MailEnable Professional Guide
Localhost - Policies
Administration > Server configuration > Localhost - Policies

The Policies tab provides settings to lock out users after too many failed password attempts and prevent users from entering simple passwords.




Lock out user for one hour after

Keeps track of mailbox authentication failures per hour; all services have the authentication logged as one.  When the number of failed attempts is reached, the mailbox will be locked out for 1 hour. You are able to unlock a mailbox by opening its properties in the administration program - if it is blocked a button will be shown allowing you to unblock. This lock out option does allow invalid users to lock out valid users from their account (by trying incorrect credentials). It is recommended to avoid this option and use the Enable Abuse Detection and Prevention option instead.

Enforce password policy

When an administrator creates an account or a user changes a password, the password must meet the password complexity requirements that are enabled. Existing passwords are not affected by enabling this option. So if you have users with a simple password they will still be able to log in. Use the Check existing passwords button to find these mailboxes. There are some policies which are always enforced on password changes when this option is enabled. These are:

  • Passwords cannot include the mailbox name or the postoffice name.
  • Password cannot include the word password.
  • Password cannot be pass or test.

Other password policies are then enabled as you wish. You can use the Check existing passwords button to produce a list of all the mailboxes which fail to meet the password requirements.

Enable abuse detection and prevention IP addresses will be temporarily blocked if they appear to be trying to guess a password. Blocked IP addresses will be held in cache memory for hour. In order to release the blocked IP's from memory the respective service needs to be restarted, or the Unblock IP Address button can be used to remove an address. If an IP address is whitelisted under the SMTP options then it will not be blocked. If an IP address is just trying to use the same username/password over and over it will not be blocked, as it is just assumed to be an incorrectly configured client account.