Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kloby
New Contributor

SMTP Auth Failure?

I have FortiMAil 100c in Gateway mod with Exchange2007. How to block or is there some option to limit wrong SMTP auth for mail accounts on fortimail ?
2 Solutions
Carl_Windsor_FTNT

It is not entirely true that you can't ban IP sources, albeit temporarily.  In 5.3, we added SMTP authentication failure tracking.  To configure:   config system security authserver       set status [enable, disable, monitor-only] end   It uses a variety of adaptive factors, similar to our sender reputation feature to detect and block brute forcing (not just consecutive failures) and temporarily locks out (tarpitting) the user.

 

Carl

Dr. Carl Windsor Field Chief Technology Officer Fortinet

View solution in original post

NotMine

Hello Carl,

 

Thank you very much for your response, it's great news! I've just tested it in my lab, and it seams to be working just fine! :)))

 

However... :) Can you please point me to some documentation or something that would help me understand this feature better? Can I monitor it in the GUI (I already saw the 'diag system authserver scores')? Can I alter the timeout period? Stuff like that, which would help the end customer using this great feature.

 

Cheers,

Slavko

NSE 7

All oppinions/statements written here are my own.

View solution in original post

NSE 7 All oppinions/statements written here are my own.
9 REPLIES 9
Bromont_FTNT
Staff
Staff

Can you elaborate? If someone authenticates with wrong credentials on the Fortimail relay will be denied.
emnoc
Esteemed Contributor III

1s question do you need or expect any SMTP auth? ( 250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5 ) Yes no, just disable it in your mail profile? Unless your offering mali-relay to various src ip_address, than I would disable SMTP-auth imho As soon as you have SMTP authentication enable, than you will get a rash of dictionary attacker trying everything from admin, post,postmaster administrator, root , sales, info, etc...... you get the picture. Bad thing about this, the fortimail has no way to ban these src ip_address unless you use a fortigate and a some custom IPS rule. I wish they would incould some type of brute-force monitor and after a single address failed SMTP-AUTH like 20+ times in X , than you ban them like with a IPS quarantine ip_address does.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
kloby
New Contributor

Thanks for replay, Can you tell me where else can I check that SMTP auth is not enabled, I find it only here (attachment)? And yes it would be nice to have some kind notification that somebody is trying to bruteforce, else you must watch/filter big log files to find something is wrong. :(
emnoc
Esteemed Contributor III

I' m re-writing and moving my blog around, but take a look at this. I push this out since I knew you or another will run across the same issue. http://socpuppet.blogspot.com/2014/07/howto-disable-smtp-auth-support.html FWIW; I don' t think the ip/access-policy is where/what enables the SMTP-AUTH but you can check. If you have a fortigate, I would write a SMTP-AUTH rule and block by tracking the server auth-failures and the destination address. This would give you a piece of mind and protection from any brute/dictionary or hybrid based attacks. note: One more auth that can be disable in the same fashion is ; config sys mailserver set smtp-auth-smtps disable end I believe that take care of the SSMTP port 465; cat services | grep smtp smtp 25/tcp mail ssmtp 465/tcp smtps # SMTP over SSL Check and confirm by using mxtoolbox as outline in that blog.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
NotMine
Contributor II

To revamp this post: what if I need SMTP authentication for my outside clients (people who are sending email from their mobile devices etc.), and disabling it is not an option?

NSE 7

All oppinions/statements written here are my own.

NSE 7 All oppinions/statements written here are my own.
Carl_Windsor_FTNT

It is not entirely true that you can't ban IP sources, albeit temporarily.  In 5.3, we added SMTP authentication failure tracking.  To configure:   config system security authserver       set status [enable, disable, monitor-only] end   It uses a variety of adaptive factors, similar to our sender reputation feature to detect and block brute forcing (not just consecutive failures) and temporarily locks out (tarpitting) the user.

 

Carl

Dr. Carl Windsor Field Chief Technology Officer Fortinet

NotMine

Hello Carl,

 

Thank you very much for your response, it's great news! I've just tested it in my lab, and it seams to be working just fine! :)))

 

However... :) Can you please point me to some documentation or something that would help me understand this feature better? Can I monitor it in the GUI (I already saw the 'diag system authserver scores')? Can I alter the timeout period? Stuff like that, which would help the end customer using this great feature.

 

Cheers,

Slavko

NSE 7

All oppinions/statements written here are my own.

NSE 7 All oppinions/statements written here are my own.
Wayne11

 

I would also like to get more information about this. Anyone know if or where Fortinet has a documentation?

 

emnoc
Esteemed Contributor III

In 5.3, we added SMTP authentication failure tracking.

 

FWIW;  that  feature would not be available in a FML100C model.

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors