How to block users so only our ip and webmail can be used for authentication for mail sending

Discussion regarding the Standard version.
aloksharma2k27
Posts: 5
Joined: Thu Aug 01, 2019 9:27 am

Post by aloksharma2k27 » Fri Sep 18, 2020 5:53 am

Hello,
We want to control malicious user (sending mails by authenticating remotely) activity and we have a static IP on our office LAN.

Now I tried smtp -> properties -> inbound -> ip control restrictions -> denied all except, but by doing this all our incoming mails from other mail servers also got blocked (like someone sending from Gmail, Yahoo, etc.).

I just want the outgoing mails to be restricted. Is there any option for that, so only our users from a particular IP can connect with MailEnable and all others will be denied access?

Warm regards

MailEnable-Ian
Site Admin
Posts: 9447
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Post by MailEnable-Ian » Mon Sep 21, 2020 1:21 am

Hi,

Just to clarify, you're trying to restrict SMTP relaying so that only privileged IP addresses are granted relay rights to send outbound emails?

> Now I tried smtp -> properties -> inbound -> ip control restrictions -> denied all except, but by doing this all our incoming mails from other mail servers also got blocked (like someone sending from Gmail, Yahoo, etc.).

For the above option to be effective you would need to have a firewall or spam gateway in place, where the gateway filters the inbound emails and then forwards to the MailEnable server. You can then set the option to only allow inbound access from the gateway and deny everything else. You would also need to change your MX records to point to the gateway though.

Regards,

Ian Margarone
MailEnable Support

aloksharma2k27
Posts: 5
Joined: Thu Aug 01, 2019 9:27 am

Post by aloksharma2k27 » Tue Oct 20, 2020 6:39 am

Yes, basically we want to allow only users authenticating from Outlook and webmail (with only privileged IPs). I am not sure how to use the gateway setup; can you guide me a bit more? We are under brute force from random IPs and sick & tired at this point; if we can even restrict users' clients to Outlook it would be a big help.

Also, I want to know if any version of webmail provides two-factor auth to mitigate attackers, so if some user connects from any other client they get an OTP or secure link to whitelist the system before use?

Regards

aloksharma2k27
Posts: 5
Joined: Thu Aug 01, 2019 9:27 am

Post by aloksharma2k27 » Wed Oct 21, 2020 8:15 am

Maybe I was not clear in my description; here are sample SMTP logs of the brute force on our mail server:

10/21/20 00:00:03	SMTP-IN	DCD1960053004A1CA76EEDD807773705.MAI	1456	150.107.120.36	QUIT	QUIT	221 Service closing transmission channel	42	6		
10/21/20 00:00:06	SMTP-IN	2989DCC9AF6A47BE820AD72E181DBCAA.MAI	1724	114.143.37.59			220 mail.jajoogroup.com ESMTP MailEnable Service, Version: 10.25-- ready at 10/21/20 00:00:06	95	0		
10/21/20 00:00:06	SMTP-IN	2989DCC9AF6A47BE820AD72E181DBCAA.MAI	1724	114.143.37.59	EHLO	EHLO [114.143.37.59]	250-jajoogroup.com [114.143.37.59], this server offers 5 extensions	239	22		
10/21/20 00:00:07	SMTP-IN	2989DCC9AF6A47BE820AD72E181DBCAA.MAI	1724	114.143.37.59	STARTTLS			24	10		
10/21/20 00:00:07	SMTP-IN	2989DCC9AF6A47BE820AD72E181DBCAA.MAI	1724	114.143.37.59	STARTTLS	STARTTLS		24	10		
10/21/20 00:00:08	SMTP-IN	2989DCC9AF6A47BE820AD72E181DBCAA.MAI	1724	114.143.37.59	EHLO	EHLO [114.143.37.59]	250-jajoogroup.com [114.143.37.59], this server offers 4 extensions	130	22		
10/21/20 00:00:08	SMTP-IN	2989DCC9AF6A47BE820AD72E181DBCAA.MAI	1724	114.143.37.59	AUTH	AUTH LOGIN	334 VXNlcm5hbWU6	18	12		
10/21/20 00:00:08	SMTP-IN	2989DCC9AF6A47BE820AD72E181DBCAA.MAI	1724	114.143.37.59	AUTH	{blank}	334 UGFzc3dvcmQ6	18	46	*************@ourservermail.com	
10/21/20 00:00:09	SMTP-IN	2989DCC9AF6A47BE820AD72E181DBCAA.MAI	1724	114.143.37.59	AUTH	IWpham9vZ3JvdXBAMTIzI2phaXB1cg==	535 Invalid Username or Password	34	34	*************@ourservermail.com	
10/21/20 00:00:09	SMTP-IN	2989DCC9AF6A47BE820AD72E181DBCAA.MAI	1724	114.143.37.59	QUIT	QUIT	221 Service closing TLS SSL transmission session	50	6	*************@ourservermail.com	
10/21/20 00:00:50	SMTP-IN	ABDEDB6E4A2B467CB79234514DE5308E.MAI	1748	109.165.234.82			220 mail.jajoogroup.com ESMTP MailEnable Service, Version: 10.25-- ready at 10/21/20 00:00:50	95	0		
10/21/20 00:00:50	SMTP-IN	ABDEDB6E4A2B467CB79234514DE5308E.MAI	1748	109.165.234.82	EHLO	EHLO [109.165.234.82]	250-jajoogroup.com [109.165.234.82], this server offers 5 extensions	240	23		
10/21/20 00:00:51	SMTP-IN	ABDEDB6E4A2B467CB79234514DE5308E.MAI	1748	109.165.234.82	STARTTLS			24	10		
10/21/20 00:00:51	SMTP-IN	ABDEDB6E4A2B467CB79234514DE5308E.MAI	1748	109.165.234.82	STARTTLS	STARTTLS		24	10		
10/21/20 00:00:51	SMTP-IN	ABDEDB6E4A2B467CB79234514DE5308E.MAI	1748	109.165.234.82	EHLO	EHLO [109.165.234.82]	250-jajoogroup.com [109.165.234.82], this server offers 4 extensions	131	23		
10/21/20 00:00:51	SMTP-IN	ABDEDB6E4A2B467CB79234514DE5308E.MAI	1748	109.165.234.82	AUTH	AUTH LOGIN	334 VXNlcm5hbWU6	18	12		
10/21/20 00:00:51	SMTP-IN	ABDEDB6E4A2B467CB79234514DE5308E.MAI	1748	109.165.234.82	AUTH	{blank}	334 UGFzc3dvcmQ6	18	46	*************@ourservermail.com	
10/21/20 00:00:52	SMTP-IN	ABDEDB6E4A2B467CB79234514DE5308E.MAI	1748	109.165.234.82	AUTH	IWpham9vZ3JvdXBAMTIzI2phaXB1cg==	535 Invalid Username or Password	34	34	*************@ourservermail.com	
10/21/20 00:00:52	SMTP-IN	ABDEDB6E4A2B467CB79234514DE5308E.MAI	1748	109.165.234.82	QUIT	QUIT	221 Service closing TLS SSL transmission session	50	6	*************@ourservermail.com	
10/21/20 00:01:34	SMTP-IN	7C38D4DFAE68480A90B3520276125BF0.MAI	1688	87.202.30.11			220 mail.jajoogroup.com ESMTP MailEnable Service, Version: 10.25-- ready at 10/21/20 00:01:34	95	0		
10/21/20 00:01:35	SMTP-IN	7C38D4DFAE68480A90B3520276125BF0.MAI	1688	87.202.30.11	EHLO	EHLO [87.202.30.11]	250-jajoogroup.com [87.202.30.11], this server offers 5 extensions	238	21		
10/21/20 00:01:35	SMTP-IN	7C38D4DFAE68480A90B3520276125BF0.MAI	1688	87.202.30.11	STARTTLS			24	10		
10/21/20 00:01:35	SMTP-IN	7C38D4DFAE68480A90B3520276125BF0.MAI	1688	87.202.30.11	STARTTLS	STARTTLS		24	10		
10/21/20 00:01:35	SMTP-IN	7C38D4DFAE68480A90B3520276125BF0.MAI	1688	87.202.30.11	EHLO	EHLO [87.202.30.11]	250-jajoogroup.com [87.202.30.11], this server offers 4 extensions	129	21		
10/21/20 00:01:36	SMTP-IN	7C38D4DFAE68480A90B3520276125BF0.MAI	1688	87.202.30.11	AUTH	AUTH LOGIN	334 VXNlcm5hbWU6	18	12		
10/21/20 00:01:36	SMTP-IN	7C38D4DFAE68480A90B3520276125BF0.MAI	1688	87.202.30.11	AUTH	{blank}	334 UGFzc3dvcmQ6	18	46	*************@ourservermail.com	
10/21/20 00:01:37	SMTP-IN	7C38D4DFAE68480A90B3520276125BF0.MAI	1688	87.202.30.11	AUTH	IWpham9vZ3JvdXBAMTIzI2phaXB1cg==	535 Invalid Username or Password	34	34	*************@ourservermail.com	
10/21/20 00:01:37	SMTP-IN	7C38D4DFAE68480A90B3520276125BF0.MAI	1688	87.202.30.11	QUIT	QUIT	221 Service closing TLS SSL transmission session	50	6	*************@ourservermail.com

From what I understand, someone is using proxy IPs to randomize location and doing a brute force on our server, and in the past month they became successful too and sent so many spam mails that our server went into a spam abuse list.

So what I simply want is that when a user sends an EHLO/AUTH request to connect with the mail server, we only allow privileged IPs, so unknown users cannot connect and send outbound spam. If MailEnable has this functionality, please tell me how to add restrictions, or if there is documentation, I am ready to implement my own extension logic [I know C# very well].
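
An added example, not part of the thread and not MailEnable code: a Python check over logs in the tab-separated layout of the excerpt above, reporting accounts that receive failed AUTH attempts from several distinct addresses outside an allow-list, and any successful AUTH from outside it. Assumptions: the column positions are inferred from the excerpt, a successful login is logged with an RFC 4954 `235` response (the excerpt only shows `535`), and the allow-listed address, sample lines and account name are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Assumption: stands in for the office's static address (documentation range).
ALLOWED = [ipaddress.ip_network("203.0.113.10/32")]

# Constructed sample lines in the excerpt's column layout; not real traffic.
def _row(ip, cmd, resp, account=""):
    return "\t".join(["10/21/20 00:00:09", "SMTP-IN", "SESSION.MAI", "1724",
                      ip, cmd, "(redacted)", resp, "34", "34", account, ""])

SAMPLE_LOG = "\n".join([
    _row("198.51.100.7", "AUTH", "535 Invalid Username or Password", "user@example.test"),
    _row("198.51.100.99", "AUTH", "535 Invalid Username or Password", "user@example.test"),
    _row("192.0.2.44", "AUTH", "535 Invalid Username or Password", "user@example.test"),
    _row("203.0.113.10", "AUTH", "535 Invalid Username or Password", "user@example.test"),
    _row("192.0.2.45", "AUTH", "235 Authenticated", "user@example.test"),
    _row("192.0.2.46", "QUIT", "221 Service closing transmission channel"),
    "truncated line without enough fields",
])

def is_allowed(ip_text, allowed=ALLOWED):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address is never treated as trusted
    return any(ip in net for net in allowed)

def analyse(log_text, allowed=ALLOWED, min_ips=3):
    """Return (sprayed_accounts, outside_logins) for AUTH events from non-allowed IPs."""
    failures = defaultdict(set)   # account -> distinct outside IPs that got a 535
    outside_logins = []           # (ip, account) for a 235 from outside the allow-list
    for line in log_text.splitlines():
        f = line.split("\t")
        if len(f) < 11 or f[1] != "SMTP-IN" or f[5] != "AUTH":
            continue              # skip malformed lines and non-AUTH commands
        ip, resp, account = f[4], f[7], f[10].lower()
        if is_allowed(ip, allowed):
            continue
        if resp.startswith("535"):
            failures[account].add(ip)
        elif resp.startswith("235"):
            outside_logins.append((ip, account))
    sprayed = {a: sorted(ips) for a, ips in failures.items() if len(ips) >= min_ips}
    return sprayed, outside_logins

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Failures are grouped per account rather than per source address because each address in the excerpt makes only a single attempt, so a per-IP counter would never trip.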