SMTP relay blacklist function

Hello Community,

I had a question of understanding.

We see massive brute-force SMTP connections on the external interfaces. So we try to block these brute-force networks and hosts from the SMTP service and use the function Relaying -> "Host/Network Blacklist". But the connections were not blocked, and we see new connections in the SMTP log file and SMTP communication (MAIL FROM, RCPT TO, ...).

In UTM help I found "Host/Network Blacklist - Here you can define hosts and networks that shall be blocked by the SMTP proxy. ...."

My expectation was to block the network/host from all SMTP communication, for example as a firewall rule, as the country blocking mechanism works too. Manually creating a DNAT that sends the requests to a fake host works as a workaround, as does country blocking as a sledgehammer.

What is the right scenario for "Host/Network Blacklist"? Or is this function without function?

Thanks for your help & Kind regards,
Michael



  • Hello Michael,

    please give us a screenshot of which configuration screen you used for this.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Michael,

    Thank you for contacting the Sophos Community!

    That setting will still allow the IP connection to the UTM, but it should drop the SMTP connection after the RCPT TO. The MAIL FROM and RCPT TO will still show in the SMTP log.

    Connected to 10.99.1254.23
    Escape character is '^]'.
    220 utm.testsophos.tes ESMTP ready.
    helo localhost
    250 utm.testsophos.tes Hello localhost [10.100.200.30]
    mail from:user1@testdomain.com
    250 OK
    rcpt to:test_user@domain.local
    Access denied (host blacklisted)
    Connection closed by foreign host.

    2020:09:28-15:46:05 utm exim-in[1077]: 2020-09-28 15:46:05 H=(localhost) [10.100.200.30]:36490 F=<user1@testdomain.com> rejected RCPT test_user@domain.local denied (host blacklisted)
    2020:09:28-15:46:05 utm exim-in[1077]: 2020-09-28 15:46:05 SMTP connection from (localhost) [10.100.200.30]:36490 closed by DROP in ACL

    If you want to block this IP then a DNAT rule is your best option.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    If a post solves your question use the 'Verify Answer' link.
  • Hello Philipp,

    the configuration field is Email Protection -> SMTP -> Relaying (tab) -> Host/Network Blacklist (field).

    The answer from @emmosophos is the missing information inside the help system.

    Regards from Potsdam

    Michael

  • Hello,

    thanks for your answer. This is the missing information: the configuration field drops the SMTP connection after the RCPT TO command. It would be nice if the help system of the UTM could include this information for this configuration field.

    The log entries are slightly different on my system (UTM 9.7); I can't see "denied (host blacklisted)" entries in the logs. May the auth error override this output?

    2020:09:28-13:12:12 xx-2 exim-in[9504]: 2020-09-28 13:12:12 SMTP connection from [212.70.149.68]:22980 (TCP/IP connection count = 3)
    2020:09:28-13:12:13 xx-2 exim-in[9504]: 2020-09-28 13:12:13 SMTP connection from [212.70.149.68]:38798 (TCP/IP connection count = 4)
    2020:09:28-13:12:24 xx-2 exim-in[6538]: 2020-09-28 13:12:24 server_login authenticator failed for (User) [212.70.149.68]:46822: 535 Incorrect authentication data (set_id=smarthome@xx)
    2020:09:28-13:12:25 xx-2 exim-in[6537]: 2020-09-28 13:12:25 server_login authenticator failed for (User) [212.70.149.68]:6242: 535 Incorrect authentication data (set_id=smarthome@xx)
    2020:09:28-13:12:30 xx-2 exim-in[6538]: 2020-09-28 13:12:30 SMTP connection from (User) [212.70.149.68]:46822 lost
    2020:09:28-13:12:30 xx-2 exim-in[6537]: 2020-09-28 13:12:30 SMTP connection from (User) [212.70.149.68]:6242 lost

    In my scenario the DNAT option is the best way to block the "bad" IPs from the system.

    Kind regards,

    Michael 
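
The two posts above show two different shapes of exim-in log lines for a blacklisted host: a session that reaches RCPT TO is logged as "denied (host blacklisted)" followed by "closed by DROP in ACL", while a brute-force session that fails AUTH first only leaves "authenticator failed" and "lost" lines. The following script is an added example for this thread, not Sophos code: it classifies such lines per source IP so an admin can see which addresses are hammering AUTH (candidates for the DNAT block the thread ends up recommending) and which ones the blacklist is actually catching. It assumes only the line format quoted in the posts; the sample lines and their addresses are constructed in that format.

```python
"""Classify Sophos UTM exim-in SMTP log lines per source IP.

Added example for this forum thread, not code from Sophos. It assumes the
exim-in line format quoted in the thread; SAMPLE_LOG below is constructed
in that format (addresses and mailbox names are made up).
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines, mirroring the exim-in entries quoted in the thread.
SAMPLE_LOG = """\
2020:09:28-15:46:05 utm exim-in[1077]: 2020-09-28 15:46:05 H=(localhost) [10.100.200.30]:36490 F=<user1@testdomain.com> rejected RCPT test_user@domain.local denied (host blacklisted)
2020:09:28-15:46:05 utm exim-in[1077]: 2020-09-28 15:46:05 SMTP connection from (localhost) [10.100.200.30]:36490 closed by DROP in ACL
2020:09:28-13:12:12 xx-2 exim-in[9504]: 2020-09-28 13:12:12 SMTP connection from [198.51.100.7]:22980 (TCP/IP connection count = 3)
2020:09:28-13:12:24 xx-2 exim-in[6538]: 2020-09-28 13:12:24 server_login authenticator failed for (User) [198.51.100.7]:46822: 535 Incorrect authentication data (set_id=smarthome@example.test)
2020:09:28-13:12:25 xx-2 exim-in[6537]: 2020-09-28 13:12:25 server_login authenticator failed for (User) [198.51.100.7]:6242: 535 Incorrect authentication data (set_id=smarthome@example.test)
2020:09:28-13:12:30 xx-2 exim-in[6538]: 2020-09-28 13:12:30 SMTP connection from (User) [198.51.100.7]:46822 lost
"""

# The peer address appears exactly once per line as "[ip]:port".
_ADDR = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]:(\d+)")

# Ordered: "closed by DROP in ACL" also contains "SMTP connection from",
# so the more specific markers are tested first.
EVENT_RULES = (
    ("blacklist_reject", "denied (host blacklisted)"),   # RCPT TO refused by the Host/Network Blacklist
    ("acl_drop", "closed by DROP in ACL"),               # session torn down right after that refusal
    ("auth_failure", "authenticator failed"),            # AUTH attempt with wrong credentials
    ("connect", "TCP/IP connection count"),              # new inbound session
)


def classify(line):
    """Return (source_ip, event) for one exim-in line, or None if it has no peer address."""
    m = _ADDR.search(line)
    if not m:
        return None
    ip = m.group(1)
    for event, marker in EVENT_RULES:
        if marker in line:
            return ip, event
    if line.rstrip().endswith(" lost"):
        return ip, "lost"                                # client went away without QUIT
    return ip, "other"


def summarize(log_text):
    """Count events per source IP: {ip: Counter(event -> n)}."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            ip, event = hit
            summary[ip][event] += 1
    return dict(summary)


def brute_force_candidates(summary, threshold=5):
    """IPs whose AUTH failures reach the threshold.

    These sessions never get to RCPT TO, so the Host/Network Blacklist cannot
    reject them; as the thread concludes, they are candidates for a DNAT or
    firewall block instead.
    """
    return sorted(ip for ip, counts in summary.items() if counts["auth_failure"] >= threshold)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, counts in sorted(stats.items()):
        print(ip, dict(counts))
    print("block candidates:", brute_force_candidates(stats, threshold=2))
```

Run it against a real exim-in log by feeding the file contents to summarize(); the threshold should be set well above what a legitimate client with a mistyped password produces.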

  • Hello Michael,

    Thank you for the follow-up.

    Yes, the Auth error will show before the RCPT TO.

    Do you have Authenticated Relay enabled by any chance? Email Protection >> SMTP >> Relaying >> Authenticate Relay

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    If a post solves your question use the 'Verify Answer' link.
  • Hello emmosophos,

    > Do you have Authenticated Relay enabled by any chance?

    Yes, and I discussed this with the customer. This option is necessary and cannot be switched off. So we must live with this "background noise" on the SMTP service and the solution we found to minimize it.

    Regards,

    Michael