SMTP relay blacklist function

Question

Hello Community, 
 I had a question of understanding. 
 we see a massive brute force SMTP connections on the external interfaces. So we try to block these brute force networks and hosts from SMTP service and use the function Relaying -> "Host/Network Blacklist". But the connections was not blocked and we see new connections in SMTP log file and SMTP communication, MAIL FROM, RCPT TO ..... 
 In UTM help I found "Host/Network Blacklist - Here you can define hosts and networks that shall be blocked by the SMTP proxy. ...." 
 My expectation was to block the network/host from all SMTP communication, for example as firewall rule as the country blocking mechanism work too. The manual creation a DNAT and send requests to a fake host works as workaround, also country blocking as sledge hammer. 
 What is the right scenario for "Host/Network Blacklist"? Or is this function without function? 
 Thanks for your help & Kind regards, Michael

emmosophos · Accepted Answer

Hello Michael, 
 Thank you for contacting the Sophos Community! 
 That setting will still allow the IP connection to the UTM, but it should drop the SMTP connection after the Rcpt to. The Mail FROM and RCPT TO will still show in the SMTP log. 
 Connected to 10.99.1254.23 Escape character is '^]'. 220 utm.testsophos.tes ESMTP ready. helo localhost 250 utm.testsophos.tes Hello localhost [10.100.200.30] mail from:user1@testdomain.com 250 OK rcpt to:test_user@domain.local Access denied (host blacklisted) Connection closed by foreign host. 
 2020:09:28-15:46:05 utm exim-in[1077]: 2020-09-28 15:46:05 H=(localhost) [10.100.200.30]:36490 F=<user1@testdomain.com> rejected RCPT test_user@domain.local denied (host blacklisted) 2020:09:28-15:46:05 utm exim-in[1077]: 2020-09-28 15:46:05 SMTP connection from (localhost) [10.100.200.30]:36490 closed by DROP in ACL 
 If you want to block this IP then a DNAT rule is your best option. 
 Regards,

SMTP relay blacklist function

Top Replies