3
SM 8504: sometimes "Denial of Service (DoS)" is triggered by Outlook MAPI users. This never happened with the old version of SM
Problem reported by Gabriele Maoret - SERSIS - 4/18/2023 at 11:38 PM
Resolved
In the "new" SmarterMail (v.8504) sometimes "Denial of Service (DoS)" (Default DoS rule) is triggered by Outlook MAPI users. This never happened with the old version of SmarterMail.


This happens if I have this rule active with the standard attributes (see this image):



This is an example of what I find in the "IDS Blocks" list:


Note that this happens in an ON PREMISE installation where both the server and the users are inside the corporate network and therefore each user has his own separate internal LAN IP, as you can see in this image:


I guess once a bunch of different users connect to a Cloud server from a LAN behind NAT with the same single public IP, this problem will only get worse...



This is really annoying because users complain that Outlook keeps logging out...
They notice because Outlook starts asking for username and password and doesn't stop until the blocked IP is deleted from the "IDS Blocks" list.

I had to raise the "Connection Before Block" parameter to make sure this doesn't happen too often, but since it NEVER happened before I wonder if this isn't a BUG of the new version of SmarterMail.

Furthermore I fear that with this parameter too high the protection against real DoS attacks becomes too light.
Gabriele Maoret - Head of SysAdmins at SERSIS
Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)

11 Replies

1
Brian Bjerring-Jensen Replied
 I changed the parameter to 1 minute and 100 on the threshold.
A DoS means a lot of connections very rapidly and this has stopped local users from getting caught in the filter.

But yeah never happened on 8451 with default settings..
0
Gabriele Maoret - SERSIS Replied
Hi Brian!

I'll try setting it up like you did and see what happens...
0
Gabriele Maoret - SERSIS Replied
For the moment it seems to work... At least with this specific server where each user has his own separate IP.

I'm still worried, because when I upgrade our main CLOUD server there will be dozens of clients connecting simultaneously from the same public IP (because each customer will have dozens of users behind NAT and therefore only one IP for his entire organization).
I'm afraid that in this case the "1 minute/100 connections" setting may still cause false positive triggers of the DoS protection and consequently a lot of customer complaints...
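The NAT concern raised in the post above, worked through as an added example (not code from any poster and not SmarterMail's implementation). It assumes the rule is a per-source-IP sliding-window counter using the "1 minute / 100 connections" values quoted in the thread; the per-user rate of 6 connections per minute and all addresses are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60             # "1 minute", value quoted in the thread
CONNECTIONS_BEFORE_BLOCK = 100  # "100 on the threshold", quoted in the thread


def first_blocks(events, window=WINDOW_SECONDS, limit=CONNECTIONS_BEFORE_BLOCK):
    """Return {source_ip: time of first block} for (timestamp, ip) events.

    Assumed rule: an IP is blocked once it has made more than `limit`
    connections within the last `window` seconds (sliding window).
    """
    recent = defaultdict(deque)
    blocked = {}
    for ts, ip in sorted(events):
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - window:   # drop connections older than the window
            q.popleft()
        if len(q) > limit:
            blocked[ip] = ts
    return blocked


def office_traffic(users, per_user_per_minute, shared_ip=None, duration=120):
    """Constructed traffic: every user reconnects at the same steady rate.

    With shared_ip set, all users appear behind that one NAT address;
    otherwise each user has its own 10.0.0.x LAN address.
    """
    interval = 60 / per_user_per_minute
    events = []
    for u in range(users):
        ip = shared_ip or f"10.0.0.{u + 1}"
        t = u * interval / users      # stagger users evenly
        while t < duration:
            events.append((t, ip))
            t += interval
    return events


if __name__ == "__main__":
    nat_ip = "203.0.113.10"  # documentation address, constructed
    print("40 users, own LAN IPs:", first_blocks(office_traffic(40, 6)))
    print("40 users, one NAT IP :", first_blocks(office_traffic(40, 6, nat_ip)))
    print("17 users, one NAT IP :", first_blocks(office_traffic(17, 6, nat_ip)))
```

Under these assumptions the same 40 users that never come close to the limit on separate LAN addresses get their shared address blocked after 25 seconds, and the rule trips as soon as more than 16 such users sit behind one address.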
0
Brian Bjerring-Jensen Replied
What about whitelisting that specific IP from the cloud server??
0
Gabriele Maoret - SERSIS Replied
IP whitelisting doesn't solve this problem: the DoS rule is triggered even if the IP is whitelisted (I don't know if it's on purpose or not - is it a BUG?).

Also, some customers don't have a static IP, so it's not feasible for them to whitelist the IP...
2
Kyle Kerst Replied
Employee Post
I do see a development task relating to IDS rules being triggered when they should not be, and this is likely our root cause here. Please stand by and we'll keep you posted as we find out more.
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Thomas Lange Replied
I already mentioned this inside another community thread: We noticed IDS/DoS blocking/rules and blocking server-access.... currently only a few Outlook/MAPI-users, but more and more eMClient/EWS-protocol users are reporting/complaining that they get the auth-dialog displayed by eMClient. In case there is a fix available I could need it for our SmarterMail server, too.
0
Gabriele Maoret - SERSIS Replied
Hi Thomas! I don't have emClient customers, but maybe this is the same as with my Outlook/MAPI customers...
1
Vahn Babigian Replied
This issue was brought up on the "SmarterMail Build 8496 (Apr 6) In-Production Issues" thread. I have had an open ticket on the issue since 4/10. The only workaround we found was deleting the DoS IDS altogether.
0
Ron Raley Replied
Kyle, checking in to see if this issue was fixed on the latest build?
2
Employee Replied
Employee Post
Hi all, 

This issue was resolved in Build 8510. If you're still having trouble on this build, please submit a ticket so we can review directly. 
