Preventing SMTP dictionary attacks against Domino, and brute force / dictionary attacks against IMAP, POP3, LDAP, and HTTP.
You are trying to prevent external attempts to compromise user credentials through a dictionary attack against SMTP, IMAP, LDAP, or HTTP.
Symptom: your SMTP server is sending out a lot of spam messages.
User credentials may have been compromised through a dictionary attack against SMTP, IMAP, LDAP, or HTTP.
Any Domino server running SMTP (or any of the other Domino Internet protocols mentioned above) that is exposed to the Internet.
Diagnosing the problem
AUTH is an SMTP feature that is enabled in the Server document under Ports > Internet Ports > Mail > SMTP Inbound (port 25).
When Name & password is set to Yes, users anywhere on the Internet can use their Internet credentials to send SMTP mail through your server.
The next field, Anonymous, needs to be set to Yes so that you receive mail anonymously from the Internet. Setting it to No would stop all inbound Internet SMTP mail.
How to determine if a user's credentials have been compromised:
1. Enable SMTPDebugIO=3 and set log_sessions=2 in the notes.ini file.
2. Restart the SMTP task on the Domino server. The log output will show where the login is occurring (the IP address) and the user name being used to relay.
3. Change the Internet password for this user to a strong password.
Keep in mind that multiple user credentials may have been compromised.
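Steps 1 to 3 above still leave you reading the log by eye to find the source address and the account being relayed through. The following Python script is an added example, not part of this technote or of Domino itself: it parses SMTP AUTH success and failure events from log text, counts failures per user and per connecting host, and reports the hosts that look like dictionary-attack sources, the users who would have hit the lockout threshold, and any account that authenticated successfully from a host that had already failed repeatedly (the sign that a guess landed and the password must be changed). The sample log lines and the exact wording matched by AUTH_RE are constructed for this example; adapt the regular expression to the lines your own server writes.

```python
import re
from collections import Counter

# Constructed sample log lines. Their shape approximates what Domino writes
# to the console/log.nsf for SMTP AUTH events; treat the exact wording as an
# assumption and adapt AUTH_RE below to your own server's output.
SAMPLE_LOG = """\
04/30/2015 10:01:03 AM  SMTP Server: Authentication failed for user jsmith; connecting host 203.0.113.7
04/30/2015 10:01:04 AM  SMTP Server: Authentication failed for user jsmith; connecting host 203.0.113.7
04/30/2015 10:01:05 AM  SMTP Server: Authentication failed for user jsmith; connecting host 203.0.113.7
04/30/2015 10:01:06 AM  SMTP Server: Authentication failed for user jsmith; connecting host 203.0.113.7
04/30/2015 10:01:07 AM  SMTP Server: Authentication failed for user jsmith; connecting host 203.0.113.7
04/30/2015 10:01:09 AM  SMTP Server: Authentication succeeded for user jsmith; connecting host 203.0.113.7
04/30/2015 10:02:11 AM  SMTP Server: Authentication failed for user mlee; connecting host 198.51.100.9
04/30/2015 10:02:15 AM  SMTP Server: Authentication failed for user mlee; connecting host 198.51.100.9
04/30/2015 10:03:00 AM  SMTP Server: Authentication succeeded for user mlee; connecting host 192.0.2.10
"""

# Assumed line format (see the note above); both the success and the failure
# variant are captured so that the sequence of events per host can be tracked.
AUTH_RE = re.compile(
    r"Authentication (?P<result>failed|succeeded) for user (?P<user>[^;]+); "
    r"connecting host (?P<ip>[0-9.]+)"
)


def parse_auth_events(log_text):
    """Yield (result, user, ip) tuples, in log order, for every matching AUTH line."""
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("user").strip(), m.group("ip")


def analyze(log_text, max_tries=5):
    """Summarise SMTP AUTH activity, processing events in the order they occurred.

    max_tries plays the role of the lockout threshold you would configure for
    inetlockout.nsf: a user reaching it is reported as one who would be locked
    out, a host reaching it is reported as a dictionary-attack source, and a
    success from a host that had already failed max_tries times is reported as
    a suspected compromised credential (the guessing succeeded).
    """
    fails_by_user = Counter()
    fails_by_ip = Counter()
    compromised = []  # (user, ip) pairs whose Internet password should be changed now
    for result, user, ip in parse_auth_events(log_text):
        if result == "failed":
            fails_by_user[user] += 1
            fails_by_ip[ip] += 1
        elif fails_by_ip[ip] >= max_tries and (user, ip) not in compromised:
            # Counter returns 0 for an unseen host, so a clean host never trips this.
            compromised.append((user, ip))
    return {
        "attack_sources": sorted(ip for ip, n in fails_by_ip.items() if n >= max_tries),
        "locked_out_users": sorted(u for u, n in fails_by_user.items() if n >= max_tries),
        "suspected_compromised": compromised,
        "fails_by_user": dict(fails_by_user),
        "fails_by_ip": dict(fails_by_ip),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for key in ("attack_sources", "locked_out_users", "suspected_compromised"):
        print(f"{key}: {report[key]}")
```

Run it against a saved console log (for example, `analyze(open("console.log").read())`) after enabling the notes.ini settings above. The per-user count tells you which accounts the lockout database would already have caught; the suspected_compromised list is the one to act on first, because those passwords have been guessed and the account is the likely relay source.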
Resolving the problem
You can use the following feature to lock out failed attempts to gain access to your server. This feature works for SMTP, IMAP, LDAP, and HTTP. If SMTP AUTH is being used by hand-held devices for mail, consider using Traveler, a free add-on to Domino that provides a much better end-user experience than IMAP and SMTP. If it is being used by 3rd-party clients, consider using iNotes, or IBM Notes over port 1352 from the Internet.
If you are mandated to use AUTH, Domino has additional functionality that helps prevent dictionary attacks attempting to compromise a user's name and credentials. This feature greatly reduces the likelihood of user credentials being compromised going forward.
In addition to these settings in the Configuration document for your Domino SMTP gateway, you also need the Internet password lockout database, inetlockout.nsf. This database logs SMTP AUTH login failures and locks out users when their login failures reach the maximum number of tries allowed.
Once a user is locked out in the Internet lockout database, delete the entry to allow the user to log in again.
Software version: 8.0, 8.5, 9.0
Operating system(s): AIX, IBM i, Linux, Solaris, Windows, z/OS
Software edition: All Editions
Reference #: 1677487
Modified date: 30 April 2015