Channel: Exchange Server 2010 forum

SMTP AUTH LOGIN attempts causing AD user account lockouts.


Can anyone help me join the dots and figure this one out?

Our current setup looks like this:

  1. Single Exchange 2010 Server
  2. MX record --> Spam Provider --> Exchange Server --> Default Receive Connector (with anonymous user check box)
  3. Exchange users are a mixture of Outlook (ActiveSync) and Thunderbird (IMAP)
  4. A lot of our users are external to the business, outside the firewall
  5. OWA, SMTP and IMAP are open on the firewall, pointing to our Exchange server

2 Receive connectors (that relate to this issue we have; other connectors are for mail relay for internal apps)

  1. Client connector port 587, TLS, Basic and Windows authentication for Exchange users.
  2. Default connector port 25, TLS, Basic and Windows authentication for anonymous, Exchange users, Exchange servers.

Recently staff AD accounts are being locked out by bots attempting to use SMTP and the AUTH LOGIN commands to probe for passwords (discovered by using Wireshark and decoding the base64 commands being sent).

So my train of thought turned to disabling port 25 at the firewall level or Exchange receive connector level to only accept mail from our spam provider's IPs; however, this will affect our IMAP users' ability to send email. We could open up port 587 to the outside and get those users to move from port 25 to 587, but isn't that just moving the problem along? If the bots' game is to keep pushing authentication requests with incorrect passwords, this will still happen on port 587?

It's come to the point whereby accounts are being locked daily by different IPs. What's the missing piece of the puzzle that will help me fight back?

Thank you in advance for any reply. 

Matt 
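
The manual Wireshark step described in the post (decoding the base64 AUTH LOGIN lines) can be scripted to show which accounts are being targeted and from which addresses. The following is an added example, not part of the original post; the `(client IP, side, line)` transcript format, the `session` helper and all sample data are constructed for illustration and are not an Exchange or Wireshark export format.

```python
import base64
from collections import Counter, defaultdict

def decode(token):
    """Base64-decode a username token; tolerate junk sent by scanners."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace").lower()
    except ValueError:
        return "<undecodable>"

def failed_logins(transcript):
    """Return (failed attempts per client IP, client IPs per targeted username)."""
    state = {}                       # ip -> [stage, username]
    per_ip, per_user = Counter(), defaultdict(set)
    for ip, side, line in transcript:
        stage = state.get(ip, [None])[0]
        if side == "C" and line.upper().startswith("AUTH LOGIN"):
            parts = line.split()
            # Some clients send the username inline as an initial response.
            state[ip] = ["pass", decode(parts[2])] if len(parts) == 3 else ["user", None]
        elif side == "C" and stage == "user":
            state[ip] = ["pass", decode(line)]
        elif side == "C" and stage == "pass":
            state[ip][0] = "result"  # password line is skipped, never decoded
        elif side == "S" and stage == "result":
            user = state.pop(ip)[1]
            if line.startswith("535"):   # SMTP reply: authentication failed
                per_ip[ip] += 1
                per_user[user].add(ip)
    return per_ip, per_user

def session(ip, user, reply, inline=False):
    """Build one constructed AUTH LOGIN exchange (sample data only)."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    start = [(ip, "C", "AUTH LOGIN " + b64(user))] if inline else [
        (ip, "C", "AUTH LOGIN"), (ip, "S", "334 VXNlcm5hbWU6"), (ip, "C", b64(user))]
    return start + [(ip, "S", "334 UGFzc3dvcmQ6"),
                    (ip, "C", b64("placeholder")), (ip, "S", reply)]

# Constructed sample: documentation-range IPs, made-up account names.
SAMPLE = (session("203.0.113.7", "alice", "535 5.7.3 Authentication unsuccessful")
          + session("203.0.113.7", "bob", "535 5.7.3 Authentication unsuccessful")
          + session("198.51.100.9", "Alice", "535 5.7.3 Authentication unsuccessful", inline=True)
          + session("192.0.2.20", "carol", "235 2.7.0 Authentication successful"))

if __name__ == "__main__":
    per_ip, per_user = failed_logins(SAMPLE)
    for user, ips in sorted(per_user.items()):
        print(user, "failed logins from", sorted(ips))
```

An account that fails from several unrelated addresses, as `alice` does in the sample, matches the pattern of daily lockouts from different IPs described above.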

