Back to Community Threads
3
SM 8504: sometimes "Denial of Service (DoS)" is triggered by Outlook MAPI users. This never happened with the old version of SM
Problem reported by Gabriele Maoret - SERSIS - 4/18/2023 at 11:38 PM
Resolved
In the "new" SmarterMail (v.8504) sometimes "Denial of Service (DoS)" (Default DoS rule) is triggered by Outlook MAPI users. This never happened with the old version of SmarterMail.


This appens if I have this rule active with the standard attributes (see this image):



This is an example of what I find in the "IDS Blocks" list:


Note that this happens in an ON PREMISE installation where both the server and the users are inside the corporate network and therefore each user has his own separate internal LAN IP, as you can see in this image:


I guess once a bunch of different users connect to a Cloud server from a LAN behind NAT with the same single public IP, this problem will only get worse...



This is really annoying because users complain that Outlook keeps logging out...
They notice because Outlook starts asking for username and password and doesn't stop until the blocked IP is deleted from the "IDS Blocks" list.

I had to raise the "Connection Before Block" parameter to make sure this doesn't happen too often, but since it NEVER happened before I wonder if this isn't a BUG of the new version of SmarterMail.

Furthermore I fear that with this parameter too high the protection against real DoS attacks becomes too light.
Gabriele Maoret - Head of SysAdmins at SERSIS
Currently manages 3 SmarterMail installations (1 in cloud for SERSIS which provides service to a few hundreds 3rd party Mail Domains + 2 on premise to customers)

11 Replies

Reply to Thread
1
Brian Bjerring-Jensen Replied
4/18/2023 at 11:59 PM
 I changed the parameter to 1 minute and 100 on the threshold.
A DoS means a lot of connections very rapidly and this has stopped local users from getting caught in the filter.

But yeah never happened on 8451 with default settings..
0
Gabriele Maoret - SERSIS Replied
4/19/2023 at 12:02 AM
Hi Brian!

I'll try setting it up like you did and see what happens...
Gabriele Maoret - Head of SysAdmins at SERSIS
Currently manages 3 SmarterMail installations (1 in cloud for SERSIS which provides service to a few hundreds 3rd party Mail Domains + 2 on premise to customers)
0
Gabriele Maoret - SERSIS Replied
4/19/2023 at 5:02 AM
For the moment it seems to work... At least with this specific server where each user has his own separate IP.

I'm still worried, because when I'll upgrade our main CLOUD server there will be dozens of clients connecting simultaneously from the same public IP (because each customer will have dozens of users behind NAT and therefore only one IP for his entire organization).
I'm afraid that in this case the "1 minute/100 connections" setting may still cause false positive triggers of the DoS protection and consequently a lot of customer complaints...
Gabriele Maoret - Head of SysAdmins at SERSIS
Currently manages 3 SmarterMail installations (1 in cloud for SERSIS which provides service to a few hundreds 3rd party Mail Domains + 2 on premise to customers)
0
Brian Bjerring-Jensen Replied
4/19/2023 at 8:25 AM
What about whitelisting that specific IP from the cloud server??
0
Gabriele Maoret - SERSIS Replied
4/19/2023 at 8:35 AM
IP whitelisting doesn't solve this problem: the DoS rule is triggered even if the IP is whitelisted (I don't know if it's on purpose or not - is it a BUG?).

Also, some customers don't have a static IP, so it's not feasible for them to whitelist the IP...
Gabriele Maoret - Head of SysAdmins at SERSIS
Currently manages 3 SmarterMail installations (1 in cloud for SERSIS which provides service to a few hundreds 3rd party Mail Domains + 2 on premise to customers)
2
Kyle Kerst Replied
4/19/2023 at 9:28 AM
Employee Post
I do see a development task relating to IDS rules being triggered when they should not be, and this is likely our root cause here. Please stand by and we'll keep you posted as we find out more.
Kyle Kerst
System/Network Administrator
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Thomas Lange Replied
4/19/2023 at 9:49 AM
I already mentioned this inside another community thread: We noticed IDS/DoS blocking/rules and blocking server-access.... currently only a few Outlook/MAPI-users, but more and more eMClient/EWS-protocol users are reporting/complaining that they get the auth-dialog displayed by eMClient. In case there is a fix available I could need it for our SmarterMail server, too.
0
Gabriele Maoret - SERSIS Replied
4/19/2023 at 11:26 AM
Hi Thomas! I don't have emClient customers, but maybe this is the same that my Outlook/MAPI customers...
Gabriele Maoret - Head of SysAdmins at SERSIS
Currently manages 3 SmarterMail installations (1 in cloud for SERSIS which provides service to a few hundreds 3rd party Mail Domains + 2 on premise to customers)
1
Vahn Babigian Replied
4/19/2023 at 1:38 PM
This issue was brought up on the "SmarterMail Build 8496 (Apr 6) In-Production Issues" thread. I have had on open ticket on the issue since 4/10. The only work around we found was deleting the DoS IDS altogether. 

 
0
Ron Raley Replied
4/22/2023 at 9:01 AM
Kyle, checking in to see if this issue was fixed on the latest build?
2
Andrea Free Replied
4/25/2023 at 11:13 PM
Employee Post
Hi all, 

This issue was resolved in Build 8510. If you're still having trouble on this build, please submit a ticket so we can review directly. 

Andrea Free
SmarterTools Inc.
877-357-6278
www.smartertools.com
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
554 Error - MTA Poor Reputation FixesSmarterMail > Troubleshooting
Syncing with SmarterMailSmarterMail > Desktop and Mobile Synchronization
Configure eM Client for MAPI & EWSSmarterMail > Desktop and Mobile Synchronization
Autodiscover and OutlookSmarterMail > Desktop and Mobile Synchronization