This discussion has been locked.

Auto ban/block IP addresses that attempt SMTP auth

I have UTM as a spam/virus filter in front of my email server.

Inbound SMTP (port 25) is only ever going to be "anonymous" SMTP delivering to my email server, or relaying from static IP addresses.

I frequently see authentication fails along the lines of 

server_login authenticator failed for (USER) [145.249.107.135]:37894: 535 Incorrect authentication data (set_id=username@domain.com)

As I do not allow authenticated SMTP inbound, is there a method of auto banning or blocking IP addresses that attempt to authenticate on SMTP?



  • I see the failed attempt in the SMTP log.

    As I do NOT use authentication, any failed attempt is automatically a "bad actor", hence wanting to use it to block any further attempts.

  • SMTP clients can authenticate to get relaying privileges. Select the checkbox Allow authenticated relaying and specify the users and user groups that should be able to use this feature. How to add users is explained on the Definitions & Users > Users & Groups > Users page. Click Apply to save your settings.

    I bet you don't use UTM in this way: "clients send email directly through UTM, skipping the mail-server".

    Anyway:
    1 Under Definitions & Users > Authentication Services > Advanced, check "SMTP Proxy" and "Drop packets from blocked hosts".
    Set the desired seconds (maximum is 24 hours, 86400 seconds).

    2 If you are using "transparent mode" (I bet so) and one of the bad actors is still persistent, you can skip that bad actor from "Transparent Mode". Be advised, you have to delete any firewall rule for service smtp, and the bad actor will never contact you in this way.
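
The rule the question describes (AUTH is never offered inbound, so every failed attempt marks a hostile source), as an added Python example that is not part of the thread or of UTM. It assumes the log line format quoted in the question; the function names, the allowed relay network and all sample lines except the first are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches the failure line quoted in the question; the ":port" part is optional.
AUTH_FAIL = re.compile(
    r"authenticator failed for .*?\[(?P<ip>[0-9A-Fa-f:.]+)\](?::\d+)?: 535 "
)

def auth_failures(lines):
    """Count failed SMTP AUTH attempts per normalized source address."""
    hits = Counter()
    for line in lines:
        m = AUTH_FAIL.search(line)
        if not m:
            continue
        try:
            hits[str(ipaddress.ip_address(m.group("ip")))] += 1
        except ValueError:
            continue  # bracketed text was not a valid IP address
    return hits

def block_candidates(lines, allow=(), threshold=1):
    """Sources with >= threshold failures that sit outside every allowed network."""
    nets = [ipaddress.ip_network(n) for n in allow]
    return sorted(
        ip for ip, count in auth_failures(lines).items()
        if count >= threshold
        and not any(ipaddress.ip_address(ip) in net for net in nets)
    )

# Hypothetical network holding the static relay hosts, which must never be banned.
RELAY_ALLOW = ["192.0.2.0/28"]

# First line is the one from the question; the rest are constructed samples.
SAMPLE_LOG = [
    "server_login authenticator failed for (USER) [145.249.107.135]:37894: 535 Incorrect authentication data (set_id=username@domain.com)",
    "server_login authenticator failed for (mail) [198.51.100.7]:50122: 535 Incorrect authentication data (set_id=info@example.com)",
    "server_login authenticator failed for (mail) [198.51.100.7]:50140: 535 Incorrect authentication data (set_id=admin@example.com)",
    "server_login authenticator failed for (USER) [2001:db8::25]:40110: 535 Incorrect authentication data (set_id=test@example.com)",
    "server_login authenticator failed for (relay) [192.0.2.10]: 535 Incorrect authentication data (set_id=relay@example.com)",
    "SMTP connection from [203.0.113.9]:4000 accepted",
]

if __name__ == "__main__":
    for ip in block_candidates(SAMPLE_LOG, allow=RELAY_ALLOW):
        print(ip)
```

With `threshold=1` a single failed attempt is enough, which matches the "any failed attempt" stance in the thread; the allow list keeps a misconfigured static relay from being banned.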
