An "anonymous" user is anyone who has logged in and then logged out, or attempted to log in and failed in that attempt.
Anonymous users are not logged in and have no access to the mail server.
While you cannot eliminate anonymous users altogether, there are several things you can do to help protect your server from being hacked via "brute force password" and "SMTP harvesting" attacks by setting triggers to limit the number of times an IP address attempts to log in.
Here's how we have our protections set up:
The TIME FRAME is in seconds.
The COUNT is the total number of attempts within the time frame.
The BLOCK TIME is the amount of time, in minutes, for which the block will be implemented. By blocking for 60,000 minutes, we are, effectively, creating a permanent block against the IP address from which the attack originated.
NOTE THAT ALL BLOCKS ARE RESET (REMOVED) BY SERVER REBOOTS or SMARTERMAIL SERVER BOUNCES!
While these issues will not specifically address the attempts by those who might seek to initiate an attack via the web login, they will mitigate theft of passwords via other means and help secure your SmarterMail server.
You can also make certain you are running SmarterMail under IIS, and not the built-in SmarterMail webserver, and implement SSL/TLS. Users who configure their clients to use SSL or TLS, along with those users who access the web interface via the secure HTTPS interface, will be sending encrypted data, rather than plain text data where no encryption is present.
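
The TIME FRAME / COUNT / BLOCK TIME rule described above can be modelled as follows. This is an added example, not SmarterMail code or part of the original text. The 60-second time frame, the count of 5, the sliding-window counting and the sample events are assumptions made for illustration; only the 60,000-minute block time comes from the text.

```python
from collections import defaultdict, deque


class AbuseTrigger:
    """COUNT failed attempts within TIME FRAME seconds -> block for BLOCK TIME minutes."""

    def __init__(self, time_frame_s, count, block_time_min):
        self.time_frame_s = time_frame_s
        self.count = count
        self.block_s = block_time_min * 60
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> second the block expires (memory only)

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def failed_attempt(self, ip, now):
        """Record one failed login; return True if the IP is blocked afterwards."""
        if self.is_blocked(ip, now):
            return True
        window = self.attempts[ip]
        window.append(now)
        # Sliding window (assumed): forget attempts older than the time frame.
        while window and window[0] <= now - self.time_frame_s:
            window.popleft()
        if len(window) >= self.count:
            self.blocked_until[ip] = now + self.block_s
            window.clear()
            return True
        return False

    def restart(self):
        """Blocks are held in memory, so a reboot or service bounce removes them."""
        self.attempts.clear()
        self.blocked_until.clear()


def replay(trigger, events):
    """Feed (timestamp, ip) failures in order; return IPs in the order they were blocked."""
    blocked = []
    for ts, ip in events:
        if trigger.failed_attempt(ip, ts) and ip not in blocked:
            blocked.append(ip)
    return blocked


# Constructed sample events (documentation-range IPs, timestamps in seconds):
# one address fails 5 times in 40 s, the other 5 times spread over 20 minutes.
EVENTS = sorted([(t, "203.0.113.7") for t in (0, 10, 20, 30, 40)]
                + [(t, "198.51.100.9") for t in (0, 300, 600, 900, 1200)])
```

With these assumed thresholds only the fast burst is blocked; a slow attempt spread beyond the time frame never reaches the count, and calling restart() shows why blocks do not survive a reboot.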