
Best way to blacklist a (potentially large) number of IPs in SMTP profile

My problem is rather simple: I would like a way to prevent a (potentially large) number of IPs from connecting to the SMTP server.

My first attempt was to create a "blackhole" network group in the firewall and put all IPs there. This, unfortunately, does not work because of a UTM 9 design issue: it will automatically create a global, invisible "accept" rule from any IP to all local active proxies. This means that, as soon as you're using a reverse proxy (HTTP(S), SMTP, POP3), you CANNOT block any IP any more using the firewall.

It would also have created a rather large number of network blocks "polluting" the global list, making it harder to manage.

My second approach was to set up a local DNSBL and add it to the SMTP profile. This works much better, but it creates an additional failure point and forces me to use two servers (without counting redundancy) just for that.

So, is there a better way to handle that? Ideally, I'd love to see a way to add an additional local DNSBL to UTM9, but I don't think that is possible.

Note that, when I say "a large number of IPs", I mean that I would like to be able to block whole ASes (OVH, I'm looking at you!), so the actual definition of that master list will not be THAT big: a few hundred entries at most.

Bonus cookie if anyone can point me to a DNSBL that simply allows me to get a positive by AS (like countries.nerd.dk let you do per country).
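The local DNSBL approach described above, as an added example that is not part of the original post: a Python script that turns a list of CIDR prefixes (constructed sample ranges, not a real AS) into BIND-style DNSBL zone records and simulates the reversed-octet lookup an SMTP proxy makes against such a zone. The zone name bl.example.internal and the 127.0.0.2 listing answer are assumptions.

```python
import ipaddress

# Constructed sample prefixes standing in for an AS's announced ranges
# (not real OVH or Sophos data).
AS_PREFIXES = ["192.0.2.0/24", "198.51.100.0/22", "203.0.113.64/26"]
ZONE = "bl.example.internal"   # assumed local DNSBL zone name
LISTED_ADDR = "127.0.0.2"      # conventional DNSBL "listed" answer


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Build the name an SMTP proxy queries: reversed octets under the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def zone_records(prefixes, zone: str = ZONE):
    """Emit BIND-style A records for each prefix.

    Each prefix is rounded up to the next octet boundary and split into
    blocks of that size; /8, /16 and /24 blocks become one wildcard owner
    name each, /32 blocks become one host record each."""
    records = []
    for p in prefixes:
        net = ipaddress.IPv4Network(p)
        aligned = -(-net.prefixlen // 8) * 8          # round up to 8, 16, 24, 32
        for sub in net.subnets(new_prefix=aligned):
            octets = sub.network_address.exploded.split(".")[: aligned // 8]
            name = ".".join(reversed(octets))
            if aligned < 32:
                name = "*." + name                    # wildcard covers the block
            records.append(f"{name}.{zone}. IN A {LISTED_ADDR}")
    return records


def lookup(query_name: str, records):
    """Simulate the authoritative answer: a wildcard owner matches any name
    below it, a plain owner must match exactly. Returns the A value or None."""
    for rec in records:
        owner, answer = rec.split(" IN A ")
        owner = owner.rstrip(".")
        if owner.startswith("*."):
            if query_name.endswith("." + owner[2:]):
                return answer
        elif query_name == owner:
            return answer
    return None


def is_listed(ip: str, prefixes=AS_PREFIXES) -> bool:
    """End-to-end check: build the query name and resolve it in the zone."""
    return lookup(dnsbl_query_name(ip), zone_records(prefixes)) == LISTED_ADDR
```

Feeding the generated records to a local authoritative server and pointing the SMTP profile's DNSBL list at the zone reproduces the setup described in the post; the script itself only shows how the records and lookups fit together.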



  • Instead of a Firewall rule, use a DNAT. Look at #2 in Rulz to better understand why that works.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA