Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 3 subscribers
  • Views 1472 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM 9 - Mail Protection - Botnet

RichardHughes1

Hello,

I have used the Sophos UTM for many years now. For the past few days, I have been having a problem with botnets attempting to authenticate against my email server (hMailServer), which sits behind the Sophos UTM. I have resorted to blocking several countries in the firewall as I can’t seem to find any alternative solution to rectifying this problem. The email server is showing my external IP address for these authentication attempts, so I can’t utilise auto-banning for failed auth, as this will ban my IP instead of the botnet’s IP’s.

Is there a way of preserving the hosts IP and passing that from the UTM to the email server or is there a way of letting the UTM handle authentication to the email server as a proxy? I seen reference to SMTP authentication, but I am not sure if this will resolve my problem or how to set this up.

I only have IMAP, SMTP and secure SMTP enabled. POP3 is not enabled.

Cheers,

Richard



This thread was automatically locked due to age.
Parents
  • 0

    I have since discovered that an old account which was disabled, was compromised and there is a botnet trying to send mail from this account. I have removed the country blocking and changed the NAT rule for ESMTP to allow only connections from the internal network. This now means that email can’t be sent from my mail server externally, unless connected to the VPN. Does anybody know of an effective solution to getting around this problem? The account in which the botnet is trying to use, is disabled and I even changed the password on it just to be safe, but the botnet is hitting the server every second from several different IP’s unless I restrict ESMTP to the internal network / enable country blocking. I would prefer not to use country blocking as this is having a knock-on affect with other services and I really do not want to have to create loads of exceptions just to block one service!

  • 0 in reply to RichardHughes1

    You can still utilize Country Blocking and have certain exceptions for that country being blocked. That might be a solution until someone with more experience with mail behind the UTM can provide something better.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to Amodin

    Thank you for getting back to me and with your suggestion. I am not quite sure how to achieve that as I can only see the option for blocking countries either being All, From, To or Off. When I go to create an exception, it only allows me to create an exception for a service or list of services. I don't seem to have the option to use country blocking for only one service if that makes sense? Unless this is achieved in some other way?

  • 0 in reply to RichardHughes1

    Right next to the Country Blocking tab is the Exceptions tab at the top.  You select your country in the checkbox window to the left, then add your exception (host(s) and/or service(s) ) that you want to be applied to that country or countries (if you selected multiples).

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to Amodin

    Ha, genius! I didn’t think of doing it that way, I’ll do that now!

    Cheers,

    Richard

Reply Children
No Data
Unfiltered HTML