Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Scott_Cuff
New Contributor

SMTP Auth Failures on Fortimail How to prevent

Hi:  I have both Fortimail devices and a Fortigate Firewall.  My Fortimails  are in gateway mode and server mode.  On the gateway mode Users authenticate via Web Browser to view the Quarantined email.  On the Fortigate I allow web access, POP and Imap only from Canada.   I need to allow SMTP from everywhere so mail can send to the Fortimail.  I do not need SMTP authentication other than through the Web on the gateway mode.  My Fortimail is bombarded with SMTP Auth Reject from all sorts of countries.  Unfortunately  the Fortigate does not have an app SMTP AUTH  so I cannot restrict this to Canada.  I would think Fortinet might have a way to prevent brute force authorization attempts to the device. I have scanned the forums etc. and see no way to prevent this.  If I locked out countries on my Fortigate  they seem to find new countries to attack from.   Does anyone have any suggestion to lock this activity out?

 

Thanks,

Scott

2 REPLIES 2
Markus_M
Staff
Staff

Hi Scott,

 

You cannot really block the SMTP auth attempts as they are scripted attempts from, as you already noticed, all sorts of countries.

 

The best way to do it is to block the connection as soon as it occurs.

I believe FortiMail has something like a rate limiting in general that you could explore, but the less a potential attacker gets into the network, the better.

 

On FortiGate you can use a thread feed and input one of the sites that keep updated "bad IPs" that are known to do this kind of thing. Add this and when it is properly read, create a new firewall policy with the thread feed as source address list - put it to deny with service = ALL.

Assuming that the productive traffic is not coming from these IPs, you should be addressing most of these.

 

On FortiMail you can also include the SPF filtering as well as sender reputation to have these classified as spam more likely. These however can affect valid productive sources as productive sources do not necessarily configure their mail server correctly, hence you won't see mails from them anymore. Be careful with these settings. A thread feed, or blocking at firewall level is the most efficient way.

 

Best regards,

 

Markus

gmichailidis
Staff
Staff

Hi Scott,

From the FML side, you can use the 'Authentication Reputation' feature in order to detect the unwanted IPs trying to authenticate and temporarily block them.
The 'Mail' option applies to this type of authentication attempts, so make sure it is enabled.
Security > Authentication Reputation > Setting > select 'enable' & 'mail'

 

In most cases however, the most effective solution to reduce the number of these authentication attempts is to disable the plain text authentication on FML.
As it is not recommended to send credentials unencrypted, this will also increase your security and drastically reduce these authentication failures, since most invalid authentication attempts will be unencrypted.

 

- Before disabling plain text authentication, please verify that this change will not affect any of your systems:

 

# config sys mailserver
# set smtp-auth disable
# end

 

Sincerely,
Georgios

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors