Auto ban/block IP addresses that attempt SMTP auth

I have UTM as a spam/virus filter in front of my email server.

Inbound SMTP (port 25) is only ever going to be "anonymous" SMTP delivering to my email server, or relaying from static IP addresses.

I frequently see authentication fails along the lines of 

server_login authenticator failed for (USER) [145.249.107.135]:37894: 535 Incorrect authentication data (set_id=username@domain.com)

As I do not allow authenticated SMTP inbound, is there a method of auto banning or blocking IP addresses that attempt to authenticate on SMTP?
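The log line quoted above is an Exim-style "authenticator failed" record. As an added example, not code from this thread or from Sophos UTM, the following Python parses such lines and builds a block list with a threshold-within-window policy (threshold=1 reproduces the questioner's "any attempt is a bad actor" rule) and an expiry capped at 24 hours; the timestamp prefix and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the Exim-style "authenticator failed" line quoted in the question.
# The leading "YYYY-MM-DD HH:MM:SS" timestamp is an assumed log prefix.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed for "
    r".*?\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+: 535 "
)

MAX_BAN_SECONDS = 86400  # 24 hours, the longest block this example will issue

# Constructed sample log: two quick failures from one host, an ordinary inbound
# delivery, and two failures half an hour apart from another host.
SAMPLE_LOG = """\
2024-05-01 10:00:01 server_login authenticator failed for (USER) [192.0.2.10]:37894: 535 Incorrect authentication data (set_id=username@domain.com)
2024-05-01 10:00:05 server_login authenticator failed for (USER) [192.0.2.10]:37901: 535 Incorrect authentication data (set_id=admin@domain.com)
2024-05-01 10:00:07 <= sender@example.net H=mail.example.net [198.51.100.7] P=esmtp S=2048
2024-05-01 10:30:00 server_login authenticator failed for (USER) [198.51.100.9]:41000: 535 Incorrect authentication data (set_id=test@domain.com)
2024-05-01 11:00:00 server_login authenticator failed for (USER) [198.51.100.9]:41010: 535 Incorrect authentication data (set_id=test@domain.com)
""".splitlines()

def auth_failures(lines):
    """Yield (timestamp, ip) for each SMTP auth failure found in the log lines."""
    for line in lines:
        m = AUTH_FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]

def ips_to_block(lines, threshold=1, window_seconds=600, ban_seconds=MAX_BAN_SECONDS):
    """Return {ip: ban_expiry} for IPs that reach `threshold` failures within
    `window_seconds`. threshold=1 is the questioner's policy: with SMTP auth
    disabled, a single attempt marks a bad actor. A higher threshold with a
    window approximates a user-portal style lockout that tolerates a few
    stale-credential retries from legitimate users."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = {}
    for ts, ip in auth_failures(lines):
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold and ip not in banned:
            banned[ip] = ts + timedelta(seconds=min(ban_seconds, MAX_BAN_SECONDS))
    return banned

if __name__ == "__main__":
    for ip, until in ips_to_block(SAMPLE_LOG).items():
        print(f"block {ip} until {until:%Y-%m-%d %H:%M:%S}")
```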

  • Why do you use Authentication?

  • In reply to oldeda:

    I see the failed attempt in the SMTP log.

    As I do NOT use authentication, any failed attempt is automatically a "bad actor" hence wanting to use it to block any further attempts

  • In reply to automaton:

    SMTP clients can authenticate to get relaying privileges. Select the checkbox Allow authenticated relaying and specify the users and user groups that should be able to use this feature. How to add users is explained on the Definitions & Users > Users & Groups > Users page. Click Apply to save your settings.

    I bet you don't use UTM in this way: "clients send email directly through UTM, skipping the mail-server".

    Anyway:
    1. Under Definitions & Users > Authentication Services > Advanced, check "SMTP Proxy" and "Drop packets from blocked hosts".
    Set the desired seconds (maximum is 24 hours, 86400 seconds).

    2. If you are using "transparent mode" (I bet so) and one of the bad actors is still persistent, you can skip that bad actor from "Transparent Mode". Be advised, you have to delete any firewall rule for service SMTP, and the bad actor will never contact you in this way.

  • In reply to oldeda:

    I think you have missed the point.

    1. Clients do not send email through UTM; they send via their connection to the email server, which does not use SMTP. The email server receives email via UTM, and sends email via UTM.

    2. I am using UTM to filter malware/spam/virii. I am not using transparent mode.

    What I am after is for any addresses that fail (or even attempt) authentication to be added to a block list without any manual intervention.


  • In reply to automaton:

    I know that you don't use it to send emails through UTM.

    Read it carefully next time.

    Copied from above:

    I bet you don't use UTM in this way: "clients send email directly through UTM, skipping the mail-server".

  • In reply to oldeda:

    Maybe I'm missing something, but I fail to see the relevance of what you have posted to "automatically block IP addresses that attempt to authenticate".


  • In reply to automaton:

    oldeda

    1. Under Definitions & Users > Authentication Services > Advanced, check "SMTP Proxy" and "Drop packets from blocked hosts".
    Set the desired seconds (maximum is 24 hours, 86400 seconds).


  • In reply to oldeda:

    Or maybe you are seeing mail server logs. If so, you must ask the question on the mail server forum!!!

  • In reply to oldeda:

    How are hosts going to be added to the list of blocked hosts?

  • In reply to automaton:

    Automatically

  • In reply to oldeda:

    "Automatically"

    Using the same number of attempts in the same time period that I want to use for the user portal, which needs to cope with users that change their AD password, and then attempt to logon with their browser stored credentials...

    As I originally said: "auto banning or blocking IP addresses that attempt to authenticate".

  • The only way that you could have people attempting an SMTP logon would be if you selected 'Allow authenticated relaying' on the 'Relaying' tab.

    What do you mean by "relaying from static IP addresses" - is this relaying from upstream hosts, or individuals with fixed IPs that are allowed to authenticate against the SMTP Proxy?

    Please compare your configuration to Basic Exchange setup with SMTP Proxy.

    Cheers - Bob