Skip to main content
Scott_Cuff
Scott_Cuff
New Member
October 1, 2022
Question

SMTP Auth Failures on Fortimail How to prevent

  • October 1, 2022
  • 2 replies
  • 9620 views

Hi:  I have both Fortimail devices and a Fortigate Firewall.  My Fortimails  are in gateway mode and server mode.  On the gateway mode Users authenticate via Web Browser to view the Quarantined email.  On the Fortigate I allow web access, POP and Imap only from Canada.   I need to allow SMTP from everywhere so mail can send to the Fortimail.  I do not need SMTP authentication other than through the Web on the gateway mode.  My Fortimail is bombarded with SMTP Auth Reject from all sorts of countries.  Unfortunately  the Fortigate does not have an app SMTP AUTH  so I cannot restrict this to Canada.  I would think Fortinet might have a way to prevent brute force authorization attempts to the device. I have scanned the forums etc. and see no way to prevent this.  If I locked out countries on my Fortigate  they seem to find new countries to attack from.   Does anyone have any suggestion to lock this activity out?

 

Thanks,

Scott

2 replies

Markus_M
Staff & Editor
Markus_M
Staff & Editor
October 2, 2022

Hi Scott,

 

You cannot really block the SMTP auth attempts as they are scripted attempts from, as you already noticed, all sorts of countries.

 

The best way to do it is to block the connection as soon as it occurs.

I believe FortiMail has something like a rate limiting in general that you could explore, but the less a potential attacker gets into the network, the better.

 

On FortiGate you can use a thread feed and input one of the sites that keep updated "bad IPs" that are known to do this kind of thing. Add this and when it is properly read, create a new firewall policy with the thread feed as source address list - put it to deny with service = ALL.

Assuming that the productive traffic is not coming from these IPs, you should be addressing most of these.

 

On FortiMail you can also include the SPF filtering as well as sender reputation to have these classified as spam more likely. These however can affect valid productive sources as productive sources do not necessarily configure their mail server correctly, hence you won't see mails from them anymore. Be careful with these settings. A thread feed, or blocking at firewall level is the most efficient way.

 

Best regards,

 

Markus

gmichailidis
Staff
gmichailidis
Staff
October 5, 2022

Hi Scott,

From the FML side, you can use the 'Authentication Reputation' feature in order to detect the unwanted IPs trying to authenticate and temporarily block them.
The 'Mail' option applies to this type of authentication attempts, so make sure it is enabled.
Security > Authentication Reputation > Setting > select 'enable' & 'mail'

 

In most cases however, the most effective solution to reduce the number of these authentication attempts is to disable the plain text authentication on FML.
As it is not recommended to send credentials unencrypted, this will also increase your security and drastically reduce these authentication failures, since most invalid authentication attempts will be unencrypted.

 

- Before disabling plain text authentication, please verify that this change will not affect any of your systems:

 

# config sys mailserver
# set smtp-auth disable
# end

 

Sincerely,
Georgios

    Terms & ConditionsAccessibility statement