diff --git a/internal/tui/account.go b/internal/tui/account.go
index f25b33c..9c974a4 100644
--- a/internal/tui/account.go
+++ b/internal/tui/account.go
@@ -24,7 +24,7 @@ type Fields struct {
 	SMTPHost, SMTPPort, SMTPSecurity          string
 	Username, Password                        string
 	FromAddress                               string
-	WhitelistIn, WhitelistOut, ProcessBacklog bool
+	ProcessBacklog bool
 	SubjectRegex                              string
 }
 
@@ -90,7 +90,6 @@ func (f Fields) ToAccount() (store.Account, bool) {
 		IMAPHost: f.IMAPHost, IMAPPort: ip, IMAPSecurity: f.IMAPSecurity,
 		AuthType: "password", Username: f.Username, Password: f.Password,
 		FromAddress: f.FromAddress,
-		WhitelistInEnabled: f.WhitelistIn, WhitelistOutEnabled: f.WhitelistOut,
 		SubjectRegex: f.SubjectRegex, ProcessBacklog: f.ProcessBacklog,
 	}
 	if f.Mode == "RW" {
@@ -116,8 +115,6 @@ func FieldsFromAccount(a store.Account) Fields {
 		SMTPHost: a.SMTPHost, SMTPPort: itoaPort(a.SMTPPort), SMTPSecurity: a.SMTPSecurity,
 		Username:    a.Username,
 		FromAddress: a.FromAddress,
-		WhitelistIn:    a.WhitelistInEnabled,
-		WhitelistOut:   a.WhitelistOutEnabled,
 		ProcessBacklog: a.ProcessBacklog,
 		SubjectRegex:   a.SubjectRegex,
 	}
@@ -144,8 +141,6 @@ var fieldDefs = []fieldDef{
 	{key: "username", label: "Username"},
 	{key: "from_address", label: "From address (optional)"},
 	{key: "password", label: "Password", password: true},
-	{key: "whitelist_in", label: "Whitelist inbound (y/n)", isBool: true},
-	{key: "whitelist_out", label: "Whitelist outbound (y/n)", isBool: true},
 	{key: "process_backlog", label: "Process backlog (y/n)", isBool: true},
 	{key: "subject_regex", label: "Subject regex (optional)"},
 }
@@ -189,10 +184,6 @@ func fieldValue(f Fields, key string) string {
 		return f.FromAddress
 	case "password":
 		return f.Password
-	case "whitelist_in":
-		return boolStr(f.WhitelistIn)
-	case "whitelist_out":
-		return boolStr(f.WhitelistOut)
 	case "process_backlog":
 		return boolStr(f.ProcessBacklog)
 	case "subject_regex":
@@ -276,10 +267,6 @@ func (m AccountForm) collect() Fields {
 			f.FromAddress = v
 		case "password":
 			f.Password = m.inputs[i].Value() // do not trim a password
-		case "whitelist_in":
-			f.WhitelistIn = parseBool(v)
-		case "whitelist_out":
-			f.WhitelistOut = parseBool(v)
 		case "process_backlog":
 			f.ProcessBacklog = parseBool(v)
 		case "subject_regex":
diff --git a/internal/tui/account_test.go b/internal/tui/account_test.go
index 2e46e60..7e1d288 100644
--- a/internal/tui/account_test.go
+++ b/internal/tui/account_test.go
@@ -1,6 +1,7 @@
 package tui
 
 import (
+	"strings"
 	"testing"
 
 	tea "github.com/charmbracelet/bubbletea"
@@ -69,7 +70,6 @@ func TestFieldsValidateRWNeedsSMTP(t *testing.T) {
 
 func TestFieldsToAccount(t *testing.T) {
 	f := validFields()
-	f.WhitelistIn = true
 	f.SubjectRegex = "^urgent"
 	acc, pwSet := f.ToAccount()
 	if !pwSet {
@@ -78,9 +78,12 @@ func TestFieldsToAccount(t *testing.T) {
 	if acc.Name != "work" || acc.Mode != "RW" || acc.IMAPPort != 993 || acc.SMTPPort != 465 {
 		t.Fatalf("account not assembled: %+v", acc)
 	}
-	if acc.AuthType != "password" || !acc.WhitelistInEnabled || acc.SubjectRegex != "^urgent" {
+	if acc.AuthType != "password" || acc.SubjectRegex != "^urgent" {
 		t.Fatalf("account flags wrong: %+v", acc)
 	}
+	if acc.WhitelistInEnabled || acc.WhitelistOutEnabled {
+		t.Fatal("new accounts must have whitelist flags false (managed via whitelist group)")
+	}
 	if acc.Password != "pw" {
 		t.Fatalf("password not carried: %q", acc.Password)
 	}
@@ -99,10 +102,10 @@ func TestFieldsFromAccountRoundTrip(t *testing.T) {
 	a := store.Account{
 		Name: "g", Mode: "RW", IMAPHost: "i", IMAPPort: 993, IMAPSecurity: "tls",
 		SMTPHost: "s", SMTPPort: 587, SMTPSecurity: "starttls",
-		Username: "u@x.com", WhitelistOutEnabled: true, SubjectRegex: "re:",
+		Username: "u@x.com", SubjectRegex: "re:",
 	}
 	f := FieldsFromAccount(a)
-	if f.Name != "g" || f.IMAPPort != "993" || f.SMTPPort != "587" || !f.WhitelistOut || f.SubjectRegex != "re:" {
+	if f.Name != "g" || f.IMAPPort != "993" || f.SMTPPort != "587" || f.SubjectRegex != "re:" {
 		t.Fatalf("FieldsFromAccount wrong: %+v", f)
 	}
 	// Password is never read back from an account.
@@ -190,3 +193,11 @@ func TestFieldsFromToAccountCarriesFromAddress(t *testing.T) {
 		t.Fatalf("FieldsFromAccount lost FromAddress: %q", back.FromAddress)
 	}
 }
+
+func TestFormHasNoWhitelistFields(t *testing.T) {
+	f := NewAccountForm(Fields{}, false)
+	out := f.View()
+	if strings.Contains(strings.ToLower(out), "whitelist") {
+		t.Fatalf("account form must not mention whitelists:\n%s", out)
+	}
+}