
From: Paul
Date: 5/29/16 12:51 PM
Topic: Possible abuse originating from my Xeams server?
Type: General Discussions

Hi all,

Whilst checking the security logs on my actual mail server (not the Xeams server) I noticed a huge number of failed SMTP login attempts:

-----
[27/May/2016 07:00:34] SMTP: User model@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
[27/May/2016 07:00:40] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.
[27/May/2016 07:01:44] SMTP: User monica@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
[27/May/2016 07:01:50] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.
[27/May/2016 07:02:55] SMTP: User monika@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
[27/May/2016 07:03:01] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.
[27/May/2016 07:04:07] SMTP: User morgan@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
[27/May/2016 07:04:13] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.
[27/May/2016 07:05:18] SMTP: User move@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
[27/May/2016 07:05:24] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.
[27/May/2016 07:06:28] SMTP: User msg@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
[27/May/2016 07:06:34] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.
[27/May/2016 07:07:40] SMTP: User murray@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
[27/May/2016 07:07:46] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.
[27/May/2016 07:08:51] SMTP: User mysql@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
[27/May/2016 07:08:57] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.
[27/May/2016 07:10:02] SMTP: User nadia@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
[27/May/2016 07:10:09] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.
[27/May/2016 07:11:14] SMTP: User name@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
[27/May/2016 07:11:20] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.
[27/May/2016 07:12:25] SMTP: User napaporn@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
[27/May/2016 07:12:31] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.
[27/May/2016 07:13:37] SMTP: User natalia@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
[27/May/2016 07:13:43] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.
[27/May/2016 07:14:48] SMTP: User net@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
[27/May/2016 07:14:54] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.
[27/May/2016 07:15:59] SMTP: User newman@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
[27/May/2016 07:16:05] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.
[27/May/2016 07:17:11] SMTP: User news@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
[27/May/2016 07:17:17] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.
[27/May/2016 07:18:22] SMTP: User nick@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
[27/May/2016 07:18:28] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.
[27/May/2016 07:19:34] SMTP: User nina@<domain> doesn't exist. Attempt from IP address 192.168.0.14.
-----

This is just a tiny sample; it's been going on for quite some time, with hundreds of attempts every day.
The IP 192.168.0.14 is the internal address of my Xeams server, the actual mail server is in the same subnet.
So these 'attacks' (as they seem to qualify to me) do seem to originate from the Xeams server itself.
I ran a MALDET on the Xeams server (Ubuntu 12 LTS) but no hits after a full scan.
The internal Xeams diagnostic also came out clean, all green check boxes.

Is there something I might be overlooking (I'm by no means a Linux connoisseur :) ), or is someone or something actually trying to abuse my mail server from my Xeams server?

Thanks!
Paul.


From: Dave
Date: 6/5/16 5:26 PM
Topic: Possible abuse originating from my Xeams server?
Type: General Discussions

You are suffering a dictionary attack from "outside"; you are getting these messages because these users don't exist on your PC.


From: Paul
Date: 6/7/16 11:59 AM
Topic: Possible abuse originating from my Xeams server?
Type: General Discussions

Hi Dave,

Thanks for your feedback, it indeed looks like some sort of (dictionary / brute force) attack.

I'm not really a network security specialist, I'm weeding through firewall logs to find something relevant.

The weird thing (to me) is that these attempts originate from the internal IP of my Xeams server, according to the log of my actual mail server.

They both are in the same LAN, behind 2 firewalls, a software appliance Sophos UTM and a hardware WatchGuard.

Only port 25 is forwarded / DNAT'd to the internal IP address of the Xeams server.

As soon as I disable the port forwarding, the attack attempts do stop from showing up in my mail server logs.

I then use the SMTP proxy of the Sophos UTM (which is very nice btw & free in the UTM Home Edition), and no more attacks.

I updated the Xeams server (Linux Ubuntu) to the latest release LTS version & patches, same issue afterwards.

What I don't understand is how this attack is able to get through the firewall via port 25 TCP and then originate this dictionary attack from the Xeams IP to my actual mail server.

tbh, I will stop using Xeams as long as I haven't figured this out and until I have secured this breach properly.

Thanks, Paul.


From: Dave
Date: 6/7/16 2:49 PM
Topic: Possible abuse originating from my Xeams server?
Type: General Discussions

Hi Paul

These attacks will get through and there is nothing you can do about it! SMTP works on port 25 and ANYTHING sent to this port will pass through a firewall. If it is an attempted "login" then it will reach your mail server (by way of Xeams) before it is "thrown out" as being incorrect - usually after a set number of retries that you specify. If, as in the case I am plagued with, someone just sends "Syn" requests to Xeams, they will appear as "Intrusion detections" and just cause wasted bandwidth while Xeams tries to make sense of them.

There is no real way of stopping any of these, other than in your case, where you are running Linux, when there are programs which will modify your firewall settings to "ban" the IP address that is used. There is a freeware program to do this (I can't remember the name as I only use Windows) but this would be a solution for you - the length of time that the IP address is "banned" for is something you can set, and this would enable you to say after three or so attempts block the IP address for 10 to 15 mins. The attacker will of course change the spoofed address BUT as you will be changing it after three attempts they will soon run out of addresses or get bored. This program could intercept the attempts before they reached Xeams again and would just need to read the invalid password attempts log as its input.


From: Paul
Date: 6/9/16 8:07 AM
Topic: Possible abuse originating from my Xeams server?
Type: General Discussions

Hi Dave,

Good idea indeed, I'll try and intercept these attempts at a higher level.

Already figured out some IP ranges that are (still) trying to reach the IP of my Xeams server.

It seems I can (relatively) easily single them out atm and block their range(s) -> xxx.yyy.*.*

Thanks,
Paul.


From: dcol
Date: 6/10/16 12:37 PM
Topic: Possible abuse originating from my Xeams server?
Type: General Discussions

I ended up using Snort on my firewall to stop such attacks. The email server has a brute force filter, but I cannot use it because it will blacklist the Xeams IP and that stops all communication. You have to catch this on the front end like a firewall. But it would be nice to see Xeams add a new intrusion detection filter for these types of attacks.

I use pfsense as my firewall and the pfblocker add-on practically eliminated most attacks since it blocks those countries that cause most of the issues.

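The ban policy Dave describes (count failed logins per source IP, block the address for a while once a threshold is hit) and the trap dcol points out (when the input is the backend mail server's log, the only source IP in it is the Xeams proxy, so a naive ban cuts off all mail) can both be shown on the log lines from the first post. The following is an added example written for this page, not Xeams, fail2ban or any other project's code; the thresholds (3 failures in 10 minutes, 15-minute ban) and the `ignore_ips` exemption are assumptions, and the 203.0.113.7 lines in the sample are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the failed-login lines quoted in the original post; the
# "User ... doesn't exist" lines deliberately do not match.
FAILED_LOGIN = re.compile(
    r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\] "
    r"Failed SMTP login from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"with SASL method (?P<method>\w+)\.$"
)


def parse_failed_login(line):
    """Return (timestamp, ip, sasl_method) for a failed-login line, else None."""
    m = FAILED_LOGIN.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("method")


class BruteForceBanner:
    """Sliding-window ban policy in the style of fail2ban (thresholds are assumptions):
    max_fail failures from one IP within `window` -> ban that IP for `ban_time`.
    `ignore_ips` plays the role of fail2ban's ignoreip: addresses that are never
    banned. A proxy such as Xeams must be listed here if the backend's log is the input,
    otherwise the first burst bans the proxy and all inbound mail stops."""

    def __init__(self, max_fail=3, window=timedelta(minutes=10),
                 ban_time=timedelta(minutes=15), ignore_ips=()):
        self.max_fail = max_fail
        self.window = window
        self.ban_time = ban_time
        self.ignore_ips = set(ignore_ips)
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> datetime the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ts, ip):
        """Feed one failure; return True if it triggers a new ban."""
        if ip in self.ignore_ips or self.is_banned(ip, ts):
            return False   # already banned: a firewall rule would have dropped this
        recent = [t for t in self.failures[ip] if ts - t <= self.window]
        recent.append(ts)
        self.failures[ip] = recent
        if len(recent) >= self.max_fail:
            self.banned_until[ip] = ts + self.ban_time
            self.failures[ip] = []
            return True
        return False


def process_log(lines, banner=None):
    """Run the log through the policy; return [(ip, ban_start, ban_end), ...]."""
    banner = banner or BruteForceBanner()
    bans = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, ip, _method = parsed
        if banner.record_failure(ts, ip):
            bans.append((ip, ts, banner.banned_until[ip]))
    return bans


# Constructed sample: the 192.168.0.14 lines are adapted from the post (domain replaced,
# that address is the Xeams proxy); the 203.0.113.7 lines are made up to show a source
# that stays below the threshold.
SAMPLE_LOG = [
    "[27/May/2016 07:00:34] SMTP: User model@example.test doesn't exist. Attempt from IP address 192.168.0.14.",
    "[27/May/2016 07:00:40] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.",
    "[27/May/2016 07:01:50] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.",
    "[27/May/2016 07:02:10] Failed SMTP login from 203.0.113.7 with SASL method PLAIN.",
    "[27/May/2016 07:03:01] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.",
    "[27/May/2016 07:04:13] Failed SMTP login from 192.168.0.14 with SASL method LOGIN.",
    "[27/May/2016 07:40:00] Failed SMTP login from 203.0.113.7 with SASL method PLAIN.",
]

if __name__ == "__main__":
    for ip, start, end in process_log(SAMPLE_LOG):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
    # With the proxy exempted nothing is banned: the real client IP is simply not in this log.
    print(process_log(SAMPLE_LOG, BruteForceBanner(ignore_ips={"192.168.0.14"})))
```

Run against the sample, the default policy bans 192.168.0.14 at 07:03:01 (the third failure inside the window) until 07:18:01, which in this topology means banning Xeams; with the proxy exempted the policy has nothing left to act on. That is the practical point behind dcol's remark: the ban has to be applied by whatever component sees the real client address, i.e. the proxy or the firewall in front of it, not the backend mail server.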

From: Paul
Date: 6/14/16 2:17 PM
Topic: Possible abuse originating from my Xeams server?
Type: General Discussions

True, the brute force filter in Xeams is a nice option to have, where you can even set the number of bad password attempts before an IP gets blocked for 10 mins.

But these attacks are not pointed at my Xeams server, those do also occur from time to time, but they're taken care of by the password attack filter & country IP range filter.

The attacks are directed to my mail server (= not Xeams), where Xeams sends the mails to after scanning; that's what I find so weird, the mail server logs state this clearly.
And the attacks seem to originate from my Xeams server: the mail server log shows the attacks coming from IP 192.168.1.14

Internet <-> Edge Firewall <-TCP 25 DNAT-> Xeams Proxy <-Forward-> Actual Mailserver (not Xeams)
Public IP <-> 192.168.1.254 (Firewall) <-> 192.168.1.14 (Xeams) <-> 192.168.1.10 (mailserver)


From: Richard Haakma
Date: 7/4/16 12:52 AM
Topic: Possible abuse originating from my Xeams server?
Type: General Discussions

With Xeams acting as a proxy it is just forwarding the early part of the SMTP conversation. It only does its filtering work once a full message has been received. So the external party's AUTH attempts are being fed straight through the proxy.

It would be a good feature of Proxy Mode if it could prevent any form of AUTH attempt during the SMTP conversation.

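Richard's explanation is the key to the whole thread: a proxy that relays the SMTP dialogue command by command hands the client's AUTH straight to the backend, and the backend's log then shows the proxy's address. The fix he asks for (and which the next post reports Xeams has since added) is for the proxy to answer AUTH itself and, just as important, to stop advertising AUTH in the EHLO reply it relays. The following is an added example written for this page, not Xeams' implementation; the fake backend, its reply codes and the scanner session are constructed.

```python
import re

AUTH_REJECT = "503 5.5.1 Authentication is not enabled on this relay"


def strip_auth_capability(ehlo_reply):
    """Remove AUTH capability lines from a backend EHLO reply before relaying it,
    so a well-behaved client never even tries to authenticate through the proxy."""
    kept = [l for l in ehlo_reply if not re.match(r"^250[ -]AUTH(\s|=)", l, re.I)]
    # RFC 5321: the final line of a multi-line reply is "250 ", not "250-".
    if kept and kept[-1].startswith("250-"):
        kept[-1] = "250 " + kept[-1][4:]
    return kept


class FakeBackend:
    """Stand-in for the real mail server behind the proxy (constructed for this example).
    It rejects every password, which is what produced the 'Failed SMTP login' lines."""

    def __init__(self, ehlo_reply):
        self.ehlo_reply = list(ehlo_reply)
        self.received = []          # every command line the backend actually saw

    def send(self, line):
        self.received.append(line)
        verb = line.split(None, 1)[0].upper()
        if verb == "EHLO":
            return list(self.ehlo_reply)
        if verb == "AUTH":
            return ["535 5.7.8 Authentication credentials invalid"]
        if verb in ("MAIL", "RCPT"):
            return ["250 2.1.0 OK"]
        if verb == "QUIT":
            return ["221 2.0.0 Bye"]
        return ["500 5.5.1 Command unrecognized"]


class AuthBlockingProxy:
    """Minimal command-level SMTP proxy. With block_auth=True it answers AUTH itself
    and hides the backend's AUTH capability; with block_auth=False it is a plain
    pass-through and the backend sees (and logs) every AUTH attempt as the proxy's."""

    def __init__(self, backend, block_auth=True):
        self.backend = backend
        self.block_auth = block_auth
        self.auth_attempts = {}     # client ip -> rejected AUTH count, input for a ban policy

    def handle(self, client_ip, line):
        """Handle one client command line; return the reply lines for the client."""
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb == "AUTH" and self.block_auth:
            # Proxy-side equivalent of the "SMTP Auth is disabled, yet a client tried
            # sending AUTH request" warning: the real client IP is known here.
            self.auth_attempts[client_ip] = self.auth_attempts.get(client_ip, 0) + 1
            return [AUTH_REJECT]
        reply = self.backend.send(line)
        if verb == "EHLO" and self.block_auth:
            reply = strip_auth_capability(reply)
        return reply


def run_session(proxy, client_ip, client_lines):
    """Drive a whole client session; return [(client_line, reply_line), ...]."""
    transcript = []
    for line in client_lines:
        for reply in proxy.handle(client_ip, line):
            transcript.append((line, reply))
    return transcript


# Constructed sample conversation: a scanner probing for credentials through the proxy.
BACKEND_EHLO = ["250-mail.example.test", "250-SIZE 20971520",
                "250-AUTH LOGIN PLAIN", "250 8BITMIME"]
SCANNER_SESSION = ["EHLO scanner.invalid", "AUTH LOGIN",
                   "MAIL FROM:<probe@example.test>", "QUIT"]

if __name__ == "__main__":
    for block in (True, False):
        backend = FakeBackend(BACKEND_EHLO)
        proxy = AuthBlockingProxy(backend, block_auth=block)
        for c, r in run_session(proxy, "203.0.113.7", SCANNER_SESSION):
            print(f"[block_auth={block}] C: {c!r:36} S: {r}")
        print(f"  backend saw: {backend.received}\n")
```

With `block_auth=True` the backend never receives the AUTH command and its EHLO reply reaches the client without the AUTH line; with `block_auth=False` the backend receives `AUTH LOGIN`, answers 535, and logs a failed login from the proxy's address, which is exactly the symptom in the first post. Note that stripping AUTH from EHLO is not a security control on its own (a scanner sends AUTH regardless), it only keeps honest clients from trying; rejecting the command is what matters, and the per-client counter is where a ban policy should take its input.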

From: paul
Date: 8/17/16 9:59 AM
Topic: Possible abuse originating from my Xeams server?
Type: General Discussions

I found out that Xeams now offers the option to disable SMTP AUTH, which is great, thanks for that dear devs!

I now get tons of these in the logs :-)
-----
2016-08-17 23:14:15,861 WARN stagingserver.SmtpStagingWorker - SMTP Auth is disabled, yet a client tried sending AUTH request. This must be a bad boy.
-----

I'm also using the SMTP proxy in Sophos UTM (Home free edition) as an extra check and buffer between Xeams (frontend) and the actual mail server (backend)
-> no more brute force attacks show up in the mail server's logs since!

Also the Sophos UTM checks mails for viruses with 2 engines, the Sophos and the Avira engine, thus an extra layer of protection.
I could install the ClamAV daemon and use the Xeams-ClamAV integration to scan mails for viruses, but somehow the Sophos & Avira engines don't sound too bad either :-)

Any other suggestions for (more/better) secure set-ups involving Xeams and where to put it in the mail-scanning chain would be most welcome :-)

cheers
Paul.
