After the client issues its initial EHLO/HELO (its "hello" in the SMTP protocol), the SMTP server replies with the features and extensions it supports, such as TLS and SMTP-AUTH, to the external mail client.
With SMTP-AUTH you have to be cautious about the impact it presents. Once a Chinese hacker has found that your SMTP server supports SMTP-AUTH, they will make millions of attempts at guessing the password of an email user.
NOTE: Yes, they don't even try to hide the fact that they are trying.
So you will find hundreds, if not thousands, of failed SMTP-AUTH logins in your logs, if you log this activity. This shouldn't be a big concern if your email users have secure passwords, but why take that chance if you don't need SMTP-AUTH enabled to begin with?
If you don't need SMTP-AUTH, it's best to just flat out disable it. I will show you how to do that on the Fortimail email security gateway.
1st we use the mxtoolbox SMTP diagnostic: http://mxtoolbox.com/
MXtoolbox will show you what your SMTP server sends to clients after a simple extended HELLO, known as an EHLO. It will give you an idea of how your initial SMTP banner looks to the world.
(before)
As you can see, AUTH is advertised to the client, and this Fortimail supports PLAIN MD5 & CRAM-MD5.
Now if we want to disable this, the CLI command set smtp-auth disable under config sys mailserver should do the trick.
(disabling SMTP-AUTH authentication)
(post check afterwards using mxtoolbox again)
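The same before/after check can be run from your own host instead of mxtoolbox. This is an added example, not code from the original post or from Fortinet: it parses the multi-line EHLO reply into the advertised extensions and reports the AUTH mechanisms (an empty list after smtp-auth is disabled). The sample reply and the hostnames in it are constructed for illustration.

```python
import smtplib
from typing import Dict, List

# Constructed sample of the EHLO reply a gateway might return before
# SMTP-AUTH is disabled (illustrative, not a real capture).
SAMPLE_EHLO_REPLY = """250-mail.example.com Hello client.example.net
250-SIZE 10485760
250-STARTTLS
250-AUTH PLAIN LOGIN CRAM-MD5
250 8BITMIME"""


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Parse a raw EHLO reply into {EXTENSION: [parameters]}.

    The first 250 line is the server greeting and is skipped. Per RFC 5321,
    continuation lines start with "250-" and the final line with "250 ".
    """
    exts: Dict[str, List[str]] = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if not body:
            continue
        parts = body.split()
        exts[parts[0].upper()] = parts[1:]
    return exts


def auth_mechanisms(reply: str) -> List[str]:
    """Return the SASL mechanisms advertised via AUTH ([] when SMTP-AUTH is off)."""
    return parse_ehlo(reply).get("AUTH", [])


def check_live(host: str, port: int = 25, timeout: float = 10.0) -> List[str]:
    """Issue EHLO against a real server and return the advertised AUTH mechanisms.

    This is the same check mxtoolbox performs, run against the host you name.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("auth"):
            return []
        return smtp.esmtp_features["auth"].split()


if __name__ == "__main__":
    print("sample reply advertises AUTH:", auth_mechanisms(SAMPLE_EHLO_REPLY))
```

Run check_live("your.gateway.example") before and after the config change; AUTH should drop out of the reply entirely once smtp-auth is disabled.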
I hope this helps you with SMTP-AUTH checking and control.
NOTE: you could write a custom IPS rule to block the source IP address based on AUTH failures or the number of times it connects.
(snort rule)
alert tcp $SMTP_SVRS 25 -> $EXTERNAL_NET any ( msg:"SMTPAUTH AUTH LOGON Failed Attempts"; flow:from_server,established; flags:PA; content:"Error: authentication failed"; nocase; threshold:type threshold, track by_dst, count 10, seconds 60; classtype:attempted-user; sid:100013; rev:2; )
(fortigate ips)
F-SBID ( --name SID100013; --protocol tcp; --src_port 25 ; --flow from_server,established; --tcp_flags PA; --content "Error: authentication failed"; --no_case; --revision 2; )
FWIW: I typically just GEO-block countries that exhibit high SMTP-AUTH abuse (Korea/China/Turkey/Africa/etc.) when I have a requirement to support SMTP-AUTH on a mail gateway. YMMV.
I've also used scripts that parse the Fortimail logs to grab repeat offenders and then add them to a blacklist firewall policy that sits at the top of my firewall policy list.
Ken Felix
Freelance Network/Security Engineer
kfelix -----a----t---- Socpuppets ---dot---com
^ ^
=( $ $ )=
@
/ \
Thank you for this info!