Access policy

Manage user login access and security policies.

Important

For account security, by default, new Alibaba Mail subscriptions include an enabled blacklist policy named 'Third-party Client Access Policy'. This policy blocks logins from third-party clients. If you need to log in using a third-party client, navigate to the mail admin console > security management > account security > access policy, and either disable or delete this policy. The change takes effect in about five minutes.

1. Function overview

The access policy feature lets you centrally manage user login permissions and security controls. You can create fine-grained, multi-dimensional policies based on user scope, IP address, and client type. Administrators can flexibly combine these conditions in a single interface for precise access control. Policies apply only to the selected client types, such as Alibaba Mail native clients, DingTalk, the web client, the Alibaba Mail Outlook add-in, and the WeChat Official Account, ensuring that security rules affect only the intended endpoints. You can grant legitimate access while effectively blocking high-risk or unauthorized login attempts.

2. Key features

This feature combines IP restrictions with client controls for more flexible and powerful access control.

Efficient one-stop management

Instead of navigating multiple menus, you can now configure access for both IP addresses and clients from a single panel.

Granular control

Combine multiple conditions to build policies that meet complex security requirements.

Whitelist and blacklist modes

Whitelist mode
  • Blocks all access for specified users except for traffic the policy explicitly allows.

  • Helps you implement a zero-trust security model.

Blacklist mode
  • Blocks only specific high-risk IP ranges or non-compliant clients.

  • All other access is allowed by default.

Seamless migration

Your existing rules have been automatically upgraded to the new policy format and remain in effect. No reconfiguration is required.

Note

This feature replaces the previous "Native Client Login Security" and "Set Secure Login IP" functions, which were located under security management > account security.

3. Create an access policy

When you open the mail admin console, an upgrade prompt appears. Click 'Upgrade Now' to merge the IP restriction and client control features into the new access policy format. Any existing rules are automatically migrated and remain in effect.

Note

For users of the free edition of Alibaba Mail, this new feature does not include the option to configure an IP range.

As the mail administrator, navigate to domain management > security management > account security > access policy, and click Create Policy.

A. Select a policy type

Important

Once configured, a policy enforces strict whitelist or blacklist access for all or specified members, including the postmaster account. These accounts can only log in if they meet the policy conditions. To avoid being locked out of the mail admin console if your login environment changes, we recommend adding the postmaster account to the list of exceptions.

There are two policy types:

Policy type | Description
Whitelist policy | For specified users, grants access only to requests that match its conditions. All other access is blocked. This is suitable for high-security scenarios.
Blacklist policy | For specified users, blocks access requests that match its conditions. All other access is allowed. This is suitable for risk-blocking scenarios.

Note

Policy execution logic

Deny takes precedence: If a user's request matches both a whitelist policy and a blacklist policy, the blacklist policy is enforced, and access is denied.

Default allow: Access is allowed by default for any user who does not match a policy.

B. Set policy conditions

1. Scope

Flexibly define the user scope to which the policy applies:

  • All members: The policy applies to all users in the domain.

  • Specific departments and members:

    • Select specific departments or members.

    • Select 'Include sub-departments when adding a department' to apply the policy to the selected department and all of its sub-departments.

  • Exclude specific objects ('Except' option):

    • Exclude certain departments or members from the 'All members' or a specified scope.

    • The 'Include sub-departments' option is also available for exclusions.

2. IP range

  • Enter a single IP address (e.g., 192.168.1.1) or an IP range (e.g., 192.168.1.1-192.168.1.100).

  • You can add multiple IP entries. The policy applies to all listed IP addresses.

  • You can also specify a region (region-based settings currently support IPv4 only).

3. Client type

Precisely control access by client type. You can select multiple options:

  • Alibaba Mail native client (includes mobile and desktop)

  • Alibaba Mail web client (does not include the domain admin console)

  • DingTalk for PC

  • DingTalk for mobile

  • Alibaba Mail Outlook add-in

  • WeChat Official Account

  • Third-party clients

Note: The policy affects only the selected client types.
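
The rules from sections A and B can be modelled in a few lines to dry-run a policy set before enabling it, for instance to confirm that a postmaster exception prevents a lockout. This is an added example, not Alibaba Mail code: the client labels, user names and sample policies are constructed, and scope is modelled by member names only (no departments). It assumes that a whitelist is read literally from the table (an in-scope request must match both the IP entries and a selected client type), that an empty IP list matches any IP, and that matching any one in-scope whitelist is enough.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    mode: str                 # "whitelist" or "blacklist"
    clients: set              # selected client types (labels are illustrative)
    ip_entries: list = field(default_factory=list)   # "a.b.c.d" or "a.b.c.d-e.f.g.h"
    members: set = None       # None models "All members"
    exceptions: set = field(default_factory=set)     # the "Except" list
    enabled: bool = True      # a disabled policy is not evaluated

def ip_in_entries(ip, entries):
    """True if ip equals a single-address entry or lies inside a start-end range."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        start, _, end = entry.partition("-")
        lo = ipaddress.ip_address(start.strip())
        hi = ipaddress.ip_address(end.strip()) if end else lo
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False

def in_scope(p, user):
    return p.enabled and user not in p.exceptions and (p.members is None or user in p.members)

def matches(p, ip, client):
    # Assumption: a policy with no IP entries matches any source IP.
    return client in p.clients and (not p.ip_entries or ip_in_entries(ip, p.ip_entries))

def evaluate(policies, user, ip, client):
    scoped = [p for p in policies if in_scope(p, user)]
    if any(p.mode == "blacklist" and matches(p, ip, client) for p in scoped):
        return "deny"         # deny takes precedence
    whitelists = [p for p in scoped if p.mode == "whitelist"]
    if whitelists and not any(matches(p, ip, client) for p in whitelists):
        return "deny"         # covered by a whitelist but not explicitly allowed
    return "allow"            # default allow: no policy blocks the request

# Constructed sample policies; user names and client labels are made up.
POLICIES = [
    Policy("blacklist", {"third-party"}),
    Policy("whitelist", {"web"}, ["192.168.1.1-192.168.1.100"], exceptions={"postmaster"}),
]

if __name__ == "__main__":
    for user, ip, client in [("alice", "192.168.1.50", "web"),
                             ("alice", "192.168.1.101", "web"),
                             ("postmaster", "203.0.113.9", "web")]:
        print(user, ip, client, evaluate(POLICIES, user, ip, client))
```

Results from this model are only a planning aid; the console's Test and Verification step described in section C is the authority on how a real policy behaves.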

C. Test and verification

After you create or modify a policy, you can verify that it takes effect as expected in the following ways:

  1. Attempt to log in as a target user from different IP addresses or clients.

  2. Observe whether access is granted or denied according to the policy.

  3. Check system logs or security audit records to confirm that the policy was triggered correctly.

You can test a policy during the final step of the creation wizard or by clicking Test and Verification for an existing policy.

Note

1. When you use the test function during policy creation, the test evaluates the policy as if it were active.

2. When you test an existing policy by clicking the Test and Verification button, the evaluation depends on the policy's status. If the policy is enabled, the test uses its active rules. If the policy is disabled, it is not evaluated.

For example, on the web client:

If a user's access is denied due to a policy restriction, the login page displays a clear message: "The administrator has enabled IP login restrictions. Login from the current IP is not allowed." This helps the user understand why access was blocked.
