- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: SMTP Auth Failures on Fortimail How to preven...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SMTP Auth Failures on Fortimail How to prevent
Hi: I have both Fortimail devices and a Fortigate Firewall. My Fortimails are in gateway mode and server mode. On the gateway mode Users authenticate via Web Browser to view the Quarantined email. On the Fortigate I allow web access, POP and Imap only from Canada. I need to allow SMTP from everywhere so mail can send to the Fortimail. I do not need SMTP authentication other than through the Web on the gateway mode. My Fortimail is bombarded with SMTP Auth Reject from all sorts of countries. Unfortunately the Fortigate does not have an app SMTP AUTH so I cannot restrict this to Canada. I would think Fortinet might have a way to prevent brute force authorization attempts to the device. I have scanned the forums etc. and see no way to prevent this. If I locked out countries on my Fortigate they seem to find new countries to attack from. Does anyone have any suggestion to lock this activity out?
Thanks,
Scott
Labels:
- Labels:
-
FortiMail
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Scott,
You cannot really block the SMTP auth attempts as they are scripted attempts from, as you already noticed, all sorts of countries.
The best way to do it is to block the connection as soon as it occurs.
I believe FortiMail has something like a rate limiting in general that you could explore, but the less a potential attacker gets into the network, the better.
On FortiGate you can use a thread feed and input one of the sites that keep updated "bad IPs" that are known to do this kind of thing. Add this and when it is properly read, create a new firewall policy with the thread feed as source address list - put it to deny with service = ALL.
Assuming that the productive traffic is not coming from these IPs, you should be addressing most of these.
On FortiMail you can also include the SPF filtering as well as sender reputation to have these classified as spam more likely. These however can affect valid productive sources as productive sources do not necessarily configure their mail server correctly, hence you won't see mails from them anymore. Be careful with these settings. A thread feed, or blocking at firewall level is the most efficient way.
Best regards,
Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Scott,
From the FML side, you can use the 'Authentication Reputation' feature in order to detect the unwanted IPs trying to authenticate and temporarily block them.
The 'Mail' option applies to this type of authentication attempts, so make sure it is enabled.
Security > Authentication Reputation > Setting > select 'enable' & 'mail'
In most cases however, the most effective solution to reduce the number of these authentication attempts is to disable the plain text authentication on FML.
As it is not recommended to send credentials unencrypted, this will also increase your security and drastically reduce these authentication failures, since most invalid authentication attempts will be unencrypted.
- Before disabling plain text authentication, please verify that this change will not affect any of your systems:
# config sys mailserver
# set smtp-auth disable
# end
Sincerely,
Georgios
Related Posts
- put ha cluster in maintenance mode... 297 Views
- What is the feature of Fortimail... 555 Views
- SMTP Auth Failures on Fortimail... 3610 Views
- Fortimail SMTP AUTH Failure From clients... 3888 Views
- Technique to block/quarantine phishing emails? 396 Views
Labels
-
FortiGate
6,457 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.