This seems like a tangled knot of desired separation running into password reuse across many services.
which means you could probably get their “linked to many services” password, but you’re not authorized. Question also arises of who typed in their password originally. You’d like it to be the user if it can’t be you.
Way 1 also probably puts more work on you, e.g. for file restore. Are you authorized to access their files?
Way 2 is presumably where mail uses your chosen password. There are other ways to get reporting out.
Reporting options is the base, and we’re talking mail, but http is also possible using free or paid services.
Duplicati Monitoring is a third party donation supported service.
Introducing the Duplicati Portal: Your New Hub for Cloud-Based Backup Monitoring and Management
is an emerging freemium service from Duplicati Inc. that seems ambitious. I’m not sure if does email yet.
Way 3 might also be implemented with an email server that doesn’t need a login. This was once common with corporate email servers that would accept emails from the company network.Possibly this is less so currently, or perhaps your users are remote (which raises other questions if you must remote administer).
Or if no login is not possible, one with an email login where credentials are email-only might be acceptable. Typically email servers offer some logging, I believe, so anyone abusing the emailing can maybe be found.
How would this help anybody or anything? Mail service may want a password. User likely won’t know hash.
Simplest way is to not email. Use some http notification plus software. Some people even write their own.
Example Scripts shows how options can be set from a script, e.g. from a file where user types password, however the trick would be how to securely protect the password from being too easily seen, even by you.
If you want to explore other ways to submit email, please contact your email server admin. We don’t know.
Does user have administrator privileges on their computer? Which system account will Duplicati be using?
Is this an Active Directory domain? That might have other ways, but you’d need to talk to that administrator.
Basically, even without Duplicati, is there a way on a system to keep them out of your stuff and vice versa?