Security
Configures automatic IP banning rules for abuse, authentication failures, and port scanning.
This object can be configured from the WebUI under Settings › Security › Settings
Fields
abuseBanRate
Type: Rate? · default: {"count":35,"period":"1d"}
The maximum number of abuse attempts (relaying or failed RCPT TO attempts) before the IP is banned.
abuseBanPeriod
Type: Duration?
The duration of the ban for abuse attempts.
authBanRate
Type: Rate? · default: {"count":100,"period":"1d"}
The maximum number of failed login attempts before the IP is banned.
authBanPeriod
Type: Duration?
The duration of the ban for failed login attempts.
loiterBanRate
Type: Rate? · default: {"count":150,"period":"1d"}
The maximum number of loitering disconnections before the IP is banned.
loiterBanPeriod
Type: Duration?
The duration of the ban for loitering connections.
scanBanPaths
Type: String[] · default: ["*.php*","*.cgi*","*.asp*","*/wp-*","*/php*","*/cgi-bin*","*xmlrpc*","*../*","*/..*","*joomla*","*wordpress*","*drupal*"]
The paths that will trigger an immediate ban if accessed. Each path should be a glob expression.
scanBanRate
Type: Rate? · default: {"count":30,"period":"1d"}
The maximum number of port scanning attempts before the IP is banned.
scanBanPeriod
Type: Duration?
The duration of the ban for port scanning attempts.
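To see which request paths the default scanBanPaths list would ban before you change it, the following sketch matches constructed sample paths against the defaults. It is an added example, not Stalwart code: the glob semantics ('*' matches any characters including '/', '?' matches one character, matching is case-sensitive) and all function names are assumptions.

```python
import re

# Default scanBanPaths value, copied from the field description above.
DEFAULT_SCAN_BAN_PATHS = [
    "*.php*", "*.cgi*", "*.asp*", "*/wp-*", "*/php*", "*/cgi-bin*",
    "*xmlrpc*", "*../*", "*/..*", "*joomla*", "*wordpress*", "*drupal*",
]

def glob_to_regex(pattern):
    """Assumed glob semantics: '*' = any run of characters (including '/'),
    '?' = exactly one character, everything else literal, case-sensitive."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)

def first_match(path, patterns=DEFAULT_SCAN_BAN_PATHS):
    """Return the first pattern that would ban a client requesting `path`, or None."""
    for pattern in patterns:
        if glob_to_regex(pattern).fullmatch(path):
            return pattern
    return None

def audit(paths, patterns=DEFAULT_SCAN_BAN_PATHS):
    """Map each path to the pattern it trips (None = not banned)."""
    return {p: first_match(p, patterns) for p in paths}

# Constructed sample request paths: typical scanner probes plus paths a
# legitimate client might request on the same listener.
SAMPLE_PATHS = [
    "/wp-login.php",
    "/cgi-bin/test",
    "/static/../../etc/passwd",
    "/.well-known/jmap",
    "/api",
    "/help/migrating-from-wordpress.html",
]

if __name__ == "__main__":
    for path, hit in audit(SAMPLE_PATHS).items():
        print(f"{path:40} {'BAN via ' + hit if hit else 'ok'}")
```

The last sample path shows why the substring-style patterns deserve a review: a legitimate URL that merely contains "wordpress" trips the same immediate ban as a scanner probe.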
JMAP API
The Security singleton is available via the urn:stalwart:jmap capability.
x:Security/get
This is a standard Foo/get method as defined in RFC 8620, Section 5.1.
For singletons, the ids argument should be the literal singleton (or null to return the single instance).
This method requires the sysSecurityGet permission.
    # Double quotes so the shell expands $TOKEN
    curl -X POST https://mail.example.com/api \
      -H "Authorization: Bearer $TOKEN" \
      -H 'Content-Type: application/json' \
      -d '{
        "methodCalls": [
          ["x:Security/get", {"ids": ["singleton"]}, "c1"]
        ],
        "using": ["urn:ietf:params:jmap:core", "urn:stalwart:jmap"]
      }'
x:Security/set
This is a standard Foo/set method as defined in RFC 8620, Section 5.3.
For singletons, only the update argument with id singleton is accepted; create and destroy arguments are rejected.
This method requires the sysSecurityUpdate permission.
    # Double quotes so the shell expands $TOKEN
    curl -X POST https://mail.example.com/api \
      -H "Authorization: Bearer $TOKEN" \
      -H 'Content-Type: application/json' \
      -d '{
        "methodCalls": [
          ["x:Security/set",
           {"update": {"singleton": {"abuseBanRate": {"count": 35, "period": "1d"}}}},
           "c1"]
        ],
        "using": ["urn:ietf:params:jmap:core", "urn:stalwart:jmap"]
      }'
stalwart-cli wraps the same JMAP calls. See the CLI reference for installation, authentication, and general usage.
    stalwart-cli get Security
Update
    stalwart-cli update Security --field abuseBanRate='{"count":35,"period":"1d"}'
Nested types
Rate
Defines a rate limit as a count over a time period.
count
Type: UnsignedInt · default: 0 · min: 1 · max: 1000000
Count
period
Type: Duration · default: "0s" · min: 1
Period