The IDS/IPS tab lets you set logging and automatic blocking parameters for the IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) component of the SMTP server.
SMTP servers are regularly attacked, both by incoming mail attacks (spam, viruses, etc.) and by relay attacks (spammers and other malware distributors trying to send mail through them). Because of this, VPOP3 has a system which tracks attack attempts on the SMTP service and can automatically block IP addresses which misbehave.
The IDS Logging section lets you tell VPOP3 to write details of suspicious events to a specified log file. This file can then be read by a third party IPS system (eg Snort) to feed updates to a firewall or security alert system.
IDS logging is disabled by default, and VPOP3 does not use the IDS log itself; the IPS component of VPOP3 uses its own log system. If you turn on IDS logging, you should have some process in place for rotating or truncating the log file. Check with the third party software you are using how the file can be acceptably rotated or truncated. VPOP3 will not rotate or truncate the log file itself; it simply appends entries to the file (one text line per event), so the file will grow indefinitely unless another process takes care of it.
The IDS Log Filename should be in a location which the VPOP3 process has permission to write to. Usually this means it cannot be on a shared drive or remote server. It is possible to use a Lua script to create the filename dynamically if you wish.
The IDS Log Line Format tells VPOP3 what data to store on each line in the log file. You can use replacements to indicate variable text.
You can use a Lua script to customise the line format further, eg if the timestamp needs to be in a different format.
The Intrusion Prevention section tells VPOP3 how to react to suspicious events when they occur.
When an SMTP connection is initiated, the order of events is:
If the connection is allowed, VPOP3 adds entries to the IPS event log as the events occur. These entries do not cause the address to be added to the Block List immediately; the accumulated events are only checked at the next connection from the same IP address. This reduces computational load on the server, and means that isolated events from an IP address will not create a Block List entry which then expires before it is ever used.
The various events which are logged are shown on this page.
Every time an event occurs within the Client Error Monitor Period, that event's 'multiplier' is added to the IP address's "score". Events with a zero multiplier are logged but never add to the score.
Notes:
When an IP address attempts to connect and the events it has already logged give a score over the Block Threshold, the address is added to the Block List. Addresses can also be added to the Block List manually.
Note that the Block List affects ALL VPOP3 services. It is also updated by the Security settings in VPOP3, if someone repeatedly attempts to log in with bad details.
The Block List can be viewed to see which IP addresses are already in the block list, when they were added, and when they will expire. If you double-click on an entry, VPOP3 will show you why that address was added to the block list. You can delete entries from the block list.
You can manually add entries to the block list by entering the address and period that the address should be blocked, and pressing the Add button. The maximum time you can block an address for is 999,999,999 minutes (approximately 1900 years). The Address you specify can be an individual address, or a network range specified in CIDR format (eg 1.2.3.0/24)
The Never Block list is used to tell VPOP3 never to block connections from the specified addresses. This can be useful for internal IP address ranges, or the IP addresses of partners or mail forwarding services.
Note that the Never Block List affects ALL VPOP3 services, and will also prevent the Security options from blocking IP addresses.
The Never Block List can be viewed to see which IP addresses are already in the list and when they were added. You can delete entries from the Never Block List by selecting them and pressing the Delete button.
You can manually add entries to the never block list by entering the address and pressing the Add button. If you add an entry to the Never Block list, then it will automatically be removed from the Block List if the address is currently blocked.
The Address you specify can be an individual address, or a network range specified in CIDR format (eg 192.168.0.0/16)
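The scoring and blocking rules described above (events accumulate a per-address score inside the Client Error Monitor Period, the score is only evaluated at the next connection from that address, addresses over the Block Threshold go on the Block List, manual entries can be CIDR ranges, and the Never Block List always wins and removes any current block) can be modelled in a few dozen lines. The Python below is an added example written for this page, not VPOP3's own code or its Lua API: the period, threshold, block length, the event multipliers and the sample addresses are all assumptions, chosen only to show how the pieces interact.

```python
import ipaddress
from collections import defaultdict

# Assumed settings; the real values are whatever is configured on the IDS/IPS tab.
MONITOR_PERIOD = 600            # Client Error Monitor Period, in seconds
BLOCK_THRESHOLD = 10            # score an address must exceed to be blocked
AUTO_BLOCK_MINUTES = 60         # assumed length of an automatic block
MAX_BLOCK_MINUTES = 999_999_999  # upper limit the page gives for a manual block

# Assumed multipliers per event type. The page lists the event types but not
# the numbers; a zero multiplier is logged but never contributes to a block.
MULTIPLIERS = {
    "relay_attempt": 5,
    "unknown_recipient": 2,
    "syntax_error": 1,
    "helo_only": 0,
}


class IpsState:
    def __init__(self, never_block=()):
        self.events = defaultdict(list)   # ip -> [(time, multiplier)]
        self.block_list = {}              # ip_network -> expiry time
        self.never_block = [ipaddress.ip_network(n, strict=False) for n in never_block]

    @staticmethod
    def _matches(ip, networks):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in networks)

    def record_event(self, ip, event, now):
        """Append an event as it happens; nothing is blocked at this point."""
        self.events[ip].append((now, MULTIPLIERS[event]))

    def score(self, ip, now):
        """Sum of multipliers for this address's events inside the monitor period."""
        return sum(m for t, m in self.events.get(ip, []) if now - t <= MONITOR_PERIOD)

    def add_block(self, network, minutes, now):
        """Block a single address or a CIDR range (manual or automatic)."""
        if not 1 <= minutes <= MAX_BLOCK_MINUTES:
            raise ValueError("block period out of range")
        self.block_list[ipaddress.ip_network(network, strict=False)] = now + minutes * 60

    def add_never_block(self, network):
        """Whitelist a range; any current block overlapping it is dropped."""
        net = ipaddress.ip_network(network, strict=False)
        self.never_block.append(net)
        self.block_list = {n: exp for n, exp in self.block_list.items() if not n.overlaps(net)}

    def on_connect(self, ip, now):
        """Decide whether a new connection from ip is allowed; returns True or False."""
        if self._matches(ip, self.never_block):
            return True
        # Drop expired blocks, then refuse anything still on the list.
        self.block_list = {n: exp for n, exp in self.block_list.items() if exp > now}
        if self._matches(ip, self.block_list):
            return False
        # Earlier events are only evaluated now, at the next connection.
        if self.score(ip, now) > BLOCK_THRESHOLD:
            self.add_block(ip, AUTO_BLOCK_MINUTES, now)
            return False
        return True


def demo():
    """Constructed scenario (addresses and timings are made up); returns the decisions."""
    ips = IpsState(never_block=["192.168.0.0/16"])
    out = {}
    spammer = "203.0.113.7"
    out["spammer_first"] = ips.on_connect(spammer, now=0)        # nothing known yet
    for t in (1, 2, 3):                                           # three relay attempts
        ips.record_event(spammer, "relay_attempt", now=t)         # score 15 > 10
    ips.record_event(spammer, "helo_only", now=4)                 # logged, adds 0
    out["spammer_score"] = ips.score(spammer, now=5)
    out["spammer_second"] = ips.on_connect(spammer, now=5)        # blocked at this connect
    out["spammer_after_expiry"] = ips.on_connect(spammer, now=5 + 3600 + 1)  # block expired, events aged out

    stray = "198.51.100.9"
    ips.record_event(stray, "syntax_error", now=0)                # one isolated event
    out["stray_later"] = ips.on_connect(stray, now=1000)          # outside monitor period, score 0

    internal = "192.168.1.5"
    for t in range(5):
        ips.record_event(internal, "relay_attempt", now=t)
    out["internal"] = ips.on_connect(internal, now=10)            # Never Block wins

    ips.add_block("203.0.113.0/24", minutes=30, now=4000)         # manual CIDR block
    out["manual_cidr"] = ips.on_connect("203.0.113.200", now=4001)
    ips.add_never_block("203.0.113.0/24")                         # removes the overlapping block
    out["after_never_block"] = ips.on_connect("203.0.113.200", now=4002)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details worth noticing: the spammer's first connection is allowed because the score is only checked on the next connection, and the single stray syntax error never blocks anyone because it has aged out of the monitor period before that address connects again.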
This lets you see the recent events added to the event log. Events are displayed here even if they have a zero 'multiplier' and so will never contribute to blocking access to VPOP3.