Change the Login Attempts in SmarterMail

For security purposes, SmarterMail limits the number of times a user can attempt to log in without success. By default, users are temporarily locked out of their account after 10 failed login attempts and will remain locked out for five minutes. System administrators can alter these settings by editing the web.config file.

Applies to SmarterMail 9.x - 15.x

Follow these steps to edit these settings:

  1. Open the web.config file in Notepad. By default, this file can be found in C:\Program Files\SmarterTools\SmarterMail\MRS.
  2. To edit the number of failed attempts allowed before the block, look for this line of code:
    <add key="ForgotPassword.BruteForceDetection.TriesBeforeBlock" value="10"/>
  3. Edit the value to reflect the number of failed attempts the user can make before the block is implemented.
  4. To edit the block time, look for this line of code:
    <add key="Login.BruteForceDetection.BlockTime" value="5"/>
  5. Edit the value to reflect the amount of time, in minutes, that the block is maintained.
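
The same edit as a PowerShell script, so it can be repeated and rolled back. This is an added example, not SmarterTools' code. It assumes the default path from step 1, that both keys already exist in the file, and that the values are positive integers; the parameter names are this example's own.

```powershell
# Added example: set the two lockout values from steps 2-5 in web.config.
# Assumptions: default install path (step 1), elevated prompt, both keys present.
param(
    [string]$ConfigPath = 'C:\Program Files\SmarterTools\SmarterMail\MRS\web.config',
    [ValidateRange(1, [int]::MaxValue)][int]$TriesBeforeBlock = 10,  # failed attempts before the block
    [ValidateRange(1, [int]::MaxValue)][int]$BlockMinutes = 5        # block duration, in minutes
)

$ErrorActionPreference = 'Stop'

# Key names exactly as the article gives them in steps 2 and 4.
$settings = [ordered]@{
    'ForgotPassword.BruteForceDetection.TriesBeforeBlock' = $TriesBeforeBlock
    'Login.BruteForceDetection.BlockTime'                 = $BlockMinutes
}

# Keep a timestamped copy so the change can be reverted.
$backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $ConfigPath, (Get-Date)
Copy-Item -LiteralPath $ConfigPath -Destination $backup

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true   # leave the rest of the file's layout untouched
$xml.Load($ConfigPath)

foreach ($key in $settings.Keys) {
    # local-name() matches the <add> element whether or not the file declares a namespace.
    $node = $xml.SelectSingleNode("//*[local-name()='add'][@key='$key']")
    if ($null -eq $node) {
        # Nothing has been written yet, so the file on disk is unchanged.
        throw "Key '$key' not found in $ConfigPath; no changes were saved."
    }
    $old = $node.GetAttribute('value')
    $node.SetAttribute('value', [string]$settings[$key])
    Write-Output ('{0}: {1} -> {2}' -f $key, $old, $settings[$key])
}

$xml.Save($ConfigPath)
Write-Output "Saved $ConfigPath (backup: $backup)"
```

Saved as a script file (any name), it takes the new values as `-TriesBeforeBlock` and `-BlockMinutes`; with no arguments it writes the defaults stated in the article.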

For more information about SmarterMail, please refer to the SmarterMail Online Help.

 


Feedback

Why isn't this setting in the "Security > Advanced Settings > Abuse Detection" section of SmarterMail? Editing the web.config file would have to be REPEATED every time a simple upgrade is installed!
Virgil Turner (February 20, 2014 at 12:15 PM)
Thanks, Virgil. I'll pass along the suggestion.
Derek Curtis (February 20, 2014 at 12:20 PM)
What is this blocking? IP ADDRESS? USER?

It seems to block ANYONE from logging in on that IP ADDRESS. After a block occurs, I can log that same user in on another computer with no problem. I cannot log anyone in on the original "blocked" computer after the block.

Why would you block the IP ADDRESS instead of the user? This so-called "feature" is totally useless.

1) Can you fix it?
2) Please put it in the Abuse Detection settings where it should be.
3) Make a way for the admin user to Unblock (which doesn't seem to be documented anywhere).

Brian Arlinghaus (January 2, 2015 at 1:09 PM)
Thank you, Brian, for bringing this up. Currently, it is by design that we block the IP ADDRESS. To view the list of blocked IP ADDRESSes navigate to Manage | Current IDS Blocks. I can see the validity of blocking by USERs into the webmail interface. Therefore, I've added this to our features request list for further consideration by the dev. team. Additionally, if implemented, we will add a page to list blocked users.
Robert Emmett (January 5, 2015 at 8:55 AM)
Hi,

It's not implemented yet?

Jean-Guy Dubois (May 7, 2015 at 7:32 AM)
August 18 2015, Still not implemented yet. Back to back upgrades from 8-13 and 8-14.
Once again, Why isn't this setting in the "Security > Advanced Settings > Abuse Detection" section of SmarterMail?

niceguystaug (August 18, 2015 at 6:42 AM)
Hi

When will you configure to block the user instead of IP ADDRESS? This so-called "feature" is totally useless if using the IP address because Admin will also be blocked if using this IP Address.

Please Help???

Thanks in advance

Api Lion (December 7, 2015 at 11:33 PM)
Hi Api! Thank you for your request. I've passed this along to our development team. While I can't guarantee this functionality will be adjusted to cover blocking the user rather than IP address, I will be sure it's brought to their attention. Thanks!
Andrea Rogers (December 9, 2015 at 8:19 AM)
The primary reason to block IP rather than user is that in doing so you do not slow down hackers, but only hurt your users.

Take two seconds to actually think about this and not be knee jerk in your reaction that SmarterTools got it wrong. If you block by user, your legitimate users get blocked if they forget their password and try too many times. If a hacker is using a brute force script, the script is going to try several common usernames. You just gave them exponentially more tries at getting into your server.

That said, I have found and can confirm that web login blocks are not showing up in my IDS Blocks and I have to wait for the timeout. This is a problem.

John Reid (October 19, 2016 at 6:41 AM)
Hi John, thanks for your reply! I inquired about this, and the web login blocks are not actually programmed to appear in the IDS Blocks list. This has been added to our list of feature requests for a possible inclusion in the future. If you would like to create a thread to Propose an Idea in order to facilitate tracking on this request, please do so at the Community! Thank you!!
Andrea Rogers (October 19, 2016 at 1:29 PM)
