Auto ban/block IP addresses that attempt SMTP auth

Why do you use Authentication?

I see the failed attempt in the SMTP log.

As I do NOT use authentication, any failed attempt is automatically a "bad actor" hence wanting to use it to block any further attempts

SMTP clients can authenticate to get relaying privileges. Select the checkbox Allow authenticated relaying and specify the users and user groups that should be able to use this feature. How to add users is explained on the Definitions & Users > Users & Groups > Users page. Click Apply to save your settings.

I bet you dont use UTM in this way "clients send email directly through UTM, skipping the mail-server

Anyway:
1 Under Definitions & Users > Authentication Services > Advanced, Check "SMTP Proxy" and "Drop packets from blocked hosts"
Set the desired second (maksimum is 24 hours, 86400 Seconds)

2 If you are using "transparent mode" (i bet so) and one of the bad actor is still persistent you can skip that bad actor from "Transparent Mode". Be adviced, you have to delete any firewall rule for service smtp, and the bad actor will never contact you in this way

I think you have missed the point.

1. Clients do not send email through UTM, they send via their connection to the email server which does not use SMTP. the email server receoves email via UTM, and sends email via UTM.

2. I am using UTM to filter malware/spam/virii I am not using transparent mode.

What I am after is for any addresses that fail (or even attempt)  authentication to be added to a block list without any manual intervention.

I  know that you dont use to send emails through UTM.

Read it carefully next time

Copied from above:

I bet you dont use UTM in this way "clients send email directly through UTM, skipping the mail-server

Maybe I'm missing something, but I fail to see the relevance of what you have posted to "automatically block IP addresses that attempt to authenticate".

Unknown said:

1 Under Definitions & Users > Authentication Services > Advanced, Check "SMTP Proxy" and "Drop packets from blocked hosts"
Set the desired second (maksimum is 24 hours, 86400 Seconds)

 

 

 

 

 

Or maybe you are seeing mailserver logs. If so, you must ask the question to the mailserver forum!!!

how are hosts going to be added to the list of blocked hosts ?

Automaticly

"Automaticly"

Using the same number of attempts in the same time period that I want to use for the user portal, which needs to cope with users that change their AD password, and then attempt to logon with their browser stored credentials...

as I originally said " auto banning or blocking IP addreses that attempt to authenticate"

"Automaticly"

Using the same number of attempts in the same time period that I want to use for the user portal, which needs to cope with users that change their AD password, and then attempt to logon with their browser stored credentials...

as I originally said " auto banning or blocking IP addreses that attempt to authenticate"