This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Auto ban/block IP addresses that attempt SMTP auth

I have UTM as a spam/virus filter in front of my email server.

Inbound SMTP (port 25) is only ever going to be "anonymous" SMTP delivering to my email server, or relaying from static IP addresses.

I frequently see authentication fails along the lines of 

server_login authenticator failed for (USER) [145.249.107.135]:37894: 535 Incorrect authentication data (set_id=username@domain.com)

As I do not allow authenticated SMTP inbound, is there a method of auto banning or blocking IP addreses that attempt to authenticate on SMTP ?



This thread was automatically locked due to age.
Parents
  • I see the failed attempt in the SMTP log.

    As I do NOT use authentication, any failed attempt is automatically a "bad actor" hence wanting to use it to block any further attempts

  • SMTP clients can authenticate to get relaying privileges. Select the checkbox Allow authenticated relaying and specify the users and user groups that should be able to use this feature. How to add users is explained on the Definitions & Users > Users & Groups > Users page. Click Apply to save your settings.

    I bet you dont use UTM in this way "clients send email directly through UTM, skipping the mail-server

    Anyway:
    1 Under Definitions & Users > Authentication Services > Advanced, Check "SMTP Proxy" and "Drop packets from blocked hosts"
    Set the desired second (maksimum is 24 hours, 86400 Seconds)

    2 If you are using "transparent mode" (i bet so) and one of the bad actor is still persistent you can skip that bad actor from "Transparent Mode". Be adviced, you have to delete any firewall rule for service smtp, and the bad actor will never contact you in this way

  • I think you have missed the point.

    1. Clients do not send email through UTM, they send via their connection to the email server which does not use SMTP. the email server receoves email via UTM, and sends email via UTM.

    2. I am using UTM to filter malware/spam/virii I am not using transparent mode.

    What I am after is for any addresses that fail (or even attempt)  authentication to be added to a block list without any manual intervention.

     

     

     

  • I  know that you dont use to send emails through UTM.

    Read it carefully next time

    Copied from above:

    I bet you dont use UTM in this way "clients send email directly through UTM, skipping the mail-server

  • Maybe I'm missing something, but I fail to see the relevance of what you have posted to "automatically block IP addresses that attempt to authenticate".

     

     

     

     

  • Unknown said:

    1 Under Definitions & Users > Authentication Services Advanced, Check "SMTP Proxy" and "Drop packets from blocked hosts"
    Set the desired second (maksimum is 24 hours, 86400 Seconds)

     

     

     

     

     

  • Or maybe you are seeing mailserver logs. If so, you must ask the question to the mailserver forum!!!

  • how are hosts going to be added to the list of blocked hosts ?

Reply Children