Hello,
for the "login as" part, setting this in mailcow.conf is the optimal solution:
# Allow admins to log into SOGo as email user (without any password)
ALLOW_ADMIN_EMAIL_LOGIN=n
Admins can still log into the mailcow UI and help users set up anti-spam rules or similar, but they can no longer access the users’ mailboxes via SOGo. This applies to all admins. If there’s a legitimate reason to access someone’s mail, the admin can just reset that user’s password.
As for the rest of the password change restrictions, I don’t think it’s possible with mailcow as it stands, unless you build your own UI on top of the mailcow API and enforce your own ruleset there (maybe?).
Another option could be to use an external identity provider (IdP), which gives you finer-grained access control than mailcow does. In that setup, no one in mailcow can change a user’s password, since authentication happens elsewhere. I don’t use an IdP myself, so I can’t confirm how well this works in practice or whether some IdPs allow this level of control.
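As an added example (not part of the post above, and not a mailcow script), here is a small POSIX shell audit that reads a mailcow.conf and reports whether ALLOW_ADMIN_EMAIL_LOGIN is set to the hardened value "n" from the reply. It tolerates whitespace, quotes and repeated assignments (last one wins, as when the file is sourced). The sample config files it creates are constructed for the demo; a key that is missing entirely is reported as "needs review" rather than assuming mailcow's default, which is an assumption on my part.

```shell
#!/bin/sh
# Audit helper (added example, not part of mailcow): report whether a mailcow.conf
# still lets admins open any user's mailbox in SOGo without a password.

# Print the effective value of KEY in a KEY=VALUE file.
# Comment lines are ignored, surrounding whitespace and matching quotes are
# stripped, and when KEY appears more than once the last assignment wins.
conf_value() {
  file="$1"; key="$2"
  grep -E "^[[:space:]]*${key}[[:space:]]*=" "$file" \
    | tail -n 1 \
    | sed -e 's/^[^=]*=//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e "s/^[\"']//" -e "s/[\"']$//"
}

# Exit 0 only when ALLOW_ADMIN_EMAIL_LOGIN is explicitly 'n'.
# An unset key is treated as "needs review" (exit 1) instead of assuming a
# default, which is an assumption of this example, not documented behaviour.
check_admin_email_login() {
  val=$(conf_value "$1" ALLOW_ADMIN_EMAIL_LOGIN)
  case "$val" in
    n|N) echo "OK: admins cannot open user mailboxes in SOGo ($1)"; return 0 ;;
    "")  echo "WARN: ALLOW_ADMIN_EMAIL_LOGIN not set in $1"; return 1 ;;
    *)   echo "WARN: ALLOW_ADMIN_EMAIL_LOGIN=$val in $1 lets every admin read any mailbox"; return 1 ;;
  esac
}

# Constructed sample configs for a stand-alone run (not real mailcow files).
tmp=$(mktemp -d)
printf '%s\n' '# Allow admins to log into SOGo as email user (without any password)' \
  'ALLOW_ADMIN_EMAIL_LOGIN=y' > "$tmp/weak.conf"
printf '%s\n' 'ALLOW_ADMIN_EMAIL_LOGIN=y' '  ALLOW_ADMIN_EMAIL_LOGIN = "n"  ' > "$tmp/hardened.conf"
printf '%s\n' 'MAILCOW_HOSTNAME=mail.example.test' > "$tmp/unset.conf"

for name in weak hardened unset; do
  rc=0
  check_admin_email_login "$tmp/$name.conf" || rc=$?
  echo "  exit status: $rc"
done
```

Run it against a real install with check_admin_email_login /opt/mailcow-dockerized/mailcow.conf (path is whatever your checkout uses) from a cron job or CI step, so a later edit that flips the value back to "y" is noticed rather than silently widening every admin's access.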