
Smtp IP Blacklist

Hello

I'm looking for a solution that allows me to actively block external SMTP connections from "bad" IPs which are trying to use authentication, as per the following log

im-in[1041]: 2020-09-14 12:24:32 server_login authenticator failed for (User) [45.142.120.74]:11730: 535 Incorrect authentication data (set_id=webmaster@xxx.com)
2020:09:14-12:24:33 utm-1 exim-in[1041]: 2020-09-14 12:24:33 SMTP connection from (User) [45.142.120.74]:11730 closed by QUIT
As I found in other threads, a normal firewall rule is not working, and in a thread it was mentioned that a "blackhole" DNAT should be created.
However, even with such a DNAT created I still see connection attempts from the banned hosts' IPs.
I'm not using transparent mode.
Is there a way to fix it?
thanks
Stefano


  • Hi, are you sure you have enabled the DNAT to fake-IP rule for all SMTP ports, not only 25?

  • Hello

    it was a good point, I did it only for port 25, but even after changing to any ports it does not stop the connections from banned IPs.

  • Can you packet capture such an attempt to see on which SG interface and on which port the login attempt really comes?

    Also check in Authentication Services / Global Settings whether SMTP Proxy is enabled under Automatic User Creation for Facilities.
  • Ciao Stefano,

    Please show us a picture of the Edit of the DNAT that didn't work.  See #2 in Rulz (last updated 2019-04-17).

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello,

    some notes from my side, because I had the same problem with DNAT and stopping the "bad" IPs.

    Point 1: Include _all_ WAN IP addresses, if you have not only a primary official address.

    Point 2: Include service port 465/tcp in addition to 25/tcp (and 587/tcp).

    My DNAT rule looks like this:

    origin source: GROUP_IP_SPAMMER

    origin service: GROUP_SMTP_SERVICES (25/tcp, 465/tcp, 587/tcp)

    origin destination: GROUP_WAN-ADDRESSES_UTM

    NAT-destination: FAKE-IP

    Regards,

    Michael

  • Maybe using "Block Password Guessing" under "Authentication Services" -> "Advanced" would be sufficient for you?
    So that those IPs trying to log in block themselves after like 2 or 3 attempts and you don't need to manually add IPs to some DNAT rules?

  • Yes, this is an option in my mind. I am in discussion with the customer about this setting.

    The maintenance of the "bad" IPs in the source is a big obstacle here. Then "Block Password Guessing" is a better option.

    On the other side we see a complete /24 network of "bad" IP requesters, which looks like an automated process to "test" the SMTP authentication. So "Block Password Guessing" is not the right thing here. If I block 1 IP for 15 minutes, there are a lot of other requests. So we block the /24 network with the DNAT rule.

    "Block Password Guessing" is an additional option, I think.
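    The log-parsing step that would feed a source group like GROUP_IP_SPAMMER, including the /24 aggregation described above, as an added example that is not from this thread or from Sophos UTM; the function names, thresholds and the sample log lines (documentation addresses) are constructed assumptions:

    ```python
    import ipaddress
    import re
    from collections import Counter, defaultdict

    # Matches the exim "authenticator failed" line quoted in the thread and pulls
    # out the client address and the login name that was attempted.
    AUTH_FAIL = re.compile(
        r"authenticator failed for \(.*?\) \[(?P<ip>\d+(?:\.\d+){3})\]:\d+: "
        r"535 Incorrect authentication data \(set_id=(?P<user>[^)]*)\)"
    )

    def parse_failures(lines):
        """One (ip, user) tuple per failed SMTP AUTH attempt; other lines are ignored."""
        return [(m["ip"], m["user"]) for m in map(AUTH_FAIL.search, lines) if m]

    def candidate_blocks(lines, per_ip=3, per_net=2):
        """Return (ips, nets) to put in the DNAT source group (assumed thresholds).

        An address is listed after per_ip failures; a whole /24 is listed instead
        once per_net distinct addresses from it fail (the scan pattern in the thread).
        """
        fails = Counter(ip for ip, _ in parse_failures(lines))
        by_net = defaultdict(set)
        for ip in fails:
            by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
        nets = {n for n, members in by_net.items() if len(members) >= per_net}
        ips = {ip for ip, n in fails.items()
               if n >= per_ip and not any(ipaddress.ip_address(ip) in net for net in nets)}
        return ips, {str(n) for n in nets}

    # Constructed sample lines in the thread's log format (not real traffic).
    def _fail(ts, ip, port, user):
        return (f"2020:09:14-{ts} utm-1 exim-in[1041]: 2020-09-14 {ts} server_login "
                f"authenticator failed for (User) [{ip}]:{port}: 535 Incorrect "
                f"authentication data (set_id={user})")

    SAMPLE = [
        _fail("12:24:32", "198.51.100.10", 11730, "webmaster@example.com"),
        "2020:09:14-12:24:33 utm-1 exim-in[1041]: 2020-09-14 12:24:33 SMTP connection "
        "from (User) [198.51.100.10]:11730 closed by QUIT",
        _fail("12:25:01", "198.51.100.10", 11802, "info@example.com"),
        _fail("12:25:40", "198.51.100.10", 11903, "postmaster@example.com"),
        _fail("12:26:02", "203.0.113.5", 40001, "webmaster@example.com"),
        _fail("12:26:09", "203.0.113.6", 40017, "webmaster@example.com"),
        _fail("12:27:00", "192.0.2.77", 5001, "webmaster@example.com"),
    ]

    if __name__ == "__main__":
        ips, nets = candidate_blocks(SAMPLE)
        print("block IPs:", sorted(ips))    # ['198.51.100.10']
        print("block /24s:", sorted(nets))  # ['203.0.113.0/24']
    ```

    The "closed by QUIT" line is deliberately included to show that only the 535 failure lines are counted.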

  • Hello Michael and welcome to the UTM Community!

    In general, guys, I prefer to NOT use the SMTP Proxy to authenticate traffic from the Internet.  Instead, use the mail server's authentication capability.  Michael, your approach and including blocking password guessing is one I like to use if the client just can't go without using UTM SMTP Proxy authentication.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello BAlfson,

    yes, it is not the smartest way to do this with SMTP auth, but it works for the customer in production, and a better solution is not so easy to build here. So we do prevention.

    Regards,

    Michael

    P.S.: You have been doing a nice job here for years, thank you.

    Michael