This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Smtp IP Blacklist

Hello

I'm looking for a solution that allows me to actively block external SMTP connection from "bad" IP which are trying to use autentication as per the following log

im-in[1041]: 2020-09-14 12:24:32 server_login authenticator failed for (User) [45.142.120.74]:11730: 535 Incorrect authentication data (set_id=webmaster@xxx.com)

2020:09:14-12:24:33 utm-1 exim-in[1041]: 2020-09-14 12:24:33 SMTP connection from (User) [45.142.120.74]:11730 closed by QUIT

As I found in other thread a normal firewall rule is not working and in a thread was mentioned that a "blackhoe DNAT should be created

https://community.sophos.com/utm-firewall/f/mail-protection-smtp-pop3-antispam-and-antivirus/49677/smtp-attacks---block-blacklist-ip

However even with such DNAT created I still see connection attempt from the banned Hosts IP

I'm not using transparent mode

Is there a way to fix it ?

thanks

Stefano

This thread was automatically locked due to age.

Top Replies

Michael_Kuerschner over 4 years ago +1

Hello, some notes from my site because I had the same problem with DNAT and stop the "bad" IPs. Point 1: Include _all_ WAN IP addresses, if you have not only a primary official address. Point2: Include…

Parents

0 LHerzog over 4 years ago

Hi, are you sure to have enabled the DNAT to fake-IP Rule for all SMTP Ports, not only 25?
Cancel
Vote Up 0 Vote Down

Cancel
0 StefanoColombo over 4 years ago in reply to LHerzog

Hello

it was a good point, I did it only for port 25 , but even after changing to any ports it does not stop the connections from banned IP
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog over 4 years ago in reply to StefanoColombo

Can you packet capture such an attempt to see on which SG interface and on which port the login attempt really comes?

Also check in Authentication Services / Global Settings

Automatic User Creation for Facilities

if
SMTP Proxy
is enabled there.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 4 years ago in reply to StefanoColombo

Ciao Sefano,

Please show us a picture of the Edit of the DNAT that didn't work. See #2 in Rulz (last updated 2019-04-17).

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 4 years ago in reply to StefanoColombo

Ciao Sefano,

Please show us a picture of the Edit of the DNAT that didn't work. See #2 in Rulz (last updated 2019-04-17).

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data