IDS Blocking server IP
Question asked by YS Tech - 2/27/2024 at 3:51 AM
I am currently having an issue with my mail server IP being blocked by the IDS rules.
Is it safe to put this IP in the Whitelist area so it doesn't get blocked?

4 Replies

Kyle Kerst Replied
Employee Post
If you believe the security of the device you are whitelisting is in good shape this shouldn't be a concern, but any compromise on the whitelisted device/network will not be caught by the IDS at that point due to the whitelisting. So it is "safe" so long as the device or network you're whitelisting is "safe" but I do recommend monitoring reports to look for changes in behavior as these could point out compromised environments that wouldn't be caught otherwise due to the whitelisting. 
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
YS Tech Replied
As I thought.
I do have a few clients who send out notifications of forum posts, mailshots, etc. Could this be seen as an issue and why it's IDSing the IP?
It's a shame I can't set an IDS rule based on IP as well as a general one, I assume I can't?
Kyle Kerst Replied
Employee Post
That is definitely possible depending on the sending behavior. Maybe instead of unloading these messages in one session they're authenticating over and over again to send separate messages and this is being seen as a Denial of Service attack or something along those lines.

You can't set IP-specific IDS rules but can likely accomplish the same using a combination of approaches. I'd recommend monitoring reports for a couple of weeks to see what kind of throughput is coming from those IP addresses when the IDS is triggered, then set a domain/user throttle up to keep them just under that limit. This way you're not whitelisting them, but shouldn't be blocking them anymore either. 

If you've modified your IDS rules from the defaults you could try noting the current settings and then reverting to the defaults to see if you have better luck as well. I typically recommend stricter IDS rules to keep things secure, but that means we either have to educate the users on proper sending habits, or control that for them so they don't trip up those security systems.

I hope that helps! If you need a hand please don't hesitate to submit a ticket. 
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
YS Tech Replied
Thanks Kyle,
The IP address is the mail server that Smartermail is on (the same IP as the web server), as the emails are sent from a trigger and sent to all the people who have asked to be notified of a post.
I've looked at throttling and that throttles the emails that are sent out but not the connections, which is what's blocking us.
So the throttling offers: "messages / hour", "bandwidth / hour", "bounces / hour"
The IDS rule that's being triggered is the DOS rule which is based on "connections before block"
Unless I'm misunderstanding this?
Or is "messages / hour" the same as "connections"?

PS. Just found this in your help documentation "It is recommended that you whitelist any trusted IP addresses that may send out large mailing lists or make many connections if you enable this option."
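To make the distinction in this post concrete, here is an added Python example (not code from the thread or from SmarterTools) that replays constructed SMTP log lines and scores each sending IP on two separate measures: connections inside a short window, as a "connections before block" DoS rule would count them, and messages per hour, as a throttle would. The log format, window and thresholds are assumptions for the demo.

```python
from datetime import datetime, timedelta
# Constructed sample log, not from the page: "<iso time> <ip> <event>". 10.0.0.5 logs in
# once and sends three messages in that session; 10.0.0.9 opens a new session per message.
SAMPLE_LOG = """\
2024-02-27T03:50:00 10.0.0.5 CONNECT
2024-02-27T03:50:01 10.0.0.5 MESSAGE
2024-02-27T03:50:02 10.0.0.5 MESSAGE
2024-02-27T03:50:03 10.0.0.5 MESSAGE
2024-02-27T03:51:00 10.0.0.9 CONNECT
2024-02-27T03:51:01 10.0.0.9 MESSAGE
2024-02-27T03:51:02 10.0.0.9 CONNECT
2024-02-27T03:51:03 10.0.0.9 MESSAGE
2024-02-27T03:51:04 10.0.0.9 CONNECT
2024-02-27T03:51:05 10.0.0.9 MESSAGE
"""

def parse_log(text):
    """Return (timestamp, ip, event) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, ip, event = line.split()
        events.append((datetime.fromisoformat(ts), ip, event))
    return sorted(events)

def peak_in_window(events, ip, event_type, window):
    """Most `event_type` events from `ip` that fall inside any sliding `window`."""
    times = [ts for ts, src, ev in events if src == ip and ev == event_type]
    peak = start = 0
    for end, ts in enumerate(times):
        while ts - times[start] > window:  # drop events that fell out of the window
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def evaluate(text, conn_limit, conn_window_s, msg_limit):
    """Per IP: would a connections-before-block DoS rule fire, would a messages/hour throttle?"""
    events = parse_log(text)
    result = {}
    for ip in sorted({src for _, src, _ in events}):
        conns = peak_in_window(events, ip, "CONNECT", timedelta(seconds=conn_window_s))
        msgs = peak_in_window(events, ip, "MESSAGE", timedelta(hours=1))
        result[ip] = {"connections": conns, "messages": msgs,
                      "dos_rule": conns >= conn_limit, "throttle": msgs > msg_limit}
    return result

if __name__ == "__main__":
    # Thresholds are demo assumptions, not SmarterMail defaults.
    for ip, verdict in evaluate(SAMPLE_LOG, 3, 60, 2).items():
        print(ip, verdict)
```

Both senders deliver the same three messages, so a messages/hour throttle treats them alike, while only the one that reconnects per message reaches the connection threshold.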
