Dynamic Screening Alerts (Auth Failures, Blocked Accounts/IPs, Expirations)
MDaemon’s Dynamic Screening feature tracks connection behavior to detect abuse (like brute-force password guessing). It can automatically block clients (by account or IP) when suspicious patterns occur. MDaemon can send notification emails whenever these events happen. The key alerts are:
- Authentication failure count reached: If an account fails login a configurable number of times, MDaemon can email the postmaster (or other recipients) warning of the repeated failures. For example, by default MDaemon will notify you when a user’s failed login count reaches 10 attempts. This warns administrators that someone may be trying to guess a password (or that a legitimate user is having trouble).
- Account blocked: When Dynamic Screening locks out a local account for too many failures, it can send a “blocked account” notification. In this case, MDaemon identifies an account that has exceeded its failure limit and automatically disabled it. A notification is then sent to the configured recipients (postmasters, administrators, or even the user). This alert means the account can’t send or receive mail until it is unlocked.
- IP address blocked: Similar to accounts, MDaemon can also block remote IP addresses. You can enable notifications for blocked IPs. When an IP address is added to MDaemon’s dynamic block list, MDaemon can email the administrator. Optionally, the alert can include the recent connection history from that IP address. This tells you an external IP address was blocked (for example, due to too many authentication failures or spam-like behavior).
- Blocked Account & IP Expiration reports: The administrator can also get a heads-up when blocks expire. For instance, MDaemon can email a report when a blocked IP’s timeout lapses or when an account lockout is automatically lifted.
Taken together, these dynamic screening alerts let you respond quickly to attacks. Authentication-failure warnings help catch attackers (or misconfigured clients) early, and blocked-account/IP alerts tell you when the system is taking action. You can then check logs or enforce stronger passwords. (MDaemon’s global and domain postmasters are notified by default, but you can customize recipients via Security | Dynamic Screening | Notifications.)
Hijacked Account Detection
MDaemon’s Account Hijack Detection guards against compromised mail accounts being used to send spam. In Security | Screening | Hijack Detection, you can set limits on how many messages an account can send in a given time, and whether to freeze the account when limits are exceeded. There are two main triggers:
- Message volume: For example, you might limit an account to 500 messages per 30 minutes from any IP. If the account exceeds this threshold, MDaemon can freeze the account (stop it from sending) and respond with a 552 SMTP error. When this happens, MDaemon immediately emails the postmaster saying “Account X has been frozen”. The administrator can then investigate and unfreeze the account after corrective action such as changing the user’s password has been taken.
- Invalid recipient attempts: You can also detect a hijacked account by monitoring how many “5XX RCPT” (bad address) responses an account produces over a period of time. Spammers often blast to many non-existent addresses. If an account hits the configured number of failed RCPT attempts, you can choose to freeze it. Again, an email is sent to the administrator when the freeze occurs.
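The two triggers above can be modeled as sliding-window counters per account. This is an added illustration, not MDaemon's implementation: the event tuples, the function names and the bad-recipient default of 10 are assumptions, while 500 messages per 30 minutes is the example figure from the text.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def accounts_to_freeze(events, max_msgs=500, max_bad_rcpt=10,
                       window=timedelta(minutes=30)):
    """Return {account: (trigger_kind, time)} for the first limit each account exceeds.

    events: time-sorted (timestamp, account, kind) tuples, where kind is
    "msg" (message sent) or "rcpt_5xx" (recipient rejected with a 5XX reply).
    Treating "exceeds" as strictly greater than the limit is an assumption.
    """
    limits = {"msg": max_msgs, "rcpt_5xx": max_bad_rcpt}
    recent = defaultdict(deque)           # (account, kind) -> timestamps in window
    frozen = {}
    for ts, account, kind in events:
        if account in frozen or kind not in limits:
            continue                      # a frozen account sends nothing further
        q = recent[(account, kind)]
        q.append(ts)
        while ts - q[0] >= window:        # discard events that left the window
            q.popleft()
        if len(q) > limits[kind]:
            frozen[account] = (kind, ts)
    return frozen

def sample_events():
    """Constructed sample data, not real MDaemon log output."""
    t0 = datetime(2025, 1, 1, 9, 0)
    # alice: steady sender, one message every 10 minutes
    ev = [(t0 + timedelta(minutes=10 * i), "alice", "msg") for i in range(12)]
    # bob: burst of 8 messages, one per minute from 09:05
    ev += [(t0 + timedelta(minutes=5 + i), "bob", "msg") for i in range(8)]
    # carol: 4 rejected recipients, 30 seconds apart from 09:20
    ev += [(t0 + timedelta(minutes=20, seconds=30 * i), "carol", "rcpt_5xx")
           for i in range(4)]
    return sorted(ev)

if __name__ == "__main__":
    # Small limits so the constructed sample trips both triggers.
    for acct, (kind, ts) in accounts_to_freeze(sample_events(), 5, 3).items():
        print(f"freeze {acct}: {kind} limit exceeded at {ts}")
```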
Password Expiration Alerts
MDaemon can enforce password expiration requirements and alert users in advance. Under Setup | Account Settings | Passwords, you can specify after how many days a password expires. Administrators can also configure a reminder period so that any user whose password is about to expire gets a daily reminder email for a given number of days before expiration. If you set, say, 5 days, then users will see “Your password is expiring soon” emails each day starting 5 days out.
Although these reminders go to the user, administrators should enable them to reduce support calls. If a password does expire, the user must change it via MDaemon Webmail or MDaemon Remote Administration.
Antivirus and Spam Filter Update Notifications
Keeping antivirus definitions and spam filter rules up to date is critical. MDaemon can update these files automatically as new ones become available:
- Antivirus (Ikarus & ClamAV) definitions: In MDaemon Remote Administration, under Security | AntiVirus | AV Updater, there is an option “Send notification if virus definitions have not updated for [XX] days.” By default, this is 7 days. If your Ikarus or ClamAV signatures haven’t updated within this period of time, MDaemon will alert the administrator via email. This lets you know to fix connectivity or update issues before the AV engine becomes useless against new threats. While you’re here, it’s also a good idea to verify your scheduled virus definition updates via the Scheduler button under ClamAV Updater.
- Spam filter updates: MDaemon’s built-in Spam Filter can download new rule files (SpamAssassin, DNSBL lists, etc). Under Security | Content Filter | Notifications, there is a “Send Spam Filter update notification to Administrators” option (more info from the MDaemon Help file). When spam filter updates (Spam Filter | Filter Settings | Updates) are available, MDaemon can email the administrator with the results. This notification tells you how many new rules were added, and can confirm that updates are occurring. It’s useful to ensure the spam engine stays current.
In addition, the Content Filter will notify on virus/restricted attachments by default. For example, if a message arrives with a known virus, MDaemon can automatically send an email alert to the administrator, the recipient, or even the original sender. Similarly, if a banned file type is blocked, a “restricted attachment” alert can be sent. (These templates can be customized in Security | Content Filter | Notifications.) Together, AV and spam filter update alerts ensure that anti-malware defenses are active and let you know when something needs attention.
Content Filter Notifications (Built-in and Custom)
MDaemon’s Content Filter can generate notifications when certain rules are triggered:
- Built-in notifications: The Security | Content Filter | Notifications dialog lists several common alerts. For instance, you can check “Send virus notification message to Administrator/Sender/Recipient” and “Send restricted attachment notification to Administrator/Sender/Recipient” (more info from the MDaemon Help file). You can also enable the “Send Spam Filter update notification to Administrators” checkbox.
- Custom rule notifications: Beyond the built-in alerts, you can create custom filter rules that include “Send Note To…” actions. For example, you might write a rule that detects QR codes or suspicious keywords and then sends a notification email to a mailbox. The “Send Note” action lets you specify the recipient, subject, and body of the alert (and even attach the original message). This is powerful for tailor-made alerts – for instance, auto-notify a security team if certain sensitive words appear in subject lines.
Content filter notifications help keep administrators informed when suspicious email content is detected by your security rules.
System and Server Health Notifications
MDaemon can alert on general server health issues:
- Low disk space: Under Setup | Preferences | Disk, MDaemon can watch free disk space and send a warning when it dips too low. Simply check the box “Enable disk space checking engine” and enter a user or email address (e.g. postmaster) and a low disk space threshold (in MB). By default, it warns the postmaster when free disk space is at 1000 MB. You can also have it disable TCP/IP services if it goes even lower (the default is 100 MB).
This alert is crucial – a full hard drive can halt mail flow or corrupt data. Catching it early helps prevent downtime.
- Software updates: MDaemon can notify you about product updates. Under Setup | Preferences | Updates, check “Inform postmaster when new product updates are available”. When MDaemon checks for updates, it will email the postmaster if a newer version is detected (there’s also an option to install updates automatically).
- Startup/Shutdown: MDaemon logs server start/stop events in the Windows Event Log. If you configure an SMS gateway, it can even send a text alert when MDaemon unexpectedly stops or starts.
These alerts help you maintain awareness of the server’s health. If disk space runs low or updates are failing, you’ll be notified automatically.
Windows Event Log and SMS Alerts
MDaemon can also use the Windows Event Log for monitoring and even send SMS text alerts:
- Logging key events: Under Logs | Log Settings | Windows Event Log, you can check “Log important events to the Windows Event Log” to have MDaemon write important events into the system log. This dialog lets you select which events to log. Common choices include network or socket failures, database connectivity problems, RFC compliance issues, missing DNS server information, security violations, and the presence of messages in the holding queue.
- SMS/text alerts: In the same Windows Event Log settings, there is an “SMS gateway email address” field. If you enter your carrier’s email-to-SMS address (e.g. YourNumber@vtext.com for Verizon phone numbers), you can then select the checkboxes in the SMS column to have those events immediately sent as text messages. For example, you might choose to receive an SMS alert on server startup, network failure, or security violation events. Once an event happens, MDaemon treats the SMS alert as “urgent” mail and sends it right away.
Together, these monitoring tools and alerts help IT administrators spot problems early, reduce the need for manual log checking, and help keep the mail service running smoothly.
Holding Queue Reports
MDaemon’s Holding Queue is a safety net for problematic messages (those that cause software exceptions during AntiVirus, AntiSpam, or Content Filter processing). Any mail that fails filtering can be placed in the holding queue rather than deleted or lost. Administrators should monitor this queue to ensure nothing is stuck indefinitely. To aid in this, MDaemon can send summary reports of the holding queue:
- Automatic summaries: In Setup | Server Settings | Mail Queues/DSN | Holding Queue, there are options to “Email a summary of the holding queue” (and bad or quarantine queues) to specified addresses. You can list the postmaster or other email addresses, and set how often to send (e.g. every 120 minutes). The summary contains the number of messages and links to release or re-queue them. This way, every few hours you (or the postmaster) get an email listing any new holding-queue entries, rather than having to manually check the GUI.
- On startup or first message: MDaemon will always send a summary when the server starts up and again when the first message enters the holding queue.
Statistics Reports
MDaemon can be configured to send a statistics report to the postmaster at midnight each night (Setup | Preferences | Miscellaneous). This report contains mail traffic statistics such as the number of SMTP sessions over a given period of time, the number of spam or virus messages blocked, the number of messages currently stored in MDaemon's mail queues, and much more.
Administrators can also request these statistics reports on-demand via email.
Near or Over Quota Notifications
MDaemon can enforce mailbox quotas (per-account limits on storage or messages sent per day) and send reports when mailboxes are nearing their assigned quotas:
- User warnings: If an account is assigned a quota, you can configure a threshold at which MDaemon emails the user a warning. For example, under Setup | Account Settings | Quotas there is a setting “Email a warning to user if this percent of their quota is reached”. If a user exceeds that percentage, MDaemon creates a “near quota” warning in the user’s inbox every night. The warning includes their current message count, mailbox size, and percentage used. You can also set an “over quota” subject so that if they go 100% full, they get a final notice. This keeps users from suddenly running out of mailbox space.
- Daily quota report: In Setup | Account Settings | Quotas, there is an option “Send daily quota report to global and domain administrators”. If enabled with a percentage value, each day MDaemon will email all administrators a report of every user who is at or above that usage percentage. For example, setting it to 80% will list all accounts over 80% full. The report includes mailbox usage stats for each account. This allows administrators to proactively manage storage – for instance, contacting heavy users or deleting old mail. If set to 0, the report covers all users. Administrators can also exclude disabled/frozen accounts from these reports.
By using these quota alerts, MDaemon helps prevent unexpected “mailbox full” problems and gives visibility to growing disk usage. The daily admin report is particularly useful in large environments to track overall usage trends.
DMARC Aggregate (RUA) and Forensic (RUF) Reports
DMARC (Domain-based Message Authentication, Reporting & Conformance) is used to combat email spoofing and phishing. It lets a domain owner publish a policy (via DNS) that tells receivers what to do with mail that fails SPF or DKIM checks. DMARC’s reporting features let domain owners see how their domain is being used (or abused).
- Aggregate (RUA) reports: These XML reports summarize all authentication results for a domain over a given period. They include counts of messages, senders’ IPs, SPF/DKIM pass/fail status, and the DMARC policy applied. In MDaemon, enabling DMARC reporting causes the server to collect DMARC data and then automatically email daily aggregate reports (RUA) to the addresses specified by the sending domains’ DNS records. For example, MDaemon will store message authentication data and at midnight UTC generate/send each domain’s RUA report to its listed recipients. These daily summaries help administrators track overall email volume and spot trends like sudden surges of failing mail or new sending sources.
- Forensic (RUF) reports: For domains that request them (ruf= tag), DMARC failure reports (often called forensic reports) contain details about individual messages that failed DMARC. MDaemon can be configured to send a failure report in real time whenever it processes a message for a domain whose DMARC record requests RUF notifications. These reports include extensive details on the failures. Forensic reports are useful for troubleshooting why mail fails DMARC (e.g. misconfigured systems or active phishing campaigns).
Here is an example of a DMARC record showing where aggregate & forensic (RUA & RUF) reports should be sent:
v=DMARC1; p=quarantine; rua=mailto:admin@example.com; ruf=mailto:admin@example.com; fo=1; pct=70;
Here is an example of a DMARC aggregate report:
In MDaemon Remote Administration, DMARC reporting can be enabled via Security | Sender Authentication | DMARC Reporting. The RUA address (aggregate) in a domain’s DMARC record tells MDaemon where to send the summary of that domain’s incoming mail usage, while the RUF address (forensic) tells MDaemon where to send detailed failure notices. In practice, administrators should configure and monitor both: RUA reports give a high-level view of email activity and compliance, and RUF reports give granular feedback on specific failures. Together they help diagnose configuration issues and detect abuse.
In Summary
When used together, these reporting tools help keep MDaemon administrators informed of trouble areas or problems that need urgent attention. They can make an email administrator’s job much easier by reducing the amount of manual troubleshooting & scouring of log files to detect mail server security and configuration issues.