Please enable JavaScript to view this site.

MDaemon Email Server 24.5

Navigation: Security Menu > Dynamic Screening

Options/Customize

Scroll Prev Top Next More

Using Dynamic Screening, MDaemon can track the behavior of incoming connections to identify suspicious activity and then respond accordingly. You can block an IP address (or range of addresses) from connecting when it fails authentication a specified number times within a specified amount of time. You can also block the accounts attempting to authenticate when they fail too many times too quickly. Also, when an IP address or account is blocked, it is not permanent. The connecting IP address or account will be blocked for the number of minutes, hours, or days that you specify, and they can be unblocked manually by the admin.

Enable the Dynamic Screening service

Check this box to enable the Dynamic Screening service. You can also enable/disable the service under the Servers section in the navigation pane of MDaemon's main user interface.

System Options

Enable Authentication Failure Tracking

When this option is enabled, the Dynamic Screening service will track authentication failures for the protocols designated on the Protocols tab and perform actions determined by the options on the Auth Failure Tracking tab. This option is enabled by default.

Enable Dynamic Screening Block List

This option turns on the Dynamic Screening service's ability to block IP addresses and ranges. You can manage the block list from the Dynamic Block List tab. The block list option is on by default.

Enable Dynamic Screening Allow List

This option turns on the Dynamic Screening service's Dynamic Allow List feature, which you can use to exempt IP addresses and ranges, to exclude them from Dynamic Screening. The allow list is on by default.

Block Logon Policy Violations

By default MDaemon requires accounts to use their full email address when logging in instead of just the mailbox portion of their address (e.g. they must use "user1@example.com" instead of just "user1"). This is controlled by the "Servers require full email address for authentication" option on the Systems page. When that option is on, you can also turn on this Block Logon Policy Violations option if you wish to block any IP address that attempts to logon without using the full email address. This option is off by default.

Advanced Logging Options

Log Auth Failure data at startup

This option enables the writing of all authentication failure data that is currently stored by Dynamic Screening to the log file at startup. This is disabled by default.

Log Block List data at startup

Enables the writing of all Dynamic Block List data that is currently stored to the log file at startup. This is disabled by default.

Log Allow List data at startup

Enables the writing of all Dynamic Allow List data that is currently stored to the log file at startup. This is disabled by default.

Log Location data when available

Check this box if you wish to log each connection's location data, if it's available.

Log Locations using ISO-3166 Codes

Check this box if you wish to use ISO-3166 two-letter country codes when logging locations, instead using names.

Log all Allow List hits

This option adds an entry to the Dynamic Screening log each time an inbound connection is from an address that is on the Dynamic Allow List.

Log all Block List hits

This option adds an entry to the Dynamic Screening log each time an inbound connection is from an address that is on the Dynamic Block List.

Log all trusted IP list hits

This option adds an entry to the Dynamic Screening log each time an inbound connection is from a Trusted IP address.

Log all Location Screen hits

This option adds an entry to the Dynamic Screening log each time an inbound connection is refused due to Location Screening.

Log all failed authentications

This option adds an entry to the Dynamic Screening log each time an inbound connection fails authentication.

Log all successful authentications

Enable this option if you wish to log every incoming authentication attempt that succeeds. This is disabled by default.

Log all connections allowed

Enable this option if you wish to create a log entry for every connection that passes Dynamic Screening and is allowed to proceed. This is disabled by default.

Log all connections refused

This option adds an entry to the log every time an incoming connection is refused by Dynamic Screening.

Log configuration when changes detected

This option adds entries to the log for all Dynamic Screening configurations when changes are detected from external sources (such as manually editing the INI file). Normal changes are logged at the Info level.

Log summary once [Daily | Hourly | Per minute]

Adds to the Dynamic Screening log a summary of Dynamic Screening stats once every day, hour, or minute. By default the summary is logged hourly.

Screening Data Reset Options

Reset all Auth Failure data

Click this checkbox if you wish to clear all Dynamic Screening authentication data. You must then click Apply or OK for the reset to occur.

Reset all Block List data

Click this checkbox if you wish to clear all Dynamic Screening Block List data. You must then click Apply or OK for the reset to occur.

Reset all Allow List data

Click this checkbox if you wish to clear all Dynamic Screening Allow List data. You must then click Apply or OK for the reset to occur.

Enable Advanced User Interface features

Check this box and then close/reopen the MDaemon configuration interface to add several advanced Dynamic Screening features. A Domain NAT Exemptions screen is added to the Dynamic Screening dialog, from which you can designate specific IP address/domain combinations to exempt from Dynamic Screening blocking when valid users at that IP address fail password authentication. There are also several Dynamic Screening shortcuts added to the toolbar's Dynamic Screening section, and an option is added to the Dynamic Screening shortcut menu under the Servers section of the main interface that allows you to pause rather than disable the Dynamic Screening service, preventing clients from accessing the service while you manage its settings.

See: