What's the difference? ForgotPassword.BruteForce vs Login.BruteForce
Question asked by Information Technology - 5/22/2018 at 9:43 AM
We have an issue where a single user logging in to the web interface triggers the BruteForce policy consequently blocking the entire network.
I've found that this is a setting that can be changed in the Web.config.
However, what is the difference between ForgotPassword.BruteForce and Login.BruteForce? Will either of these options stop the entire network from being blocked when a single user fails to use the correct password?
I may need to propose this idea, but I think Smartermail should have some logic built in where a user will get locked out when only a single user failed to log in x number of times. But if multiple email accounts from the same location are used and fail to log in within x amount of time, then the IP address gets blocked. And x number of attempts using invalid email accounts should probably block the IP address as well.
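The three rules the question proposes (lock one account after x of its own failures, block an IP only when several accounts fail from it inside a window, and block an IP that keeps trying non-existent accounts), as an added example; this is not SmarterMail's code and does not reflect its real BruteForceSettings, and the thresholds, window and account names are constructed.

```python
from collections import defaultdict, deque


class BruteForceTracker:
    """Per-account lockout plus per-IP blocking (constructed policy, not SmarterMail's)."""

    def __init__(self, known_accounts, account_threshold=5,
                 distinct_account_threshold=3, invalid_account_threshold=5,
                 window_seconds=600):
        self.known_accounts = set(known_accounts)
        self.account_threshold = account_threshold            # failures by one account
        self.distinct_account_threshold = distinct_account_threshold  # accounts per IP
        self.invalid_account_threshold = invalid_account_threshold    # unknown accounts per IP
        self.window_seconds = window_seconds                  # only recent failures count
        self._account_fails = defaultdict(deque)   # account -> timestamps
        self._ip_fails = defaultdict(deque)        # ip -> (timestamp, account)
        self._ip_invalid = defaultdict(deque)      # ip -> timestamps for unknown accounts
        self.locked_accounts = set()
        self.blocked_ips = set()

    def _prune(self, dq, now, key=lambda e: e):
        # Drop entries older than the window so stale failures do not accumulate.
        while dq and now - key(dq[0]) > self.window_seconds:
            dq.popleft()

    def record_failure(self, ip, account, now):
        """Record one failed login at time `now` and return the action to take."""
        if ip in self.blocked_ips:
            return "ip_blocked"
        if account not in self.known_accounts:
            # Guessing non-existent accounts is an IP-level signal, not an account one.
            dq = self._ip_invalid[ip]
            self._prune(dq, now)
            dq.append(now)
            if len(dq) >= self.invalid_account_threshold:
                self.blocked_ips.add(ip)
                return "block_ip"
            return "ok"
        adq = self._account_fails[account]
        self._prune(adq, now)
        adq.append(now)
        idq = self._ip_fails[ip]
        self._prune(idq, now, key=lambda e: e[0])
        idq.append((now, account))
        # Many distinct accounts failing from one IP is checked before the per-account rule,
        # so a single forgetful user locks only their own mailbox, not the whole office IP.
        if len({a for _, a in idq}) >= self.distinct_account_threshold:
            self.blocked_ips.add(ip)
            return "block_ip"
        if len(adq) >= self.account_threshold:
            self.locked_accounts.add(account)
            return "lock_account"
        return "ok"
```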

We are using the default settings in the Web.config file. We had a user trigger brute force policy for webmail login. Now the policy is being triggered every 5 login failures instead of the configured 10.
Does anyone know if this is expected behavior?
Employee Replied
Employee Post Marked As Answer
In SmarterMail 16 these settings have been moved to the mailConfig.xml, the settings in the web.config no longer apply. The default in the mailConfig.xml is 5 failures before a block, which is why blocks were occurring sooner than the web.config specified.
As for your suggestion on doing brute force blocking by email as well as IP, we've actually already added this feature into SmarterMail 17, and it will be included upon release!
Ryan Wittenauer Replied
Which one really controls this? I still see the setting in the web.config, but I see nothing in the mailconfig.xml file. The one in the web.config is wrong; it's set to 10 as a threshold and it seems to be blocking at 5.

Where is the correct location to change this?
In SM 16 the settings are in mailConfig.xml. It is <BruteForceSettings> around line 888. During minor version updates this setting is reverted and must be modified each time.