Hi: I have both FortiMail devices and a FortiGate Firewall. My FortiMails are in gateway mode and server mode. On the gateway mode users authenticate via web browser to view the quarantined email. On the FortiGate I allow web access, POP and IMAP only from Canada. I need to allow SMTP from everywhere so mail can be sent to the FortiMail. I do not need SMTP authentication other than through the web on the gateway mode. My FortiMail is bombarded with SMTP Auth Reject from all sorts of countries. Unfortunately the FortiGate does not have an app SMTP AUTH so I cannot restrict this to Canada. I would think Fortinet might have a way to prevent brute force authorization attempts to the device. I have scanned the forums etc. and see no way to prevent this. If I locked out countries on my FortiGate they seem to find new countries to attack from. Does anyone have any suggestion to lock this activity out?
Thanks,
Scott
Hi Scott,
You cannot really block the SMTP auth attempts as they are scripted attempts from, as you already noticed, all sorts of countries.
The best way to do it is to block the connection as soon as it occurs.
I believe FortiMail has something like rate limiting in general that you could explore, but the less a potential attacker gets into the network, the better.
On FortiGate you can use a threat feed and input one of the sites that keep updated "bad IPs" that are known to do this kind of thing. Add this and when it is properly read, create a new firewall policy with the threat feed as source address list - put it to deny with service = ALL.
Assuming that the productive traffic is not coming from these IPs, you should be addressing most of these.
On FortiMail you can also include the SPF filtering as well as sender reputation to have these classified as spam more likely. These however can affect valid productive sources, as productive sources do not necessarily configure their mail server correctly, hence you won't see mails from them anymore. Be careful with these settings. A threat feed, or blocking at firewall level, is the most efficient way.
Best regards,
Markus
Hi Scott,
From the FML side, you can use the 'Authentication Reputation' feature in order to detect the unwanted IPs trying to authenticate and temporarily block them.
The 'Mail' option applies to this type of authentication attempt, so make sure it is enabled.
Security > Authentication Reputation > Setting > select 'enable' & 'mail'
In most cases however, the most effective solution to reduce the number of these authentication attempts is to disable the plain text authentication on FML.
As it is not recommended to send credentials unencrypted, this will also increase your security and drastically reduce these authentication failures, since most invalid authentication attempts will be unencrypted.
- Before disabling plain text authentication, please verify that this change will not affect any of your systems:
# config sys mailserver
# set smtp-auth disable
# end
Sincerely,
Georgios
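Both replies above come down to the same two defensive ideas: count failed SMTP AUTH attempts per source and block the source once it crosses a threshold (what FortiMail's Authentication Reputation does), and turn the result into a plain list of addresses that a FortiGate deny policy can consume as an external threat feed. The script below is an added example written for this thread; it is not Fortinet code and does not read FortiMail's real log format. The event lines are constructed and simplified (`<timestamp> src=<ip> result=<ok|fail> tls=<yes|no>`), the threshold and window are assumed values, and the "one address per line" output format is assumed to match what a FortiGate IP-address threat feed expects. It also reports what share of the failures arrived without TLS, which is the observation behind Georgios's suggestion to disable plain text authentication, and it deliberately includes a slow attacker whose attempts fall outside the window so you can see why the window length matters.

```python
"""Sliding-window SMTP AUTH failure detector.

Added example for this thread, not Fortinet code. Input lines are a
constructed, simplified event format, not FortiMail's real log format:
    <ISO timestamp> src=<ip> result=<ok|fail> tls=<yes|no>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events (RFC 5737 documentation addresses, not real traffic).
# 198.51.100.7: fast brute force, five plaintext failures in nine seconds.
# 203.0.113.9:  a legitimate user who mistypes once, then succeeds over TLS.
# 192.0.2.44:   a slow attacker, one plaintext failure every fifteen minutes.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=198.51.100.7 result=fail tls=no
2024-05-01T10:00:03Z src=198.51.100.7 result=fail tls=no
2024-05-01T10:00:05Z src=198.51.100.7 result=fail tls=no
2024-05-01T10:00:08Z src=198.51.100.7 result=fail tls=no
2024-05-01T10:00:09Z src=198.51.100.7 result=fail tls=no
2024-05-01T10:00:20Z src=203.0.113.9 result=fail tls=yes
2024-05-01T10:01:00Z src=203.0.113.9 result=ok tls=yes
2024-05-01T10:05:00Z src=192.0.2.44 result=fail tls=no
2024-05-01T10:20:00Z src=192.0.2.44 result=fail tls=no
2024-05-01T10:35:00Z src=192.0.2.44 result=fail tls=no
2024-05-01T10:50:00Z src=192.0.2.44 result=fail tls=no
2024-05-01T11:05:00Z src=192.0.2.44 result=fail tls=no
"""


def parse_event(line):
    """Split one constructed event line into (timestamp, ip, failed, used_tls)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, ipaddress.ip_address(kv["src"]), kv["result"] == "fail", kv["tls"] == "yes"


def find_offenders(log_text, threshold=5, window_minutes=10):
    """Return {ip: time_of_block} for every source that accumulates
    `threshold` failed attempts inside a sliding window of `window_minutes`.
    Threshold and window are assumed tuning values, not Fortinet defaults."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, failed, _ = parse_event(line)
        if ip in blocked or not failed:
            continue  # successes never count against a source
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that aged out of the window
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def plaintext_share(log_text):
    """Fraction of failed attempts that arrived without TLS."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    failures = [e for e in events if e[2]]
    if not failures:
        return 0.0
    return sum(1 for e in failures if not e[3]) / len(failures)


def to_feed(blocked):
    """Render the block list as one address per line, the shape assumed here
    for a FortiGate external IP-address threat feed."""
    return "\n".join(str(ip) for ip in sorted(blocked, key=int)) + "\n"


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    print("blocked with 10-minute window:", {str(k): v.isoformat() for k, v in hits.items()})
    print("blocked with 2-hour window:   ", [str(k) for k in find_offenders(SAMPLE_LOG, window_minutes=120)])
    print(f"plaintext share of failures: {plaintext_share(SAMPLE_LOG):.2f}")
    print("feed file contents:\n" + to_feed(hits), end="")
```

With the default ten-minute window only the fast source is caught; the slow source at 192.0.2.44 never has more than one failure inside the window and is only picked up when the window is widened to two hours. That is the trade-off behind any reputation or rate-limit setting: a short window reacts quickly but misses patient attackers, a long window catches them at the cost of more state and a higher chance of locking out a real user who fumbles a password a few times. The plaintext share (ten of eleven failures here) is the kind of number worth checking in your own logs before following the advice to disable plain text authentication.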
Copyright 2024 Fortinet, Inc. All Rights Reserved.