Change the Login Attempts in SmarterMail

This article applies to recent versions of SmarterMail. View articles for SmarterMail 15.x and earlier.

For security purposes, SmarterMail limits the number of times a user can attempt to log in without success. By default, users are temporarily locked out of their account after 10 failed login attempts and will remain locked out for five minutes. System administrators can alter these settings by editing the web.config file.

Follow these steps to edit these settings:

  1. Open the web.config file in Notepad. By default, this file can be found in C:\Program Files\SmarterTools\SmarterMail\MRS.
  2. To change the number of failed attempts allowed before a block, look for this line of code:
    <add key="ForgotPassword.BruteForceDetection.TriesBeforeBlock" value="10"/>
  3. Edit the value to reflect the number of failed attempts the user can make before the block is implemented.
  4. To edit the block time, look for this line of code:
    <add key="Login.BruteForceDetection.BlockTime" value="5"/>
  5. Edit the value to reflect the amount of time, in minutes, that the block is maintained.
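
The following PowerShell script is an added example, not SmarterTools' own tooling. It reports the current values of the two keys named in the steps above and, when run with `-Apply`, backs up web.config and writes the desired values, which makes the edit easy to re-check after an upgrade. The parameter names and the `-Apply` switch belong to this example; the path is the default from step 1.

```powershell
# Added example: audit (and optionally set) the brute-force keys from the steps above.
# Assumptions: default install path from step 1; each key appears once as an
# <add key="..." value="..."/> element. Writing under Program Files needs an elevated prompt.
param(
    [string]$ConfigPath = 'C:\Program Files\SmarterTools\SmarterMail\MRS\web.config',
    [int]$TriesBeforeBlock = 10,   # failed attempts before the block (page default)
    [int]$BlockTimeMinutes = 5,    # block duration in minutes (page default)
    [switch]$Apply                 # without this switch the script only reports
)

# Key names copied verbatim from the article.
$wanted = [ordered]@{
    'ForgotPassword.BruteForceDetection.TriesBeforeBlock' = $TriesBeforeBlock
    'Login.BruteForceDetection.BlockTime'                 = $BlockTimeMinutes
}

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true    # keep the file's layout so diffs stay readable
$xml.Load($ConfigPath)

$changed = $false
foreach ($key in $wanted.Keys) {
    $node = $xml.SelectSingleNode("//add[@key='$key']")
    if (-not $node) {
        # Do not create keys the installed version does not ship with.
        Write-Warning "Key '$key' not found in $ConfigPath; nothing changed for it."
        continue
    }
    $current = $node.GetAttribute('value')
    $target  = [string]$wanted[$key]
    if ($current -eq $target) {
        Write-Output "OK     $key = $current"
    } else {
        Write-Output "DRIFT  $key = $current (expected $target)"
        if ($Apply) { $node.SetAttribute('value', $target); $changed = $true }
    }
}

if ($changed) {
    # Keep a timestamped copy of the previous file before overwriting it.
    $backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $ConfigPath -Destination $backup
    $xml.Save($ConfigPath)
    Write-Output "Saved changes; previous file kept at $backup"
}
```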

 


Feedback

Why isn't this setting in the "Security > Advanced Settings > Abuse Detection" section of SmarterMail? Editing the web.config file would have to be REPEATED every time a simple upgrade is installed!
Virgil Turner (February 20, 2014 at 12:15 PM)
Thanks, Virgil. I'll pass along the suggestion.
Derek Curtis (February 20, 2014 at 12:20 PM)
In SmarterMail 16.3.6663, we fixed the issue with brute force blocks not appearing in the IDS Blocks section. They will now appear and can be unblocked.
Andrea Rogers (August 23 at 12:41 PM)
What is this blocking? IP ADDRESS? USER?

It seems to block ANYONE from logging in on that IP ADDRESS. After a block occurs, I can log that same user in on another computer with no problem. I cannot log anyone in on the original "blocked" computer after the block.

Why would you block the IP ADDRESS instead of the user? This so-called "feature" is totally useless.

1) Can you fix it?
2) Please put it in the Abuse Detection settings where it should be.
3) Make a way for the admin user to Unblock (which doesn't seem to be documented anywhere).

Brian Arlinghaus (January 2, 2015 at 1:09 PM)
Thank you, Brian, for bringing this up. Currently, it is by design that we block the IP ADDRESS. To view the list of blocked IP ADDRESSes navigate to Manage | Current IDS Blocks. I can see the validity of blocking by USERs into the webmail interface. Therefore, I've added this to our features request list for further consideration by the dev. team. Additionally, if implemented, we will add a page to list blocked users.
Robert Emmett (January 5, 2015 at 8:55 AM)
Hi,

It's not implemented yet?

Jean-Guy Dubois (May 7, 2015 at 7:32 AM)
A quick update: In SmarterMail 16.3.6663, we fixed the issue with brute force blocks not appearing in the IDS Blocks section. They will now appear and can be unblocked. In addition, in version 17.x, which is currently in BETA, the login brute force rule has been added as an optional rule in IDS Rules. You'll now have an option for Login Brute Force by IP, as well as Login Brute Force by Email.
Andrea Rogers (August 23 at 12:41 PM)
August 18 2015, Still not implemented yet. Back to back upgrades from 8-13 and 8-14.
Once again, Why isn't this setting in the "Security > Advanced Settings > Abuse Detection" section of SmarterMail?

niceguystaug (August 18, 2015 at 6:42 AM)
A quick update: In version 17.x, which is currently in BETA, the login brute force rule has been added as an optional rule in IDS Rules. You'll now have an option for Login Brute Force by IP, as well as Login Brute Force by Email.
Andrea Rogers (August 23 at 12:39 PM)
Hi

When will you configure to block the user instead of IP ADDRESS? This so-called "feature" is totally useless if using the IP address because Admin will also be blocked if using this IP Address.

Please Help???

Thanks in advance

Api Lion (December 7, 2015 at 11:33 PM)
Hi Api! Thank you for your request. I've passed this along to our development team. While I can't guarantee this functionality will be adjusted to cover blocking the user rather than IP address, I will be sure it's brought to their attention. Thanks!
Andrea Rogers (December 9, 2015 at 8:19 AM)
A quick update: In version 17.x, which is currently in BETA, the login brute force rule has been added as an optional rule in IDS Rules. You'll now have an option for Login Brute Force by IP, as well as Login Brute Force by Email.
Andrea Rogers (August 23 at 12:39 PM)
The primary reason to block IP rather than user is that in doing so you do not slow down hackers, but only hurt your users.

Take two seconds to actually think about this and not be knee jerk in your reaction that SmarterTools got it wrong. If you block by user, your legitimate users get blocked if they forget their password and try too many times. If a hacker is using a brute force script, the script is going to try several common usernames. You just gave them exponentially more tries at getting into your server.

That said. I have found and can confirm that web login blocks are not showing up in my IDS Blocks and I have to wait for the timeout. This is a problem.

John Reid (October 19, 2016 at 6:41 AM)
Hi John, thanks for your reply! I inquired about this, and the web login blocks are not actually programmed to appear in the IDS Blocks list. This has been added to our list of feature requests for a possible inclusion in the future. If you would like to create a thread to Propose an Idea in order to facilitate tracking on this request, please do so at the Community! Thank you!!
Andrea Rogers (October 19, 2016 at 1:29 PM)
Hello John. This issue has been addressed in SmarterMail 16.3.6663: "Fixed: Login brute force blocks do not show in IDS blocks." In 16.x, these blocks can now be removed from the IDS Blocks section. In addition, in version 17.x, which is currently in BETA, the login brute force rule has been added as an optional IDS Rule in the interface. You'll now have an option for Login Brute Force by IP or Login Brute Force by Email.
Andrea Rogers (August 23 at 12:38 PM)
SM 16 - This continues to be a problem.

One of our users forgot password and triggered the block eventually.

The problem: The entire company is now locked out of Webmail. Great... not so!

Please fix this!

Thanks.

drew2160fl (August 21 at 3:16 PM)
Hi Drew. Please whitelist your office IP address. This will prevent users in the office from being blocked for brute force login attempts. Also, please note that in SmarterMail 17.x, which is currently in BETA, the login brute force rule has been added as an optional IDS Rule in the interface. You'll now have an option for Login Brute Force by IP or Login Brute Force by Email.
Andrea Rogers (August 23 at 12:36 PM)
