Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 3 subscribers
  • Views 643 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Mail Server Behind UTM Sees UTM as Attacker

JeffCooper

Hi,

Apologies in advance, as I'm not sure if this can be addressed on the UTM or needs to be handled on my Kerio Connect server. Our Kerio server's "directory harvest attack" protection throws up a temporary block on offending IP addresses when a bunch of emails come in from it to unknown addresses. The problem is it sees ALL messages as coming through the UTM, including staff since, like many, we're remote the days. The result is that people stop getting emails for 15 minutes or sometimes hours if more unknown address attempts trickle in before the block times out and it resets

My Kerio log shows things like this:

[15/Apr/2020 11:25:09] Attempt to deliver to unknown recipient <auser@domain.com>, from <>, IP address 192.168.0.1
[15/Apr/2020 11:25:09] Attempt to deliver to unknown recipient <buser@domain.com>, from <>, IP address 192.168.0.1
[15/Apr/2020 11:32:06] Attempt to deliver to unknown recipient <cuser@domain.com>, from <>, IP address 192.168.0.1
[15/Apr/2020 11:32:23] Attempt to deliver to unknown recipient <duser@domain.com>, from <>, IP address 192.168.0.1
[15/Apr/2020 11:32:40] Attempt to deliver to unknown recipient <euser@domain.com>, from <>, IP address 192.168.0.1
[15/Apr/2020 11:33:05] Attempt to deliver to unknown recipient <fuser@domain.com>, from <>, IP address 192.168.0.1
[15/Apr/2020 11:33:24] Attempt to deliver to unknown recipient <guser@domain.com>, from <>, IP address 192.168.0.1

I have Verify with Callout enabled on the UTM, so I'm not sure if that's what's telling the mail server there's a bunch of attempts or if it's not doing what I think and trying to send the email to the server even if the destination address does not exist.

Is there a way have the UTM pass through the originating address? I see "transparent mode" but I've read that should only bee used in very specific circumstances and may apply to outgoing messages only.

For now I've turned off this security feature on my mail server, but we're getting a bunch more spam and will likely get more malware attempts soon.

I'll be posting a similar question to Kerio (GFI) forums as, as I said, I am not sure which, if either, device can do something about it.

Thanks,

Jeff



This thread was automatically locked due to age.
  • 0

    In the past I had verify with callout also enabled for our mail server (however we don't use Kerio, but Office365).

    It's been a while, but I recall having had also problems with this option altough I don't really know anymore what these were. In the end we don't do the verify with callout anymore and in your situation it doesn't really differ a lot since the Kerio mailserver is behind the same UTM if I read your question correctly.

    This option should prevent mails from being forwarded to the mail server if the recipient address is non-existent (ie. for former colleagues whose mail accounts have been deleted). In our case we did this to prevent incoming mail from being forwarded (and thus again consuming bandwith) if the recipient is non-existent. 

    In your situation I would simply pass on all mail to the mailserver that is internal to the UTM already and have the mailserver reject the mail if there's no mailbox.

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Unfiltered HTML