
MDaemon Email Server 24.5


Auth Failure Tracking


Ignore authentication attempts using identical passwords

This option applies to both the IP Address Blocking Options and the Account Blocking Options below. By default, when an authentication attempt fails, subsequent attempts that use the same password are ignored: they do not count against the number of failures allowed before the IP address or account is blocked. Repeated attempts with the same incorrect password typically occur when, for example, a user's email password has changed or expired and their client keeps trying to log in with the old one.

Only for valid accounts

Activate this option if you wish to ignore duplicate-password authentication attempts only when they are directed at a valid account. If, for example, a user updates his password in one client while another client is still running with the old password, that old client's sign-in attempts will still be ignored, since it uses the correct sign-in name. A bot trying random sign-in names with the same password does not get that benefit and will be blocked as soon as it exceeds the authentication failure threshold.

IP Address Blocking Options

Block addresses after [xx] authentication failures within [xx] [Minutes | Hours | Days]

Check this box if you wish to temporarily block an IP address that fails to authenticate to your server an excessive number of times within a limited period. Specify the number of failures allowed and the length of the period in minutes, hours, or days.

Enable IPv4 aggregation as low as x.x.x.x/ [xx] identical bits (CIDR)

This option blocks a range of IPv4 addresses when the authentication failures come from addresses near each other rather than from a single address.

Enable IPv6 aggregation as low as x::::x:x/ [xx] identical bits (CIDR)

This option blocks a range of IPv6 addresses when the authentication failures come from addresses near each other rather than from a single address.

Multiple Offense Penalties

This is the length of time an IP address or IP address range is blocked by the Dynamic Screening system when it exceeds the allowed number of authentication failures. By default the block grows longer with each subsequent offense. The first time an IP address violates the authentication failure limit, it is blocked for one day. If the same IP address violates the limit again, the Second offense penalty is added to the Default expiration timeout; on the next violation the Third offense penalty is added to the default timeout, and so on. The penalty stops growing once the Fourth offense penalty is being added.

Default expiration timeout

This is the amount of time an IP address or IP address range will be blocked from connecting to MDaemon if it violates the authentication failure limit specified above. The default is 1 day.

Second offense penalty

This is the amount of time that will be added to the Default expiration timeout when an IP address or IP range is blocked by Dynamic Screening a second time.

Third offense penalty

This is the amount of time that will be added to the Default expiration timeout when an IP address or IP range is blocked by Dynamic Screening a third time.

Fourth offense penalty

This is the amount of time that will be added to the Default expiration timeout when an IP address or IP range is blocked by Dynamic Screening for the fourth time or any subsequent time.

Permanent

Check this box if you wish to permanently block IP addresses that violate the authentication failure limit, rather than blocking them temporarily using the offense penalties specified above.
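The following is an added illustration, not MDaemon code, of how the "Ignore authentication attempts using identical passwords" and "Only for valid accounts" options interact with the Multiple Offense Penalties described above. It assumes the duplicate-password check is keyed per source IP, that a block resets the failure count, and uses constructed thresholds, penalties, accounts and IPs (only the 1-day default timeout is taken from the page).

```python
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample settings; only the 1-day default timeout is the page's own default.
WINDOW, MAX_FAILURES = timedelta(minutes=10), 5
DEFAULT_TIMEOUT = timedelta(days=1)
OFFENSE_PENALTY = {2: timedelta(days=1), 3: timedelta(days=3), 4: timedelta(days=7)}
VALID_ACCOUNTS = {"alice@example.com"}  # constructed account directory

class AuthFailureTracker:
    def __init__(self, ignore_identical=True, only_valid_accounts=False):
        self.ignore_identical, self.only_valid_accounts = ignore_identical, only_valid_accounts
        self.failures = defaultdict(deque)  # ip -> timestamps of counted failures in the window
        self.last_fp = {}                   # ip -> SHA-256 of the last failed password (no plaintext kept)
        self.offenses = defaultdict(int)    # ip -> number of blocks issued so far

    def record_failure(self, ip, account, password, now):
        """Count one failed login; return the block length if this failure triggers a block."""
        fp = hashlib.sha256(password.encode()).hexdigest()
        eligible = not self.only_valid_accounts or account in VALID_ACCOUNTS
        if self.ignore_identical and eligible and self.last_fp.get(ip) == fp:
            return None  # same wrong password again (e.g. a stale client): not counted
        self.last_fp[ip] = fp
        q = self.failures[ip]
        q.append(now)
        while now - q[0] > WINDOW:  # slide the window forward
            q.popleft()
        if len(q) < MAX_FAILURES:
            return None
        q.clear()
        self.offenses[ip] += 1
        n = min(self.offenses[ip], 4)  # the fourth offense penalty applies to every later offense
        return DEFAULT_TIMEOUT + OFFENSE_PENALTY.get(n, timedelta())

def run_bot(trk, ip, tries, t0):  # constructed bot: one password sprayed across made-up names
    results = (trk.record_failure(ip, f"user{k}@example.com", "Password1", t0 + timedelta(seconds=k))
               for k in range(tries))
    return [d.days for d in results if d is not None]  # block lengths in days, in order issued

def demo():
    t0 = datetime(2024, 1, 1, 9, 0)
    strict = AuthFailureTracker(only_valid_accounts=True)
    for i in range(20):  # stale client: 20 retries of an expired password on a valid account
        strict.record_failure("203.0.113.10", "alice@example.com", "old-pass", t0 + timedelta(seconds=i))
    lax = AuthFailureTracker(only_valid_accounts=False)
    return (len(strict.failures["203.0.113.10"]), run_bot(strict, "198.51.100.7", 25, t0),
            run_bot(lax, "198.51.100.8", 25, t0))
```

With the option on, the stale client counts as a single failure while the bot is blocked for 1, 2, 4, 8 and again 8 days; with it off, the bot's identical password is also ignored and it is never blocked.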

Account Blocking Options

Block accounts that fail authentication [xx] times within [xx] [Minutes | Hours | Days]

Check this box if you wish to temporarily add an account to the Blocked Account List whenever it fails the specified number of authentication attempts in the designated amount of time. Blocked accounts can only sign in from Trusted IPs and IPs on the Dynamic Allow List. Accounts on the Exempt Account List will never be automatically added to the Blocked Account List. This option is disabled by default.

Blocked account timeout

This is the amount of time that the account will remain blocked.

Admins may unblock accounts by replying to notification email within the timeout period

When an account is automatically added to the Blocked Account List, by default an administrator will receive a notification email about it (see the "Notify when an account is blocked" option on the Notifications page). The administrator can unblock the account simply by replying to the email. This option is enabled by default.
