Hi and welcome,
in server manager, under remote access, you need to add a remote management network. This should be the public IP/Netmask of the user that want's to change the password. Once the password has changed, you want to remove the remote management IP again.
This is one of the default security features of SME Server.