Re: [Dovecot] Logging passwords on auth failure/dealing with botnets
On 9/1/2013 2:59 PM, Noel wrote:
On 9/1/2013 10:00 AM, Charles Marcus wrote:
... Wonder if there's a way to leverage Stan Hoeppner's most excellent botnet killer to reject AUTHs from the same types of clients before they even try?

The objective of Stan's list is to reject dynamic hosts, because the overwhelming majority of dynamic hosts trying to send via SMTP are zombies.

Yep.

For dovecot, the situation is quite different. Blocking all dynamic IPs would be an obvious mistake.

Yep. Unfortunately the hosts we want to block at the public SMTP port are the same hosts that are your typical legitimate IMAP clients. To do something similar to Postscreen with Dovecot would require Timo writing code similar to Postscreen that would look for IMAP protocol violations or similar signs that the client is a bot and not a legit MUA. But given that Dovecot is designed for inherently greater client parallelism (thousands) than Postfix smtpd (100), I don't think anyone is rejecting clients due to running out of auth process slots taken by bots. As others have suggested this seems a log clutter issue, nothing more.

-- Stan
Re: [Dovecot] Getting back into Dovecot 2.2.5
On 02-09-2013 07:04, Kai Hendry wrote:
On Mon, Sep 02, 2013 at 02:37:04AM +0300, Andreas Kasenides wrote:
IIUC Postfix places by default mail in /var/mail/%u as an mbox.

sg:/etc/postfix$ sudo postconf | grep mail_spool
mail_spool_directory = /var/mail

I think the solution from looking around is to use dovecot as an lda. http://wiki2.dovecot.org/LDA/Postfix

Yes! Sorry for not saying that. While the Dovecot LDA is preferred (it will also do on-line indexing), it is not the only option. Postfix will also deliver into a maildir (both the local and virtual delivery agents) if you just add a / at the end of the delivery directory! I prefer the Dovecot LDA of course, with the necessary Postfix configs for it. By the way, I consider mbox format to be a relic of the mail systems. But it may be what you are looking for in a really small setup to get away from Gmail. Straightforward and simple.

Andreas

Solr is not the only option. The way I understand this is that this will heavily depend on your client, if it will make use of the Dovecot indexing, therefore speeding up operations. I use Thunderbird most of the time and I have no indexing on Dovecot. Searching is quite good.

I use mutt, Apple Mail and iOS. http://www.flickr.com/photos/hendry/9652360692/

Thanks for replying! I will update https://github.com/webconverger/sg.webconverger.com with my setup in future.
[Dovecot] migration from IMAP/POP3 courier server to a remote dovecot server
Dear all,

I'm planning a transparent migration from a courier server that provides both IMAP and POP3 access to users to a remote dovecot server with both IMAP and POP3 access. I have to migrate about 2500 users for 250 GB of space. I'm using dovecot 2.2.5.4 on debian6 squeeze.

To make a transparent migration I have to maintain old IMAP UIDs and POP3 UIDs, so I've read http://wiki2.dovecot.org/Migration and http://wiki2.dovecot.org/Migration/Courier and http://wiki2.dovecot.org/Migration/Dsync and decided that probably the best tool to use is Dsync, as the courier-dovecot-migrate.pl script (http://www.dovecot.org/tools/courier-dovecot-migrate.pl) works only locally.

I've tested the dsync following the instructions reported above, but after the migration of one test account the client re-downloads messages.

If I want to keep both IMAP UIDs and POP3 UIDs, do I have to sync both imapc and pop3c with two commands?

doveadm -o imapc_user=foo -o pop3c_user=foo -o imapc_password=bar -o pop3c_password=bar backup -R -u user@domain imapc:
doveadm -o imapc_user=foo -o pop3c_user=foo -o imapc_password=bar -o pop3c_password=bar backup -R -u user@domain pop3c:

Or is imapc enough? Do you have any suggestion?

Thanks

-- /*/ nik600 http://www.kumbe.it
Re: [Dovecot] migration from IMAP/POP3 courier server to a remote dovecot server
To give some more information, I've set pop3_uidl_format = UID%u-%v

On the courier side I get this UIDL answer:

UIDL
+OK
1 1378040847.Vfe11I12801312M172099.myserver.cloud923
2 UID2-1378040947
3 UID3-1378040947
4 UID4-1378040947
5 UID5-1378040947

On the dovecot side I get this UIDL answer:

UIDL
+OK
1 UID1-1378127599
2 UID2-1378127599
3 UID3-1378127599
4 UID4-1378127599
5 UID5-1378127599

-- /*/ nik600 http://www.kumbe.it
Re: [Dovecot] Logging passwords on auth failure/dealing with botnets
On 2013-09-01 3:59 PM, Noel noeld...@gmail.com wrote: The objective of Stan's list is to reject dynamic hosts, because the overwhelming majority of dynamic hosts trying to send via SMTP are zombies. For dovecot, the situation is quite different. Blocking all dynamic IPs would be an obvious mistake. Oops... you're right of course, sorry for the noise... -- Best regards, */Charles/*
Re: [Dovecot] Logging passwords on auth failure/dealing with botnets
On 2013-09-02 4:12 AM, Stan Hoeppner s...@hardwarefreak.com wrote:
As others have suggested this seems a log clutter issue, nothing more.

Well, it would be nice to have some way to stop brute force attacks (rather than just letting one run rampant until the attacker gives up) - i.e., attempted FAILED logins to the same user account.

Maybe a two pronged approach...

1. A whitelist that whitelists IP+username for *successful* logins (maybe with a configurable age-out option) to prevent the real user from being locked out if accessing from an IP on the whitelist, and

2. A blacklist that when triggered (x failed login attempts in x seconds), doesn't try to block the IP, but rather prevents login attempts for that user account from even reaching the AUTH stage - *unless* the IP in question is in the whitelist.

The question is, where is this best dealt with - firewall (can fail2ban do anything like this?), or would it have to be done in dovecot?

-- Best regards, */Charles/*
Re: [Dovecot] Auth error in log
Hi,

When a virtual user defined in the MySQL database tries to log in using IMAP or SMTP I always get auth failures logged in the system logs. Entries are like this:

Aug 21 06:25:36 roadrunner dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lu...@mydomain.com rhost=85.224.xx.xx

I assume these failures come from the fact that PAM doesn't recognize the virtual users and Dovecot continues to the SQL passdb entry. As a result I get a _lot_ of auth failures in the logs. I have tried to come up with a way where the auth failures from PAM aren't logged if the SQL authentication is successful. Is this possible or are there any other recommended ways to handle this? How do other users solve this issue? The simple way is to just ignore all the logged auth failures but that seems too easy.

/PH

-- Per-Henrik Lundblom email: p...@whatever.nu cell: +46 733-20 71 26 webpage: www.whatever.nu
Re: [Dovecot] Logging passwords on auth failure/dealing with botnets
On 2013-09-02 9:35 AM, Charles Marcus cmar...@media-brokers.com wrote: Well, it would be nice to have some way to stop brute force attacks (rather than just letting one run rampant until the attacker gives up) And I left out the obvious ... or worst case, is successful ... - which obviously is why we are having this conversation in the first place... Maybe a two pronged approach... 1. A whitelist that whitelists IP+username for *successful* logins (maybe with a configurable age-out option) Of course there should be a default age-out option (24 hours? 48 hours? longer? shorter?), but should it be configurable? 2. A blacklist that when triggered (x failed login attempts in x seconds) Configurable? Maybe to make it simplest, some sane defaults could be decided on, and hard code them, with a single config option to enable or disable botnet brute-force protection? -- Best regards, */Charles/*
Re: [Dovecot] Getting back into Dovecot 2.2.5
On 2013-09-01 7:37 PM, Andreas Kasenides andr...@cymail.eu wrote:
On 31-08-2013 13:07, Kai Hendry wrote:
However I found /usr/share/doc/dovecot/example-config/conf.d/ a little scary, since I like to have my configs as minimalistic as possible, e.g.

I suggest you forget all the options and concentrate on the ones you intend to use. Dovecot has defaults for most options that make sense.

Precisely. *Never* change a default (goes for any/all software) unless you know exactly why you are doing so.

One technique you can use is to create your own config file in conf.d/ for your modifications, name it something like 99-myConfig.conf (as long as config files in conf.d/ are included, which they are by default), which causes it to be loaded last, and add your changes there. This way, it doesn't matter what is in any of the other config files: any changes you make will override them, and if you don't override something, you know you'll be using the default. This makes keeping up with your mods during upgrades much easier too.

-- Best regards, */Charles/*
Re: [Dovecot] migration from IMAP/POP3 courier server to a remote dovecot server
Ok, it seems I found the problem: I was missing the plugin declaration in dovecot.conf:

imapc_host = mail.foo.com
imapc_features = rfc822.size
pop3c_host = mail.foo.com
namespace {
  separator = /
  inbox = yes
}
protocol doveadm {
  mail_plugins = $mail_plugins pop3_migration
}
disable_plaintext_auth = no
pop3_uidl_format = UID%u-%v

And then using the command:

doveadm -o imapc_user=foo -o pop3c_user=foo -o imapc_password=bar -o pop3c_password=bar backup -R -u user@domain pop3c:

The only doubt I have is how to sync both imap and pop3: I've seen that if I do a pop3c sync and then an imapc sync it gives an error, and if I execute imapc and then pop3c it gives an error too.

-- /*/ nik600 http://www.kumbe.it
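A way to verify, on a test account before cutover, that a POP3 migration actually kept the UIDLs. This is an added example, not code from the thread or from Dovecot: it parses two raw UIDL responses (the Courier and Dovecot listings posted above, reproduced here as constructed sample input) and lists every old UIDL the new server no longer advertises. A POP3 client keys its "already downloaded" state on the UIDL string, so that list is exactly the set of messages the client will fetch again.

```python
"""Check whether a POP3 migration preserved UIDLs (added example).

Not code from the thread. The two listings are constructed copies of
the UIDL responses posted above.
"""
import re

# Constructed sample input: old (Courier) and new (Dovecot) UIDL
# responses, including the terminating "." line.
COURIER_UIDL = """+OK
1 1378040847.Vfe11I12801312M172099.myserver.cloud923
2 UID2-1378040947
3 UID3-1378040947
4 UID4-1378040947
5 UID5-1378040947
.
"""

DOVECOT_UIDL = """+OK
1 UID1-1378127599
2 UID2-1378127599
3 UID3-1378127599
4 UID4-1378127599
5 UID5-1378127599
.
"""

UIDL_LINE = re.compile(r"^(\d+) (\S+)$")


def parse_uidl(response):
    """Parse a multi-line UIDL response into {message_number: uidl}.

    Raises ValueError on a -ERR status or a malformed line, so a failed
    or truncated listing is never mistaken for an empty mailbox.
    """
    lines = response.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("UIDL did not return +OK: %r" % lines[:1])
    listing = {}
    for line in lines[1:]:
        if line == ".":  # end of the multi-line response
            break
        match = UIDL_LINE.match(line)
        if not match:
            raise ValueError("malformed UIDL line: %r" % line)
        listing[int(match.group(1))] = match.group(2)
    return listing


def lost_uidls(old_response, new_response):
    """Return, sorted, every UIDL present on the old server but not the new.

    Message numbers are per-session and may legitimately change, so the
    comparison is on the UIDL strings themselves, which is what a POP3
    client remembers.
    """
    old = set(parse_uidl(old_response).values())
    new = set(parse_uidl(new_response).values())
    return sorted(old - new)


def migration_report(old_response, new_response):
    """Summarise the comparison as a dict a cutover script can act on."""
    lost = lost_uidls(old_response, new_response)
    return {
        "messages_old": len(parse_uidl(old_response)),
        "messages_new": len(parse_uidl(new_response)),
        "lost": lost,
        "redownload": bool(lost),
    }


if __name__ == "__main__":
    report = migration_report(COURIER_UIDL, DOVECOT_UIDL)
    print("old=%d new=%d lost=%d" % (report["messages_old"],
                                    report["messages_new"], len(report["lost"])))
    for uidl in report["lost"]:
        print("  will be re-downloaded:", uidl)
```

Run against the listings from the thread it reports all five messages: the UIDVALIDITY part of the UIDL differs (1378040947 on the Courier side against 1378127599 on the Dovecot side), and message 1 on the Courier side is not in the UID%u-%v form at all, so even a matching UIDVALIDITY would still leave that one to be fetched again. The check is meant to be run on a test account against both servers before the real cutover.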
Re: [Dovecot] local AND virtual mail locations ?
Well, first of all, why are you using mbox? Truncated output from my doveconf -n:

# for Local users
mail_location = maildir:~/Maildir

# For SQL users
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  default_fields = uid=vpopmail gid=vchkpw mail_location=/usr/local/virtual/%u
  driver = sql
}

Notice that using default_fields I am able to respecify the mail_location for the sql users. You should be able to do something similar, right? Of course, you are using dovecot 1.x, so maybe it's more difficult? Still, mbox is bad. No one should use mbox.

Ok, I've switched to Dovecot version 2, which indeed allows a per-userdb mail location (mail= instead of mail_location). As for maildir versus mbox, I was able to turn to maildir for the local users, whose messages are delivered by procmail. For the virtual users, unfortunately for now, my smtp daemon, postoffice smtpd, is only mbox capable with no alternate LDA possibility.

# 2.2.5: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 8.3-RELEASE amd64
disable_plaintext_auth = no
first_valid_gid = 6
first_valid_uid = 6
mail_privileged_group = mail
passdb {
  args = *
  driver = pam
}
passdb {
  args = username_format=%n /etc/virtual/%d/passwd
  driver = passwd-file
}
protocols = imap
service auth {
  user = root
}
ssl = no
userdb {
  args = blocking=yes
  driver = passwd
  override_fields = mail=maildir:~/Maildir/
}
userdb {
  args = uid=mail gid=mail
  driver = static
  override_fields = mail=mbox:/var/spool/virtual/%d/%n.imap/:INBOX=/var/spool/virtual/%d/%n
}
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}

Thanks to all!
Re: [Dovecot] Auth error in log
On 02 Sep 2013, at 07:40 , Per-Henrik Lundblom p...@whatever.nu wrote:
When a virtual user defined in the MySQL database tries to log in using IMAP or SMTP I always get auth failures logged in the system logs. Entries are like this:

Aug 21 06:25:36 roadrunner dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lu...@mydomain.com rhost=85.224.xx.xx

I assume these failures come from the fact that PAM doesn't recognize the virtual users and Dovecot continues to the SQL passdb entry. As a result I get a _lot_ of auth failures in the logs. I have tried to come up with a way where the auth failures from PAM aren't logged if the SQL authentication is successful. Is this possible or are there any other recommended ways to handle this? How do other users solve this issue? The simple way is to just ignore all the logged auth failures but that seems too easy.

There's nothing to solve. If you have multiple authentication methods then any but the right one will fail, obviously. That said, I don't see these at all (I have pam and sql set). Are you logging to a dovecot log file or to syslog? This is what I see in maillog:

Sep 2 15:00:51 mail dovecot: imap-login: Login: user=*user*@*domain.tld*, 12.34.56.789, PLAIN, TLS
Sep 2 10:10:54 mail dovecot: imap-login: Login: user=kremels, 12.34.56.798, PLAIN, TLS

-- In other news, Gandalf died. -- Secret Diary of Boromir
Re: [Dovecot] Logging passwords on auth failure/dealing with botnets
On 9/2/2013 8:35 AM, Charles Marcus wrote: 2. A blacklist that when triggered (x failed login attempts in x seconds), doesn't try to block the IP, but rather prevents login attempts for that user account from even reaching the AUTH stage - *unless* the IP in question is in the whitelist. The question is, where is this best dealt with - firewall (can fail2ban do anything like this?), or would it have to be done in dovecot? I'm already using fail2ban to block IPs that have too many AUTH failures. Fail2ban is pretty flexible -- it watches the log and counts strings you specify, then runs a command or script you specify. If the username is logged, I suppose it's possible to run something to temporarily disable that user. It would be a lot easier to deploy if some sort of blocker were built into dovecot -- after X number of failures during Y seconds, fail all future attempts for the account for T seconds. Maybe reset the timer on each attempt during the blackout period so the timer never expires on the persistent distributed brute force attacks. I suppose there would also need to be a way to whitelist IPs so the account owner can get in. -- Noel Jones
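Here is what the scheme Charles and Noel sketch above looks like when driven from Dovecot's own login log, as an added example that is not part of the thread and not Dovecot or fail2ban code. It assumes the default Dovecot 2.x login log format (the sample lines are constructed), a year for the year-less syslog timestamps, and thresholds of 5 failures in 60 seconds, a 15-minute lockout and a 24-hour whitelist; all of these are assumptions chosen to exercise the logic. It counts the "N attempts" figure Dovecot logs per connection rather than one failure per line, so an attacker who keeps retrying inside a single session (the POP3 case raised later in this thread) is counted in full, and a failure during the blackout restarts the timer as Noel suggests.

```python
"""Per-account lockout with a success whitelist, fed from Dovecot logs.

Added example, not code from the thread or from Dovecot. Thresholds,
the assumed year and the sample log lines are all constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

ASSUMED_YEAR = 2013  # syslog timestamps carry no year (assumption)

# Matches a successful login or an "auth failed" disconnect/abort line.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?:imap|pop3)-login: (?P<event>Login:|(?:Disconnected|Aborted login) "
    r"\(auth failed, (?P<attempts>\d+) attempts in \d+ secs\):) "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<ip>[^,]+)"
)

# Constructed sample log, not captured from any real server.
SAMPLE_LOG = """\
Sep  2 10:00:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5, TLS
Sep  2 10:00:05 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 4 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, TLS
Sep  2 10:00:09 mail dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.8, lip=203.0.113.5
Sep  2 10:00:30 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts in 1 secs): user=<alice>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.5, TLS
Sep  2 10:05:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<bob>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.5, TLS
"""


def parse_syslog_ts(text):
    """Convert a syslog timestamp such as 'Sep  2 10:00:01' to epoch seconds."""
    stamp = "%d %s" % (ASSUMED_YEAR, " ".join(text.split()))
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S").timestamp()


class BruteForceGuard:
    def __init__(self, max_failures=5, window=60, lockout=900, whitelist_ttl=86400):
        self.max_failures = max_failures    # X failures ...
        self.window = window                # ... within Y seconds lock the account
        self.lockout = lockout              # ... for T seconds
        self.whitelist_ttl = whitelist_ttl  # how long a successful (user, IP) stays trusted
        self.failures = defaultdict(deque)  # user -> deque of (timestamp, attempts)
        self.locked_until = {}              # user -> epoch seconds
        self.whitelist = {}                 # (user, ip) -> timestamp of last success

    def is_whitelisted(self, user, ip, now):
        seen = self.whitelist.get((user, ip))
        return seen is not None and now - seen <= self.whitelist_ttl

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def should_allow(self, user, ip, now):
        """The decision a login layer would ask for before running AUTH."""
        return self.is_whitelisted(user, ip, now) or not self.is_locked(user, now)

    def record_success(self, user, ip, now):
        self.whitelist[(user, ip)] = now

    def record_failure(self, user, ip, attempts, now):
        """Count a failure; return True if the account is locked afterwards."""
        if self.is_locked(user, now):
            self.locked_until[user] = now + self.lockout  # restart the blackout timer
            return True
        recent = self.failures[user]
        recent.append((now, attempts))
        while recent and now - recent[0][0] > self.window:
            recent.popleft()                              # forget failures older than Y
        if sum(count for _, count in recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            recent.clear()
            return True
        return False

    def feed(self, line):
        """Update state from one log line; return an event tuple or None."""
        match = LOG_RE.match(line)
        if not match:
            return None
        now = parse_syslog_ts(match.group("ts"))
        user, ip = match.group("user"), match.group("ip")
        if match.group("event") == "Login:":
            self.record_success(user, ip, now)
            return ("ok", user, ip)
        locked = self.record_failure(user, ip, int(match.group("attempts")), now)
        return ("fail", user, ip, locked)


def analyse(lines, guard=None):
    """Replay log lines through a guard; return the guard and the events seen."""
    guard = guard or BruteForceGuard()
    events = [ev for ev in (guard.feed(line) for line in lines) if ev]
    return guard, events


if __name__ == "__main__":
    guard, events = analyse(SAMPLE_LOG.splitlines())
    print(*events, sep="\n")
    at = parse_syslog_ts("Sep  2 10:10:00")
    print("alice from 198.51.100.9 allowed:", guard.should_allow("alice", "198.51.100.9", at))
```

On the sample, alice's account locks at the third line (3 + 2 attempts inside 60 seconds), the failure at 10:00:30 pushes the lockout out to 10:15:30, and at 10:10:00 a login for alice is refused from the attacking addresses but still accepted from 192.0.2.10, where she logged in successfully earlier; bob, with a single failure, is never locked. Tailing the real log and calling should_allow from whatever sits in front of AUTH is the part a deployment would still have to wire up.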
[Dovecot] stopping dictionary attacks (pop3)
Hi Guys,

I was really hoping a couple of years later this would be addressed... I'm running Dovecot 2.2.5 on FreeBSD. Is there any way to limit the number of auth attempts allowed in a single session? The reason for this is because I have fail2ban set up to firewall out any IP addresses that repeatedly fail auth. The issue occurs when the connection is already in an established state and the attacker uses the existing session to hammer away: fail2ban becomes ineffective as dovecot appears to allow the person to attempt authentication ad infinitum. It would be nice if there was a config option that would, for example, cause the software to close the connection after X failed attempts. I use pf as the firewall on FreeBSD. Unless there was some command I could have fail2ban run that would destroy any tcp sessions in an established state prior to adding the offending IP to the block list, that would be the only way around the problem. Ideally it would be nice for dovecot to have an option to control the number of failed auth attempts.

Any suggestions?

Cheers, Alex.
[Dovecot] setup of dovecot as proxy to dbmail
Can anyone point me in the direction of a detailed how-to for setting up a postfix and dovecot (proxy) node with dbmail? In particular I'm looking for a how-to which shows dovecot authenticating against the dbmail database directly. The only example I've found is this one which requires a duplication of the user database. http://content.fens.org/index.php?q=admin-howto/mail/dovecot2dbmail-proxy Thanks.
Re: [Dovecot] setup of dovecot as proxy to dbmail
Am 03.09.2013 04:22, schrieb Regan Yelcich:
Can anyone point me in the direction of a detailed how-to for setting up a postfix and dovecot (proxy) node with dbmail? In particular I'm looking for a how-to which shows dovecot authenticating against the dbmail database directly. The only example I've found is this one which requires a duplication of the user database. http://content.fens.org/index.php?q=admin-howto/mail/dovecot2dbmail-proxy

no idea why someone would duplicate existing data

[root@testserver:~]$ cat /etc/dovecot/sql.conf
driver = mysql
connect = host=/var/lib/mysql/mysqld.sock dbname=dbmail user=dbmail password=***
password_query = SELECT passwd as password, '127.0.0.1' as host, userid as destuser, passwd AS pass, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy FROM dbmail_users WHERE userid='%u'
default_pass_scheme = plain

[root@testserver:~]$ cat /etc/dovecot/dovecot.conf
# provided services
protocols = imap pop3

# configure ssl
ssl = yes
ssl_cert = </etc/postfix/certs/localhost.pem
ssl_key = </etc/postfix/certs/localhost.pem
ssl_cipher_list = EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2

# configure imap-proxy
service imap-login {
  inet_listener imap {
    address = public-ip
    port = 143
  }
  inet_listener imaps {
    address = public-ip
    port = 993
  }
  vsz_limit = 256M
  service_count = 0
  process_min_avail = 1
  process_limit = 1
  client_limit = 200
}

# configure pop3-proxy
service pop3-login {
  inet_listener pop3 {
    address = public-ip
    port = 110
  }
  inet_listener pop3s {
    address = public-ip
    port = 995
  }
  vsz_limit = 256M
  service_count = 0
  process_min_avail = 1
  process_limit = 1
  client_limit = 200
}

# default settings
imap_capability = IMAP4 IMAP4rev1 ACL RIGHTS=texk NAMESPACE CHILDREN SORT QUOTA THREAD=ORDEREDSUBJECT UNSELECT IDLE
login_greeting =
login_log_format_elements = %u %r %m %c
login_log_format = %$: %s
mail_max_userip_connections = 100
auth_mechanisms = CRAM-MD5 DIGEST-MD5 APOP LOGIN PLAIN
disable_plaintext_auth = no
shutdown_clients = no
version_ignore = yes

# Logging
syslog_facility = mail

# authentication process
auth_worker_max_count = 50
auth_cache_size = 1024
auth_cache_ttl = 600
auth_cache_negative_ttl = 600
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%
auth_username_translation = %@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz

# debug options
auth_debug = no
auth_debug_passwords = no
auth_verbose = no
mail_debug = no
verbose_ssl = no

# configure proxy-database
passdb {
  driver = sql
  args = /etc/dovecot/sql.conf
}

# we are not using local users
userdb {
  driver = static
  args = static uid=1 gid=1 home=/dev/null
}

# configure backend for postfix sasl-auth
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
Re: [Dovecot] stopping dictionary attacks (pop3)
On 9/2/2013 8:59 PM, ot...@ahhyes.net wrote:
The issue occurs when the connection is already in an established state and the attacker uses the existing session to hammer away, fail2ban becomes ineffective as dovecot appears to allow the person to attempt authentication ad infinitum. It would be nice if there was config option that would for example cause the software to close the connection after X failed attempts. I use pf as the firewall on FreeBSD.

The secret is the pfctl -k IP command to drop state for the offending IP. Just add it to your fail2ban action command.

action = /sbin/pfctl {whatever you have now}
         /sbin/pfctl -k ip

A nice writeup of fail2ban and pf can be found here: http://www.effu.se/2011/03/Integrating-PF-with-Fail2ban-0.9

-- Noel Jones