Auth failure notification
When a user makes too many failed login attempts their IP gets blacklisted, which is good. But there isn't any kind of notification to the user why they're blacklisted which causes user frustration. This behavior is true with WorldClient and other email clients.
For WorldClient (webmail) I propose a feedback notification, such as "Too many failed login attempts. Please try again in 10 minutes." based on the current MDaemon Auth Failure Tracking settings.
Could this also happen for the ActiveSync and desktop clients, too? There have been many occasions where a user calls me to complain they can't connect their tablet or laptop because they (unknowingly) had too many failed authentication attempts.
Thank you for sharing your idea with us. The current version of MDaemon allows you to send a notification to the user when their account auth failure count reaches a certain level. Ideally this would happen before their IP address actually gets blocked.
Adding further notifications that are accessible to the public would be dangerous. It would provide attackers with information they could use to defeat the system.
Martin Wyatt commented
Thank you. Perhaps I was unclear. I'm referring to a technique that most websites do, where if I try logging in with the incorrect credentials, say 5 times, it pops up a message on-screen to the effect "Too many failed logins. Please try again in XX minutes." Is there a security risk with a generic notification/message like that?
In MDaemon the notification option I have found is sent to global postmaster or admin via email - not the user. Wouldn't notifying a user via email who cannot log into their account seem odd since they can't log in to see the notification? Hence my suggestion for an on-screen notification.
Or is there another type of notification method you're referring to?