Pegasus Mail & Mercury

Welcome to the Community for Pegasus Mail and
The Mercury Mail Transport System, the Internet's longest-serving PC e-mail system!

SmtpEvt daemon questions

Last post 04-17-2019, 18:22 by Brian Fluet. 3 replies.
  •  04-16-2019, 15:31

    • Brian Fluet

    SmtpEvt daemon questions

    I'm trying to figure out the best way to utilize the SmtpEvt daemon to help control the attacks on MercuryS.  Please help with the following questions.

    Volume is low so I don't think I need trntrack.dll, but is it necessary in order to benefit from IP address blocking, watchlist_count, and watchlist_minutes?

    What is the difference between watchlist and blacklist?

    Thanks!

  •  04-17-2019, 3:08

    • Rolf Lindby

    Re: SmtpEvt daemon questions

    The SmtpEvt daemon will block connecting IP addresses that repeatedly fail to authenticate (or otherwise misbehave) within a certain time span. The first failure puts the IP address on the watchlist, and depending on the settings in the ini file it will then be blocked (blacklisted) after some more failures.

    trntrack.dll is needed only to set the time IP addresses will remain blocked, otherwise Mercury's built-in blacklist is used (fixed block of 30 minutes).

  •  04-17-2019, 13:46

    • Brian Fluet

    Re: SmtpEvt daemon questions

    Thanks Rolf.  I don't know that SmtpEvt is going to help much.  What I'm seeing is Auth Login failures from the same IP in groups of anywhere from 3-15, then they'll stop for anywhere from 3 to a few days then another group, rinse, repeat.  This is happening from a number of different IP addresses.  When I identify one I block its .0-.255 range using Content Control but it's not long before a new IP address takes its place.   For now I'll set the watchlist_count trigger in SmtpEvt to 3 to limit the blocks of attempts.

    Edit:  Oops.  Meant Connection Control, not Content Control. 

  •  04-17-2019, 18:22

    • Brian Fluet

    Re: SmtpEvt daemon questions

    A side effect of trying to understand the SmtpEvt daemon is that I now have a better understanding of the options in the MercuryS Compliance tab and of the potential value of transaction filtering as a way to immediately blacklist an IP address that has been identified as repeatedly trying to gain access.  My "refuse" entries in Connection Control have been removed, opting for transaction filtering rules instead.

    I've standardized the rules as per below with only the IP address changing but welcome suggestions on a better or more appropriate way of doing this. 

    H, "*192.156.225.99*", BS, "554 Relaying not allowed - connection dropped" 

    I'm anxious to see the effects of this change in conjunction with SmtpEvt.
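
An added example, not part of the thread and not SmtpEvt's own code: a small simulation of the watchlist-then-blacklist behaviour described in the replies above, replayed over a constructed failure pattern like the one reported. The sliding-window meaning given to watchlist_count and watchlist_minutes, the function name and the sample IP addresses are assumptions; the 30-minute block is the built-in blacklist duration stated in the thread.

```python
from collections import defaultdict, deque

BLOCK_MINUTES = 30  # fixed duration of Mercury's built-in blacklist, per the thread


def simulate(events, watchlist_count, watchlist_minutes, block_minutes=BLOCK_MINUTES):
    """Replay (minute, ip) AUTH failures and count, per IP, how many attempts
    reached authentication and how many were refused while the IP was blocked.

    Assumed semantics (not taken from SmtpEvt): an IP is blocked once it has
    watchlist_count failures inside a sliding window of watchlist_minutes.
    """
    recent = defaultdict(deque)   # ip -> failure times still on the watchlist
    blocked_until = {}            # ip -> minute at which the block expires
    stats = defaultdict(lambda: {"reached_auth": 0, "refused": 0, "blocks": 0})

    for minute, ip in sorted(events):
        if blocked_until.get(ip, -1) > minute:
            stats[ip]["refused"] += 1       # dropped before AUTH is attempted
            continue
        stats[ip]["reached_auth"] += 1
        window = recent[ip]
        window.append(minute)
        # Forget failures that have aged out of the watchlist window.
        while window and minute - window[0] >= watchlist_minutes:
            window.popleft()
        if len(window) >= watchlist_count:
            blocked_until[ip] = minute + block_minutes
            stats[ip]["blocks"] += 1
            window.clear()
    return {ip: dict(s) for ip, s in stats.items()}


# Constructed sample data (documentation address ranges, minutes since start):
A, B = "203.0.113.7", "198.51.100.20"
SAMPLE_EVENTS = (
    [(m, A) for m in range(12)]            # burst of 12, one failure per minute
    + [(4320 + m, A) for m in range(5)]    # same IP returns three days later
    + [(m, B) for m in (0, 20, 40, 60)]    # failures spaced 20 minutes apart
)

if __name__ == "__main__":
    for count, minutes in [(10, 10), (3, 10), (3, 60)]:
        print(count, minutes, simulate(SAMPLE_EVENTS, count, minutes))
```

Under these assumptions, lowering watchlist_count shortens each burst that reaches authentication, and watchlist_minutes has to be at least as wide as the gap between spaced failures for them to add up to a block.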

Copyright © 2007-2011 David Harris / Peter Strömblad. | Pegasus Mail Home Page