Password Brute Force by Password
Question asked by Gary P - 4/10/2024 at 7:05 AM
We see these in the IDS blocks. Often trying users who don't even exist (i.e. randomname@legitimatedomain.con). Can we find more info in the logs, and if so, where? I suspect they may be originating from one IP, and we would wish to block that IP if that is the case. Or is this not something we should worry about, and should we just put it down to expected behaviour and be happy that SmarterMail protection is working?

We have settings at 20 attempts in a 10-minute period, blocking for ½ hour.

Any thought or comments would be appreciated.
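As an added example (not from the thread or from SmarterTools), the script below shows the kind of log crunching that answers the question above: group failed authentication attempts by source IP, apply the same threshold the thread uses (20 attempts in a 10-minute sliding window), and report how many distinct usernames each noisy source tried. A high count of distinct, mostly nonexistent users from one IP is the signature of password spraying (one or a few passwords tried across many accounts), which is what a "by Password" rule is meant to catch. The log line format here is constructed for illustration and is not SmarterMail's real format; the regex would need adjusting for actual server logs.

```python
"""Summarise failed mail-auth attempts per source IP (added example, constructed log format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CONSTRUCTED line format: "<timestamp> [<ip>] AUTH failed for <user>".
# Real SmarterMail logs look different; adjust this pattern to match them.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<ip>[0-9a-fA-F.:]+)\] "
    r"AUTH failed for (?P<user>\S+)$"
)


def build_sample_log():
    """Constructed sample log: one spraying source and one benign source."""
    lines = []
    base = datetime(2024, 4, 10, 7, 0, 0)
    # 25 failures in about five minutes, each against a different (likely nonexistent) user
    for i in range(25):
        ts = base + timedelta(seconds=12 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} [203.0.113.5] AUTH failed for user{i}@legitimatedomain.con")
    # a real user mistyping a password three times, 20 minutes apart
    for i in range(3):
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} [198.51.100.7] AUTH failed for gary@legitimatedomain.con")
    return "\n".join(lines)


def parse_failures(text):
    """Return a list of (timestamp, ip, user) tuples for lines that match LINE_RE."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line, ignore
        events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]))
    return events


def find_offenders(events, max_attempts=20, window=timedelta(minutes=10)):
    """Flag IPs whose peak failure count inside any sliding window reaches max_attempts.

    Defaults mirror the thread's IDS setting: 20 attempts in 10 minutes.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    offenders = {}
    for ip, items in by_ip.items():
        items.sort()
        times = [t for t, _ in items]
        start, peak = 0, 0
        for end in range(len(times)):
            # slide the window start forward until it fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= max_attempts:
            offenders[ip] = {
                "peak_in_window": peak,
                "total": len(items),
                "distinct_users": len({u for _, u in items}),
            }
    return offenders


if __name__ == "__main__":
    for ip, info in find_offenders(parse_failures(build_sample_log())).items():
        print(ip, info)
```

In the constructed sample only 203.0.113.5 is reported (25 failures against 25 distinct users), while the benign user's three spaced-out failures never reach the threshold. Running this over real logs, a long list of offending IPs each with few attempts is the distributed pattern the replies below describe; one IP with many attempts is the case where a firewall block is worthwhile.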

7 Replies

J. LaDow Replied
Those types of attacks are usually distributed across hundreds of compromised devices; rarely do they come from one single IP, and additionally, SM's IP detection rule would fire if it was a single one.
MailEnable survivor / convert --
AWRData Replied
It is pretty much expected behavior. Between malicious probes and "research" probes, you will see a lot of traffic which is not legitimate email. Generally, white-hat services will not try passwords against you, however. On my main infrastructure (running sendmail), I collect SMTP AUTH attempts and wind up blocking wide swaths of IPs in my border firewall. In fact, I block entire countries and tell my customers who might be traveling to use a VPN (I will even provide one for free, if needed). Sometimes I have to whitelist, and I prefer whitelisting a couple of IPs in a /16 or /8 versus the exposure of the full IP block.
Douglas Foster Replied
Some recommendations, if you can implement a second server:

1) Create an inbound gateway.
  • Implement an incoming gateway, separate from your primary mail store server.
  • Configure the IDS rule for "Password Brute Force by IP" to trigger after 1 failure, since no one but the admins should ever log onto this machine, and they can log onto the console if remote access is locked out. This rule turns the machine into a honeypot: after login failures are detected, unauthenticated delivery attempts will be blocked as well. Set the timeout value to as large a number as you want (unit of measure is seconds).
  • SMTP port 25 should be configured in "TLS" mode to support optional encryption using STARTTLS.
  • Disable other ports as they are unused, and block them at your firewall for good measure.
2) DNS (if the MX is getting its own public IP address):
  • Update your MX record to reference the incoming gateway only.
  • If you want to allow bounce messages from the incoming gateway, add its external address to your SPF record.
3) On the main server:
  • If you allow remote IMAP/POP clients, migrate them to port 587, using authenticated SMTP with mandatory encryption. Note that in SM port setup, "SSL" mode means mandatory encryption, while optional encryption with STARTTLS is "TLS" mode. Outlook uses the same terms.
  • For good measure, configure the options in "Settings... Protocols" to prevent weak authentication.
4) On your firewall:
  • Permit incoming access on port 25 to your incoming gateway.
  • Block access to incoming port 25 on your main server, since it is no longer needed.
  • You could even continue using a single public IP address, by NATting port 25 to the MX and keeping all other ports NATted to the main server.
  • If you want to block bounce messages from the incoming gateway, disable outbound access from that server to outgoing port 25.
Patrick Jeski Replied
@Douglas Foster, "Note that in SM port setup, "SSL" mode means mandatory encryption, while optional encryption with STARTTLS is "TLS" mode."

Wait, SSL and TLS in SM Port Setup (Bindings) don't line up with SSL and TLS, but simply refer to whether STARTTLS is used? I read the help and a KB article, but it's not clear whether setting a port for SSL when my server has only TLS enabled will work.
Douglas Foster Replied
You understand my assertion correctly, that it has nothing to do with the ciphersuites configured on your server. But you can test to prove me right or wrong. Set up a temporary listener on a non-standard port such as 588 or 12345, then configure IMAP or POP test connections from Outlook or your favorite email client. Newer versions of Outlook seem to be labelled unambiguously ("SSL/TLS" for mandatory, and "STARTTLS" for optional). Once you have test results, you can develop a plan to optimize your client connections using standard ports.
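The test suggested above can also be done without a mail client. The following is an added example (not from the thread, not SmarterMail code) that relies on one property of SMTP, IMAP and POP3: the server speaks first. A listener in "TLS" (STARTTLS) mode sends a plaintext greeting as soon as you connect, while a listener in "SSL" (implicit TLS, i.e. IMAPS/POP3S/SMTPS) mode stays silent until the client starts a TLS handshake. The probe connects, waits briefly for a greeting, and if none arrives tries a TLS handshake to confirm. The fake local listeners and the port numbers used in the demo are constructed so the script runs offline; against a real server you would call `classify_listener("mail.example.com", 993)` and similar.

```python
"""Tell implicit-TLS ("SSL" mode) from STARTTLS ("TLS" mode) listeners (added example)."""
import socket
import ssl
import threading

# Plaintext greetings that a server-speaks-first protocol sends on connect.
GREETING_PREFIXES = (b"220", b"* OK", b"+OK")  # SMTP, IMAP, POP3


def _tls_handshake_ok(host, port, timeout):
    """True if the port completes a TLS handshake (certificate trust is deliberately not checked)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # we only ask whether TLS is spoken at all,
    ctx.verify_mode = ssl.CERT_NONE  # not whether the certificate is trusted
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False


def classify_listener(host, port, timeout=3.0):
    """Return 'starttls-or-plain', 'implicit-tls', 'silent-no-tls' or 'unknown'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(256)
        except socket.timeout:
            data = b""  # nothing said within the timeout: server is waiting for us
    if data.startswith(GREETING_PREFIXES):
        # A greeting in the clear means optional encryption at best (STARTTLS/STLS),
        # or no encryption; confirming which would need a STARTTLS exchange.
        return "starttls-or-plain"
    if data == b"":
        return "implicit-tls" if _tls_handshake_ok(host, port, timeout) else "silent-no-tls"
    return "unknown"


def start_fake_listener(greeting):
    """Start a throwaway TCP listener on 127.0.0.1 for the offline demo; returns its port.

    greeting=None simulates a port that waits for the client (what an implicit-TLS
    port looks like before the handshake); this fake never actually speaks TLS.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if greeting is not None:
                    conn.sendall(greeting)
                try:
                    conn.recv(1024)  # wait for the client, then drop the connection
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    imap_starttls_port = start_fake_listener(b"* OK IMAP4rev1 ready\r\n")
    silent_port = start_fake_listener(None)
    print("greeting port:", classify_listener("127.0.0.1", imap_starttls_port, timeout=1.0))
    print("silent port:  ", classify_listener("127.0.0.1", silent_port, timeout=1.0))
```

Against a real IMAPS/POP3S listener the silent branch completes the handshake and reports `implicit-tls`; the constructed silent listener in the demo cannot speak TLS, so it reports `silent-no-tls`, which is also what a firewalled or misconfigured port looks like. The cipher suites negotiated in the `implicit-tls` case are whatever the host allows, which is the point made later in this thread: the mode selects when TLS starts, not which TLS version is used.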
Zach Sylvester Replied
Employee Post
Hi there,

I wanted to let you know that I submitted a feature request to the developers to modify the translations for SSL and TLS to SSL/TLS and StartTLS respectively. This change would make things easier for everyone to understand.

When you select SSL for IMAP, for instance, it's actually using IMAPS which is using TLS. It's common for people to think that the SSL option only uses SSL, which is deprecated. However, that is not true. It uses whatever cipher suites are enabled on the host machine.

I hope this clears things up.

Best regards,
Zach Sylvester System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
Patrick Jeski Replied
Thanks Zach! After testing as Doug suggested, if it turned out as he said, I was gonna be submitting a ticket for that exact thing. 
