Great answers, Bruce. Just to provide further clarification:
Auto-block Grace Period
- What is this?
RESPONSE: The number of days at which the user will be notified that his or her password may be changed.
CLARIFICATION: This field ties in with "Disable outgoing SMTP when auto-block grace period ends". If that is checked, then after the grace period the account(s) that violate the password policies will have their outgoing SMTP auto-blocked until the password is changed and is compliant. The "User Notification Timing" sends the violating users emails on the specified days before the auto-block grace period ends.
Require password does not match username
- Will this not only match say john@ but also a mail forward of jane@?
- Can we also get this to make all of the aliases as invalid as well?
RESPONSE: I would hope that this means that the user cannot use any portion of their username in the password, but SmarterTools will have to weigh in on this one.
CLARIFICATION: Currently, if enabled, the password cannot match the username; john@domain.com would not be able to use john as his password; however, john1 would still be accepted.
Disable password strength for existing passwords
- What happens if the user doesn't meet the new rules? I can't find if they will be immediately prompted to change to the upgraded standard.
RESPONSE: They will be prompted to change their password only if they use the web interface to log in. You can also run a report of non-compliant passwords and send them e-mail messages warning them of their non-compliance. We usually do this a couple of times before we change it for them and force them to use the web interface to change their password.
CLARIFICATION: Simply stated, existing passwords would be "exempt" from new password requirements.
Disable outgoing messages for accounts violating password requirements
- Will a user be informed that the emails will not be delivered until upgraded? Will they be queued or do we need to work on instructions for our users to go into their Sent Items and resend the messages?
RESPONSE: SmarterMail needs to weigh in on this one.
CLARIFICATION: This option will be removed in the next minor update; its functionality was replaced by auto-block grace period.
Prevent commonly used passwords
- What are the commonly used passwords and can we add to them as I know we have users that have common passwords for their companies and they don't want them.
- Speaking of companies can this be set on a per-domain basis for a custom list?
RESPONSE: Not stated anywhere. I would be very careful about setting any password requirements up for a company-by-company basis. Remember, the server operator, per case law, is ultimately responsible for what happens with the user accounts on their servers and I only see this getting more restrictive.
CLARIFICATION: There is an XML file containing these commonly used passwords. Its default location is "C:\Program Files (x86)\SmarterTools\SmarterMail\Service\common_passwords.xml". You can add to this dictionary. If removed, SM will rebuild the file with the default built-in common passwords.
As for disabling any word found in the dictionary, that would be a feature request. Requiring passwords to use uppercase, lowercase, numbers, and symbols somewhat makes it a moot point at this time.
Disable outgoing SMTP when auto-block grace period ends
- What is this?
RESPONSE: All outgoing mail for the user whose password has expired will fail until they change their password. I really like this one.
CLARIFICATION: Works in conjunction with auto-block grace period. If you fail to change your password within the grace period, outgoing SMTP will be blocked when the grace period ends.
Also note that the "User Notification Timing" also works with the password expiration option. The user will be notified via e-mail xx days (as specified in that field) before their password expires. If the password expires, they will not be able to send outgoing mail until the password is changed.
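To make the behaviour discussed in this thread concrete, here is a small Python model of the checks and timing described above. This is an added example written for this page, not SmarterMail code: the layout of common_passwords.xml is an assumption (the thread only gives the file's path, not its schema), and the "strict" username mode that rejects john1 for john@ is the behaviour Bruce hoped for, not what the current product does (the post says john1 is still accepted). The grace-period schedule mirrors the clarification: notices go out the configured number of days before the grace period ends, and outgoing SMTP is blocked from that date until the account is compliant.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date, timedelta

# Constructed sample dictionary. The real common_passwords.xml schema is not shown
# in the thread; a flat <passwords><password>...</password></passwords> layout is ASSUMED.
SAMPLE_COMMON_PASSWORDS_XML = """<?xml version="1.0" encoding="utf-8"?>
<passwords>
  <password>password</password>
  <password>123456</password>
  <password>letmein</password>
  <password>qwerty</password>
</passwords>"""


def load_common_passwords(xml_text: str) -> set:
    """Parse the (assumed) dictionary format into a lower-cased set for O(1) lookups."""
    root = ET.fromstring(xml_text)
    return {el.text.strip().lower() for el in root.iter("password") if el.text}


def username_local_part(address: str) -> str:
    """john@domain.com -> john (the part the 'does not match username' rule compares)."""
    return address.split("@", 1)[0].lower()


def check_password(password: str, username: str, common: set,
                   strict_username: bool = False, min_length: int = 8) -> list:
    """Return the list of violated rules; an empty list means the password is compliant.

    strict_username=False reproduces the behaviour the post describes: only an exact
    (case-insensitive) match with the local part is rejected, so 'john1' passes for john@.
    strict_username=True is the stronger variant: any password containing the local part
    is rejected (an addition for illustration, not a SmarterMail option)."""
    problems = []
    local = username_local_part(username)
    pw_lower = password.lower()
    if pw_lower == local:
        problems.append("matches username")
    elif strict_username and len(local) >= 3 and local in pw_lower:
        problems.append("contains username")
    if pw_lower in common:
        problems.append("commonly used password")
    if len(password) < min_length:
        problems.append("too short")
    # Complexity rules the post mentions: uppercase, lowercase, numbers and symbols.
    for label, pattern in (("no uppercase", r"[A-Z]"), ("no lowercase", r"[a-z]"),
                           ("no digit", r"[0-9]"), ("no symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(label)
    return problems


def grace_period_schedule(policy_effective: date, grace_days: int, notify_days: list) -> tuple:
    """Compute (smtp_block_date, notification_dates) for an account that violates the
    policy on the day it takes effect. Notices are sent notify_days days before the
    grace period ends; days outside the grace window are ignored."""
    block_date = policy_effective + timedelta(days=grace_days)
    notices = sorted({block_date - timedelta(days=d) for d in notify_days if 0 < d <= grace_days})
    return block_date, notices


def smtp_blocked(today: date, block_date: date, compliant: bool) -> bool:
    """Outgoing SMTP is blocked once the grace period has ended and the password is still non-compliant."""
    return (not compliant) and today >= block_date


if __name__ == "__main__":
    common = load_common_passwords(SAMPLE_COMMON_PASSWORDS_XML)
    for pw in ("john", "john1", "Password", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw, "john@domain.com", common) or "compliant",
              "| strict:", check_password(pw, "john@domain.com", common, strict_username=True) or "compliant")
    block, notices = grace_period_schedule(date(2024, 1, 1), 30, [7, 3, 1])
    print("SMTP blocked from", block, "notices on", notices)
```

Run it and the output shows the caveat from the thread directly: john1 is accepted for john@ in the default mode and rejected only in the strict mode. When you extend the dictionary on a per-server basis, keep in mind that SM rebuilds the file with defaults if it is removed, so track your additions somewhere other than the live file.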