IDS Rules Default Settings
Problem reported by Bill T - 1/22/2026 at 10:10 PM
Submitted
Just checked our IDS rules earlier today and noticed we were still on defaults and the defaults are very gentle.

Are people using the defaults or are you lowering the thresholds and increasing the block times? I'm wondering if maybe I just wasn't paying attention.

We lowered the thresholds and increased the block times substantially today and haven't gotten any tickets yet, so likely will push them even more tomorrow. With our VoIP systems we block IP addresses for weeks or months or even years sometimes if they try to brute force us. I feel like it's worth it to have a few more support tickets than to risk these brute force attacks catching a user with a horribly weak password.
J. LaDow Replied
This is what we use - not OEM -- right-click/long-tap and view the image in a new tab / window so the forum doesn't down-scale it --

On top of this, our IDS scans the server logs and any IP that gets caught trying to break into an account is DQ'd for 90 days. Same for offensive hosts.


MailEnable survivor / convert --
Mark Johnson Replied
Here's ours; not sure how default they are. How do they compare? Any suggested improvements?

Sabatino Replied
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Gabriele Maoret - SERSIS Replied
My settings:

Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
Bill T Replied
Looks like we are on the right track lowering the thresholds and especially increasing the block times. The defaults are very light. I'm assuming the reason they are short times is because sometimes a user will change a password but not update their desktop or mobile client, so it will repeatedly try to log in with the old credentials and eventually get itself blacklisted. Maybe as an enhancement they could have two sets of rules: one for password brute force with different usernames/passwords, and one for just repeated attempts with the same username/password, which would usually be the more innocent case and could have lighter block times.
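The two-tier rule set proposed in the post above, as an added example that is not part of the thread and not SmarterMail's own IDS code: it reads constructed auth-failure log lines in a hypothetical format (timestamp, client IP, attempted username, result; real SmarterMail logs differ and do not record passwords), then separates an IP that keeps failing on one username (the stale-client case) from an IP that fails across several usernames (the spraying case) and assigns a short or a long block accordingly. All thresholds and block durations are assumptions, since the thread gives no numbers.

```python
"""Two-tier brute-force classifier over constructed auth-failure log lines.

Added example; hypothetical log format, not SmarterMail's. Thresholds are
assumptions chosen to illustrate the idea, not recommended production values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: ISO time, client IP, user, result).
SAMPLE_LOG = """\
2026-01-22T22:00:01 203.0.113.10 alice@example.com FAIL
2026-01-22T22:00:07 203.0.113.10 alice@example.com FAIL
2026-01-22T22:00:13 203.0.113.10 alice@example.com FAIL
2026-01-22T22:00:19 203.0.113.10 alice@example.com FAIL
2026-01-22T22:00:25 203.0.113.10 alice@example.com FAIL
2026-01-22T22:00:02 198.51.100.7 admin@example.com FAIL
2026-01-22T22:00:03 198.51.100.7 info@example.com FAIL
2026-01-22T22:00:04 198.51.100.7 sales@example.com FAIL
2026-01-22T22:00:05 198.51.100.7 bob@example.com FAIL
2026-01-22T22:00:06 198.51.100.7 carol@example.com FAIL
2026-01-22T22:01:00 192.0.2.44 dave@example.com FAIL
2026-01-22T22:01:30 192.0.2.44 dave@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")

# Tunable policy (assumed values).
WINDOW = timedelta(minutes=10)           # look-back window for counting failures
STALE_CLIENT_FAILS = 5                   # same username failing this often: stale client
STALE_CLIENT_BLOCK = timedelta(minutes=15)
SPRAY_DISTINCT_USERS = 3                 # this many usernames from one IP: spraying
SPRAY_BLOCK = timedelta(days=90)


def parse_log(text):
    """Parse the hypothetical log format into (time, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def classify(events, now=None):
    """Return {ip: (verdict, block_until)}; block_until is None when not blocked.

    Only FAIL events inside WINDOW are counted. A successful login from an IP
    for a username resets that IP's failure run for that username, on the
    theory that the user has fixed their client.
    """
    if now is None:
        now = max(e[0] for e in events)
    cutoff = now - WINDOW
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        if ts < cutoff:
            continue
        if result == "FAIL":
            fails_by_ip[ip].append(user)
        else:
            fails_by_ip[ip] = [u for u in fails_by_ip[ip] if u != user]
    verdicts = {}
    for ip, users in fails_by_ip.items():
        if len(set(users)) >= SPRAY_DISTINCT_USERS:
            verdicts[ip] = ("brute-force", now + SPRAY_BLOCK)
        elif len(users) >= STALE_CLIENT_FAILS:
            verdicts[ip] = ("stale-client", now + STALE_CLIENT_BLOCK)
        else:
            verdicts[ip] = ("ok", None)
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, until) in classify(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:15} {verdict:12} block until {until}")
```

The key design choice is that the verdict depends on behaviour, not on raw failure counts: five failures on one mailbox and five failures across five mailboxes hit the same numeric threshold but mean different things, so the single-threshold default has to be lenient to avoid locking out the stale client. Splitting the rules lets the spraying case get a long block without the innocent case paying for it.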
Rod Strumbel Replied
I believe the short time-frames are because of dynamic DNS: the users are rotating off the violating IP and someone else is likely getting it who was not the bad actor. We permanently block anything overseas (we are US based) detected by IDS, but allow the IDS to maintain itself for US IPs. Not ideal, but it prevents having to monitor and work on this stuff all day long. In doing this for 10+ years, I think I've only had to "re-open" one block of IPs I had locked down in the Black List due to a traveling client being unable to access their messages.
