Back to Community Threads
"Block authentication by country" makes MS Outlook Mobile unusable: its connections come from foreign countries (Microsoft's fault...)
Problem reported by Gabriele Maoret - SERSIS - 11/18/2023 at 3:14 AM
Submitted
Scenario:

I set my SmarterMail domain to accept connections ONLY from Italy.
At this point my users who use MS Outlook Mobile are no longer able to connect to the server, this is because Microsoft passes MS Outlook Mobile connections through its Azure datacenters, many of which are abroad... (see also here: https://portal.smartertools.com/community/a95673/new-outlook-version.aspx)

How should we behave to solve this problem?
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS
Currently manages 7 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 6 on-premise for customers who prefer to have their mail server in-house)
Use the native apps instead of the shitty outlook app.
Gabriele Maoret - SERSIS Replied
11/18/2023 at 3:27 AM

I understand your point of view and, in general, I agree with it.

But it's not always that easy...

We have hundreds of different domains on our SmarterMail servers, and almost every domain corresponds to a different customer.
Unfortunately some of these customers WANT to use MS Outlook Mobile and there is no way to change their minds...


Furthermore, we don't know what will happen in the future with Outlook for Windows and/or MAC: what will happen if in the near future Microsoft decides to use the same strategy here too?
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS
Currently manages 7 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 6 on-premise for customers who prefer to have their mail server in-house)
Ohh they will. Its a matter of sanitizing your email for info/value.

Private clouds  and not using outlook on laptops/phones is the way forward. Tell your clients that they will violate GDPR using the Outlook app.

Then they will understand and obey :)
D
Douglas Foster Replied
11/18/2023 at 1:36 PM
Nine and emclient are non-invasive client alternatives to Outlook mobile

Other options:   (1) Tune your country blocking to be less restrictive .   China is the biggest problem, and I would hope that they are not routing traffic into the Great Firewall.

(2) Get a firewall that can do country blocking.  The attacks I have seen have used port 25 SMTP, while Outlook should be able to connect on port 443 using mapi or ews or was.
On our firewalls 56% of crap blocked is from the US.

China is less than 8%.

INdia, Romania, Bulgaria and Brazil is a lot worse.
Gabriele Maoret - SERSIS Replied
11/19/2023 at 1:20 AM

  1. option: that can be a better-than-nothing solution, but:
    1. how can I know all the countries to "unblock" for MS Outlook Mobile? do you have a list?
    2. this anyway expose the server for attacks that came from the contries listed at point a., and (as Brian Bjerring-Jensen said)  a lot of attacks come from USA and Europen countries too...

  2. option: that can't do, because if I block port 25 (or/and 465) from (example) China with a firewall, then I block even the legitimate emails that came from there (and we have a lot of customers that have business with China...)
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS
Currently manages 7 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 6 on-premise for customers who prefer to have their mail server in-house)
Nouman Saeed Replied
11/19/2023 at 2:25 AM
It also keeps on loading forever and not taking me anywhere.
Nomi
D
Douglas Foster Replied
11/19/2023 at 4:32 AM
The block-by-country feature was added because of a specific problem:  password guessing attacks using SMTP AUTH on port 25 from servers in China.    Because my MX is an inbound gateway, no legitimate sender should be trying to log into it, so I was able to use it as a honeypot.    I stopped counting at 20,000 unique IP addresses that were involved in the attack, which persisted over an extended period.    This campaign was detected and reported by multiple users on this forum.    All of our other spam problems pale in comparison.

The block-by-country feature may be useful for other contexts, but you have to consider the risks of cloud-based data centers that are replicated all over the world for redundancy.   If I remember correctly, one of my vendors has data centers in the US, Ireland, and Singapore.  My traffic usually goes through the U.S. data center, but the others are backup if the U.S. center has problems.

My organization also blocks port 443 from foreign countries, for other reasons.  So I don't know if China is cranking up similar attacks on port 443 or other ports, but we should probably expect it. 
M
Mark Johnson Replied
1/16/2024 at 5:07 PM
Does it log that an IP is "auth blocked by country"? 
I'm still seeing login attempts (unsuccessful) from China despite it being blocked?
Or will it only block login if the attempt is successful?

[2024.01.17] 10:10:55.418 [59.46.193.187][47860066] Country code: CN
[2024.01.17] 10:10:58.093 [59.46.193.187][47860066] cmd: EHLO [59.46.193.187]
[2024.01.17] 10:10:59.425 [59.46.193.187][47860066] cmd: AUTH LOGIN
[2024.01.17] 10:11:00.780 [59.46.193.187][47860066] Authenticating as ..
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Key Feature and Version Milestones in SmarterMailSmarterMail
Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
Webmail Shows an Expired Certificate WarningSmarterMail > Troubleshooting
Setting Up Two-Factor Authentication (2FA, MFA, etc.)SmarterMail > Desktop and Mobile Synchronization
Autodiscover and Registry Edits for Outlook and MAPISmarterMail > Desktop and Mobile Synchronization