This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Smtp IP Blacklist

Hello

I'm looking for a solution that allows me to actively block external SMTP connection from "bad" IP which are trying to use autentication as per the following log

im-in[1041]: 2020-09-14 12:24:32 server_login authenticator failed for (User) [45.142.120.74]:11730: 535 Incorrect authentication data (set_id=webmaster@xxx.com)
2020:09:14-12:24:33 utm-1 exim-in[1041]: 2020-09-14 12:24:33 SMTP connection from (User) [45.142.120.74]:11730 closed by QUIT
As I found in other thread a normal firewall rule is not working and in a thread was mentioned that a "blackhoe DNAT should be created
However even with such DNAT created I still see connection attempt from the banned Hosts IP
I'm not using transparent mode
Is there a way to fix it ?
thanks
Stefano


This thread was automatically locked due to age.
Parents
  • Maybe using "Block Password Guessing" under "Authentication Services"-> "Advanced" would be sufficent for you?
    So that those IPs trying to login block themselfs after like 2 or 3 attempts and you dont need to manually add IPs to some DNAT rules?

  • Yes, this is an option in my mind. I am in discussion with the customer about this setting. 

    The maintenance of the "bad" IPs in the source is an big obstacle here. Then "Block Password Guessing" is an better option. 

    On the other side we see a complete /24 network of "bad" IP requesters which looks like an automated process to "test" the SMTP authentication. So the "Block Password Guessing" here not the right thing. If I block 1 IP for 15 minutes, there are a lot other requests. So we block the /24 network with the DNAT rule.

    "Block Password Guessing" is an addition option I think. 

  • Hallo Michael and welcome to the UTM Community!

    In general, guys, I prefer to NOT use the SMTP Proxy to authenticate traffic from the Internet.  Instead, use the mail server's authentication capability.  Michael, your approach and including blocking password guessing is one I like to use if the client just can't go without using UTM SMTP Proxy authentication.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello BAlfson,

     yes it is not the smartest way to do this with SMTP auth, but it works for the customer in production and a better solution is here not so easy to build. So we do prevention.

    Regards,

    Michael

    P.S. : You do a nice job here since years, thank you.

    Michael

Reply Children
No Data