For webmail, implement TOTP.

If you allow client access (Submission, IMAP, etc.) from outside, then:
Either restrict to the internal network only, or require VPN.

== OR ==

Best would be to use GeoIP to, on first login, lock the account to the GeoIP 
country the current IP has.
That would severely limit any intrusions, since the attack surface is now 
limited to the same country as the user.

Another way would be to use the webmail login as a "whitelisting" system, so 
when they log in to the webmail (with TOTP), their Class C (or even Class B if 
you don't want to lock out too hard) is whitelisted for 7 days. Multiple 
entries can be whitelisted. Thus if their client mail stops working, they have 
to log in to webmail ONCE to "reactivate".
This also would limit the attack surface greatly, to a single ISP or a few ISPs.

You should be able to create something using MySQL lookups and possibly $acl_c0 
and such to relay the connected IP to the authenticator, and then do an IP check 
against the MySQL database.
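The following is an added example, not code from either message in this thread, showing how the whitelist-on-webmail-login idea above and the original poster's X-Originating-IP check (quoted below) could be wired into Exim ACLs with MySQL lookups. The table and column names, the macro names, the MySQL credentials and the 7-day window are assumptions; the webmail server address is the one in the H file quoted in the original question, and the whole thing assumes a submission-only Exim (port 587, authenticated clients), which is what the question describes.

```exim
# Added example, not from the thread. Hypothetical schema:
#   CREATE TABLE users         (username VARCHAR(255) PRIMARY KEY, status VARCHAR(16));
#   CREATE TABLE blocked_ips   (ip VARCHAR(64) PRIMARY KEY);
#   CREATE TABLE webmail_allow (username VARCHAR(255), net VARCHAR(64),
#                               expires DATETIME, PRIMARY KEY (username, net));
# The webmail login handler, after a successful TOTP login from 197.220.169.156,
# is assumed to run (this side is not shown here):
#   INSERT INTO webmail_allow VALUES ('alice', '197.220.169.0/24', NOW() + INTERVAL 7 DAY)
#     ON DUPLICATE KEY UPDATE expires = VALUES(expires);
# The stored 'net' must be spelled exactly as Exim's ${mask:} operator prints it:
# "a.b.c.0/24" for IPv4; for IPv6 Exim prints all eight groups separated by dots
# instead of colons (see the mask operator in the Exim spec), so store that form.

# 24 = "Class C"; use 16 for a "Class B". IPv6 users get a /64 instead.
WL_BITS  = 24
WL_BITS6 = 64

# Webmail server(s), as seen by Exim. Address taken from the quoted H file.
WEBMAIL_HOSTS = <; 2001:42a0::5

hide mysql_servers = localhost/mail/eximacl/password

acl_smtp_mail = acl_submission_mail
acl_smtp_data = acl_submission_data

begin acl

acl_submission_mail:
  # Only authenticated submissions are subject to these checks.
  accept  !authenticated = *

  # An account marked disabled in the user table may not submit at all.
  deny    condition   = ${lookup mysql{SELECT 1 FROM users \
                          WHERE username = '${quote_mysql:$authenticated_id}' \
                          AND status = 'disabled' LIMIT 1}{yes}{no}}
          message     = Account disabled, contact support
          log_message = submission refused: $authenticated_id is disabled

  accept

acl_submission_data:
  accept  !authenticated = *

  # Work out where the user really is. For a webmail submission the TCP peer is
  # the webmail server itself, so use the X-Originating-IP header it adds
  # (RainLoop does, see the H file in the question), but only when the peer
  # really is the webmail host, so a direct client cannot spoof the header.
  warn    set acl_m_origin = $sender_host_address
  warn    hosts     = WEBMAIL_HOSTS
          condition = ${if isip{$h_X-Originating-IP:}}
          set acl_m_origin = $h_X-Originating-IP:

  # Originating address on the block list (the original poster's idea): refuse.
  deny    condition   = ${lookup mysql{SELECT 1 FROM blocked_ips \
                          WHERE ip = '${quote_mysql:$acl_m_origin}' LIMIT 1}{yes}{no}}
          message     = Submission from a blocked address
          log_message = submission refused: $authenticated_id from blocked $acl_m_origin

  # No webmail (TOTP) login from this network within the last 7 days: refuse,
  # and tell the user how to reactivate. The network key is computed with the
  # same prefix length the webmail side used when it inserted the row.
  deny    !condition  = ${lookup mysql{SELECT 1 FROM webmail_allow \
                          WHERE username = '${quote_mysql:$authenticated_id}' \
                          AND net = '${quote_mysql:${mask:$acl_m_origin/${if isip4{$acl_m_origin}{WL_BITS}{WL_BITS6}}}}' \
                          AND expires > NOW() LIMIT 1}{yes}{no}}
          message     = No recent webmail login from your network; \
                        log in to webmail once to re-enable your mail client
          log_message = submission refused: $authenticated_id from $acl_m_origin not whitelisted

  accept
```

Two operational points. If the MySQL server is unreachable the lookup expansion fails, and a failed expansion in a `condition` makes the ACL defer with a 4xx, so the scheme fails closed rather than open; monitor for that. And because the webmail host's own address is never in `webmail_allow`, a webmail submission without a usable X-Originating-IP header is refused too, which is the safe default when the header is missing.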

-----Original Message-----
From: Mark Elkins via Exim-users <exim-users@exim.org> 
Sent: 29 June 2020 14:56
To: exim-users@exim.org
Subject: [exim] Looking for an example

Hello group,

I'm looking for an example for how to cure this problem.

Every now and then, a user will give his password to a bad actor (Social 
Engineering). That bad person then goes to my webmail interface and sends out a 
lot of SPAM e-mail - which goes to my port 587 (only) Exim (version 4.94).

The mail server then gets black-listed :-(

Of course - then everyone suffers.

All my users details are in a MySQL Database. Ideally - I could change their 
status to "disabled" - but still need to handle the SPAM being sent out from 
their account details. Perhaps I'd lookup the "X-Originating-IP" and if there - 
not do a delivery?

What are the "Best Practices" for handling this?

An example of a "bad" email (the H file) might look like... (as untouched as 
possible)

1jX2Tv-00A32n-Ka-H
mail 8 12
<motha...@competentartistes.tv>
1588942319 2
-received_time_usec .638108
-helo_name webmail.vweb.co.za
-host_address 2001:42a0::5.36176
-interface_address 2001:42a0::71.587
-received_protocol esmtps
-body_linecount 48
-max_received_linelength 74
-frozen 1589015756
-tls_cipher TLSv1.3:TLS_AES_256_GCM_SHA384:256
-tls_sni relay.vweb.co.za
-tls_ourcert -----BEGIN CERTIFICATE-----\nMIIGaTCCBVGgAwIBAgISAw6 [Lots deleted] 4isptageh9BnUwAwJw==\n-----END CERTIFICATE-----\n
YY wr...@disillusionment.co.uk
YY wrongd...@remnants.us
YY wristwa...@parishioners.net
[20+ lines deleted]
NN ya...@boniest.com.au
NN y...@reimbursing.info
50
wrin...@amounts.info
wrinkl...@shelf.co.uk
[20+ lines deleted]
swar...@extremer.com
swat...@companion.com

255P Received: from [2001:42a0::5] (port=36176 helo=webmail.vweb.co.za)
         by relay.vweb.co.za with esmtps
(TLSv1.3:TLS_AES_256_GCM_SHA384:256)
         (Exim 4.92.2)
         (envelope-from <motha...@competentartistes.tv>)
         id 1jX2Tv-00A32n-Ka; Fri, 08 May 2020 14:51:59 +0200
018  Mime-Version: 1.0
038  Date: Fri, 08 May 2020 12:52:10 +0000
087  Content-Type: multipart/alternative;
  boundary="--=_RainLoop_183_170848428.1588942330"
026  X-Mailer: RainLoop/1.11.3
057F From: "Mrs. Agnes Adams" <motha...@competentartistes.tv>
068I Message-ID: <f48e1f3d5cf34a6e7f03fe0d1b648...@competentartistes.tv>
030R Reply-To: jm4065...@gmail.com
012  Subject: HI
034  X-Originating-IP: 197.220.169.156

-- 

Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za  Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

