6
Password brute force protection on the webmail
Question asked by Charles Michel - December 17, 2016 at 2:59 AM
Answered
I can see that there are settings to protect SmarterMail against a brute force attack on various protocols (SMTP, IMAP, etc.). But I do not see the webmail or ActiveSync in the list. What is the brute force protection for either of these two interfaces?

4 Replies

0
Charles Michel Replied
December 20, 2016 at 1:47 AM
Adding this comment just so that the question doesn't go unnoticed. I have a server under brute force attack; I would like to know that SmarterMail doesn't let users try passwords indefinitely on the webmail and ActiveSync interfaces.
1
eswanzey Replied
December 20, 2016 at 7:32 PM
My understanding is that webmail's brute force protection is enabled by default via the web.config file, even though you don't see it being reported in the admin interface. You can review that file to see what limits are being imposed. You can of course alter it to your liking by editing the web.config file, though it will be overwritten on every update.
 
I'm not sure what you would expect in "protecting" activesync from some sort of brute force attack. That doesn't make sense to me because it is simply a feature addition to an account and I think that you are overthinking things on that item.
2
David Fisher Replied
January 5 at 10:22 AM
Just wanted to update people following this thread: I have opened a ticket up with SmarterTools support, and verified with support that this is something that is not being logged. The support rep will be meeting with the development team to find out why it is not being logged.
 
Will update you when I find more information out.
 
Thanks,
-dave
1
David Fisher Replied
January 9 at 10:33 AM
Hi All,
 
Here is an update: support got back to me this morning, after meeting with the developers. They said this would be a "feature request", and not a bug, so they will file it with them to eventually add this type of logging into SmarterMail at a future date.
 
Guess lack of logging is not considered a bug. Just a security issue, but not a bug :)
 
-dave
 
