Geoblocking of allowed SMTP/POP/IMAP.
I would like to see functionality to allow geoblocking of allowed SMTP/POP/IMAP.
Basically possibility to set which countries IPs that is allowed to connect with authenticated sessions for SMTP / POP / IMAP.
As my users is only living and working in Sweden they will only be
coming from IPs from Sweden.
This could remove 98% of all the botnet sessions that tries to bruteforce autheticated sessions.
MDaemon 17.5 has been updated and can now block connections based on the country they are coming from.
Aaron: You actually can NOT stop authentication attempts using the DNS-BL -- it doesn't apply during authentication. Email is checked against the country IP, but not authentication attempts. I have blocked most foreign countries at our firewall, but for just about every country I can't block (for http reasons), I get break-in attempts via SMTP. PLEASE consider adding, or consider allowing DNS-BL checks to occur during authentication attempts!
Although perhaps this is unnecessary if using IP Shield, but you'd want to disable "Do not apply to authenticated sessions", right?
Add geolocation to Dynamic Screening so people trying to log in as local users from IP's in foreign countries can be squelched! We've been having a fair number of attempts per day by bad actors attempting to log in as local users. Generally, each attempt is from a different IP/country. Since I don't have actual users (or only rarely) logging in from foreign locales, I'd like to be able to check off on a list to allow/disallow logins for local users by country.
Dan Lundqvist commented
Thanks for the info.
However, In my case I do not want to geoblock INCOMING mail with a certain IP (as such) but rather use geoblocking on sessions that want to authenticate so the session could be blocked even if the user/psw is correct but from from wrong country.
If I know that all my users is sending/receiving mail from a Swedish IP then if someone spoofs an account and manages to get the correct user/passw. it will still be blocked due to the geoblocking function. And could also be tied to the DynamicScreening as well.
It will not block IPs coming from allowed country(ies) but it could reduce the account hijacking dramatically.
Today botnet tries hammering only 2-3 times from each IP but with many different IPs in a row. If a session tries to do a SMTP (or POP) using authentication, MD could detect geoblocking already during first try and send it over to DynamicScreening directly so the IP gets blocked and not after the 3rd try. This reduces the amount of started SMTP/POP/IMAP Sessions.