Community Knowledge Base

Blacklist / Whitelist

** These settings are managed in the hub in SmarterMail HA. All settings are available when running SmarterMail Enterprise.

The Blacklist and Whitelist tabs give system administrators direct, IP-level control over which connections are allowed to reach SmarterMail's protocol services (SMTP, POP, IMAP, LDAP, XMPP and, for whitelist entries, several additional protocols). These checks happen at the connection level — before any per-domain or per-mailbox content filtering runs — and they apply server-wide, across every domain hosted on the box. Blacklisting an IP address prevents it from making inbound connections on the selected protocol(s), while whitelisting an IP address (or domain) designates it as a trusted source, letting it bypass relay restrictions that would otherwise apply, including spam filtering, greylisting, and IDS (Intrusion Detection System) rules. Exercise caution when granting whitelist status to a server, and be sure you understand what services on that server might send mail through your own — a compromised or misconfigured whitelisted server can effectively become an open relay for spam.

Note: Internal (private-range) IP addresses – 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 – are whitelisted by default so LAN-based clients and internal automation aren't accidentally blocked or subjected to relay restrictions. If this is a concern (for example, on a shared or multi-tenant server where the private range isn't actually trusted), system administrators can edit these built-in whitelist entries to disable one or more protocols or bypasses for them. However, these three internal-range entries cannot be deleted outright.
Note: If the same IP address (or a range that contains it) appears on both the Blacklist and the Whitelist for a given protocol, the whitelist entry wins. SmarterMail always checks the whitelist first when a connection comes in; the blacklist is only consulted if no whitelist match is found. In practice, this means adding an IP to the whitelist is an immediate, reliable way to override an existing (or future) blacklist entry without having to touch the blacklist entry itself.

By default, both of these tabs will be empty as SmarterMail has no way of knowing the IPs or IP ranges that need to be blocked or granted access to its various services. However, once entries are added, the following details can be seen on both tabs:

  • Source - The IP address, IP range, or domain name that's black/whitelisted.
  • Country - The country associated with the IP address, resolved via an internal GeoIP lookup. This shows as N/A for entries that don't map to a specific country, such as private IP ranges or domain-based whitelist entries.
  • Description - The friendly name given to the Source, or the reason for the blacklist. Entries added automatically by SmarterMail itself – rather than typed in by an administrator – are also identified through this field (see Entries Added Automatically below).
  • Webmail - Whether the black/whitelist is enabled for this protocol.
  • EAS - Whether the black/whitelist is enabled for this protocol.
  • IMAP - Whether the black/whitelist is enabled for this protocol.
  • LDAP - Whether the black/whitelist is enabled for this protocol.
  • MAPI & EWS - Whether the black/whitelist is enabled for this protocol.
  • POP - Whether the black/whitelist is enabled for this protocol.
  • SMTP - Whether the black/whitelist is enabled for this protocol.
  • WebDAV - Whether the black/whitelist is enabled for this protocol.
  • XMPP - Whether the black/whitelist is enabled for this protocol.
  • However, the following columns are only seen on the Whitelist tab.

  • IP Bypass - For whitelists only, allows a system administrator to prevent spam checks and greylisting on email delivered from specific IP addresses.
  • SMTP Auth Bypass - For whitelists only, whether SMTP Authentication is bypassed for the entry.
  • IDS Brute Force - For whitelists only, whether the IDS Brute Force rules (including Password Brute Force by IP, Password Brute Force by Email, and Password Retrieval Brute Force) are bypassed for this entry.
  • Bypass Spam Checks - For whitelists only, whether SMTP spam checks are bypassed for the entry.
  • Bypass Greylisting - For whitelists only, whether greylisting is bypassed for the entry.
  • Proxy - For whitelists only, this should only be enabled when a proxy/reverse proxy (e.g., HAProxy) sits in front of the SmarterMail server. That proxy server should also be configured to use version 1 of the proxy protocol, which allows the proxy server to relay information about the remote connection to SmarterMail. If a proxy/reverse proxy is NOT in use, this should not be enabled as it will cause issues with connections to SmarterMail. When enabled the following occurs:
    • If a connection is initiated by an IP that is not configured in the whitelist as a Proxy, the connection is rejected. This includes message processing requests like X-Forward-For, X-Forwarded-Port, X-Forwarded-Host, and X-Forwarded-Proto. This prevents a malicious server from providing spoofed header information to bypass the blacklist, IDS rules, etc. This means that, if you enable Proxy for any whitelist entry, all connections must go through a configured Proxy.
    • SmarterMail expects all SMTP, POP, IMAP, and LDAP connections to include the proxy header information. Given the specification for the proxy protocol, this information must be received before the server returns the greeting banner for the communication protocol. If the header information is not received within a couple seconds, the connection is closed.
    • After the connection has been accepted by SmarterMail, further IP based spam checks will use the IP information that was relayed by the proxy server.
Proxy Note: The affected HTTP headers are built like chains tracing the traffic back. For example, when a request passes through a proxy, the proxy adds the X-Forwarded-For header with the original client’s IP address as the value. If it then passes through a second proxy, the first proxy’s IP is added to that header, resulting in a header like X-Forwarded-For: {client_IP}, {proxy_1_IP}. This setting ensures we only use data in the X-Forwarded-* headers that were added by trusted proxies.

While not necessary for SmarterMail to work, it is recommended that any proxy servers be configured to add the X-Forwarded-* headers to any relayed HTTP traffic. If a proxy server is configured to not add those headers, SmarterMail will treat all HTTP traffic from that server as if it originated with that server.

Entries Added Automatically ("From the Spool")

Not every Blacklist entry has to be typed in by hand. From the Spool Overview dashboard, a system administrator reviewing live SMTP activity can blacklist an offending IP address directly from one of the activity tables, without ever opening this Security page. When that happens:

  • SmarterMail creates the Blacklist entry automatically and sets its Description to "Blocked from Spool Overview". This is the tell-tale sign, when reviewing this list later, that an entry was added reactively in response to observed traffic rather than configured ahead of time by an administrator.
  • Because spammers frequently rotate through many addresses within the same subnet, blacklisting an IP from the spool also offers the option to blacklist the entire Class C (/24) IP range that address belongs to – for example, blocking 203.0.113.0–203.0.113.255 instead of just 203.0.113.5. This is a judgment call presented at confirmation time; SmarterMail will note that doing so can create overlapping entries if some addresses in that range were already individually blacklisted, so it's worth periodically reviewing the Blacklist for redundant ranges if this option is used often.
  • The relationship works both ways: removing the block from the Spool Overview dashboard deletes the corresponding Blacklist entry, and deleting the entry here removes the block as seen from the spool.

HoneyPot Entries

If one or more HoneyPot (spam-trap) addresses are configured under Antispam settings, any IP address that sends mail to one of those decoy addresses is added to the Blacklist automatically, with a description beginning with "HoneyPot". Because a HoneyPot address should never receive legitimate mail, any sender that emails one is, by definition, harvesting or guessing addresses – making this one of the more reliable automatic blacklist triggers available. These entries are read-only from this grid (they can't be edited like a manually-created entry) and are removed independently of standard blacklist entries.

Adding a New Blacklist Entry

To create a new entry in the blacklist, click New. When adding or editing an entry, the following options will be available:

  • IP Addresses (single, range or CIDR block)** - Enter a single IPv4 or IPv6 address, a dashed range (e.g., 203.0.113.10-203.0.113.20), or a CIDR block (e.g., 203.0.113.0/24). If a range or CIDR block is entered, every address it contains is treated as blacklisted.
  • Description** - Use this field to enter optional notes for understanding the various whitelist / blacklist entries. For example, "Repeated dictionary attack against POP logins"
  • Service Types** - Enable the protocol(s) you wish to include in the blacklist entry. The available options are: SMTP, POP, IMAP and XMPP. An entry can, for example, be blocked for SMTP only while still being allowed to connect over IMAP or POP – the block is scoped per protocol, not to the IP as a whole.

Be sure to click Save to add the entry.

Adding new Whitelist

To create a new entry in the whitelist, click New. The dialog first asks whether the entry's Source is an IP Address or a Domain Name; that choice determines which of the remaining options apply, as noted below:

  • Source** - Whether the whitelist will be for a domain or an IP address or range.
  • Domain Name** - When Domain Name is the Source, this is the domain name to whitelist. Domain-based entries only support the Bypass SMTP Authentication option below; the per-protocol switches and the remaining IP-specific bypasses (IP Bypass, IDS Brute Force, Spam Checks, Greylisting, Proxy) apply only to IP-based entries.
  • IP Addresses (single, range or CIDR block)** - When listing an IP address, enter a single IPv4 or IPv6 address, a dashed range, or a CIDR block (e.g., 203.0.113.0/24). If an IP range is entered, all IP addresses within that range will be contained in the list.
  • Description** - Use this field to enter optional notes for understanding the various whitelist / blacklist entries. For example, "Office LAN IPs"
  • Bypass IP for Spam Checks** - IP-based entries only. When using a gateway, this will bypass spam checks for messages passed through the gateway.
  • Bypass SMTP Authentication** - Available for both IP- and domain-based entries, enabling this bypasses the need for SMTP authentication for whitelisted IPs or domains.
  • Bypass IDS Brute Force** - IP-based entries only, enabling this bypasses IDS Brute Force checks for whitelisted IPs.
  • Bypass Spam Checks** - IP-based entries only.
  • Important Note: If SPF and DKIM spam checks are enabled, SmarterMail will run those checks on ALL emails, including those from trusted senders, whitelisted IP addresses and IP bypasses. Because anyone can write any return path that they want when sending a message, this extra check helps prevent spammers from flooding users with hundreds of messages that aren't truly from a trusted sender.
  • Bypass Greylisting** - IP-based entries only, enabling this bypasses greylisting for whitelisted IPs.
  • Protocol(s)** - IP-based entries only. Enable the protocol(s) you wish to include in the whitelist entry. The available options are: Webmail, ActiveSync (EAS), IMAP, LDAP, MAPI & EWS, POP, SMTP, WebDAV and XMPP.
Note: SmarterMail runs a check against the IPs listed in whitelist, blacklist and authentication bypass settings. This check looks at the number of IPs listed and will display a warning if the IPs listed represent a significant number. (E.g., a range greater than a /24.) While the warning does not affect the ability to save the settings, it is an indication that the system administrator may want to review the settings prior to adding the IP range.

SMTP Auth Bypass

Whitelisted IP addresses can bypass SMTP authentication, which is a security measure that can be very beneficial in the fight against spam and unauthorized email as it forces the sender to authenticate their username and password before an email is sent through the mail server. Unfortunately, some applications do not have support for SMTP authentication when sending mail. Most often, these are websites that have automated mail sending mechanisms. The solution is to add the IP addresses of these servers/sites to SmarterMail's Whitelist and enable SMTP Authentication Bypass. Whitelist entries with SMTP Auth Bypass enabled will not be asked to provide an SMTP Authentication login.

Importing/Exporting Settings

One of the primary reasons SmarterMail is so popular is that it's very easy for a system administrator to manage. Not only is SmarterMail's administration all web-based, many of the functions available for administrators can be exported from one machine and imported into another SmarterMail installation. This makes it easy for administrators to have a consistent set of security settings, antispam settings and more across all of the SmarterMail servers in use.

To import or export settings, simply click the Actions (⋮) button and select either option. When exporting, the settings are saved as a JSON file to the location specified in File Explorer. When importing files, a modal window opens and the corresponding JSON file can be dragged-and-dropped right in the modal or the file can be selected using File Explorer.

Blacklist / Whitelist and the SmarterMail API

API access now initially checks the user whitelist/blacklist for user-specific scopes as well as System Administrator IP Restrictions for system scopes after authentication. That means that when any call occurs, both are checked after authenticating but prior to the call processing on the server.