Enable domain's SMTP auth setting for local deliveries bypasses IDS Rules

As the title suggests, when enabling "Enable domain's SMTP auth setting for local deliveries" a user is able to repeatedly fail authentication without being blocked by IDS provided that there is a delivery attempt after the initial auth.

This completely defies the purpose of IDS blocks and opens the server up for brute force attacks.

Current server is setup as follows

3 failed login attempts via smtp over a 20 minute period results in a 20 minute block

Below are the logs

[2019.01.15] 13:34:17 [REDACTED][2773456] rsp: 220 REDACTED Tue, 15 Jan 2019 13:34:17 +02:00 CAT+2 REDACTED REDACTED
[2019.01.15] 13:34:17 [REDACTED][2773456] connected at 1/15/2019 1:34:17 PM
[2019.01.15] 13:34:18 [REDACTED][2773456] cmd: EHLO ROG
[2019.01.15] 13:34:18 [REDACTED][2773456] rsp: 250-REDACTED Hello [REDACTED]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2019.01.15] 13:34:18 [REDACTED][2773456] cmd: AUTH login dGh5c0BhZnJpd29ybGQubmV0
[2019.01.15] 13:34:18 [REDACTED][2773456] Authenticating as REDACTED
[2019.01.15] 13:34:18 [REDACTED][2773456] rsp: 334 UGFzc3dvcmQ6
[2019.01.15] 13:34:18 [REDACTED][2773456] rsp: 535 Authentication failed
[2019.01.15] 13:34:18 [REDACTED][2773456] cmd: MAIL FROM:<REDACTED>
[2019.01.15] 13:34:18 [REDACTED][2773456] senderEmail(1): REDACTED parsed using: <REDACTED>
[2019.01.15] 13:34:18 [REDACTED][2773456] rsp: 550 Authentication is required for relay
[2019.01.15] 13:34:18 [REDACTED][2773456] disconnected at 1/15/2019 1:34:18 PM
[2019.01.15] 13:34:54 [REDACTED][61190225] rsp: 220 REDACTED Tue, 15 Jan 2019 13:34:54 +02:00 CAT+2 REDACTED REDACTED
[2019.01.15] 13:34:54 [REDACTED][61190225] connected at 1/15/2019 1:34:54 PM
[2019.01.15] 13:34:54 [REDACTED][61190225] cmd: EHLO ROG
[2019.01.15] 13:34:54 [REDACTED][61190225] rsp: 250-REDACTED Hello [REDACTED]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2019.01.15] 13:34:54 [REDACTED][61190225] cmd: AUTH login dGh5c0BhZnJpd29ybGQubmV0
[2019.01.15] 13:34:54 [REDACTED][61190225] Authenticating as REDACTED
[2019.01.15] 13:34:54 [REDACTED][61190225] rsp: 334 UGFzc3dvcmQ6
[2019.01.15] 13:34:54 [REDACTED][61190225] rsp: 535 Authentication failed
[2019.01.15] 13:34:54 [REDACTED][61190225] cmd: MAIL FROM:<REDACTED>
[2019.01.15] 13:34:54 [REDACTED][61190225] senderEmail(1): REDACTED parsed using: <REDACTED>
[2019.01.15] 13:34:54 [REDACTED][61190225] rsp: 550 Authentication is required for relay
[2019.01.15] 13:34:54 [REDACTED][61190225] disconnected at 1/15/2019 1:34:54 PM
[2019.01.15] 13:34:59 [REDACTED][32442547] rsp: 220 REDACTED Tue, 15 Jan 2019 13:34:59 +02:00 CAT+2 REDACTED REDACTED
[2019.01.15] 13:34:59 [REDACTED][32442547] connected at 1/15/2019 1:34:59 PM
[2019.01.15] 13:34:59 [REDACTED][32442547] cmd: EHLO ROG
[2019.01.15] 13:34:59 [REDACTED][32442547] rsp: 250-REDACTED Hello [REDACTED]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2019.01.15] 13:34:59 [REDACTED][32442547] cmd: AUTH login dGh5c0BhZnJpd29ybGQubmV0
[2019.01.15] 13:34:59 [REDACTED][32442547] Authenticating as REDACTED
[2019.01.15] 13:34:59 [REDACTED][32442547] rsp: 334 UGFzc3dvcmQ6
[2019.01.15] 13:34:59 [REDACTED][32442547] rsp: 535 Authentication failed
[2019.01.15] 13:34:59 [REDACTED][32442547] cmd: MAIL FROM:<REDACTED>
[2019.01.15] 13:34:59 [REDACTED][32442547] senderEmail(1): REDACTED parsed using: <REDACTED>
[2019.01.15] 13:34:59 [REDACTED][32442547] rsp: 550 Authentication is required for relay
[2019.01.15] 13:34:59 [REDACTED][32442547] disconnected at 1/15/2019 1:34:59 PM
[2019.01.15] 13:35:02 [REDACTED][48205808] rsp: 220 REDACTED Tue, 15 Jan 2019 13:35:02 +02:00 CAT+2 REDACTED REDACTED
[2019.01.15] 13:35:02 [REDACTED][48205808] connected at 1/15/2019 1:35:02 PM
[2019.01.15] 13:35:02 [REDACTED][48205808] cmd: EHLO ROG
[2019.01.15] 13:35:02 [REDACTED][48205808] rsp: 250-REDACTED Hello [REDACTED]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2019.01.15] 13:35:02 [REDACTED][48205808] cmd: AUTH login dGh5c0BhZnJpd29ybGQubmV0
[2019.01.15] 13:35:02 [REDACTED][48205808] Authenticating as REDACTED
[2019.01.15] 13:35:02 [REDACTED][48205808] rsp: 334 UGFzc3dvcmQ6
[2019.01.15] 13:35:02 [REDACTED][48205808] rsp: 535 Authentication failed
[2019.01.15] 13:35:02 [REDACTED][48205808] cmd: MAIL FROM:<REDACTED>
[2019.01.15] 13:35:02 [REDACTED][48205808] senderEmail(1): REDACTED parsed using: <REDACTED>
[2019.01.15] 13:35:02 [REDACTED][48205808] rsp: 550 Authentication is required for relay
[2019.01.15] 13:35:02 [REDACTED][48205808] disconnected at 1/15/2019 1:35:02 PM
[2019.01.15] 13:35:18 [REDACTED][43288795] rsp: 220 REDACTED Tue, 15 Jan 2019 13:35:18 +02:00 CAT+2 REDACTED REDACTED
[2019.01.15] 13:35:18 [REDACTED][43288795] connected at 1/15/2019 1:35:18 PM
[2019.01.15] 13:35:18 [REDACTED][43288795] cmd: EHLO ROG
[2019.01.15] 13:35:18 [REDACTED][43288795] rsp: 250-REDACTED Hello [REDACTED]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2019.01.15] 13:35:18 [REDACTED][43288795] cmd: AUTH login dGh5c0BhZnJpd29ybGQubmV0
[2019.01.15] 13:35:18 [REDACTED][43288795] Authenticating as REDACTED
[2019.01.15] 13:35:18 [REDACTED][43288795] rsp: 334 UGFzc3dvcmQ6
[2019.01.15] 13:35:18 [REDACTED][43288795] rsp: 535 Authentication failed
[2019.01.15] 13:35:18 [REDACTED][43288795] cmd: MAIL FROM:<REDACTED>
[2019.01.15] 13:35:18 [REDACTED][43288795] senderEmail(1): REDACTED parsed using: <REDACTED>
[2019.01.15] 13:35:18 [REDACTED][43288795] rsp: 550 Authentication is required for relay
[2019.01.15] 13:35:18 [REDACTED][43288795] disconnected at 1/15/2019 1:35:18 PM
[2019.01.15] 13:35:35 [REDACTED][38139245] rsp: 220 REDACTED Tue, 15 Jan 2019 13:35:35 +02:00 CAT+2 REDACTED REDACTED
[2019.01.15] 13:35:35 [REDACTED][38139245] connected at 1/15/2019 1:35:35 PM
[2019.01.15] 13:35:35 [REDACTED][38139245] cmd: EHLO ROG
[2019.01.15] 13:35:35 [REDACTED][38139245] rsp: 250-REDACTED Hello [REDACTED]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2019.01.15] 13:35:35 [REDACTED][38139245] cmd: AUTH login dGh5c0BhZnJpd29ybGQubmV0
[2019.01.15] 13:35:35 [REDACTED][38139245] Authenticating as REDACTED
[2019.01.15] 13:35:35 [REDACTED][38139245] rsp: 334 UGFzc3dvcmQ6
[2019.01.15] 13:35:35 [REDACTED][38139245] rsp: 535 Authentication failed
[2019.01.15] 13:35:35 [REDACTED][38139245] cmd: MAIL FROM:<REDACTED>
[2019.01.15] 13:35:35 [REDACTED][38139245] senderEmail(1): REDACTED parsed using: <REDACTED>
[2019.01.15] 13:35:35 [REDACTED][38139245] rsp: 550 Authentication is required for relay
[2019.01.15] 13:35:35 [REDACTED][38139245] disconnected at 1/15/2019 1:35:35 PM

Jade

https://absolutehosting.co.za

3 Replies

Reply to Thread