On 2023-11-17 02:18, Nick Lockheart wrote:

My original reason for asking was, in addition to setting up a new mail server,
there was a topic that came up about port scanning.

My thought was, if the only people that need email services on ports 587 and
993 are employees, there might be a way to close down access to those ports to
reasonable ranges that employees might actually use.

However, for most people, it's not really worth the time to re-invent the wheel. Most people pay attention to spam tools and filters, but don't consider tools for testing authentication sources..

As a commercial provider, I don't mind passing on 'tips'.. but it is a multi-tiered approach, one that is often more easily dealt with by commercial products, public RBLs, etc. designed for authentication restrictions. But the ONLY real way to deal with AUTH attacks is 2FA of some sort..

But other than that, there are two things you are trying to address: Bots & Hackers..

Bot traffic will 'probably' not bother someone with good password policies, unless of course you allow clients to send passwords in plain text, or there is a case of password re-use..

Still, you can address 'overhead', and the less you have in the logs, the easier it is to see real threats. Country AUTH restrictions ARE simple, and there ARE some countries that your clients will never travel to.. but this won't stop hackers that simply use VPNs/Proxies/Compromised Servers to access your accounts.

This applies to 465/587 as well as Dovecot AUTH mechanisms.

Rate limiters of course are ALWAYS important.. However, you have to realize that IP rate limiters CAN cause problems when trying to deal with CGNs, shared IPs, etc..

And of course, as someone else pointed out, your 'clients' usually use carrier networks to access email, NOT cloud providers.

Hackers LOVE using the cloud, eg Amazon, gCloud, Azure, for their attacks, but your clients don't come from there.. so block those IP spaces by default, but allow an override in case there is a real reason to access email from there (a desktop in a cloud? data monitoring scripts? SaaS which monitors your mailbox?)

And what about the other clouds.. Hackers are often getting VPSs strictly for hacking purposes, or to put up open proxies to get around country blocking.. (or hacking servers for that purpose)

Should any of your clients need to log in from an OVH or Digital Ocean or ColoCrossing IP?

But as you can see, this starts to become a lot of work to consider all the risk factors, and we all have too many things to do..

Consider looking at tools that do this for you, unless you want to make a hobby out of looking at AUTH logs..

As well, there are several RBLs out there strictly monitoring hacking sources, including one of our own partners .. SpamRats RATS-AUTH and RATS-NULL...

Many of these are free to use, and either update regularly, or are available as realtime RBLs..

Our spam auditors.. it's amazing how often they see the same IPs used in email compromises all over the world.. Make sure that you clearly show the IP address in your Received headers as well; it will help others help you..

Received: from [10.NNN.NNN.NNN] (unknown [37.NNN.NNN.NNN])
        by youserver.com (Postfix) with ESMTPSA

But of course, again .. off topic.. but hackers OFTEN will eavesdrop on your customers' IMAP accounts just to steal data, way before they start abusing them for sending spam..

IMAP authentication, and BEC (Business Email Compromise) in general, are some of our biggest threats, so all users of Dovecot have a role to play in securing access..

But again ... Transparent 2FA first and foremost ;)

Again, hoping more of our patches for Dovecot 2FA ClientID see the light of day, and we are willing to work with anyone to help make that happen for ANY platform..

--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
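Added example, not code from the original message or from LinuxMagic: a small Python policy check for the "block cloud IP space by default, but allow a per-account override" rule discussed above, plus a parser that pulls the connecting peer's address (the second bracketed address) out of a Received header of the form shown. The provider names, prefixes and the override account are constructed placeholders, not real provider ranges.

```python
import ipaddress
import re

# Constructed sample prefixes standing in for cloud provider ranges; in real
# use you would load the providers' published prefix lists here.
CLOUD_BLOCKS = {
    "example-cloud-a": ["203.0.113.0/24"],
    "example-cloud-b": ["198.51.100.0/24", "2001:db8:1::/48"],
}

# Per-account overrides (constructed): accounts with a legitimate reason,
# e.g. a mailbox-monitoring script, may authenticate from listed addresses.
OVERRIDES = {
    "monitor@example.org": ["203.0.113.10/32"],
}

def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def auth_policy(user, client_ip, blocks=CLOUD_BLOCKS, overrides=OVERRIDES):
    """Decide an AUTH attempt from client_ip: ('allow'|'deny', reason).
    Default is allow; blocked prefixes deny unless the account's override
    list covers the address."""
    ip = ipaddress.ip_address(client_ip)
    for net in _nets(overrides.get(user, [])):
        if ip in net:
            return "allow", f"override {net}"
    for name, cidrs in blocks.items():
        for net in _nets(cidrs):
            if ip in net:
                return "deny", f"blocked range {name} {net}"
    return "allow", "not in a blocked range"

# In "from [10.x] (unknown [37.x])" the second bracketed address is the peer
# the MTA actually talked to; the first is whatever the client announced.
RECEIVED_RE = re.compile(r"\((?:\S+\s+)?\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)")

def client_ip_from_received(header):
    """Return the verified peer address from a Received header, or None."""
    m = RECEIVED_RE.search(header)
    return m.group("ip") if m else None
```

The same decision logic could be fed from a Dovecot or Postfix policy hook; here it is kept as a plain function so it can be tested against log samples.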
