Version: 0.16

Security

Configures automatic IP banning rules for abuse, authentication failures, and port scanning.

This object can be configured from the WebUI under Settings › Security › Settings.

Fields

abuseBanRate

Type: Rate? · default: {"count":35,"period":"1d"}

The maximum number of abuse attempts (relaying or failed RCPT TO attempts) before the IP is banned.

abuseBanPeriod

Type: Duration?

The duration of the ban for abuse attempts.

authBanRate

Type: Rate? · default: {"count":100,"period":"1d"}

The maximum number of failed login attempts before the IP is banned.

authBanPeriod

Type: Duration?

The duration of the ban for failed login attempts.

loiterBanRate

Type: Rate? · default: {"count":150,"period":"1d"}

The maximum number of loitering disconnections before the IP is banned.

loiterBanPeriod

Type: Duration?

The duration of the ban for loitering connections.

scanBanPaths

Type: String[] · default: ["*.php*","*.cgi*","*.asp*","*/wp-*","*/php*","*/cgi-bin*","*xmlrpc*","*../*","*/..*","*joomla*","*wordpress*","*drupal*"]

The paths that will trigger an immediate ban if accessed. Each path should be a glob expression.

scanBanRate

Type: Rate? · default: {"count":30,"period":"1d"}

The maximum number of port scanning attempts before the IP is banned.

scanBanPeriod

Type: Duration?

The duration of the ban for port scanning attempts.
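The default scanBanPaths globs are broad, so it is worth checking the routes you actually serve against them before relying on the immediate ban. The following is an added example, not part of the Stalwart documentation or code base: it assumes shell-style matching as implemented by Python's fnmatchcase (`*` spans `/`, comparison is case-sensitive), and the sample paths are constructed.

```python
"""Added example: check request paths against the default scanBanPaths globs."""
from fnmatch import fnmatchcase

# Default scanBanPaths value copied from the field reference above.
DEFAULT_SCAN_BAN_PATHS = [
    "*.php*", "*.cgi*", "*.asp*", "*/wp-*", "*/php*", "*/cgi-bin*",
    "*xmlrpc*", "*../*", "*/..*", "*joomla*", "*wordpress*", "*drupal*",
]


def matching_patterns(path, patterns=DEFAULT_SCAN_BAN_PATHS):
    """Return every pattern that matches `path`, in configuration order.

    Assumption: '*' matches any run of characters (including '/') and the
    comparison is case-sensitive; the server's own matcher may differ.
    """
    return [p for p in patterns if fnmatchcase(path, p)]


def audit(paths, patterns=DEFAULT_SCAN_BAN_PATHS):
    """Map each path that would trigger a ban to the patterns it hit."""
    hits = {}
    for path in paths:
        matched = matching_patterns(path, patterns)
        if matched:
            hits[path] = matched
    return hits


# Constructed sample paths: routes an operator might serve or see in logs.
SAMPLE_PATHS = [
    "/jmap/session",
    "/.well-known/jmap",
    "/wp-login.php",
    "/blog/leaving-wordpress",
    "/reports/summary.aspx",
    "/static/../secret",
]

if __name__ == "__main__":
    for path, matched in audit(SAMPLE_PATHS).items():
        print(f"{path!r} would be banned by {matched}")
```

Paths such as `/blog/leaving-wordpress` match only because of a substring, which is the kind of hit to look for when the same listener also fronts other web content.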

JMAP API

The Security singleton is available via the urn:stalwart:jmap capability.

x:Security/get

This is a standard Foo/get method as defined in RFC 8620, Section 5.1.

For singletons, the ids argument should be the literal singleton (or null to return the single instance).

This method requires the sysSecurityGet permission.

curl -X POST https://mail.example.com/api \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "methodCalls": [
      [
        "x:Security/get",
        {
          "ids": [
            "singleton"
          ]
        },
        "c1"
      ]
    ],
    "using": [
      "urn:ietf:params:jmap:core",
      "urn:stalwart:jmap"
    ]
  }'

x:Security/set

This is a standard Foo/set method as defined in RFC 8620, Section 5.3.

For singletons, only the update argument with id singleton is accepted; create and destroy arguments are rejected.

This method requires the sysSecurityUpdate permission.

curl -X POST https://mail.example.com/api \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "methodCalls": [
      [
        "x:Security/set",
        {
          "update": {
            "singleton": {
              "abuseBanRate": {
                "count": 35,
                "period": "1d"
              }
            }
          }
        },
        "c1"
      ]
    ],
    "using": [
      "urn:ietf:params:jmap:core",
      "urn:stalwart:jmap"
    ]
  }'

CLI

stalwart-cli wraps the same JMAP calls. See the CLI reference for installation, authentication, and general usage.

Fetch

stalwart-cli get security

Update

stalwart-cli update security --field description='Updated'

Nested types

Rate

Defines a rate limit as a count over a time period.

count

Type: UnsignedInt · default: 0 · min: 1 · max: 1000000

Count

period

Type: Duration · default: "0s" · min: 1

Period