Back to Community Threads
2
Webmail Brute Force Defaults & Settings
Question asked by They Call Me Matt - 4/23/2018 at 5:12 PM
Answered
I'm aware that 3 1/2 months ago the settings for this were moved from web.config over to mailConfig.xml, and this is definitely something nice to have, however it only took less than 12 hours before a client locked out their entire organization from webmail using the default settings.

1) Since you are basing this on IP and not on the account being logged into, a default setting of 5 attempts is absolutely not a good default.

2) Why isn't this configurable in the IDS interface yet???

3) Why is this based on IP and not on the account being logged into?

Again, I appreciate that this was added, but the implementation has shortcomings, and it causes more real world problems than it solves out of the box as is.

1 Reply

Reply to Thread
0
Employee Replied
4/24/2018 at 9:49 AM
Employee Post Marked As Answer
Matthew, thank you for posting.  In SmarterMail 16, you can modify the mailConfig.xml and change the <LoginRetries> element to a higher number that better suits your environment.  A similar element is <LoginTimeout> which determines the block duration.
 
Regarding your second and third points, these have been already added to the SmarterMail 17 interface.  The value is configurable in the IDS blocks and it can be configured to block either by IP or by account.  We have kept the by IP to prevent attackers from attempting on all possible accounts.
 
I hope this helps,
Robert
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Force Webmail Traffic Over HTTPSSmarterMail > Server Configuration and Management
Setting Up Two-Step Authentication (2FA, MFA, etc.)SmarterMail > Desktop and Mobile Synchronization
Customizing SmarterMail's Webmail InterfaceSmarterMail > Installation and Configuration
Google Safe Browsing Warning and SmarterMailSmarterMail > Troubleshooting
Set up SmarterMail as an IIS Site in IIS 10SmarterMail > Server Configuration and Management