen

The brief spinner you see on the way in is doing real work, not just decoration. It's giving your browser a moment to set up the small piece of state that Nextcloud needs to recognise the sign-on hand-off cleanly, and then forwarding you to the right page. Normally it's gone in under a second. If you ever see it sit there for more than a few seconds without moving on, that's a sign the browser couldn't reach Nextcloud — refresh the page, and if it still hangs, let your administrator know.

Getting Nextcloud on your phone or laptop

Nextcloud has free desktop apps for Windows, Mac, and Linux, plus mobile apps for iPhone and Android. They sync your Files so they appear like a regular folder on your computer or in a regular app on your phone.

You can download them from the official Nextcloud download page:

https://nextcloud.com/install/#install-clients

To sign in on those apps, you'll need a server address and a username, and you'll either sign in through your browser when prompted (the easiest path on desktop) or paste an app password (the easiest path on mobile). See Set Up Your Devices for the exact server settings and My App Passwords for how to generate a credential the app can use.

Where to learn more

Nextcloud is a separate application with its own documentation. The four apps above each have a chapter that covers everything they can do in much more depth than makes sense to duplicate here. The official user manual is at:

https://docs.nextcloud.com/server/latest/user_manual/en/

If you want to know how to share a file with a link that expires in 7 days, how to set a calendar reminder to also send an email, how to import contacts from a vCard file, or any other in-app question, that's the place to look.

What this entry does NOT do

• It doesn't show you a new screen inside the Hermes user portal — it launches you out into a separate app (Nextcloud) in the same browser tab.
• It's not where you change your password, set up two-factor authentication, or create app passwords. Those live in Account Settings and My App Passwords in this user portal.
• It's not where you configure mail filters, your vacation reply, or sender allow/block lists. Those live in Mail Filters, Vacation / Auto-Reply, and Sender Filters.
• It's just a shortcut. Visiting Nextcloud directly at the URL your administrator gave you would land you in exactly the same place — this sidebar link only saves you from typing the URL and signing in again.

Common scenarios

First-time visit. Click Webmail & Apps. The connecting screen lasts a moment longer than usual because Hermes is creating your Nextcloud account on the fly. When the page settles, you'll be in Nextcloud's main view. Click Mail in the top app row to see your inbox.

Daily mail check. Click Webmail & Apps. By the time you've looked back at your screen, you're in. Click Mail. Your inbox loads.

Sharing a file with a colleague. Click Webmail & Apps, then Files in the top app row. Upload or open the file you want to share. Click the share icon next to the file, type the colleague's name or email address, choose whether they can view or also edit, and click Share. The colleague will see the file in their own Files app the next time they open it.

Adding the Nextcloud app on your phone. Install the Nextcloud mobile app from the App Store or Google Play. When it asks for the server address, enter the URL your administrator gave you for the mail server (the same one you use to reach this user portal). Sign in when prompted — for mobile, the cleanest approach is to use an app password from My App Passwords. Once it's connected, your Files appear like a regular folder on the phone, and you can save photos straight into them.

Sharing a calendar with a colleague. Open Webmail & Apps, click Calendar, hover over the calendar you want to share in the left-hand list, click the share icon that appears, and type the colleague's name or email. They'll see the shared calendar in their own Calendar app right away, and on their phone the next time it syncs.

Webmail & Apps takes me to a login screen — what happened? Usually this means your single sign-on session has expired (it happens after a long idle period) or you signed out of Nextcloud explicitly at some point. Sign in once with your normal email and password and you'll be back to one-click access from then on. If the login screen keeps coming back even right after signing in, see the FAQ below.

Frequently asked questions

Why does my username look strange inside Nextcloud? Nextcloud may show a long internal ID as your username (something like a UUID, or your email address with extra characters). That's normal — Hermes assigns Nextcloud a stable internal ID for each user so that renaming your email address later doesn't lose your files. Your display name (what other people see) is your real name and email, and that's what shows up on shared files, calendar invitations, and so on.

Can I use my own webmail instead? Yes. Webmail & Apps is one of several ways to reach your mail. You can also use any standards-based mail app — Apple Mail, Thunderbird, Outlook, K-9 on Android, and so on — by following Set Up Your Devices. The webmail in here is just convenient when you're at a browser and don't want to set anything up.

How do I sign out of Nextcloud? Click your user icon in the top-right corner of any Nextcloud page and choose Log out. You'll be signed out of Nextcloud but you'll stay signed into the Hermes user portal. To sign back in, click Webmail & Apps again — you'll go straight back in without typing a password.

Why doesn't a file I uploaded show up on my phone? If you uploaded a file in Nextcloud Files and don't see it in the Nextcloud mobile app, either the mobile app hasn't synced yet (pull down to refresh) or it isn't configured to sync the folder you uploaded into. The mobile app lets you choose which folders to keep locally and which to leave on the server. Check the app's settings.

Where do the calendars and contacts I create here live? On the Hermes server, in your Nextcloud account. They're available everywhere you sign into Nextcloud — webmail, the Nextcloud mobile app, and any CalDAV/CardDAV-compatible app you've connected (see Set Up Your Devices). They're not stored on any third-party service.

What if my administrator turned off Files, Calendar, or Contacts for my account? You may see fewer apps in the top row, or one of the apps may show a blank or restricted view. That's a server-level decision and isn't something you can change yourself. Contact your administrator if you need access to an app you don't see.

Webmail & Apps isn't in my sidebar — where is it? The entry only appears if your account is allowed to use Nextcloud. If it's missing entirely, your administrator hasn't enabled Webmail & Apps for your account. Contact them if you think you should have it.

I'm being asked to sign in to Nextcloud even after clicking Webmail & Apps. This usually points to a stale or expired sign-on session. Sign in once with your normal Hermes email and password. If it keeps prompting you on every visit, let your administrator know — there may be a configuration issue with single sign-on that they need to look at.

Will signing into Nextcloud from a phone or laptop app count as a separate sign-in? Yes. The Nextcloud mobile and desktop apps use an app password to sign in to your account, not single sign-on. That's why My App Passwords exists — each device gets its own credential, and you can revoke any one of them without affecting the others.

Where to next

• Set Up Your Devices — server settings and step-by-step instructions for connecting Nextcloud's mobile and desktop apps (and standard mail apps) to your account.
• My App Passwords — generate per-device credentials so the Nextcloud mobile app, mail apps, and calendar apps can sign in.
• Account Settings — change your main password and manage two-factor authentication. The same password and 2FA also protect Webmail & Apps, because Nextcloud trusts the user portal's sign-in.