Access policy

更新时间:
复制 MD 格式

Manage user login permissions and security policies.

Important

To enhance account security, new Alibaba Mail subscriptions include a default, enabled blacklist policy named "Third-party Client Access Policy." This policy blocks logins from all third-party clients. If an account needs to use a third-party client, navigate to the mail admin console > security management > account security > access policy. Click Edit to add the account as an exception or disable the policy entirely. The change takes effect within five minutes.

image

Overview

Access policies give you centralized control over user login permissions and security. They let you configure fine-grained policies based on multiple dimensions, including user scope, IP address, and client type. From a single interface, administrators can flexibly combine these conditions for precise access control. Policies apply only to the selected client types—such as Alibaba Mail native clients, DingTalk, web clients, the Outlook add-in, and WeChat Official Accounts—ensuring that security rules target specific endpoints. This lets you grant legitimate access while effectively blocking high-risk or unauthorized login attempts.

Key features

This feature unifies IP address restrictions and client controls to provide more flexible and powerful access management.

One-stop, efficient management

You can now configure access permissions for both IP addresses and clients from a unified panel.

Granular control

You can combine multiple dimensions in a single policy to meet complex control requirements.

Whitelist and blacklist modes

Exclusive allow (whitelist)
  • This mode blocks all access for specified users unless the policy explicitly allows it.

  • This enables Zero Trust controls.

Standard blocking (blacklist)
  • This mode blocks only specific high-risk IP ranges or non-compliant clients.

  • All other access is allowed by default.

Seamless migration

We have automatically upgraded your existing rules to the new policy format; they remain in effect. No reconfiguration is required.

Note

This feature replaces the previous "Native Client Login Security" and "Set Secure Login IP" settings, which were located under security management > account security.

Creating an access policy

When you enter the mail admin console, an upgrade prompt appears. Click Upgrade Now to merge IP restriction and client control features. We automatically migrate existing rules to the new policy format, and they remain in effect.

Note

This is a new feature for users of the free edition of Alibaba Mail. However, rules created in this edition cannot include IP range settings.

imageimage

image

Navigate to Domain Management> security management > account security > access policy in the mail admin console and click the Create Policy button.

A. Policy type

image

Important

Once configured, a policy applies to all specified members, including the administrator's postmaster account. These accounts can only sign in if they meet the policy conditions. To avoid being locked out of the mail admin console if your login environment changes, consider adding the postmaster account to the exception list.

You can choose between two policy types based on your security requirements:

Policy type

Description

whitelist policy

For specified users, only access requests that match the policy conditions are allowed. All other requests are denied. This is ideal for high-security scenarios.

blacklist policy

For specified users, access requests that match the policy conditions are denied. All other requests are allowed. This is ideal for blocking known risks.

Note

Policy execution logic

Denial takes precedence: If a user matches both a whitelist policy and a blacklist policy, the blacklist policy is enforced and access is denied.

Default allow: By default, users who do not match any policy are allowed access.

B. Policy conditions

image

1. Scope

Define the user scope for the policy:

  • All Members: The policy applies to all users in your domain.

  • Specific Departments and Members:

    • Select specific departments or individual members.

    • Select the Include sub-departments checkbox to cover the selected departments and all their child departments.

  • Exclude specific objects (the Except option):

    • You can exclude certain departments or members from the defined scope.

    • The Include sub-departments option is also available for exclusions.

2. IP range

  • Enter a single IP address (e.g., 192.168.1.1) or an IP range (e.g., 192.168.1.1-192.168.1.100).

  • You can add multiple IP addresses or ranges. The policy applies if the user's IP address matches any of the entries.

  • You can also specify locations. Note: Location-based conditions currently support only IPv4 addresses.

    image

3. Client type

Select one or more client types for fine-grained control:

  • Alibaba Mail native client (mobile and desktop)

  • Alibaba Mail web client (does not include the mail admin console)

  • DingTalk for PC

  • DingTalk for mobile

  • Alibaba Mail Outlook add-in

  • WeChat Official Account

  • Third-party client

Note: The policy applies only to the selected client types.

C. Test and verification

After you create or modify a policy, follow these steps to verify it works as expected:

  1. Sign in with the target user account from different IP addresses or clients.

  2. Verify that access is allowed or denied as expected.

  3. Check system logs or security audit records to confirm when the policy is triggered.

You can run a test during the final step of creating an access policy. You can also click the Test and Verification button after creation to start a test.

imageimage

Note

1. During policy creation, the test in the final step evaluates the policy as if it were enabled.

2. After creating a policy, click Test and Verification. If the policy is enabled (the switch is on), the test evaluates it against the effective rules. If the policy is disabled, it is not evaluated during the test.

Example: web client

If access is denied due to a policy restriction, the sign-in page shows a clear message: The administrator has enabled IP sign-in restrictions. The current IP cannot sign in. This message tells users why their access is blocked.

image