Re: under some kind of attack
On 21/07/2017 04:03, mj wrote:
> Hi Robert,
>
>> I don't understand why you focused on those ldap strings.
>> fail2ban should trigger on some "Authentication failure" regex in the
>> related syslog.
>>
>> Perhaps this will help to make it more clear:
>>
>> http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot
>
> Yes, but I have that as well. :-)
>
> I wanted two kinds of blockings:
>
> #1: Everybody trying the well-known passwords (password, 123321, 1q2w3e,
> etc, etc) to become blocked *immediately* and for *always*.

This can be very tricky at times and you may actually hit quite a few legit users who are using weak passwords and have forgotten / mistyped them by accident. Seen this enough times, and the amount of support required to make a sloppy & lazy customer happy again isn't always trivial. If they're few and far apart you can live with it, otherwise you'll have to reevaluate it :)

Adi Pircalabu
Re: application specific passwords
* mj [2017-07-20 21:46]:
> Hi Kirill,
>
> Thanks for your reply. Such a simple flat file approach would be perfect,
> and I don't mind at all to require app specific usernames *and* passwords.

In my case it's a flat file, but this is easily doable with SQL as well, using a separate table for login/password and a key to a table with the appropriate user data.

> However, I am unsure how to combine your recipe below with our regular AD
> userdb/passdb.

Unfortunately, I'm not familiar with AD.

> Perhaps someone can give me some pointers in that direction?
>
> MJ
>
> On 07/20/2017 06:50 PM, Kirill Miazine wrote:
>> I'm not familiar with samba AD and with its features and limitations.
>> For my simple system I'm using plain files for passdb and userdb (aka.
>> passwd-file). Application (or rather device) specific passwords are
>> implemented by having an additional "username" with a specific
>> password for a particular application or device. E.g. some entries for
>> myself:
>>
>> bbmutt:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
>> kmozilla:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
>> sailpad:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
>> workphone:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
>>
>> The files are generated automatically from a Single Source of Truth.
>>
>> In my case I'm selecting the username myself, but there's nothing
>> preventing you from generating a username/password combination for your
>> users.
>>
>> Note that in my setup users will have an application specific username and
>> password, not only an application specific password. It was easier to
>> implement it quickly this way.
>>
>> Greetz
>> Kirill

-- 
Kirill Miazine
Re: under some kind of attack
Not applicable to most installations, but I use geographical filtering on all ports other than 25. Fine if you are the only user of the email system. I don't block countries where I will send and retrieve email.

I augment this with a small blocking list of IP space where I'm OK if they read my websites, but won't be sending/receiving email from their physical location. In short, schools and universities. So for example I would have trouble sending mail from the University of Michigan or anywhere in Kazakhstan.

I get one hacker a week trying to guess passwords, and always from Digital Ocean VPS. I just block them as they occur. I have a list of data centers that have tried to hack my web server, which I also block from the email server other than port 25.

I would like to see statistics on the success of such brute force attacks. They can't be very successful these days.
Re: under some kind of attack
> I would like to create a fail2ban filter, that scans for these lines:
>
> Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,): invalid credentials (given password: password)
> Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,): invalid credentials (given password: password)
>
> (as you can see, I have enabled auth_verbose_passwords to do this,
> making me very uncomfortable...)
>
> Anyway: since there are only a few password variations, I would like to
> block anyone using those passwords.

With all the constraints and processing, I'll offer yet another option: use the checkpassword password authentication scheme. This will bypass post-authentication log-sniffing and allow you direct access to username, password and client IP (the last I'm not positive about) at authentication time. Now you'll have everything you need to do any wild and crazy auth processing, including database searches and triggering firewall blocking based on whatever criteria you want (including common password use).

As to how to integrate it into your dovecot, I'm not sure whether it's best to supplant the LDAP method and authenticate within the checkpassword script, or to put it as the first authentication method (ahead of LDAP) to get first crack at inspecting the authentication data, or as the fallback authentication method (after LDAP) to pick up all the failures.

However, after running honeypots, I can tell you that although BFD attackers will commonly use passwords, any static list of abused passwords will miss a lot. (A common one they use is $password=variations($user) or variation($domain).) The number of auth failures should also be a criterion for banning. Extinct users are also good candidates for instant banning.

Joseph Tam
Re: application specific passwords
Hi Kirill,

Thanks for your reply. Such a simple flat file approach would be perfect, and I don't mind at all to require app specific usernames *and* passwords.

However, I am unsure how to combine your recipe below with our regular AD userdb/passdb.

Perhaps someone can give me some pointers in that direction?

MJ

On 07/20/2017 06:50 PM, Kirill Miazine wrote:
> I'm not familiar with samba AD and with its features and limitations.
> For my simple system I'm using plain files for passdb and userdb (aka.
> passwd-file). Application (or rather device) specific passwords are
> implemented by having an additional "username" with a specific
> password for a particular application or device. E.g. some entries for
> myself:
>
> bbmutt:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
> kmozilla:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
> sailpad:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
> workphone:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
>
> The files are generated automatically from a Single Source of Truth.
>
> In my case I'm selecting the username myself, but there's nothing
> preventing you from generating a username/password combination for your
> users.
>
> Note that in my setup users will have an application specific username and
> password, not only an application specific password. It was easier to
> implement it quickly this way.
>
> Greetz
> Kirill
Re: application specific passwords
Hi,

Let me ask a more specific question. What I would like to configure is:

- for our internal users to use their regular AD username/passwords, just as everybody can currently do.

but, new:

- for external users, to ONLY be allowed to use an application specific password. (or username and password, fine as well)

Step one: making ldap password authentication valid only from our internal network. I thought: using allow_nets=192.168.1.0/24 for that passdb. But I can't get that to work. :-( Unsure where exactly to define the allow_nets, tried many variations on the theme already.

Perhaps someone can help with step one, and also tell me if the approach outlined above is smart, valid and do-able in dovecot.

Here are our sanitised configs:

root@mails:/etc/dovecot# doveconf -n
# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.7 xfs
auth_debug = yes
auth_failure_delay = 2 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = /var/log/dovecot/dovecot.debug
deliver_log_format = %f | %s | msgid=%m: %$
disable_plaintext_auth = no
info_log_path = /var/log/dovecot/dovecot.info
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot/dovecot.err
login_greeting = Dovecot ready.
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted items" {
    special_use = \Trash
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent items" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  mailbox inbox {
    auto = subscribe
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  skip = authenticated
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename append
  mail_log_fields = uid box msgid from subject
  quota = maildir
  quota_rule = ?:storage=5G
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=97%% quota-warning 97 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=80%% quota-warning 80 %u
  quota_warning6 = -storage=100%% quota-warning below %u
  sieve = ~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/default.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service imap-login {
  process_limit = 500
  process_min_avail = 2
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
  }
  user = dovecot
}
ssl_ca =

and our dovecot-ldap.conf.ext:

hosts = ldap1 ldap2 ldap3
dn = cn=search,cn=
dnpass = secretashell
tls = no
debug_level = 0
auth_bind = yes
base = CN=Users, DC=.
scope = subtree
user_attrs = =home=/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,=mail=maildir:/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,allow_nets=192.168.1.0/24
user_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
pass_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
iterate_attrs = sAMAccountName=user
iterate_filter = (objectClass=person)

MJ
Re: under some kind of attack
On 07/20/2017 08:47 PM, Robert Schetterer wrote:
> Ok I understand, not a bad idea, report how it works for you

That "report how it works for you" was exactly why I posted the fail2ban failregex back to the list. :-) So others can use it too.

It works fantastically, and I combined it now with blocking complete countries at the firewall level. Users have their regular three login tries, and get a password dialogue if they changed their password (which many did, in the light of this attack). And the last botnet attempts remaining, using "password" etc., are blocked instantly. Works nicely. :-)

Now I want to implement application specific passwords; I will post about that in a separate message. As you have been such a great help, perhaps you can also help a little bit in that thread...?

Thanks again,
MJ
Re: under some kind of attack
On 20.07.2017 at 20:03, mj wrote:
> Hi Robert,
>
>> I don't understand why you focused on those ldap strings.
>> fail2ban should trigger on some "Authentication failure" regex in the
>> related syslog.
>>
>> Perhaps this will help to make it more clear:
>>
>> http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot
>
> Yes, but I have that as well. :-)
>
> I wanted two kinds of blockings:
>
> #1: Everybody trying the well-known passwords (password, 123321, 1q2w3e,
> etc, etc) to become blocked *immediately* and for *always*.
>
> #2: I wanted all others to have the 'regular' settings, with three
> shots at typing a password, etc.
>
> #2 being the 'regular fail2ban' settings, but during this attack, I
> wanted special settings, #1, for anyone trying one of the malicious
> passwords.
>
> I did NOT want to give them the usual three opportunities to try.
>
> In fact: this is a bit similar to your iptables solution, but that only
> works for non-ssl/non-tls connections.
>
> Your iptables solution makes sure that they cannot authenticate *at all*,
> while the above solution makes sure they can only authenticate *once*.
>
> MJ

Ok I understand, not a bad idea, report how it works for you

Best Regards
Robert Schetterer

-- 
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: Munich, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: vacation problem with SRS
I have this version with the FIXME:

    /* FIXME: If From header of message has same address, we should use that
     * instead to properly include the phrase part. */
    rfc2822_header_printf(msg, "To", "<%s>", reply_to);

Should this work OK? Or do you have to change something?

2017-07-20 15:51 GMT+02:00 Stephan Bosch:
> On 20-7-2017 at 10:37, Kacper Guzik wrote:
>> Hi, I have a similar problem like here:
>>
>> http://www.iredmail.org/forum/topic11833-iredmail-support-vocation-respone-unknown-user.html
>>
>> email sent:
>> from : web...@gmail.com
>> to : ja...@mail.com
>>
>> vacation sent back
>> from : ja...@mail.com
>> to : srs0=hmc8=v7=gmail.com=web...@mail.com
>>
>> postsrsd changing return-path from web...@gmail.com to
>> srs0=hmc8=v7=gmail.com=web...@mail.com
>>
>> this is no problem for me but sieve:
>>
>> Vacation's messages are always addressed to the Return-Path address
>>
>> Is it possible somehow to change this ugly To header to normal?
>>
>> I can't find anything on dovecot mailing lists
>
> Hmm,
>
> I think this relates to this FIXME:
>
> https://github.com/dovecot/pigeonhole/blob/master/src/lib-sieve/plugins/vacation/cmd-vacation.c#L951
>
> Looks like I've been just lazy. Should be relatively easy to fix.
>
> Regards,
>
> Stephan.
Re: under some kind of attack
Hi Robert,

> I don't understand why you focused on those ldap strings.
> fail2ban should trigger on some "Authentication failure" regex in the
> related syslog.
>
> Perhaps this will help to make it more clear:
>
> http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot

Yes, but I have that as well. :-)

I wanted two kinds of blockings:

#1: Everybody trying the well-known passwords (password, 123321, 1q2w3e, etc, etc) to become blocked *immediately* and for *always*.

#2: I wanted all others to have the 'regular' settings, with three shots at typing a password, etc.

#2 being the 'regular fail2ban' settings, but during this attack, I wanted special settings, #1, for anyone trying one of the malicious passwords.

I did NOT want to give them the usual three opportunities to try.

In fact: this is a bit similar to your iptables solution, but that only works for non-ssl/non-tls connections.

Your iptables solution makes sure that they cannot authenticate *at all*, while the above solution makes sure they can only authenticate *once*.

MJ
Re: application specific passwords
Hi, mj

* mj [2017-07-20 13:29]:
> Hi,
>
> Further to the other thread about password guessing activities against our
> dovecot, I would like to implement application specific passwords on our
> dovecot.

[...]

> Is there anyone here with some additional notes, ideas, tips, tricks on
> setting up application specific passwords with dovecot with virtual users?
> We are using samba AD as an authentication backend.

I'm not familiar with samba AD and with its features and limitations.

For my simple system I'm using plain files for passdb and userdb (aka. passwd-file). Application (or rather device) specific passwords are implemented by having an additional "username" with a specific password for a particular application or device. E.g. some entries for myself:

bbmutt:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
kmozilla:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
sailpad:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
workphone:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M

The files are generated automatically from a Single Source of Truth.

In my case I'm selecting the username myself, but there's nothing preventing you from generating a username/password combination for your users.

Note that in my setup users will have an application specific username and password, not only an application specific password. It was easier to implement it quickly this way.

Greetz
Kirill

-- 
Kirill Miazine
Re: under some kind of attack
On 20.07.2017 at 12:28, mj wrote:
> I have concocted something that seems to work. And for the archives, this
> is it:
>
>> failregex = auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: .+ssword\)
>>             auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 1qaz2wsx\)
>>             auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 123321\)
>>             auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 1234567890\)
>>             auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 1q2w3e4r.+\)
>
> It's still reactive, and not pro-active.
>
> All the other suggestions are very much appreciated, including
> weakforced, however implementing that is a much larger project.

I don't understand why you focused on those ldap strings.
fail2ban should trigger on some "Authentication failure" regex in the related syslog.

Perhaps this will help to make it more clear:

http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot

> Next I have to find out how to feed my fail2ban logs back to
> blocklist.de, to improve their mail.txt hit rate.
>
> Thanks again for all kind assistance.
>
> MJ
>
> On 07/20/2017 11:16 AM, mj wrote:
>> Hi all,
>>
>> If I may, one more question on this subject:
>>
>> I would like to create a fail2ban filter, that scans for these lines:
>>
>>> Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,): invalid credentials (given password: password)
>>> Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,): invalid credentials (given password: password)
>>
>> (as you can see, I have enabled auth_verbose_passwords to do this,
>> making me very uncomfortable...)
>>
>> Anyway: since there are only a few password variations, I would like
>> to block anyone using those passwords.
>>
>> (since the connections are over TLS/SSL, I cannot use iptables, as
>> suggested earlier)
>>
>> So I need a specific fail2ban rule that extracts the from that
>> line, and matches on "(given password: password)"
>>
>> Can anyone here help out with a failregex line that would match..?

Best Regards
Robert Schetterer

-- 
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: Munich, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: vacation problem with SRS
On 20-7-2017 at 10:37, Kacper Guzik wrote:
> Hi, I have a similar problem like here:
>
> http://www.iredmail.org/forum/topic11833-iredmail-support-vocation-respone-unknown-user.html
>
> email sent:
> from : web...@gmail.com
> to : ja...@mail.com
>
> vacation sent back
> from : ja...@mail.com
> to : srs0=hmc8=v7=gmail.com=web...@mail.com
>
> postsrsd changing return-path from web...@gmail.com to
> srs0=hmc8=v7=gmail.com=web...@mail.com
>
> this is no problem for me but sieve:
>
> Vacation's messages are always addressed to the Return-Path address
>
> Is it possible somehow to change this ugly To header to normal?
>
> I can't find anything on dovecot mailing lists

Hmm,

I think this relates to this FIXME:

https://github.com/dovecot/pigeonhole/blob/master/src/lib-sieve/plugins/vacation/cmd-vacation.c#L951

Looks like I've been just lazy. Should be relatively easy to fix.

Regards,

Stephan.
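As an added example (not Pigeonhole's code and not from Stephan or Kacper), the address choice the FIXME in cmd-vacation.c points at, carried one step further: undo an SRS0 forward rewrite before comparing the Return-Path with the From header, and keep the envelope recipient as the Return-Path so the reply still travels back through the forwarder, while only the To header borrows the From phrase. The SRS0 layout (postsrsd style, SRS0 only) and the sample addresses are assumptions.

```python
import re
from email.utils import formataddr, parseaddr

# Assumed SRS0 layout as produced by postsrsd (forward rewrite only):
#   SRS0=<hash>=<timestamp>=<original-domain>=<original-local>@<forwarder>
# SRS1 (re-forwarded) addresses are not handled here.
SRS0_RE = re.compile(
    r"^srs0=(?P<hash>[^=]+)=(?P<ts>[^=]+)=(?P<domain>[^=]+)"
    r"=(?P<local>.+)@(?P<forwarder>[^@]+)$",
    re.IGNORECASE,
)


def decode_srs0(address):
    """Undo an SRS0 rewrite; anything that is not SRS0 is returned unchanged."""
    m = SRS0_RE.match(address.strip())
    if m is None:
        return address
    return f"{m['local']}@{m['domain']}"


def vacation_recipient(return_path, from_header):
    """Return (envelope_recipient, to_header) for a vacation reply.

    The reply is still sent to the envelope sender (the Return-Path), so it
    goes back through the forwarder that applied SRS.  The To: header may
    use the From: header instead when that names the same mailbox once the
    SRS rewrite is undone, which preserves the display-name phrase.
    """
    rp_addr = parseaddr(return_path)[1]
    original = decode_srs0(rp_addr)
    from_name, from_addr = parseaddr(from_header)
    if from_addr and from_addr.lower() == original.lower():
        return rp_addr, formataddr((from_name, from_addr))
    # Different mailbox: fall back to the bare Return-Path, as the FIXME does.
    return rp_addr, f"<{rp_addr}>"


# Constructed message data modelled on the thread's example (local parts
# and the forwarder domain are made up).
RETURN_PATH = "<srs0=hmc8=v7=gmail.com=webmaster@mail.example>"
FROM_HEADER = "Web Master <webmaster@gmail.com>"

if __name__ == "__main__":
    envelope_to, header_to = vacation_recipient(RETURN_PATH, FROM_HEADER)
    print("RCPT TO:", envelope_to)
    print("To:", header_to)
```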
Re: application specific passwords
Quoting mj:
> Hi,
>
> Further to the other thread about password guessing activities against our
> dovecot, I would like to implement application specific passwords on our
> dovecot.
>
> Googling results in some documents, but they are all a bit older:
>
> https://www.happyassassin.net/2014/08/26/adding-application-specific-passwords-to-dovecot-when-using-system-user-accounts/
> https://www.dgsiegel.net/news/2013_05_21-application_specific_passwords_for_dovecot
> http://www.justinbuchanan.com/blog/category/RoundCube
> http://www.justinbuchanan.com/blog/post/2012/12/02/Application-Specific-Passwords-for-Dovecot-and-Postfix
>
> Those articles are interesting, but also rather old. (I realise that this
> does not necessarily mean: irrelevant or bad)
>
> Is there anyone here with some additional notes, ideas, tips, tricks on
> setting up application specific passwords with dovecot with virtual users?
> We are using samba AD as an authentication backend.
>
> MJ

I'm working on PrivacyIdea (PI) integration for 2FA. The reason I mention this for app passwords is because PI allows multiple 'tokens' that aren't just for 2FA. This would allow you to give your users a web portal to create 'password' (SPASS) tokens, using their AD pass to auth to the portal. Then using PAM Radius, Dovecot can auth against the multiple password tokens.

Personally, I'm not too thrilled about having users have multiple passwords for IMAP, BUT if you're trying to protect the AD password, this would be a method of isolating AD away. You can set PI to fall back to the AD password if the user doesn't have a token, so integration is pretty seamless. You can also do some fancy policy-based token matching to require 2FA for, say, webmail, and allow SPASS for POP/IMAP.

This is what I'm aiming for, but I've had issues with the webmail client portion (user using 2FA, and IMAP being hardcoded) and haven't gotten back to it to truly guide anyone else through it.

Rick
Re: 2.2.devel (0bee280) crashdump virtual plugin
* Aki Tuomi 2017.07.20 05:40:
> Should be fixed with
>
> commit 81e832796cdc6af790ed7be8a6c150889f03171c
> Author: Timo Sirainen
> Date: Wed Jul 19 23:19:12 2017 +0300
>
>     virtual: Optimize mailbox_notify_changes() when there's only a single
>     backend mailbox
>
> commit 2044eb7652b864a05842933e9097c583cb11256c
> Author: Timo Sirainen
> Date: Wed Jul 19 23:11:12 2017 +0300
>
>     lib-storage: mailbox_watch_extract_notify_fd() - give better reason if
>     mailbox has no IOs
>
>     This happens currently with virtual mailboxes.
>
> commit a6280be05b9c90579bb59ff57a3035661706c3d3
> Author: Timo Sirainen
> Date: Wed Jul 19 23:09:13 2017 +0300
>
>     lib: io_loop_extract_notify_fd() - Don't crash if no notifys have been
>     added

After some testing with 2.2.devel (bf2fa36) I wasn't able to reproduce the segfaults anymore. Thanks!
application specific passwords
Hi,

Further to the other thread about password guessing activities against our dovecot, I would like to implement application specific passwords on our dovecot.

Googling results in some documents, but they are all a bit older:

https://www.happyassassin.net/2014/08/26/adding-application-specific-passwords-to-dovecot-when-using-system-user-accounts/
https://www.dgsiegel.net/news/2013_05_21-application_specific_passwords_for_dovecot
http://www.justinbuchanan.com/blog/category/RoundCube
http://www.justinbuchanan.com/blog/post/2012/12/02/Application-Specific-Passwords-for-Dovecot-and-Postfix

Those articles are interesting, but also rather old. (I realise that this does not necessarily mean: irrelevant or bad)

Is there anyone here with some additional notes, ideas, tips, tricks on setting up application specific passwords with dovecot with virtual users? We are using samba AD as an authentication backend.

MJ
SRS and vacation message
Hi, I have a similar problem like here:

http://www.iredmail.org/forum/topic11833-iredmail-support-vocation-respone-unknown-user.html

email sent:
from : web...@gmail.com
to : ja...@mail.com

vacation sent back
from : ja...@mail.com
to : srs0=hmc8=v7=gmail.com=web...@mail.com

postsrsd changing return-path from web...@gmail.com to srs0=hmc8=v7=gmail.com=web...@mail.com

this is no problem for me but sieve:

Vacation's messages are always addressed to the Return-Path address

Is it possible somehow to change this ugly To header to normal?

dovecot --version
2.2.29.1 (e0b76e3)

# 2.2.29.1 (e0b76e3): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.18 (29cc74d)
doveconf: Warning: service auth { client_limit=125000 } is lower than required under max. load (15)
# OS: Linux 3.10.0-514.16.1.el7.x86_64 x86_64 CentOS Linux release 7.3.1611 (Core)
auth_master_user_separator = *
auth_mechanisms = plain login
auth_worker_max_count = 60
default_client_limit = 125000
default_process_limit = 25000
dict {
  quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
disable_plaintext_auth = no
listen = *
log_path = /var/log/dovecot.log
login_trusted_networks = xxx
mail_fsync = never
mail_gid = 2000
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
mail_max_userip_connections = 128
mail_plugins = quota zlib expire
mail_uid = 2000
maildir_broken_filename_sizes = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  auth_socket_path = /var/run/dovecot/auth-master
  quota = dict:user::proxy::quotadict
  sieve = /home/sieve/%Ld/%Ln/dovecot.sieve
  sieve_after = /home/sieve/dovecot.sieve
  sieve_default = /home/sieve/dovecot.sieve
  sieve_dir = /home/sieve/%Ld/%Ln
  sieve_global_dir = /home/sieve
  sieve_global_path = /home/sieve/dovecot.sieve
  sieve_max_redirects = 25
  zlib_save = gz
  zlib_save_level = 9
}
protocols = pop3 imap sieve lmtp
service auth {
  service_count = 0
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0777
    user = vmail
  }
}
service imap-login {
  process_min_avail = 16
  service_count = 0
  vsz_limit = 64 M
}
service imap {
  process_limit = 4096
}
service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
    port = 24
  }
  user = vmail
}
service pop3-login {
  process_min_avail = 16
  service_count = 0
}
service quota-warning {
  executable = script /usr/local/bin/dovecot-quota-warning.sh
  unix_listener quota-warning {
    group = root
    mode = 0666
    user = root
  }
  user = root
}
ssl_ca =
Re: under some kind of attack
I have concocted something that seems to work. And for the archives, this is it:

failregex = auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: .+ssword\)
            auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 1qaz2wsx\)
            auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 123321\)
            auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 1234567890\)
            auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 1q2w3e4r.+\)

It's still reactive, and not pro-active.

All the other suggestions are very much appreciated, including weakforced, however implementing that is a much larger project.

Next I have to find out how to feed my fail2ban logs back to blocklist.de, to improve their mail.txt hit rate.

Thanks again for all kind assistance.

MJ

On 07/20/2017 11:16 AM, mj wrote:
> Hi all,
>
> If I may, one more question on this subject:
>
> I would like to create a fail2ban filter, that scans for these lines:
>
>> Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,): invalid credentials (given password: password)
>> Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,): invalid credentials (given password: password)
>
> (as you can see, I have enabled auth_verbose_passwords to do this,
> making me very uncomfortable...)
>
> Anyway: since there are only a few password variations, I would like to
> block anyone using those passwords.
>
> (since the connections are over TLS/SSL, I cannot use iptables, as
> suggested earlier)
>
> So I need a specific fail2ban rule that extracts the from that line,
> and matches on "(given password: password)"
>
> Can anyone here help out with a failregex line that would match..?
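As an added example (not code from mj, Joseph Tam or fail2ban), the triage logic the two messages above describe, run over constructed log lines of the quoted format: the static weak-password list from the failregex bans on the first hit, Joseph Tam's observation that attackers also try passwords derived from the user or domain is covered by a second check, and everything else falls through to the ordinary three-failures threshold. The local domain example.org, the addresses (RFC 5737 ranges) and the session ids are assumptions; the host group below is what fail2ban's `<HOST>` tag captures in a real filter.

```python
import re
from collections import Counter

# Constructed sample log lines in the format quoted on the list; users,
# addresses (RFC 5737 documentation ranges) and session ids are made up.
SAMPLE_LOG = [
    "Jul 20 11:10:09 auth: Info: ldap(user1,198.51.100.23,): invalid credentials (given password: password)",
    "Jul 20 11:10:19 auth: Info: ldap(user2,203.0.113.4,<s1>): invalid credentials (given password: mypassword)",
    "Jul 20 11:10:25 auth: Info: ldap(alice,192.0.2.77,<s2>): invalid credentials (given password: Summer2017!)",
    "Jul 20 11:10:31 auth: Info: ldap(bob,203.0.113.9,<s3>): invalid credentials (given password: bob2017!)",
    "Jul 20 11:10:33 auth: Info: ldap(alice,192.0.2.77,<s4>): invalid credentials (given password: Summer2017)",
    "Jul 20 11:10:40 auth: Info: ldap(carol,192.0.2.78,<s5>): invalid credentials (given password: example123)",
    "Jul 20 11:10:44 imap-login: Info: Disconnected (no auth attempts in 0 secs): rip=192.0.2.80",
    "Jul 20 11:10:50 auth: Info: ldap(alice,192.0.2.77,<s6>): invalid credentials (given password: Summer2017?)",
]

# Assumed line format: the one quoted in the thread, with an optional third
# field inside ldap(...) so both "ldap(user,ip,)" and "ldap(user,ip,<id>)"
# are accepted.  The "host" group is what fail2ban's <HOST> tag captures.
AUTH_FAIL_RE = re.compile(
    r"auth: Info: ldap\((?P<user>[^,]+),(?P<host>[^,]+),[^)]*\): "
    r"invalid credentials \(given password: (?P<password>.*)\)$"
)

# The static list from the thread's failregex, expressed as Python regexes.
WEAK_PASSWORD_PATTERNS = [re.compile(p) for p in (
    r".+ssword$", r"^1qaz2wsx$", r"^123321$", r"^1234567890$", r"^1q2w3e4r.*",
)]


def parse_auth_failure(line):
    """Return (user, host, password) for a matching line, else None."""
    m = AUTH_FAIL_RE.search(line)
    return (m["user"], m["host"], m["password"]) if m else None


def weak_password_reason(user, password, domain):
    """Explain why a guess looks automated, or return None if it may be a typo."""
    for pat in WEAK_PASSWORD_PATTERNS:
        if pat.search(password):
            return "static-list"
    # Guesses built from the account itself: the user or domain name,
    # optionally followed by digits or punctuation (e.g. bob2017!, example123).
    lowered = password.lower()
    stems = {user.lower(), domain.lower(), domain.split(".")[0].lower()}
    for stem in stems:
        if re.fullmatch(re.escape(stem) + r"[\d!@#$%^&*._-]*", lowered):
            return "derived-from-account"
    return None


def triage(lines, domain, max_failures=3):
    """Per client IP: 'ban-now:<reason>', 'ban-threshold', or 'watch'."""
    decisions = {}
    failures = Counter()
    for line in lines:
        parsed = parse_auth_failure(line)
        if parsed is None:
            continue  # not an auth failure line
        user, host, password = parsed
        if decisions.get(host, "").startswith("ban"):
            continue  # already decided for this address
        reason = weak_password_reason(user, password, domain)
        if reason:
            decisions[host] = "ban-now:" + reason
            continue
        # Plausible typo: apply the regular fail2ban-style threshold.
        failures[host] += 1
        decisions[host] = "ban-threshold" if failures[host] >= max_failures else "watch"
    return decisions


if __name__ == "__main__":
    for host, decision in sorted(triage(SAMPLE_LOG, "example.org").items()):
        print(host, decision)
```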
Re: Return extra fields from passwd userdb
On Thu, 20 Jul 2017, Michele Petrella wrote:

> To be more accurate, all users in ldap db need to use mail, but some users
> in /etc/passwd file use mail too.

Do users exist in both passwd and ldap?

> For this reason I set up "driver=passwd" in userdb section and in
> /etc/nsswitch.conf I set up "passwd: files ldap".

If you did this for Dovecot, revert it.

> Now I want to use dovecot per user quota to limit ldap users mailbox size.
> I need quota only for ldap users, no need for users in /etc/passwd file.
> Which is the correct configuration to do this?

Use two databases for both passdb and userdb. One using pam / passwd, the other one the standard LDAP config. See:

https://wiki2.dovecot.org/Authentication/MultipleDatabases

Use LDAP instead of SQL userdb and passdb. I guess you will find posts in the sense "virtual and system users".

If there is no user in both databases, the order does not matter (except for speed); otherwise, each database is tried in order of definition until a successful hit is found. You can order the passdb's and userdb's differently, e.g. if passwd-passdb is first and the user's password matches, and the ldap-userdb is first and you get a hit there, the user authenticates against passwd, but its data is retrieved from LDAP. See the comment on that page: "look up users from SQL first (even if authentication was done using PAM!)"

> I understand that I need to use extra fields to obtain user quota from
> users db. But you said "the userdb section cannot merge two databases
> together".

So you cannot merge, but use one after another.

> I can not use dovecot per user quota with "driver=passwd" in userdb
> section? I could use only global quota?
>
> P.S.
> 1) I use dovecot-lda as delivery agent.
> 2) I send again my dovecot configuration:
>
> # 2.2.29.1 (e0b76e3): /var/etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.18 (29cc74d)
> # OS: Linux 3.10.55-gentoo i686 SuSE Linux 7.1 (i386)
> debug_log_path = /var/log/dovecot/dovecot_debug.log
> disable_plaintext_auth = no
> info_log_path = /var/log/state.mail/dovecot.pipe
> log_path = /var/log/dovecot/dovecot.log
> mail_debug = yes
> mail_gid = users
> mail_location = maildir:~/.maildir
> mail_plugins = acl quota
> mail_shared_explicit_inbox = yes
> mail_uid = vmail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
> namespace {
>   list = yes
>   location = maildir:/data/home/vmail/public
>   prefix = Public/
>   separator = /
>   subscriptions = no
>   type = public
> }
> namespace {
>   list = children
>   location = maildir:/data/home/%%n/.maildir:INDEX=~/.maildir/shared/%%u
>   prefix = Shared/%%u/
>   separator = /
>   subscriptions = no
>   type = shared
> }
> namespace inbox {
>   inbox = yes
>   list = yes
>   location =
>   mailbox Cestino {
>     special_use = \Trash
>   }
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox "Posta inviata" {
>     special_use = \Sent
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
>   separator = /
>   subscriptions = yes
>   type = private
> }
> passdb {
>   args = /etc/dovecot/passwd.masterusers
>   driver = passwd-file
>   master = yes
> }
> passdb {
>   driver = pam
> }
> plugin {
>   acl = vfile:/etc/dovecot/acl:cache_secs=300
>   acl_shared_dict = file:/var/lib/dovecot-dict/shared-mailboxes
>   quota = maildir:User quota
>   quota_rule = *:storage=5M
>   quota_rule2 = Trash:storage=+100M
>   quota_rule3 = SPAM:ignore
>   sieve = ~/.dovecot.sieve
>   sieve_before = /var/etc/dovecot/sieve/general/
>   sieve_dir = ~/sieve
>   sieve_execute_bin_dir = /usr/local/bin/dovecot/sieve-execute
>   sieve_filter_bin_dir = /usr/local/bin/dovecot/sieve-filter
>   sieve_global_dir = /var/etc/dovecot/sieve/global/
>   sieve_global_extensions = +vnd.dovecot.execute +vnd.dovecot.filter +vnd.dovecot.pipe +editheader
>   sieve_pipe_bin_dir = /usr/local/bin/dovecot/sieve-pipe
>   sieve_plugins = sieve_extprograms
> }
> protocols = imap pop3 lmtp sieve
> service auth {
>   unix_listener auth-userdb {
>     group = users
>   }
> }
> service imap-postlogin {
>   executable = script-login /usr/local/bin/imap-postlogin.sh
>   user = $default_internal_user
> }
> service imap {
>   executable = imap imap-postlogin
> }
> ssl = no
> ssl_cert =
> userdb {
>   default_fields = quota_rule=*:bytes=%$
>   driver = passwd
> }
>
>>> I have problems in returning extra fields from the passwd userdb.
>>> My users are partially in passwd files and partially in LDAP. Users
>>> who use mail are in LDAP db.
>>>
>>> If I use "default_fields = quota_rule=*:bytes=100M" in userdb,
>>>
>>> if I use "default_fields = quota_rule=*:bytes=%{userdb:quotabytes}" in userdb,
>>
>> 1) default_fields supplies default values, if the userdb does not
>> return them. Hence, you cannot reference a LDAP result.
>>
>> 2) the userdb section cannot m
Re: under some kind of attack
On 20.07.2017 12:16, mj wrote:
> Hi all,
>
> If I may, one more question on this subject:
>
> I would like to create a fail2ban filter, that scans for these lines:
>
>> Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,): invalid credentials (given password: password)
>> Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,): invalid credentials (given password: password)
>
> (as you can see, I have enabled auth_verbose_passwords to do this, making me very uncomfortable...)
>
> Anyway: since there are only a few password variations, I would like to block anyone using those passwords.
>
> (since the connections are over TLS/SSL, I cannot use iptables, as suggested earlier)
>
> So I need a specific fail2ban rule that extracts the from that line, and matches on "(given password: password)"
>
> Can anyone here help out with a failregex line that would match..?

You could use https://github.com/PowerDNS/weakforced here. It lets you execute arbitrary actions in addition to just outright blocking the users.

Aki
Re: under some kind of attack
Hi all,

If I may, one more question on this subject:

I would like to create a fail2ban filter, that scans for these lines:

Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,): invalid credentials (given password: password)
Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,): invalid credentials (given password: password)

(as you can see, I have enabled auth_verbose_passwords to do this, making me very uncomfortable...)

Anyway: since there are only a few password variations, I would like to block anyone using those passwords.

(since the connections are over TLS/SSL, I cannot use iptables, as suggested earlier)

So I need a specific fail2ban rule that extracts the from that line, and matches on "(given password: password)"

Can anyone here help out with a failregex line that would match..?
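A failregex for exactly the lines quoted in the post, as an added example (it is not part of mj's post and not fail2ban's own code). It builds the regex from a list of weak passwords, expands `<HOST>` the way fail2ban does, and runs it over constructed log lines: the first two are the ones quoted above, the rest are made up to show that a mistyped strong password and an unknown user do not match. The filter file name `dovecot-weakpw.conf` and the `<HOST>` expansion are assumptions.

```python
"""Added example (not part of the thread, not fail2ban's own code): build and
test a fail2ban failregex that bans a client IP as soon as it tries one of a
few well-known passwords against Dovecot.  Runs offline on constructed lines."""
import re

# Passwords to block on sight; the three named in the thread, extend as needed.
WEAK_PASSWORDS = ["password", "123321", "1q2w3e"]

# What fail2ban substitutes for <HOST> before compiling a failregex
# (assumption: the classic expansion; newer releases use a richer pattern).
FAIL2BAN_HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The first two lines are the ones quoted in the thread, the rest are
# constructed: one strong-password typo (must not match), one more weak
# password (must match), one unknown user (must not match).
SAMPLE_LOG = """\
Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,): invalid credentials (given password: password)
Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,): invalid credentials (given password: password)
Jul 20 11:10:31 auth: Info: ldap(user3,192.0.2.10,): invalid credentials (given password: Tr0ub4dor&3)
Jul 20 11:10:40 auth: Info: ldap(user4,198.51.100.7,): invalid credentials (given password: 1q2w3e)
Jul 20 11:10:52 auth: Info: ldap(user5,203.0.113.9,): unknown user
"""


def build_failregex(weak_passwords):
    """failregex line for a fail2ban filter.

    Inside ldap(...) the fields are user, client IP and session id (empty in
    the quoted lines).  Only lines whose logged password is in the weak list
    match, so a user who merely mistypes a strong password is not banned.
    """
    alternatives = "|".join(re.escape(p) for p in weak_passwords)
    return (r"auth: Info: ldap\((?P<user>[^,]+),<HOST>,[^)]*\): "
            r"invalid credentials \(given password: (?:" + alternatives + r")\)\s*$")


def filter_conf(weak_passwords):
    """[Definition] section for a filter file such as
    /etc/fail2ban/filter.d/dovecot-weakpw.conf (file name is an assumption)."""
    return ("[Definition]\n"
            "failregex = " + build_failregex(weak_passwords) + "\n"
            "ignoreregex =\n")


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", FAIL2BAN_HOST))


def scan(log_text, weak_passwords):
    """Return (host, user) for every line that would trigger the ban."""
    rx = compile_failregex(build_failregex(weak_passwords))
    hits = []
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hits.append((m.group("host"), m.group("user")))
    return hits


if __name__ == "__main__":
    print(filter_conf(WEAK_PASSWORDS))
    for host, user in scan(SAMPLE_LOG, WEAK_PASSWORDS):
        print("ban %s (tried weak password as %s)" % (host, user))
```

Write the `[Definition]` output to the filter file and check it against the real log with `fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot-weakpw.conf` before enabling a jail; for the "immediately and for always" behaviour the jail needs `maxretry = 1` and `bantime = -1`. Two caveats: the match is only as good as the weak-password list, and a legitimate user whose real password is on that list is banned on the first typo of anything else they try, since the log line does not distinguish them from a scanner. Also, this only works because `auth_verbose_passwords` is writing cleartext passwords into the log; if you switch Dovecot to logging a hash instead of the plaintext, the logged text changes and the pattern has to be rewritten against the hashed form.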
Re: Dovecot imap
Your config looks fine, the problem is something else.

Aki

On 20.07.2017 11:20, nlek...@gmail.com wrote:
> Hello there to all!
>
> Here is the doveconf -a as asked by Aki Tuomi. Do you see anything wrong?
> I would appreciate it much if anyone could help...
>
> # OS: Linux 2.6.32-696.1.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)
> auth_mechanisms = plain login
> disable_plaintext_auth = no
> mail_location = maildir:~/Maildir
> mail_plugins = " quota"
> mbox_write_locks = fcntl
> passdb {
>   driver = pam
> }
> plugin {
>   quota = fs:User quota
>   quota_grace = 10%%
>   quota_status_nouser = DUNNO
>   quota_status_overquota = 552 5.2.2 Mailbox is full
>   quota_status_success = DUNNO
> }
> protocols = imap pop3
> userdb {
>   driver = passwd
> }
> protocol imap {
>   mail_plugins = " quota imap_quota"
> }
> protocol pop3 {
>   pop3_uidl_format = %08Xu%08Xv
> }
Re: Return extra fields from passwd userdb
You could use

passdb {
  driver = ldap
  args = /path/to/dovecot-auth-ldap.conf.ext
}
passdb {
  driver = passwd
  skip = authenticated
}

instead. Then you can map quota stuff for your LDAP users and not for the passwd users.

Aki

On 20.07.2017 11:45, Michele Petrella wrote:
> Hi,
> thanks for your helpful reply.
>
> I understand that default_fields is not my solution.
>
> To be more accurate, all users in ldap db need to use mail, but some users in /etc/passwd file use mail too.
> For this reason I set up "driver=passwd" in userdb section and in /etc/nsswitch.conf I set up "passwd: files ldap".
> Now I want to use dovecot per user quota to limit ldap users mailbox size. I need quota only for ldap users, no need for users in /etc/passwd file.
>
> Which is the correct configuration to do this?
> I understand that I need to use extra fields to obtain user quota from users db. But you said "the userdb section cannot merge two databases together". So I can not use dovecot per user quota with "driver=passwd" in userdb section? I could use only global quota?
>
> Thanks in advance
>
> Michele
>
> P.S.
> 1) I use dovecot-lda as delivery agent.
> > 2) I send again my dovecot configuration: > > # 2.2.29.1 (e0b76e3): /var/etc/dovecot/dovecot.conf > # Pigeonhole version 0.4.18 (29cc74d) > # OS: Linux 3.10.55-gentoo i686 SuSE Linux 7.1 (i386) > debug_log_path = /var/log/dovecot/dovecot_debug.log > disable_plaintext_auth = no > info_log_path = /var/log/state.mail/dovecot.pipe > log_path = /var/log/dovecot/dovecot.log > mail_debug = yes > mail_gid = users > mail_location = maildir:~/.maildir > mail_plugins = acl quota > mail_shared_explicit_inbox = yes > mail_uid = vmail > managesieve_notify_capability = mailto > managesieve_sieve_capability = fileinto reject envelope > encoded-character vacation subaddress comparator-i;ascii-numeric > relational regex imap4flags copy include variables body enotify > environment mailbox date index ihave duplicate mime foreverypart > extracttext > namespace { > list = yes > location = maildir:/data/home/vmail/public > prefix = Public/ > separator = / > subscriptions = no > type = public > } > namespace { > list = children > location = maildir:/data/home/%%n/.maildir:INDEX=~/.maildir/shared/%%u > prefix = Shared/%%u/ > separator = / > subscriptions = no > type = shared > } > namespace inbox { > inbox = yes > list = yes > location = > mailbox Cestino { > special_use = \Trash > } > mailbox Drafts { > special_use = \Drafts > } > mailbox Junk { > special_use = \Junk > } > mailbox "Posta inviata" { > special_use = \Sent > } > mailbox Sent { > special_use = \Sent > } > mailbox "Sent Messages" { > special_use = \Sent > } > mailbox Trash { > special_use = \Trash > } > prefix = > separator = / > subscriptions = yes > type = private > } > passdb { > args = /etc/dovecot/passwd.masterusers > driver = passwd-file > master = yes > } > passdb { > driver = pam > } > plugin { > acl = vfile:/etc/dovecot/acl:cache_secs=300 > acl_shared_dict = file:/var/lib/dovecot-dict/shared-mailboxes > quota = maildir:User quota > quota_rule = *:storage=5M > quota_rule2 = Trash:storage=+100M > quota_rule3 = 
SPAM:ignore > sieve = ~/.dovecot.sieve > sieve_before = /var/etc/dovecot/sieve/general/ > sieve_dir = ~/sieve > sieve_execute_bin_dir = /usr/local/bin/dovecot/sieve-execute > sieve_filter_bin_dir = /usr/local/bin/dovecot/sieve-filter > sieve_global_dir = /var/etc/dovecot/sieve/global/ > sieve_global_extensions = +vnd.dovecot.execute +vnd.dovecot.filter > +vnd.dovecot.pipe +editheader > sieve_pipe_bin_dir = /usr/local/bin/dovecot/sieve-pipe > sieve_plugins = sieve_extprograms > } > protocols = imap pop3 lmtp sieve > service auth { > unix_listener auth-userdb { > group = users > } > } > service imap-postlogin { > executable = script-login /usr/local/bin/imap-postlogin.sh > user = $default_internal_user > } > service imap { > executable = imap imap-postlogin > } > ssl = no > ssl_cert = ssl_key = # hidden, use -P to show it > userdb { > driver = passwd > } > protocol lda { > info_log_path = /var/log/dovecot/dovecot-lda.log > log_path = /var/log/dovecot/dovecot-lda.log > mail_plugins = acl quota sieve > } > protocol imap { > mail_max_userip_connections = 20 > mail_plugins = acl quota imap_acl imap_quota > } > > >>> userdb { >>> default_fields = quota_rule=*:bytes=%$ >>> driver = passwd >>> } >> >>> I have problems in return extra fields from passwd userdb. My users >>> are partially in passwd files and partially in LDAP. Users who use >>> mail are in LDAP db. >> >>> If I use "default_fields = quota_rule=*:bytes=100M" in userdb, >> >>> if I use "default_fields = quota_rule=*:bytes=%{userdb:quotabytes}" >>> in userdb, >> >> 1) default_fields supplies default values, if the userdb does not >> return them. Hence, you cannot reference a LDAP resu
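The two-database layout Aki proposes above, together with the "one after another" ordering explained earlier in the thread, written out as an added example. This is not Michele's configuration: the LDAP host, base DN, bind account and the per-user `mailQuota` attribute are assumptions, and the PAM passdb is kept rather than Aki's `passwd` passdb because that is what the posted config already uses. Only `home` is fetched from the userdbs since the posted config fixes `mail_uid`/`mail_gid`.

```conf
# Added example, not the poster's configuration.  Assumed names: the LDAP
# server ldap.example.com, base ou=people,dc=example,dc=com, a read-only
# bind account for userdb lookups, and a per-user attribute mailQuota
# holding the quota in bytes.

# --- /etc/dovecot/conf.d/10-auth.conf (or wherever passdb/userdb live) ---

# Passdbs are tried in the order written.  LDAP goes first; PAM is only
# consulted for users LDAP did not authenticate.  Keep /etc/nsswitch.conf
# at "passwd: files" for Dovecot's benefit, so the PAM/passwd path never
# silently answers for LDAP users too.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
passdb {
  driver = pam
  skip = authenticated
}

# Userdbs are tried in order as well.  The LDAP userdb returns quota_rule
# for LDAP users; the passwd userdb is skipped when LDAP already found the
# user, so system users get no per-user rule (whatever global quota_rule
# is set in the plugin section still applies to them).
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = passwd
  skip = found
}

# --- /etc/dovecot/dovecot-ldap.conf.ext ---
hosts = ldap.example.com
# Bind account used for userdb lookups (assumed; give it read access only).
dn = cn=dovecot,ou=services,dc=example,dc=com
dnpass = change-me
# Authenticate users by binding as them instead of reading password hashes.
auth_bind = yes
base = ou=people,dc=example,dc=com
scope = subtree
pass_filter = (&(objectClass=posixAccount)(uid=%u))
user_filter = (&(objectClass=posixAccount)(uid=%u))
# %$ expands to the attribute's value, so a user whose mailQuota is
# 104857600 gets quota_rule=*:bytes=104857600 in the userdb reply.
user_attrs = homeDirectory=home,mailQuota=quota_rule=*:bytes=%$
```

Check the result per user rather than per mailbox: `doveadm user someldapuser` prints the userdb fields Dovecot actually resolved, including `quota_rule`, and `doveadm auth test someldapuser` shows which passdb answered. Because the databases are tried in definition order, a user present in both LDAP and /etc/passwd is authenticated and looked up through LDAP; put the passwd entries first only if that is really the precedence you want, and remember the two lists are ordered independently.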
Re: Return extra fields from passwd userdb
Hi,
thanks for your helpful reply.

I understand that default_fields is not my solution.

To be more accurate, all users in ldap db need to use mail, but some users in /etc/passwd file use mail too.
For this reason I set up "driver=passwd" in userdb section and in /etc/nsswitch.conf I set up "passwd: files ldap".
Now I want to use dovecot per user quota to limit ldap users mailbox size. I need quota only for ldap users, no need for users in /etc/passwd file.

Which is the correct configuration to do this?
I understand that I need to use extra fields to obtain user quota from users db. But you said "the userdb section cannot merge two databases together". So I can not use dovecot per user quota with "driver=passwd" in userdb section? I could use only global quota?

Thanks in advance

Michele

P.S.
1) I use dovecot-lda as delivery agent.
2) I send again my dovecot configuration:

# 2.2.29.1 (e0b76e3): /var/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.18 (29cc74d)
# OS: Linux 3.10.55-gentoo i686 SuSE Linux 7.1 (i386)
debug_log_path = /var/log/dovecot/dovecot_debug.log
disable_plaintext_auth = no
info_log_path = /var/log/state.mail/dovecot.pipe
log_path = /var/log/dovecot/dovecot.log
mail_debug = yes
mail_gid = users
mail_location = maildir:~/.maildir
mail_plugins = acl quota
mail_shared_explicit_inbox = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace {
  list = yes
  location = maildir:/data/home/vmail/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
namespace {
  list = children
  location = maildir:/data/home/%%n/.maildir:INDEX=~/.maildir/shared/%%u
  prefix = Shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  list = yes
  location =
  mailbox Cestino {
    special_use = \Trash
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox "Posta inviata" {
    special_use = \Sent
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = /
  subscriptions = yes
  type = private
}
passdb {
  args = /etc/dovecot/passwd.masterusers
  driver = passwd-file
  master = yes
}
passdb {
  driver = pam
}
plugin {
  acl = vfile:/etc/dovecot/acl:cache_secs=300
  acl_shared_dict = file:/var/lib/dovecot-dict/shared-mailboxes
  quota = maildir:User quota
  quota_rule = *:storage=5M
  quota_rule2 = Trash:storage=+100M
  quota_rule3 = SPAM:ignore
  sieve = ~/.dovecot.sieve
  sieve_before = /var/etc/dovecot/sieve/general/
  sieve_dir = ~/sieve
  sieve_execute_bin_dir = /usr/local/bin/dovecot/sieve-execute
  sieve_filter_bin_dir = /usr/local/bin/dovecot/sieve-filter
  sieve_global_dir = /var/etc/dovecot/sieve/global/
  sieve_global_extensions = +vnd.dovecot.execute +vnd.dovecot.filter +vnd.dovecot.pipe +editheader
  sieve_pipe_bin_dir = /usr/local/bin/dovecot/sieve-pipe
  sieve_plugins = sieve_extprograms
}
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener auth-userdb {
    group = users
  }
}
service imap-postlogin {
  executable = script-login /usr/local/bin/imap-postlogin.sh
  user = $default_internal_user
}
service imap {
  executable = imap imap-postlogin
}
ssl = no
ssl_cert =

>> userdb {
>>   default_fields = quota_rule=*:bytes=%$
>>   driver = passwd
>> }
>>
>> I have problems in return extra fields from passwd userdb. My users are partially in passwd files and partially in LDAP. Users who use mail are in LDAP db.
>>
>> If I use "default_fields = quota_rule=*:bytes=100M" in userdb,
>>
>> if I use "default_fields = quota_rule=*:bytes=%{userdb:quotabytes}" in userdb,
>
> 1) default_fields supplies default values, if the userdb does not return them. Hence, you cannot reference a LDAP result.
> 2) the userdb section cannot merge two databases together.
>
> You said "Users who use mail are in LDAP db", so you would use one userdb with driver ldap.

--
AFA Systems Srl
Via G.Pastore Zona Industriale B
86039 Termoli (CB) - Italia
tel.: +39 0875 724104
fax.: +39 0875 726084
www.afasystems.it
vacation problem with SRS
Hi,
I have a similar problem to the one described here: http://www.iredmail.org/forum/topic11833-iredmail-support-vocation-respone-unknown-user.html

email sent:
from: web...@gmail.com
to: ja...@mail.com

vacation sent back:
from: ja...@mail.com
to: srs0=hmc8=v7=gmail.com=web...@mail.com

postsrsd changes the return-path from web...@gmail.com to srs0=hmc8=v7=gmail.com=web...@mail.com. This is no problem for me, but sieve:

Vacation's messages are always addressed to the Return-Path address.

Is it possible somehow to change this ugly To header to a normal one? I can't find anything on the dovecot mailing lists.
Dovecot imap
Hello there to all!

Here is the doveconf -a as asked by Aki Tuomi. Do you see anything wrong?
I would appreciate it much if anyone could help...

# OS: Linux 2.6.32-696.1.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)
auth_mechanisms = plain login
disable_plaintext_auth = no
mail_location = maildir:~/Maildir
mail_plugins = " quota"
mbox_write_locks = fcntl
passdb {
  driver = pam
}
plugin {
  quota = fs:User quota
  quota_grace = 10%%
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
}
protocols = imap pop3
userdb {
  driver = passwd
}
protocol imap {
  mail_plugins = " quota imap_quota"
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}