Back to Community Threads
IDS Blocking server IP
Question asked by YS Tech - 2/27/2024 at 3:51 AM
Unanswered
I am currently having an issue with my mail server IP being blocked by the IDS rules.
Is it safe to put this IP in the Whitelist area so it doesn't get blocked?
Kyle Kerst Replied
2/27/2024 at 6:35 AM
Employee Post
If you believe the security of the device you are whitelisting is in good shape this shouldn't be a concern, but any compromise on the whitelisted device/network will not be caught by the IDS at that point due to the whitelisting. So it is "safe" so long as the device or network you're whitelisting is "safe" but I do recommend monitoring reports to look for changes in behavior as these could point out compromised environments that wouldn't be caught otherwise due to the whitelisting. 
Kyle Kerst
Lead Internal Network/System Administrator
SmarterTools Inc.
YS Tech Replied
2/27/2024 at 7:28 AM
As I thought.
I do have a few clients who send out notifications of forum posts, mailshots, etc. Could this be seen as an issue and why it's IDSing the IP?
It's a shame I can't set an IDS rule based on IP as well as a general one, I assume I can't?
Kyle Kerst Replied
2/27/2024 at 11:50 AM
Employee Post
That is definitely possible depending on the sending behavior. Maybe instead of unloading these messages in one session they're authenticating over and over again to send separate messages and this is being seen as a Denial of Service attack or something along those lines.

You can't set IP-specific IDS rules but can likely accomplish the same using a combination of approaches. I'd recommend monitoring reports for a couple of weeks to see what kind of throughput is coming from those IP addresses when the IDS is triggered, then set a domain/user throttle up to keep them just under that limit. This way you're not whitelisting them, but shouldn't be blocking them anymore either. 

If you've modified your IDS rules from the defaults you could try noting the current settings and then reverting to the defaults to see if you have better luck as well. I typically recommend stricter IDS rules to keep things secure, but that means we either have to educate the users on proper sending habits, or control that for them so they don't trip up those security systems.

I hope that helps! If you need a hand please don't hesitate to submit a ticket. 
Kyle Kerst
Lead Internal Network/System Administrator
SmarterTools Inc.
YS Tech Replied
2/27/2024 at 2:44 PM
Thanks Kyle,
The IP address is the mail server that Smartermail is on (the same IP as the web server), as the emails are sent from a trigger and sent to all the people who have asked to be notified of a post.
I've looked at throttling and that throttles the emails that are sent out but not the connections, which is what's blocking us.
So the throttling offers: "messages / hour", "bandwidth / hour", "bounces / hour"
The IDS rule that's being triggered is the DOS rule which is based on "connections before block"
Unless i'm misunderstanding this?
Or is "messages / hour" the same as "connections" ?

PS. Just found this in your help documentation "It is recommended that you whitelist any trusted IP addresses that may send out large mailing lists or make many connections if you enable this option."
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
554 Error - MTA Poor Reputation FixesSmarterMail > Troubleshooting
Key Feature and Version Milestones in SmarterMailSmarterMail
Configure URL Rewriting for Autodiscover on LinuxSmarterMail > Server Configuration and Management
SmarterMail for Linux – SSL/TLS & Certificate ReferenceSmarterMail > Server Configuration and Management
Windows Firewall Allow Rule for SmarterMailSmarterMail > Server Configuration and Management