Tuesday, July 8, 2014

HOWTO disable SMTP-AUTH support "Fortimail"

Here's a quick way for disabling  SMTP-AUTH on a Fortimail .

After the issuance of the initial EHLO/HELO, & if you recall in SMTP protocol,  after the client has established it's "hello", the SMTP server will  provide it's  supported features and functions like TLS & SMTP-AUTH to the external mailclient.

With SMTP-AUTH, you have to be cautious on the impact that SMTP-AUTH will present. Once a Chinese  hacker has found that your SMTP-server supports SMTP-AUTH, they will try a millions tries at hacking a passwords for a email user.

NOTE:  Yes, they don't even try to hide the fact that they are trying.

So you will find hundreds, if not thousands of failed SMTP-AUTH logins in your logs, if you log this activity. This shouldn't be of a big concern if your email users have secured  passwords, but why take that chance if you don't need SMTP-AUTH enabled to begin with.

If you don't need SMTP-AUTH , it's best to just flat out disable it. I will show you howto  for the email-security gateway  Fortimail.

1st we use  mxtoolbox smtp diagnostic. http://mxtoolbox.com/

MXtoolbox will show you what your SMTP-server sends to clients after a simple extended HELLO known as a EHLO. It will give an ideal of how your initial SMTP banner looks to the world.

(before )

As you can see AUTH is provided to the client and  this Fortimail support PLAIN MD5 & CRAM-MD5

Now if we want to disable this, the cli command set smtp-auth disable  under config sys mailserver, should do the trick.

( disabling SMTP -AUTH   authentication )

( post check afterwards using mxtoolbox again  )

I hope this helps you on SMTP-AUTH checking and control

NOTE: you could write a custom IPS rule to block  src ip_address based on AUTH failures or the number of time they access.

(snort rule )
alert tcp $SMTP_SVRS 25 -> $EXTERNAL_NET any (  msg:"SMTPAUTH AUTH LOGON Failed Attempts"; flow:from_server,established; flags:PA; content:"Error: authentication failed"; nocase; threshold:type threshold, track by_dst, count 10, seconds 60; classtype:attempted-user; sid:100013; rev:2; )

(fortigate ips )
F-SBID ( --name SID100013; --protocol tcp; --src_port 25 ; --flow from_server,established; --tcp_flags PA; --content "Error: authentication failed"; --no_case; --revision 2; )

FWIW:  I typically  just GEO block countries that exhibits  high SMTP AUTH abuse ( korea/china/turkey/africa/etc.... )  and when I have a requirement for supporting SMTP-AUTH  on a mail gateway YMMV

I 've also use  scripts  that parse the  fortimail logs to grab repeat offenders and then add them to a blacklist  firewall policies that's at the top of my firewallpolicy


Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- Socpuppets ---dot---com

   ^    ^
=( $ $ )=
     /  \

1 comment: