Enable domain's SMTP auth setting for local deliveries bypasses IDS Rules
Problem reported by Jade D - January 15 at 4:46 AM
Resolved
As the title suggests, when enabling "Enable domain's SMTP auth setting for local deliveries" a user is able to repeatedly fail authentication without being blocked by IDS provided that there is a delivery attempt after the initial auth.

This completely defies the purpose of IDS blocks and opens the server up for brute force attacks.
Current server is setup as follows
3 failed login attempts via smtp over a 20 minute period results in a 20 minute block
Below are the logs

[2019.01.15] 13:34:17 [REDACTED][2773456] rsp: 220 REDACTED Tue, 15 Jan 2019 13:34:17 +02:00 CAT+2 REDACTED REDACTED
[2019.01.15] 13:34:17 [REDACTED][2773456] connected at 1/15/2019 1:34:17 PM
[2019.01.15] 13:34:18 [REDACTED][2773456] cmd: EHLO ROG
[2019.01.15] 13:34:18 [REDACTED][2773456] rsp: 250-REDACTED Hello [REDACTED]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2019.01.15] 13:34:18 [REDACTED][2773456] cmd: AUTH login dGh5c0BhZnJpd29ybGQubmV0
[2019.01.15] 13:34:18 [REDACTED][2773456] Authenticating as REDACTED
[2019.01.15] 13:34:18 [REDACTED][2773456] rsp: 334 UGFzc3dvcmQ6
[2019.01.15] 13:34:18 [REDACTED][2773456] rsp: 535 Authentication failed
[2019.01.15] 13:34:18 [REDACTED][2773456] cmd: MAIL FROM:<REDACTED>
[2019.01.15] 13:34:18 [REDACTED][2773456] senderEmail(1): REDACTED parsed using: <REDACTED>
[2019.01.15] 13:34:18 [REDACTED][2773456] rsp: 550 Authentication is required for relay
[2019.01.15] 13:34:18 [REDACTED][2773456] disconnected at 1/15/2019 1:34:18 PM
[2019.01.15] 13:34:54 [REDACTED][61190225] rsp: 220 REDACTED Tue, 15 Jan 2019 13:34:54 +02:00 CAT+2 REDACTED REDACTED
[2019.01.15] 13:34:54 [REDACTED][61190225] connected at 1/15/2019 1:34:54 PM
[2019.01.15] 13:34:54 [REDACTED][61190225] cmd: EHLO ROG
[2019.01.15] 13:34:54 [REDACTED][61190225] rsp: 250-REDACTED Hello [REDACTED]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2019.01.15] 13:34:54 [REDACTED][61190225] cmd: AUTH login dGh5c0BhZnJpd29ybGQubmV0
[2019.01.15] 13:34:54 [REDACTED][61190225] Authenticating as REDACTED
[2019.01.15] 13:34:54 [REDACTED][61190225] rsp: 334 UGFzc3dvcmQ6
[2019.01.15] 13:34:54 [REDACTED][61190225] rsp: 535 Authentication failed
[2019.01.15] 13:34:54 [REDACTED][61190225] cmd: MAIL FROM:<REDACTED>
[2019.01.15] 13:34:54 [REDACTED][61190225] senderEmail(1): REDACTED parsed using: <REDACTED>
[2019.01.15] 13:34:54 [REDACTED][61190225] rsp: 550 Authentication is required for relay
[2019.01.15] 13:34:54 [REDACTED][61190225] disconnected at 1/15/2019 1:34:54 PM
[2019.01.15] 13:34:59 [REDACTED][32442547] rsp: 220 REDACTED Tue, 15 Jan 2019 13:34:59 +02:00 CAT+2 REDACTED REDACTED
[2019.01.15] 13:34:59 [REDACTED][32442547] connected at 1/15/2019 1:34:59 PM
[2019.01.15] 13:34:59 [REDACTED][32442547] cmd: EHLO ROG
[2019.01.15] 13:34:59 [REDACTED][32442547] rsp: 250-REDACTED Hello [REDACTED]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2019.01.15] 13:34:59 [REDACTED][32442547] cmd: AUTH login dGh5c0BhZnJpd29ybGQubmV0
[2019.01.15] 13:34:59 [REDACTED][32442547] Authenticating as REDACTED
[2019.01.15] 13:34:59 [REDACTED][32442547] rsp: 334 UGFzc3dvcmQ6
[2019.01.15] 13:34:59 [REDACTED][32442547] rsp: 535 Authentication failed
[2019.01.15] 13:34:59 [REDACTED][32442547] cmd: MAIL FROM:<REDACTED>
[2019.01.15] 13:34:59 [REDACTED][32442547] senderEmail(1): REDACTED parsed using: <REDACTED>
[2019.01.15] 13:34:59 [REDACTED][32442547] rsp: 550 Authentication is required for relay
[2019.01.15] 13:34:59 [REDACTED][32442547] disconnected at 1/15/2019 1:34:59 PM
[2019.01.15] 13:35:02 [REDACTED][48205808] rsp: 220 REDACTED Tue, 15 Jan 2019 13:35:02 +02:00 CAT+2 REDACTED REDACTED
[2019.01.15] 13:35:02 [REDACTED][48205808] connected at 1/15/2019 1:35:02 PM
[2019.01.15] 13:35:02 [REDACTED][48205808] cmd: EHLO ROG
[2019.01.15] 13:35:02 [REDACTED][48205808] rsp: 250-REDACTED Hello [REDACTED]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2019.01.15] 13:35:02 [REDACTED][48205808] cmd: AUTH login dGh5c0BhZnJpd29ybGQubmV0
[2019.01.15] 13:35:02 [REDACTED][48205808] Authenticating as REDACTED
[2019.01.15] 13:35:02 [REDACTED][48205808] rsp: 334 UGFzc3dvcmQ6
[2019.01.15] 13:35:02 [REDACTED][48205808] rsp: 535 Authentication failed
[2019.01.15] 13:35:02 [REDACTED][48205808] cmd: MAIL FROM:<REDACTED>
[2019.01.15] 13:35:02 [REDACTED][48205808] senderEmail(1): REDACTED parsed using: <REDACTED>
[2019.01.15] 13:35:02 [REDACTED][48205808] rsp: 550 Authentication is required for relay
[2019.01.15] 13:35:02 [REDACTED][48205808] disconnected at 1/15/2019 1:35:02 PM
[2019.01.15] 13:35:18 [REDACTED][43288795] rsp: 220 REDACTED Tue, 15 Jan 2019 13:35:18 +02:00 CAT+2 REDACTED REDACTED
[2019.01.15] 13:35:18 [REDACTED][43288795] connected at 1/15/2019 1:35:18 PM
[2019.01.15] 13:35:18 [REDACTED][43288795] cmd: EHLO ROG
[2019.01.15] 13:35:18 [REDACTED][43288795] rsp: 250-REDACTED Hello [REDACTED]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2019.01.15] 13:35:18 [REDACTED][43288795] cmd: AUTH login dGh5c0BhZnJpd29ybGQubmV0
[2019.01.15] 13:35:18 [REDACTED][43288795] Authenticating as REDACTED
[2019.01.15] 13:35:18 [REDACTED][43288795] rsp: 334 UGFzc3dvcmQ6
[2019.01.15] 13:35:18 [REDACTED][43288795] rsp: 535 Authentication failed
[2019.01.15] 13:35:18 [REDACTED][43288795] cmd: MAIL FROM:<REDACTED>
[2019.01.15] 13:35:18 [REDACTED][43288795] senderEmail(1): REDACTED parsed using: <REDACTED>
[2019.01.15] 13:35:18 [REDACTED][43288795] rsp: 550 Authentication is required for relay
[2019.01.15] 13:35:18 [REDACTED][43288795] disconnected at 1/15/2019 1:35:18 PM
[2019.01.15] 13:35:35 [REDACTED][38139245] rsp: 220 REDACTED Tue, 15 Jan 2019 13:35:35 +02:00 CAT+2 REDACTED REDACTED
[2019.01.15] 13:35:35 [REDACTED][38139245] connected at 1/15/2019 1:35:35 PM
[2019.01.15] 13:35:35 [REDACTED][38139245] cmd: EHLO ROG
[2019.01.15] 13:35:35 [REDACTED][38139245] rsp: 250-REDACTED Hello [REDACTED]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2019.01.15] 13:35:35 [REDACTED][38139245] cmd: AUTH login dGh5c0BhZnJpd29ybGQubmV0
[2019.01.15] 13:35:35 [REDACTED][38139245] Authenticating as REDACTED
[2019.01.15] 13:35:35 [REDACTED][38139245] rsp: 334 UGFzc3dvcmQ6
[2019.01.15] 13:35:35 [REDACTED][38139245] rsp: 535 Authentication failed
[2019.01.15] 13:35:35 [REDACTED][38139245] cmd: MAIL FROM:<REDACTED>
[2019.01.15] 13:35:35 [REDACTED][38139245] senderEmail(1): REDACTED parsed using: <REDACTED>
[2019.01.15] 13:35:35 [REDACTED][38139245] rsp: 550 Authentication is required for relay
[2019.01.15] 13:35:35 [REDACTED][38139245] disconnected at 1/15/2019 1:35:35 PM


3 Replies

Reply to Thread
0
Jade D Replied
Just checking to see if any of the developers have taken a look at this issue or if I need to log a ticket for this?
0
Employee Replied
Employee Post Marked As Resolution
Hi,
While testing this were you using a different email/password combination each time? Only unique combinations count towards brute force. The idea behind this is that it's fruitless to try and brute force an account by using the same email/password combination each time, if it failed once, it will continue failing. It also helps prevent users using clients from getting locked out when their client's email/password combination is accidentally wrong.
0
Jade D Replied
Hi Alex,

After taking a look at my powershell scripts I can confirm that they were using the same password. I have modified this and made each successful attempt use a new password and confirm that the security features are working as per your description.

Thank you for taking the time to comment on this and advise of this feature - intuitive and well thought of!

Reply to Thread