Locked/Disabled accounts are not completely disabled/locked

Normally, when we disable/lock an account, everything is blocked.

I have seen that the user mailbox is not disabled/locked when a user is disabled/locked.

For perfect security, the account must be completely disabled/locked.

Of course, when the user is disabled/locked, it must be hidden from the address book too.

Imagine this scenario: one of your employees has been fired, so you disable the account because you still want to receive the emails of your customers.

@stephdl: In this case, where an employee left the company, we can create an alias to his replacement.
I have not said that the account must be removed.
And this alias must not be in the address book (by default).

Does this mean that you can still log in to the mailbox (which would be a bug, IMO), or that the mailbox still receives mail (which wouldn’t)?

No.

But the sender does not get an automatic message from the server saying that the user does not exist or is blocked…

If you need to block everything the choice is the account deletion. The lock/unlock generally prevents logging in; we’re discussing also how to delete its data: Change (or not) the user's data deletion policy

The solution is not to remove the account…

When the user is blocked, is it possible to send an automatic message to the sender with the correct error?

It is done by other systems.

This isn’t a bug, IMO. The user does exist, and it isn’t necessarily a sender’s business to know that the user’s blocked. Having an option to do so would be good (and I think it’s already there), but I wouldn’t at all agree with this being the default behavior.

Can you add new statuses?
https://www.zimbra.com/docs/ne/4.0.5/administration_guide/Managing_Accounts.9.1.html

The following account statuses can be set:
• Active. Active is the normal status for a mailbox account. Mail is delivered and users can log into the client interface.
• Maintenance. When a mailbox status is set to maintenance, login is disabled, and mail addressed to the account is queued at the MTA. An account can be set to maintenance mode for backing up, importing or restoring the mailbox.
• Locked. When a mailbox status is locked, the user cannot log in, but mail is still delivered to the account. The locked status can be set, if you suspect that a mail account has been hacked or is being used in an unauthorized manner.
• Closed. When a mailbox status is closed, the login is disabled, and messages are bounced. This status is used to soft-delete an account before deleting it from the server.