Missing "Force 2FA enrollment at login" after creation of new mailbox template

[l-vanni]

Contribution guidelines

• I've read the contribution guidelines and wholeheartedly agree

Checklist prior issue creation

• I understand that failure to follow below instructions may cause this issue to be closed.
• I understand that vague, incomplete or inaccurate information may cause this issue to be closed.
• I understand that this form is intended solely for reporting software bugs and not for support-related inquiries.
• I understand that all responses are voluntary and community-driven, and do not constitute commercial support.
• I confirm that I have reviewed previous issues to ensure this matter has not already been addressed.
• I confirm that my environment meets all prerequisite requirements as specified in the official documentation.

Description

After creating a new mailbox template, the field "Force 2FA enrollment at login" is missing from the UI. Additionally, when updating the template (e.g., enabling or disabling POP), the "force_tfa": 1 attribute is removed from the MySQL database. If the template is not updated, this setting works correctly.

Steps to reproduce:

Create new mailbox template
Set "Force 2FA enrollment at login" and save template
Edit template

Logs:

DATABASE: (table templates)
|  4 | test-tpl1 | mailbox | {"quota":0,"tags":"","tagged_mail_handler":"none","quarantine_notification":"never","quarantine_category":"reject","rl_frame":"s","rl_value":"10","force_pw_update":0,"sogo_access":1,"active":1,"tls_enforce_in":null,"tls_enforce_out":null,"imap_access":1,"pop3_access":0,"smtp_access":1,"sieve_access":1,"eas_access":0,"dav_access":0,"acl_spam_alias":0,"acl_tls_policy":0,"acl_spam_score":0,"acl_spam_policy":0,"acl_delimiter_action":0,"acl_syncjobs":0,"acl_eas_reset":1,"acl_sogo_profile_reset":0,"acl_pushover":0,"acl_quarantine":1,"acl_quarantine_attachments":1,"acl_quarantine_notification":0,"acl_quarantine_category":0,"acl_app_passwds":0,"acl_pw_reset":0}       
|  4 | test-tpl2 | mailbox | {"quota":0,"tags":"","tagged_mail_handler":"none","quarantine_notification":"never","quarantine_category":"reject","rl_frame":"s","rl_value":"10","force_pw_update":0,"force_tfa":1,"sogo_access":1,"active":1,"tls_enforce_in":null,"tls_enforce_out":null,"imap_access":1,"pop3_access":0,"smtp_access":1,"sieve_access":1,"eas_access":0,"dav_access":0,"acl_spam_alias":0,"acl_tls_policy":0,"acl_spam_score":0,"acl_spam_policy":0,"acl_delimiter_action":0,"acl_syncjobs":0,"acl_eas_reset":1,"acl_sogo_profile_reset":0,"acl_pushover":0,"acl_quarantine":1,"acl_quarantine_attachments":1,"acl_quarantine_notification":0,"acl_quarantine_category":0,"acl_app_passwds":0,"acl_pw_reset":0}

Which branch are you using?

master (stable)

Which architecture are you using?

x86_64

Operating System:

AlmaLinux release 10.1 (Heliotrope Lion)

Server/VM specifications:

24G/8c

Is Apparmor, SELinux or similar active?

yes

Virtualization technology:

ESXi

Docker version:

29.4.1

docker-compose version or docker compose version:

5.1.3

mailcow version:

2026-03b

Reverse proxy:

none

Logs of git diff:

Logs of iptables -L -vn:

n.d.

Logs of ip6tables -L -vn:

n.d.

Logs of iptables -L -vn -t nat:

n.d.

Logs of ip6tables -L -vn -t nat:

n.d.

DNS check:

n.d.