Re: under some kind of attack

2017-07-20 Thread Adi Pircalabu

On 21/07/2017 04:03, mj wrote:

> Hi Robert,
>
>> I don't understand why you focused on those ldap strings
>> fail2ban should trigger on some "Authentication failure" regex in the
>> related syslog
>>
>> perhaps this will help to make it more clear
>>
>> http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot
>
> Yes, but I have that as well. :-)
>
> I wanted two kinds of blockings:
>
> #1: Everybody trying the well-known passwords (password, 123321, 1q2w3e,
> etc, etc) to become blocked *immediately* and for *always*.


This can be very tricky at times and you may actually hit quite a few 
legit users who are using weak passwords and have forgotten / mistyped 
them by accident. Seen this enough times and the amount of support 
required to make a sloppy & lazy customer happy again isn't always 
trivial. If they're few and far apart you can live with it, otherwise 
you'll have to reevaluate it :)


Adi Pircalabu


Re: application specific passwords

2017-07-20 Thread Kirill Miazine
* mj [2017-07-20 21:46]:
> Hi Kirill,
> 
> Thanks for your reply. Such a simple flat file approach would be perfect,
> and I don't mind at all to require app specific usernames *and* passwords.

In my case it's flat file, but this is easily doable with SQL as well,
using a separate table for login/password and a key to a table with
appropriate user data.

> However, I am unsure how to combine your recipe below with our regular AD
> userdb/passdb.

Unfortunately, I'm not familiar with AD.

> Perhaps someone can give me some pointers in that direction?
> 
> MJ
> 
> On 07/20/2017 06:50 PM, Kirill Miazine wrote:
> > I'm not familiar with samba AD and with its features and limitations.
> > For my simple system I'm using plain files for passdb and userdb (aka.
> > passwd-file). Application (or rather device) specific passwords are
> > implemented by having an additional "username" with a specific
> > password for a particular application or device. E.g. some entries for
> > myself:
> > 
> >  bbmutt:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
> >  kmozilla:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
> >  sailpad:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
> >  workphone:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
> > 
> > The files are generated automatically from a Single Source of Truth.
> > 
> > In my case I'm selecting the username myself, but there's nothing
> > preventing you from generating a username/password combination for your
> > users.
> > 
> > Note that in my setup users will have application specific username and
> > password, not only application specific password. It was easier to
> > implement it quickly this way.
> > 
> > Greetz
> > Kirill
> > 

-- 
-- Kirill Miazine 


Re: under some kind of attack

2017-07-20 Thread Gary Sellani

Not applicable to most installations, but I use geographical filtering on all 
ports other than 25. Fine if you are the only user of the email system. I don't 
block countries where I will send and retrieve email. I augment this with a 
small blocking list of IP space where I'm OK if they read my websites, but 
won't be sending/receiving email from their physical location. In short, 
schools and universities. So for example I would have trouble sending mail from 
the University of Michigan or anywhere in Kazakhstan. 

I get one hacker a week trying to guess passwords, and always from Digital 
Ocean VPS. I just block them as they occur. I have a list of data centers that 
have tried to hack my web server, which I also block from the email server 
other than port 25.

I would like to see statistics on the success of such brute force attacks. They 
can't be very successful these days. 




Re: under some kind of attack

2017-07-20 Thread Joseph Tam



> I would like to create a fail2ban filter, that scans for these lines:
>
> Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,): invalid credentials (given password: password)
> Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,): invalid credentials (given password: password)
>
> (as you can see, I have enabled auth_verbose_passwords to do this,
> making me very uncomfortable...)
>
> Anyway: since there are only a few password variations, I would like to
> block anyone using those passwords.


With all the constraints and processing, I'll offer yet another option:
use the checkpassword password authentication scheme.  This will bypass
post-authentication log-sniffing and allow you direct access to username,
password and client IP (the last I'm not positive about) at authentication
time.

Now you'll have everything you need to do any wild and crazy auth
processing, including database searches and triggering firewall blocking
based on whatever criteria you want (including common password use).

As to how to integrate it into your dovecot, I'm not sure whether it's
best to supplant the LDAP method and authenticate within the checkpassword
script, or to put it as the first authentication method (ahead of LDAP)
to get first crack at inspecting the authentication data, or the fallback
authentication method (after LDAP) to pick up all the failures.

However, after running honeypots, I can tell you that although BFD
attackers will use common passwords, any static list of abused passwords
will miss a lot.  (A common one they use is $password=variations($user)
or variation($domain)).  The number of auth failures should also be
a criterion for banning.  Extinct users are also good candidates for
instant banning.

Joseph Tam 


Re: application specific passwords

2017-07-20 Thread mj

Hi Kirill,

Thanks for your reply. Such a simple flat file approach would be 
perfect, and I don't mind at all to require app specific usernames *and* 
passwords.


However, I am unsure how to combine your recipe below with our regular 
AD userdb/passdb.


Perhaps someone can give me some pointers in that direction?

MJ

On 07/20/2017 06:50 PM, Kirill Miazine wrote:

> I'm not familiar with samba AD and with its features and limitations.
> For my simple system I'm using plain files for passdb and userdb (aka.
> passwd-file). Application (or rather device) specific passwords are
> implemented by having an additional "username" with a specific
> password for a particular application or device. E.g. some entries for
> myself:
>
>  bbmutt:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
>  kmozilla:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
>  sailpad:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
>  workphone:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
>
> The files are generated automatically from a Single Source of Truth.
>
> In my case I'm selecting the username myself, but there's nothing
> preventing you from generating a username/password combination for your
> users.
>
> Note that in my setup users will have application specific username and
> password, not only application specific password. It was easier to
> implement it quickly this way.
>
> Greetz
> Kirill



Re: application specific passwords

2017-07-20 Thread mj

Hi,

Let me ask a more specific question.

What I would like to configure, is:

- for our internal users to use their regular AD username/passwords, just 
as everybody can currently do.


but, new:
- for external users, to ONLY be allowed to use an application specific 
password. (or username and password, fine as well)


Step one: making ldap password authentication valid only from our 
internal network. I thought: using allow_nets=192.168.1.0/24 for that passdb.


But I can't get that to work. :-( Unsure where exactly to define the 
allow_nets, tried many variations on the theme already.


Perhaps someone can help with the step one, and also tell me if the 
approach outlined above is smart, valid and do-able in dovecot.


Here are our sanitised configs:


root@mails:/etc/dovecot# doveconf -n
# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.7 xfs
auth_debug = yes
auth_failure_delay = 2 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = /var/log/dovecot/dovecot.debug
deliver_log_format = %f | %s | msgid=%m: %$
disable_plaintext_auth = no
info_log_path = /var/log/dovecot/dovecot.info
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot/dovecot.err
login_greeting = Dovecot ready.
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location = 
  mailbox "Deleted items" {
    special_use = \Trash
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent items" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  mailbox inbox {
    auto = subscribe
  }
  prefix = 
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  skip = authenticated
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename append
  mail_log_fields = uid box msgid from subject
  quota = maildir
  quota_rule = ?:storage=5G
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=97%% quota-warning 97 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=80%% quota-warning 80 %u
  quota_warning6 = -storage=100%% quota-warning below %u
  sieve = ~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/default.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service imap-login {
  process_limit = 500
  process_min_avail = 2
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
  }
  user = dovecot
}
ssl_ca = 

and our dovecot-ldap.conf.ext:


hosts = ldap1 ldap2 ldap3
dn = cn=search,cn=
dnpass = secretashell
tls = no
debug_level = 0
auth_bind = yes
base = CN=Users, DC=.
scope = subtree
user_attrs = =home=/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,=mail=maildir:/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,allow_nets=192.168.1.0/24
user_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
pass_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
iterate_attrs = sAMAccountName=user
iterate_filter = (objectClass=person)


MJ


Re: under some kind of attack

2017-07-20 Thread mj


On 07/20/2017 08:47 PM, Robert Schetterer wrote:

> Ok I understand, not a bad idea, report how it works for you


That "report how it works for you" was exactly why I posted the fail2ban 
failregex back to the list. :-) So others can use it too.


It works fantastic, and I combined it now with blocking complete 
countries at the firewall-level.


Users have their regular three login tries, and get a password dialogue 
if they changed their password.


(which many did, in the light of this attack)

And the last botnet attempts remaining, using "password" etc are blocked 
instantly.


Works nicely. :-)

Now I want to implement application specific passwords, I will post 
about that in a separate message. As you have been such a great help, 
perhaps you can also help a little bit in that thread...?


Thanks again,
MJ


Re: under some kind of attack

2017-07-20 Thread Robert Schetterer
On 20.07.2017 at 20:03, mj wrote:
> Hi Robert,
> 
>> I don't understand why you focused on those ldap strings
>> fail2ban should trigger on some "Authentication failure" regex in the
>> related syslog
>>
>> perhaps this will help to make it more clear
>>
>> http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot
> 
> Yes, but I have that as well. :-)
> 
> I wanted two kinds of blockings:
> 
> #1: Everybody trying the well-known passwords (password, 123321, 1q2w3e,
> etc, etc) to become blocked *immediately* and for *always*.
> 
> #2: I wanted all others have to have the 'regular' settings, with three
> shots at typing a password, etc.
> 
> #2 being the 'regular fail2ban' settings, but during this attack, I
> wanted special settings, #1, for anyone trying one of the malicious
> passwords.
> 
> I did NOT want to have them the usual three opportunities to try.
> 
> In fact: this is a bit similar to your iptables solution, but that only
> works for non-ssl/non-tls connections.
> 
> Your iptables solution makes sure that they cannot authenticate *at all*,
> while the above solution makes sure they can only authenticate *once*.
> 
> MJ

Ok I understand, not a bad idea, report how it works for you


Best Regards
Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: vacation problem with SRS

2017-07-20 Thread Kacper Guzik
I have this version with FIXME:

/* FIXME: If From header of message has same address, we should use that
 * instead to properly include the phrase part.
 */
rfc2822_header_printf(msg, "To", "<%s>", reply_to);

This should work OK? Or you must change something?

2017-07-20 15:51 GMT+02:00 Stephan Bosch :

> On 20-7-2017 at 10:37, Kacper Guzik wrote:
>
>> Hi i have similar problem like here:
>>
>> http://www.iredmail.org/forum/topic11833-iredmail-support-vocation-respone-unknown-user.html
>>
>> email sent:
>> from : web...@gmail.com
>> to : ja...@mail.com
>>
>> vacation sent back
>> from : ja...@mail.com
>> to : srs0=hmc8=v7=gmail.com=web...@mail.com
>>
>> postsrsd changing return-path from web...@gmail.com to srs0=hmc8=v7=gmail.com=web...@mail.com
>>
>> this is no problem for me but sieve:
>>
>> Vacation's messages are always addressed to the Return-Path address
>>
>> it is possible somehow change this ugly To header to normal?
>>
>> I can't find anything on dovecot mailing lists
>
> Hmm,
>
> I think this relates to this FIXME:
>
> https://github.com/dovecot/pigeonhole/blob/master/src/lib-sieve/plugins/vacation/cmd-vacation.c#L951
>
> Looks like I've been just lazy. Should be relatively easy to fix.
>
> Regards,
>
> Stephan.


Re: under some kind of attack

2017-07-20 Thread mj

Hi Robert,


> I don't understand why you focused on those ldap strings
> fail2ban should trigger on some "Authentication failure" regex in the
> related syslog
>
> perhaps this will help to make it more clear
>
> http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot


Yes, but I have that as well. :-)

I wanted two kinds of blockings:

#1: Everybody trying the well-known passwords (password, 123321, 1q2w3e, 
etc, etc) to become blocked *immediately* and for *always*.


#2: I wanted all others have to have the 'regular' settings, with three 
shots at typing a password, etc.


#2 being the 'regular fail2ban' settings, but during this attack, I 
wanted special settings, #1, for anyone trying one of the malicious 
passwords.


I did NOT want to have them the usual three opportunities to try.

In fact: this is a bit similar to your iptables solution, but that only 
works for non-ssl/non-tls connections.


Your iptables solution makes sure that they cannot authenticate *at all*, 
while the above solution makes sure they can only authenticate *once*.


MJ


Re: application specific passwords

2017-07-20 Thread Kirill Miazine
Hi, mj

* mj [2017-07-20 13:29]:
> Hi,
> 
> Further to the other thread about password guessing activities against our
> dovecot, I would like to implement application specific passwords on our
> dovecot.
[...]
> 
> Is there anone here with some additional notes, ideas, tips, trics on
> setting up application specific passwords with dovecot with virtual users?
> We are using samba AD as an authentication backend.

I'm not familiar with samba AD and with its features and limitations.
For my simple system I'm using plain files for passdb and userdb (aka.
passwd-file). Application (or rather device) specific passwords are
implemented by having an additional "username" with a specific
password for a particular application or device. E.g. some entries for
myself:

bbmutt:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
kmozilla:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
sailpad:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
workphone:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M

The files are generated automatically from a Single Source of Truth.

In my case I'm selecting the username myself, but there's nothing
preventing you from generating a username/password combination for your
users.

Note that in my setup users will have application specific username and
password, not only application specific password. It was easier to
implement it quickly this way.

Greetz
Kirill

-- 
-- Kirill Miazine 
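
A worked version of this per-device credential scheme, added here as an editor's example rather than Kirill's own generator (whose source isn't shown in the thread): it builds passwd-file lines in the same field layout as the entries above from a constructed "single source of truth", with a generated password per device and an {SSHA512} hash in the password field where the entries above show `*`. The {SSHA512} encoding used (base64 of sha512(password || salt) followed by the salt) is assumed from Dovecot's documented scheme; on a real server `doveadm pw -s SSHA512` produces it. The owner record, uid/gid, home path and device names are constructed to mirror Kirill's entries.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Constructed "single source of truth": the mailbox owner and the devices that
# may read that mailbox. The uid/gid/home/quota values mirror Kirill's entries.
SOURCE_OF_TRUTH = {
    "km": {
        "uid": 10001, "gid": 10001, "home": "/krot/mail/km", "quota": "10240M",
        "devices": ["bbmutt", "kmozilla", "sailpad", "workphone"],
    },
}

DEVICE_PASSWORD_LEN = 20
# Alphabet without look-alike glyphs (0/O, 1/l/I), since the user types this
# password once into a device and never again.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def new_device_password():
    """Generated, never user-chosen: that is what keeps it out of any guess list."""
    return "".join(secrets.choice(ALPHABET) for _ in range(DEVICE_PASSWORD_LEN))


def ssha512(password, salt=None):
    """Encode a password in Dovecot's {SSHA512} scheme, assumed here to be
    base64(sha512(password || salt) || salt) with a random 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()


def verify(password, stored):
    """Check a password against an {SSHA512} field; the salt is the blob's tail."""
    prefix = "{SSHA512}"
    if not stored.startswith(prefix):
        return False
    blob = base64.b64decode(stored[len(prefix):])
    digest, salt = blob[:64], blob[64:]
    candidate = hashlib.sha512(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def passwd_file_entries(source):
    """Return (passwd-file line, plaintext) pairs. The line goes into the
    passwd-file; the plaintext is shown to the user once during device setup.
    Field order is user:password:uid:gid:gecos:home:shell:extra, with the
    extra fields space-separated as in Kirill's entries."""
    entries = []
    for rec in source.values():
        for device in rec["devices"]:
            pw = new_device_password()
            line = (f"{device}:{ssha512(pw)}:{rec['uid']}:{rec['gid']}::{rec['home']}::"
                    f"userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes={rec['quota']}")
            entries.append((line, pw))
    return entries


def lookup(entries, device):
    """Return the stored password field for a device name, as the passdb would.
    The base64 blob contains no ':' so splitting on the first two colons is safe."""
    for line, _ in entries:
        user, stored, _rest = line.split(":", 2)
        if user == device:
            return stored
    return None


if __name__ == "__main__":
    for line, pw in passwd_file_entries(SOURCE_OF_TRUTH):
        print(line)
```

The device name is the username the client presents to IMAP, so the owner's primary password never reaches the device, and revoking one device means deleting one line and regenerating the file from the source of truth. `lookup()` plus `verify()` show the passdb side of the same entry.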


Re: under some kind of attack

2017-07-20 Thread Robert Schetterer
On 20.07.2017 at 12:28, mj wrote:
> I have concocted something that seems to work. And for the archives, this
> is it:
> 
>> failregex = auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: .+ssword\)
>> auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 1qaz2wsx\)
>> auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 123321\)
>> auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 1234567890\)
>> auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 1q2w3e4r.+\)
> 
> It's still reactive, and not pro-active.
> 
> All the other suggestions are very much appreciated, including
> weakforced, however implementing that is a much larger project.

I don't understand why you focused on those ldap strings.
fail2ban should trigger on some "Authentication failure" regex in the
related syslog.

perhaps this will help to make it more clear

http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot



> 
> Next I have to find out how to feed my fail2ban logs back to
> blocklist.de, to improve their mail.txt hit rate.
> 
> Thanks again for all kind assistance.
> 
> MJ
> 
> On 07/20/2017 11:16 AM, mj wrote:
>> Hi all,
>>
>> If I may, one more question on this subject:
>>
>> I would like to create a fail2ban filter, that scans for these lines:
>>
>>> Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,): invalid credentials (given password: password)
>>> Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,): invalid credentials (given password: password)
>>
>> (as you can see, I have enabled auth_verbose_passwords to do this,
>> making me very uncomfortable...)
>>
>> Anyway: since there are only a few password variations, I would like
>> to block anyone using those passwords.
>>
>> (since the connections are over TLS/SSL, I cannot use iptables, as
>> suggested earlier)
>>
>> So I need a specific fail2ban rule that extracts the  from that
>> line, and matches on "(given password: password)"
>>
>> Can anyone here help out with a failregex line that would match..?



Best Regards
Robert Schetterer



Re: vacation problem with SRS

2017-07-20 Thread Stephan Bosch



On 20-7-2017 at 10:37, Kacper Guzik wrote:

> Hi i have similar problem like here:
>
> http://www.iredmail.org/forum/topic11833-iredmail-support-vocation-respone-unknown-user.html
>
> email sent:
> from : web...@gmail.com
> to : ja...@mail.com
>
> vacation sent back
> from : ja...@mail.com
> to : srs0=hmc8=v7=gmail.com=web...@mail.com
>
> postsrsd changing return-path from web...@gmail.com to srs0=hmc8=v7=gmail.com=web...@mail.com
>
> this is no problem for me but sieve:
>
> Vacation's messages are always addressed to the Return-Path address
>
> it is possible somehow change this ugly To header to normal?
>
> I can't find anything on dovecot mailing lists


Hmm,

I think this relates to this FIXME:

https://github.com/dovecot/pigeonhole/blob/master/src/lib-sieve/plugins/vacation/cmd-vacation.c#L951

Looks like I've been just lazy. Should be relatively easy to fix.

Regards,

Stephan.


Re: application specific passwords

2017-07-20 Thread Rick Romero

Quoting mj :

> Hi,
>
> Further to the other thread about password guessing activities
> against our dovecot, I would like to implement application specific
> passwords on our dovecot.
>
> Googling results in some documents, but they are all a bit older:
>
> https://www.happyassassin.net/2014/08/26/adding-application-specific-passwords-to-dovecot-when-using-system-user-accounts/
>
> https://www.dgsiegel.net/news/2013_05_21-application_specific_passwords_for_dovecot
>
> http://www.justinbuchanan.com/blog/category/RoundCube
>
> http://www.justinbuchanan.com/blog/post/2012/12/02/Application-Specific-Passwords-for-Dovecot-and-Postfix
>
> Those articles are interesting, but also rather old. (I realise that
> this does not necessarily mean: irrelevant or bad)
>
> Is there anyone here with some additional notes, ideas, tips, tricks
> on setting up application specific passwords with dovecot with
> virtual users? We are using samba AD as an authentication backend.
>
> MJ


I'm working on PrivacyIdea (PI) integration for 2FA.  The reason I  
mention this for app passwords is because PI allows multiple 'tokens'  
that aren't just for 2FA. 


This would allow you to give your users a web portal to create 'password'  
(SPASS) tokens - using their AD pass to auth to the portal. Then using  
PAM Radius, Dovecot can auth against the multiple password tokens.


Personally - I'm not too thrilled about having users have multiple  
passwords for IMAP - BUT if you're trying to protect the AD password,  
this would be a method of isolating AD away.  You can set PI to fall  
back to the AD password if the user doesn't have a token, so  
integration is pretty seamless.
You can also do some fancy policy-based token matching to require 2FA  
for say - webmail - and allow SPASS for POP/IMAP.  This is what I'm  
aiming for, but I've had issues with the webmail client portion (user  
using 2FA, and IMAP being hardcoded) and haven't gotten back to it to  
truly guide anyone else through it.


Rick


Re: 2.2.devel (0bee280) crashdump virtual plugin

2017-07-20 Thread Thomas Leuxner
* Aki Tuomi  2017.07.20 05:40:

> Should be fixed with
> 
> commit 81e832796cdc6af790ed7be8a6c150889f03171c
> Author: Timo Sirainen 
> Date:   Wed Jul 19 23:19:12 2017 +0300
> 
> virtual: Optimize mailbox_notify_changes() when there's only a single 
> backend mailbox
> 
> commit 2044eb7652b864a05842933e9097c583cb11256c
> Author: Timo Sirainen 
> Date:   Wed Jul 19 23:11:12 2017 +0300
> 
> lib-storage: mailbox_watch_extract_notify_fd() - give better reason if 
> mailbox has no IOs
> 
> This happens currently with virtual mailboxes.
> 
> commit a6280be05b9c90579bb59ff57a3035661706c3d3
> Author: Timo Sirainen 
> Date:   Wed Jul 19 23:09:13 2017 +0300
> 
> lib: io_loop_extract_notify_fd() - Don't crash if no notifys have been 
> added

After some testing with 2.2.devel (bf2fa36) I wasn't able to reproduce the 
segfaults anymore. Thanks!




application specific passwords

2017-07-20 Thread mj

Hi,

Further to the other thread about password guessing activities against 
our dovecot, I would like to implement application specific passwords on 
our dovecot.


Googling results in some documents, but they are all a bit older:


https://www.happyassassin.net/2014/08/26/adding-application-specific-passwords-to-dovecot-when-using-system-user-accounts/



https://www.dgsiegel.net/news/2013_05_21-application_specific_passwords_for_dovecot



http://www.justinbuchanan.com/blog/category/RoundCube



http://www.justinbuchanan.com/blog/post/2012/12/02/Application-Specific-Passwords-for-Dovecot-and-Postfix


Those articles are interesting, but also rather old. (I realise that this 
does not necessarily mean: irrelevant or bad)


Is there anyone here with some additional notes, ideas, tips, tricks on 
setting up application specific passwords with dovecot with virtual 
users? We are using samba AD as an authentication backend.


MJ


SRS and vacation message

2017-07-20 Thread Kacper Guzik
Hi i have similar problem like here:

http://www.iredmail.org/forum/topic11833-iredmail-support-vocation-respone-unknown-user.html

email sent:
from : web...@gmail.com
to : ja...@mail.com

vacation sent back
from : ja...@mail.com
to : srs0=hmc8=v7=gmail.com=web...@mail.com

postsrsd changing return-path from web...@gmail.com to srs0=hmc8=v7=gmail.com=web...@mail.com

this is no problem for me but sieve:

Vacation's messages are always addressed to the Return-Path address

it is possible somehow change this ugly To header to normal?



dovecot --version
2.2.29.1 (e0b76e3)

# 2.2.29.1 (e0b76e3): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.18 (29cc74d)
doveconf: Warning: service auth { client_limit=125000 } is lower than required under max. load (15)
# OS: Linux 3.10.0-514.16.1.el7.x86_64 x86_64 CentOS Linux release 7.3.1611 (Core)
auth_master_user_separator = *
auth_mechanisms = plain login
auth_worker_max_count = 60
default_client_limit = 125000
default_process_limit = 25000
dict {
  quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
disable_plaintext_auth = no
listen = *
log_path = /var/log/dovecot.log
login_trusted_networks = xxx
mail_fsync = never
mail_gid = 2000
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
mail_max_userip_connections = 128
mail_plugins = quota zlib expire
mail_uid = 2000
maildir_broken_filename_sizes = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  auth_socket_path = /var/run/dovecot/auth-master
  quota = dict:user::proxy::quotadict
  sieve = /home/sieve/%Ld/%Ln/dovecot.sieve
  sieve_after = /home/sieve/dovecot.sieve
  sieve_default = /home/sieve/dovecot.sieve
  sieve_dir = /home/sieve/%Ld/%Ln
  sieve_global_dir = /home/sieve
  sieve_global_path = /home/sieve/dovecot.sieve
  sieve_max_redirects = 25
  zlib_save = gz
  zlib_save_level = 9
}
protocols = pop3 imap sieve lmtp
service auth {
  service_count = 0
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0777
    user = vmail
  }
}
service imap-login {
  process_min_avail = 16
  service_count = 0
  vsz_limit = 64 M
}
service imap {
  process_limit = 4096
}
service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
    port = 24
  }
  user = vmail
}
service pop3-login {
  process_min_avail = 16
  service_count = 0
}
service quota-warning {
  executable = script /usr/local/bin/dovecot-quota-warning.sh
  unix_listener quota-warning {
    group = root
    mode = 0666
    user = root
  }
  user = root
}
ssl_ca = 

Re: under some kind of attack

2017-07-20 Thread mj
I have concocted something that seems to work. And for the archives, this 
is it:

failregex = auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: .+ssword\)
            auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 1qaz2wsx\)
            auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 123321\)
            auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 1234567890\)
            auth: Info: ldap\(.+,,.+\): invalid credentials \(given password: 1q2w3e4r.+\)


It's still reactive, and not pro-active.

All the other suggestions are very much appreciated, including 
weakforced, however implementing that is a much larger project.


Next I have to find out how to feed my fail2ban logs back to 
blocklist.de, to improve their mail.txt hit rate.


Thanks again for all kind assistance.

MJ

On 07/20/2017 11:16 AM, mj wrote:

> Hi all,
>
> If I may, one more question on this subject:
>
> I would like to create a fail2ban filter, that scans for these lines:
>
> Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,): invalid credentials (given password: password)
> Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,): invalid credentials (given password: password)
>
> (as you can see, I have enabled auth_verbose_passwords to do this, 
> making me very uncomfortable...)
>
> Anyway: since there are only a few password variations, I would like to 
> block anyone using those passwords.
>
> (since the connections are over TLS/SSL, I cannot use iptables, as 
> suggested earlier)
>
> So I need a specific fail2ban rule that extracts the  from that 
> line, and matches on "(given password: password)"
>
> Can anyone here help out with a failregex line that would match..?
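
As an added example (editor's code, not from mj's or Joseph Tam's posts), here is the logic of the failregex above applied in Python to constructed log lines of the same shape, extended with the two extra banning criteria from Joseph Tam's reply earlier in this thread: passwords that are variations of the username or mail domain, and attempts against retired accounts. The mail domain, the retired-account set and the sample lines (documentation-range IPs, arbitrary session ids) are constructed; the host field the regex captures is what fail2ban's <HOST> token would capture.

```python
import re
from collections import Counter

# Constructed sample in the format mj posted (documentation-range IPs; the
# session field between the commas is arbitrary).
SAMPLE_LOG = """\
Jul 20 11:10:09 auth: Info: ldap(user1,192.0.2.10,<s1>): invalid credentials (given password: password)
Jul 20 11:10:19 auth: Info: ldap(user2,198.51.100.7,<s2>): invalid credentials (given password: 1q2w3e4r5t)
Jul 20 11:10:31 auth: Info: ldap(alice,203.0.113.5,<s3>): invalid credentials (given password: Alice2017!)
Jul 20 11:10:40 auth: Info: ldap(oldaccount,203.0.113.8,<s4>): invalid credentials (given password: zq9!Lm)
Jul 20 11:10:52 auth: Info: ldap(bob,203.0.113.9,<s5>): invalid credentials (given password: hunter2)
Jul 20 11:11:01 auth: Info: ldap(carol,203.0.113.20,<s6>): invalid credentials (given password: Tr0ub4dor)
Jul 20 11:11:05 auth: Info: ldap(carol,203.0.113.20,<s7>): invalid credentials (given password: Tr0ub4dor&)
Jul 20 11:11:09 auth: Info: ldap(carol,203.0.113.20,<s8>): invalid credentials (given password: troubador)
Jul 20 11:11:20 auth: Info: ldap(dave,203.0.113.30,<s9>): invalid credentials (given password: example2017)
"""

# Shape of the line in the thread; the second field is what fail2ban's <HOST>
# captures, the third (session id) is skipped.
LINE_RE = re.compile(
    r"auth: Info: ldap\((?P<user>[^,]+),(?P<host>[^,]+),[^)]*\): "
    r"invalid credentials \(given password: (?P<password>.*)\)$"
)

# The password patterns from mj's failregex, matched against the whole password.
WELL_KNOWN = [re.compile(p) for p in
              (r".+ssword", r"1qaz2wsx", r"123321", r"1234567890", r"1q2w3e4r.+")]

# Constructed: accounts that were removed but still receive login attempts
# ("extinct users" in Joseph Tam's reply).
EXTINCT_USERS = {"oldaccount"}


def is_well_known(password):
    """mj's case #1: the password is on the static list."""
    return any(p.fullmatch(password) for p in WELL_KNOWN)


def is_identity_derived(password, user, domain):
    """Joseph Tam's point: the password is a trivial variation of the username
    or the mail domain (case changes, appended digits or punctuation), which a
    static list never catches. Seeds shorter than four characters are skipped
    to keep false positives down."""
    p = password.lower()
    letters = re.sub(r"[^a-z]", "", p)
    seeds = {user.lower(), domain.lower(), domain.lower().split(".")[0]}
    return any(len(s) >= 4 and (letters == s or s in p) for s in seeds)


def triage(log_text, domain, threshold=3):
    """Map each offending host to a ban reason. A well-known password, a retired
    account or an identity-derived password is flagged on the first failure
    (mj's case #1); every other host only after `threshold` failures, the
    regular three tries (case #2)."""
    failures = Counter()
    verdict = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["host"] in verdict:
            continue
        user, host, password = m["user"], m["host"], m["password"]
        if is_well_known(password):
            verdict[host] = "instant: well-known password"
        elif user in EXTINCT_USERS:
            verdict[host] = "instant: retired account"
        elif is_identity_derived(password, user, domain):
            verdict[host] = "instant: password derived from user/domain"
        else:
            failures[host] += 1
            if failures[host] >= threshold:
                verdict[host] = f"threshold: {failures[host]} failures"
    return verdict


if __name__ == "__main__":
    for host, reason in sorted(triage(SAMPLE_LOG, "example.com").items()):
        print(f"{host:15} {reason}")
```

Run it directly to print the per-host verdicts. Note that every decision here is made from the plaintext password in the log line, which is exactly why auth_verbose_passwords has to be on for this approach and why mj calls it uncomfortable; the identity-derived check is the part a static list cannot cover and is where the false-positive risk sits, hence the minimum seed length.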


Re: Return extra fields from passwd userdb

2017-07-20 Thread Steffen Kaiser


On Thu, 20 Jul 2017, Michele Petrella wrote:

To be more accurate, all users in ldap db need to use mail, but some users in 
/etc/passwd file use mail too.


Does users exist in both passwd and ldap?

For this reason I set up "driver=passwd" in userdb section and in 
/etc/nsswitch.conf I set up "passwd: files ldap".


If you did this for Dovecot, revert it.

Now I want to use dovecot per user quota to limit ldap users mailbox size. I 
need quota only for ldap users, no need for users in /etc/passwd file.


Which is the correct configuration to do this?


use two databases for both passdb and userdb. One using pam / passwd, the 
other one the standard LDAP config.


see: 
https://wiki2.dovecot.org/Authentication/MultipleDatabases


Use LDAP instead of SQL userdb and passdb.

I guess, you will find posts in the sense "virtual and system users".

If there is no user in both databases, the order does not matter (except 
for speed); otherwise:


each database is tried in order of definition until a successful hit was 
found.


You can order the passdb's and userdb's differently, e.g. if passwd-passdb 
is first and the user's password matches, and the ldap-userdb is first and 
you get a hit there, the user authenticates against passwd, but its data 
is retrieved from LDAP.
See comment in page: "look up users from SQL first (even if authentication 
was done using PAM!)"


I understand that I need to use extra fields to obtain user quota from users 
db. But you said "the userdb section cannot merge two databases together". So


You cannot merge, but use one-after-another.

I can not use dovecot per user quota with "driver=passwd" in userdb section? 
I could use only global quota?




P.S.
1) I use dovecot-lda as delivery agent.

2) I send again my dovecot configuration:

# 2.2.29.1 (e0b76e3): /var/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.18 (29cc74d)
# OS: Linux 3.10.55-gentoo i686 SuSE Linux 7.1 (i386)
debug_log_path = /var/log/dovecot/dovecot_debug.log
disable_plaintext_auth = no
info_log_path = /var/log/state.mail/dovecot.pipe
log_path = /var/log/dovecot/dovecot.log
mail_debug = yes
mail_gid = users
mail_location = maildir:~/.maildir
mail_plugins = acl quota
mail_shared_explicit_inbox = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags 
copy include variables body enotify environment mailbox date index ihave 
duplicate mime foreverypart extracttext

namespace {
 list = yes
 location = maildir:/data/home/vmail/public
 prefix = Public/
 separator = /
 subscriptions = no
 type = public
}
namespace {
 list = children
 location = maildir:/data/home/%%n/.maildir:INDEX=~/.maildir/shared/%%u
 prefix = Shared/%%u/
 separator = /
 subscriptions = no
 type = shared
}
namespace inbox {
 inbox = yes
 list = yes
 location =
 mailbox Cestino {
   special_use = \Trash
 }
 mailbox Drafts {
   special_use = \Drafts
 }
 mailbox Junk {
   special_use = \Junk
 }
 mailbox "Posta inviata" {
   special_use = \Sent
 }
 mailbox Sent {
   special_use = \Sent
 }
 mailbox "Sent Messages" {
   special_use = \Sent
 }
 mailbox Trash {
   special_use = \Trash
 }
 prefix =
 separator = /
 subscriptions = yes
 type = private
}
passdb {
 args = /etc/dovecot/passwd.masterusers
 driver = passwd-file
 master = yes
}
passdb {
 driver = pam
}
plugin {
 acl = vfile:/etc/dovecot/acl:cache_secs=300
 acl_shared_dict = file:/var/lib/dovecot-dict/shared-mailboxes
 quota = maildir:User quota
 quota_rule = *:storage=5M
 quota_rule2 = Trash:storage=+100M
 quota_rule3 = SPAM:ignore
 sieve = ~/.dovecot.sieve
 sieve_before = /var/etc/dovecot/sieve/general/
 sieve_dir = ~/sieve
 sieve_execute_bin_dir = /usr/local/bin/dovecot/sieve-execute
 sieve_filter_bin_dir = /usr/local/bin/dovecot/sieve-filter
 sieve_global_dir = /var/etc/dovecot/sieve/global/
 sieve_global_extensions = +vnd.dovecot.execute +vnd.dovecot.filter 
+vnd.dovecot.pipe +editheader

 sieve_pipe_bin_dir = /usr/local/bin/dovecot/sieve-pipe
 sieve_plugins = sieve_extprograms
}
protocols = imap pop3 lmtp sieve
service auth {
 unix_listener auth-userdb {
   group = users
 }
}
service imap-postlogin {
 executable = script-login /usr/local/bin/imap-postlogin.sh
 user = $default_internal_user
}
service imap {
 executable = imap imap-postlogin
}
ssl = no
ssl_cert = 
userdb {
 default_fields = quota_rule=*:bytes=%$
 driver = passwd
}


I have problems in return extra fields from passwd userdb. My users are 
partially in passwd files and partially in LDAP. Users who use mail are in 
LDAP db.



If I use "default_fields = quota_rule=*:bytes=100M" in userdb,


if I use "default_fields = quota_rule=*:bytes=%{userdb:quotabytes}" in 
userdb,


1) default_fields supplies default values, if the userdb does not return 
them. Hence, you cannot reference a LDAP result.


2) the userdb section cannot m

Re: under some kind of attack

2017-07-20 Thread Aki Tuomi


On 20.07.2017 12:16, mj wrote:
> Hi all,
>
> If I may, one more question on this subject:
>
> I would like to create a fail2ban filter that scans for these lines:
>
>> Jul 20 11:10:09 auth: Info:
>> ldap(user1,60.166.35.162,): invalid credentials
>> (given password: password)
>> Jul 20 11:10:19 auth: Info:
>> ldap(user2,61.53.66.4,): invalid credentials (given
>> password: password)
>
> (as you can see, I have enabled auth_verbose_passwords to do this,
> making me very uncomfortable...)
>
> Anyway: since there are only a few password variations, I would like
> to block anyone using those passwords.
>
> (since the connections are over TLS/SSL, I cannot use iptables, as
> suggested earlier)
>
> So I need a specific fail2ban rule that extracts the  from that
> line, and matches on "(given password: password)"
>
> Can anyone here help out with a failregex line that would match..?

You could use https://github.com/PowerDNS/weakforced here. It lets you
execute arbitrary actions in addition to just outright blocking the users.

Aki


Re: under some kind of attack

2017-07-20 Thread mj

Hi all,

If I may, one more question on this subject:

I would like to create a fail2ban filter that scans for these lines:


Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,): 
invalid credentials (given password: password)
Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,): invalid 
credentials (given password: password)


(as you can see, I have enabled auth_verbose_passwords to do this, 
making me very uncomfortable...)


Anyway: since there are only a few password variations, I would like to 
block anyone using those passwords.


(since the connections are over TLS/SSL, I cannot use iptables, as 
suggested earlier)


So I need a specific fail2ban rule that extracts the  from that 
line, and matches on "(given password: password)"


Can anyone here help out with a failregex line that would match..?
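A worked version of the filter asked for above, added here as an example (it is my code, not something from the thread, from Dovecot or from fail2ban). It builds the fail2ban failregex from a list of weak passwords and runs the same pattern over a few constructed log lines to show which client addresses would be banned. Assumptions beyond the post: the list of weak passwords (only "password" appears in the posted lines; the others are the examples named earlier in the thread), the session ids and the extra sample lines, the filter file name, and the "SHA1 of given password" wording that Dovecot uses when `auth_verbose_passwords = sha1:N` is set instead of `plain` (that setting avoids logging plaintext passwords, which is the discomfort mentioned in the post; confirm the wording against a real line before relying on it). The line from a legitimate user mistyping a reasonable password is there to show it is not banned.

```python
"""Ban clients that try known-weak passwords against Dovecot.

Added example for the thread above, not code from Dovecot or fail2ban.
Assumes Dovecot's own log file (log_path), whose lines start with a
syslog-style timestamp and then "auth: Info: ..." as in the post.
"""
import hashlib
import re
from typing import Iterable, List, Tuple

# "password" is what the posted lines show; the rest are the examples named
# earlier in the thread.  Constructed list, extend it from your own logs.
WEAK_PASSWORDS = ("password", "123456", "123321", "1q2w3e")

# auth_verbose_passwords = sha1:N logs a truncated hex SHA-1 instead of the
# plaintext.  N = 6 is assumed; use 0 for auth_verbose_passwords = plain.
SHA1_PREFIX_LEN = 6


def sha1_prefix(password: str, n: int = SHA1_PREFIX_LEN) -> str:
    """Hex SHA-1 of the password, truncated the way sha1:N truncates it."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return digest[:n] if n else digest


def failregex(weak: Iterable[str] = WEAK_PASSWORDS,
              sha1_len: int = SHA1_PREFIX_LEN) -> str:
    """fail2ban failregex matching the plaintext or hashed form of a weak password.

    <HOST> is fail2ban's placeholder for the client address, and fail2ban strips
    the timestamp before matching, so the pattern starts at "auth:".  The passdb
    name and the session id are left open so ldap, pam and passwd-file failures
    all match; "Password mismatch" is the wording for non-bind passdbs.  The
    "SHA1 of given password" rendering is assumed: check it against a real line.
    """
    forms = []
    for pw in weak:
        forms.append(re.escape(pw))
        forms.append(sha1_prefix(pw, sha1_len))
    return (r"^\s*auth: Info: [\w-]+\((?P<user>[^,]*),<HOST>,[^)]*\): "
            r"(?:invalid credentials|Password mismatch) "
            r"\((?:SHA1 of )?given password: (?P<pw>" + "|".join(forms) + r")\)\s*$")


def fail2ban_filter(weak: Iterable[str] = WEAK_PASSWORDS) -> str:
    """Body of a filter file such as filter.d/dovecot-weakpw.conf (name is mine)."""
    return "[Definition]\nfailregex = %s\nignoreregex =\n" % failregex(weak)


_HOST = r"(?P<host>[0-9A-Fa-f.:]+)"      # IPv4 or IPv6, stands in for <HOST>
_TIMESTAMP = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d ")


def weak_password_hits(lines: Iterable[str],
                       weak: Iterable[str] = WEAK_PASSWORDS) -> List[Tuple[str, str, str]]:
    """(host, user, logged password) for every line that used a weak password."""
    rx = re.compile(failregex(weak).replace("<HOST>", _HOST))
    hits = []
    for line in lines:
        m = rx.match(_TIMESTAMP.sub("", line, count=1))
        if m:
            hits.append((m.group("host"), m.group("user"), m.group("pw")))
    return hits


def hosts_to_ban(lines: Iterable[str],
                 weak: Iterable[str] = WEAK_PASSWORDS) -> List[str]:
    """Distinct client addresses that should go to the ban action."""
    return sorted({host for host, _, _ in weak_password_hits(lines, weak)})


# Constructed sample log, modelled on the two lines in the post (session ids
# and the extra lines are made up).
SAMPLE_LOG = [
    "Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<R1a2b3c4d5e6f7g8>): "
    "invalid credentials (given password: password)",
    "Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<S9h8i7j6k5l4m3n2>): "
    "invalid credentials (given password: 1q2w3e)",
    # a real user mistyping a decent password: must NOT be banned
    "Jul 20 11:10:31 auth: Info: passwd-file(alice,192.0.2.10,<T0o9p8q7r6s5t4u3>): "
    "Password mismatch (given password: Summer2017-typo)",
    # same failure after switching to auth_verbose_passwords = sha1:6
    # (5baa61 is the start of SHA-1("password"))
    "Jul 20 11:10:40 auth: Info: ldap(user3,198.51.100.7,<U2v3w4x5y6z7a8b9>): "
    "invalid credentials (SHA1 of given password: 5baa61)",
    # unrelated line that must not match
    "Jul 20 11:10:45 imap-login: Info: Disconnected (auth failed, 1 attempts "
    "in 2 secs): user=<user1>, method=PLAIN, rip=60.166.35.162, lip=192.0.2.1, TLS",
]

if __name__ == "__main__":
    print(fail2ban_filter())
    for hit in weak_password_hits(SAMPLE_LOG):
        print("ban %s (user %s, password %s)" % hit)
```

Point the jail at Dovecot's log_path file; if it reads the syslog file instead, the line carries a `dovecot: ` tag before `auth:` and the pattern has to allow for it. fail2ban only needs the `<HOST>` group; the extra named groups are there for the script. Because the filter bans on the password rather than on the failure count, a legitimate user who really has "password" as their password is banned on the first typo too, which is the support cost mentioned earlier in the thread.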


Re: Dovecot imap

2017-07-20 Thread Aki Tuomi
Your config looks fine, the problem is something else.

Aki

On 20.07.2017 11:20, nlek...@gmail.com wrote:
> Hello there to all !
>
> Here is the doveconf -a as asked by Aki Tuomi.. Do you see anything
> wrong..?
> I would appreciate it much if anyone could help ...
>
> # OS: Linux 2.6.32-696.1.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)
> auth_mechanisms = plain login
> disable_plaintext_auth = no
> mail_location = maildir:~/Maildir
> mail_plugins = " quota"
> mbox_write_locks = fcntl
> passdb {
>   driver = pam
> }
> plugin {
>   quota = fs:User quota
>   quota_grace = 10%%
>   quota_status_nouser = DUNNO
>   quota_status_overquota = 552 5.2.2 Mailbox is full
>   quota_status_success = DUNNO
> }
> protocols = imap pop3
> userdb {
>   driver = passwd
> }
> protocol imap {
>   mail_plugins = " quota imap_quota"
> }
> protocol pop3 {
>   pop3_uidl_format = %08Xu%08Xv
> }


Re: Return extra fields from passwd userdb

2017-07-20 Thread Aki Tuomi
You could use

passdb {
  driver = ldap
  args = /path/to/dovecot-auth-ldap.conf.ext
}

passdb {
  driver = passwd
  skip = authenticated
}

instead. Then you can map quota stuff for your LDAP users and not for
the passwd users.

Aki

On 20.07.2017 11:45, Michele Petrella wrote:
> Hi,
> thanks for your helpful reply.
>
> I understand that default_fields is not my solution.
>
> To be more accurate, all users in ldap db need to use mail, but some
> users in /etc/passwd file use mail too.
> For this reason I set up "driver=passwd" in userdb section and in
> /etc/nsswitch.conf I set up "passwd: files ldap".
> Now I want to use dovecot per user quota to limit ldap users mailbox
> size. I need quota only for ldap users, no need for users in
> /etc/passwd file.
>
> Which is the correct configuration to do this?
> I understand that I need to use extra fields to obtain user quota from
> users db. But you said "the userdb section cannot merge two databases
> together". So I can not use dovecot per user quota with
> "driver=passwd" in userdb section? I could use only global quota?
>
> Thanks in advance
>
> Michele
>
> P.S.
> 1) I use dovecot-lda as delivery agent.
>
> 2) I send again my dovecot configuration:
>
> # 2.2.29.1 (e0b76e3): /var/etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.18 (29cc74d)
> # OS: Linux 3.10.55-gentoo i686 SuSE Linux 7.1 (i386)
> debug_log_path = /var/log/dovecot/dovecot_debug.log
> disable_plaintext_auth = no
> info_log_path = /var/log/state.mail/dovecot.pipe
> log_path = /var/log/dovecot/dovecot.log
> mail_debug = yes
> mail_gid = users
> mail_location = maildir:~/.maildir
> mail_plugins = acl quota
> mail_shared_explicit_inbox = yes
> mail_uid = vmail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate mime foreverypart
> extracttext
> namespace {
>   list = yes
>   location = maildir:/data/home/vmail/public
>   prefix = Public/
>   separator = /
>   subscriptions = no
>   type = public
> }
> namespace {
>   list = children
>   location = maildir:/data/home/%%n/.maildir:INDEX=~/.maildir/shared/%%u
>   prefix = Shared/%%u/
>   separator = /
>   subscriptions = no
>   type = shared
> }
> namespace inbox {
>   inbox = yes
>   list = yes
>   location =
>   mailbox Cestino {
> special_use = \Trash
>   }
>   mailbox Drafts {
> special_use = \Drafts
>   }
>   mailbox Junk {
> special_use = \Junk
>   }
>   mailbox "Posta inviata" {
> special_use = \Sent
>   }
>   mailbox Sent {
> special_use = \Sent
>   }
>   mailbox "Sent Messages" {
> special_use = \Sent
>   }
>   mailbox Trash {
> special_use = \Trash
>   }
>   prefix =
>   separator = /
>   subscriptions = yes
>   type = private
> }
> passdb {
>   args = /etc/dovecot/passwd.masterusers
>   driver = passwd-file
>   master = yes
> }
> passdb {
>   driver = pam
> }
> plugin {
>   acl = vfile:/etc/dovecot/acl:cache_secs=300
>   acl_shared_dict = file:/var/lib/dovecot-dict/shared-mailboxes
>   quota = maildir:User quota
>   quota_rule = *:storage=5M
>   quota_rule2 = Trash:storage=+100M
>   quota_rule3 = SPAM:ignore
>   sieve = ~/.dovecot.sieve
>   sieve_before = /var/etc/dovecot/sieve/general/
>   sieve_dir = ~/sieve
>   sieve_execute_bin_dir = /usr/local/bin/dovecot/sieve-execute
>   sieve_filter_bin_dir = /usr/local/bin/dovecot/sieve-filter
>   sieve_global_dir = /var/etc/dovecot/sieve/global/
>   sieve_global_extensions = +vnd.dovecot.execute +vnd.dovecot.filter
> +vnd.dovecot.pipe +editheader
>   sieve_pipe_bin_dir = /usr/local/bin/dovecot/sieve-pipe
>   sieve_plugins = sieve_extprograms
> }
> protocols = imap pop3 lmtp sieve
> service auth {
>   unix_listener auth-userdb {
> group = users
>   }
> }
> service imap-postlogin {
>   executable = script-login /usr/local/bin/imap-postlogin.sh
>   user = $default_internal_user
> }
> service imap {
>   executable = imap imap-postlogin
> }
> ssl = no
> ssl_cert =  ssl_key =  # hidden, use -P to show it
> userdb {
>   driver = passwd
> }
> protocol lda {
>   info_log_path = /var/log/dovecot/dovecot-lda.log
>   log_path = /var/log/dovecot/dovecot-lda.log
>   mail_plugins = acl quota sieve
> }
> protocol imap {
>   mail_max_userip_connections = 20
>   mail_plugins = acl quota imap_acl imap_quota
> }
>
>
>>> userdb {
>>>  default_fields = quota_rule=*:bytes=%$
>>>  driver = passwd
>>> }
>>
>>> I have problems in return extra fields from passwd userdb. My users
>>> are partially in passwd files and partially in LDAP. Users who use
>>> mail are in LDAP db.
>>
>>> If I use "default_fields = quota_rule=*:bytes=100M" in userdb,
>>
>>> if I use "default_fields = quota_rule=*:bytes=%{userdb:quotabytes}"
>>> in userdb,
>>
>> 1) default_fields supplies default values, if the userdb does not
>> return them. Hence, you cannot reference a LDAP resu
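A concrete version of the two-database layout Steffen describes and of the `skip = authenticated` variant Aki gives, written out here as my own example rather than config taken from the thread or from the Dovecot documentation, and not tested on the poster's system. Assumptions: the LDAP entries carry a numeric attribute `quotaBytes` (a hypothetical name) with the mailbox limit in bytes, the LDAP settings live in `/etc/dovecot/dovecot-ldap.conf.ext`, and `mail_uid` / `mail_gid` stay set globally as in the posted config.

```conf
# --- /etc/dovecot/dovecot.conf (relevant parts) ---

# LDAP bind first; PAM only for the /etc/passwd accounts that LDAP did not
# authenticate.  Keep the master passdb above these if it is still needed.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
passdb {
  driver = pam
  skip = authenticated
}

# userdb lookups stop at the first database that returns the user, so with
# LDAP listed first its users get quota_rule from the directory, while
# /etc/passwd-only users fall through to the passwd userdb and get no
# per-user quota.  If "passwd: files ldap" in nsswitch.conf was added only
# for Dovecot it can go back to "files"; if other services need it, it no
# longer matters here because the LDAP userdb answers first.
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = passwd
}

# No global quota_rule here on purpose: a user whose userdb returns none
# stays unlimited, which is what the passwd users should get.
plugin {
  quota = maildir:User quota
}

# --- /etc/dovecot/dovecot-ldap.conf.ext (relevant parts) ---
# quotaBytes is the assumed attribute; %$ expands to the attribute's value,
# so the userdb returns quota_rule=*:bytes=<value> for that user.
auth_bind = yes
user_attrs = homeDirectory=home,quotaBytes=quota_rule=*:bytes=%$
```

To check it, `doveadm user -u <ldapuser>` should list `quota_rule` among the returned fields and `doveadm user -u <passwduser>` should not, and `doveadm auth test <user>` shows which passdb answered.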

Re: Return extra fields from passwd userdb

2017-07-20 Thread Michele Petrella

Hi,
thanks for your helpful reply.

I understand that default_fields is not my solution.

To be more accurate, all users in ldap db need to use mail, but some 
users in /etc/passwd file use mail too.
For this reason I set up "driver=passwd" in userdb section and in 
/etc/nsswitch.conf I set up "passwd: files ldap".
Now I want to use dovecot per user quota to limit ldap users mailbox 
size. I need quota only for ldap users, no need for users in /etc/passwd 
file.


Which is the correct configuration to do this?
I understand that I need to use extra fields to obtain user quota from 
users db. But you said "the userdb section cannot merge two databases 
together". So I can not use dovecot per user quota with "driver=passwd" 
in userdb section? I could use only global quota?


Thanks in advance

Michele

P.S.
1) I use dovecot-lda as delivery agent.

2) I send again my dovecot configuration:

# 2.2.29.1 (e0b76e3): /var/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.18 (29cc74d)
# OS: Linux 3.10.55-gentoo i686 SuSE Linux 7.1 (i386)
debug_log_path = /var/log/dovecot/dovecot_debug.log
disable_plaintext_auth = no
info_log_path = /var/log/state.mail/dovecot.pipe
log_path = /var/log/dovecot/dovecot.log
mail_debug = yes
mail_gid = users
mail_location = maildir:~/.maildir
mail_plugins = acl quota
mail_shared_explicit_inbox = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart 
extracttext

namespace {
  list = yes
  location = maildir:/data/home/vmail/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
namespace {
  list = children
  location = maildir:/data/home/%%n/.maildir:INDEX=~/.maildir/shared/%%u
  prefix = Shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  list = yes
  location =
  mailbox Cestino {
special_use = \Trash
  }
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox "Posta inviata" {
special_use = \Sent
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
  separator = /
  subscriptions = yes
  type = private
}
passdb {
  args = /etc/dovecot/passwd.masterusers
  driver = passwd-file
  master = yes
}
passdb {
  driver = pam
}
plugin {
  acl = vfile:/etc/dovecot/acl:cache_secs=300
  acl_shared_dict = file:/var/lib/dovecot-dict/shared-mailboxes
  quota = maildir:User quota
  quota_rule = *:storage=5M
  quota_rule2 = Trash:storage=+100M
  quota_rule3 = SPAM:ignore
  sieve = ~/.dovecot.sieve
  sieve_before = /var/etc/dovecot/sieve/general/
  sieve_dir = ~/sieve
  sieve_execute_bin_dir = /usr/local/bin/dovecot/sieve-execute
  sieve_filter_bin_dir = /usr/local/bin/dovecot/sieve-filter
  sieve_global_dir = /var/etc/dovecot/sieve/global/
  sieve_global_extensions = +vnd.dovecot.execute +vnd.dovecot.filter 
+vnd.dovecot.pipe +editheader

  sieve_pipe_bin_dir = /usr/local/bin/dovecot/sieve-pipe
  sieve_plugins = sieve_extprograms
}
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener auth-userdb {
group = users
  }
}
service imap-postlogin {
  executable = script-login /usr/local/bin/imap-postlogin.sh
  user = $default_internal_user
}
service imap {
  executable = imap imap-postlogin
}
ssl = no
ssl_cert = 
userdb {
 default_fields = quota_rule=*:bytes=%$
 driver = passwd
}


I have problems in return extra fields from passwd userdb. My users 
are partially in passwd files and partially in LDAP. Users who use 
mail are in LDAP db.



If I use "default_fields = quota_rule=*:bytes=100M" in userdb,


if I use "default_fields = quota_rule=*:bytes=%{userdb:quotabytes}" 
in userdb,


1) default_fields supplies default values, if the userdb does not 
return them. Hence, you cannot reference a LDAP result.


2) the userdb section cannot merge two databases together. You said 
"Users who use mail are in LDAP db", so you would one userdb with 
driver ldap.


--
AFA Systems Srl
Via G.Pastore
Zona Industriale B
86039 Termoli (CB) - Italia
tel.: +39 0875 724104
fax.: +39 0875 726084
www.afasystems.it


vacation problem with SRS

2017-07-20 Thread Kacper Guzik
Hi, I have a similar problem like here:

http://www.iredmail.org/forum/topic11833-iredmail-support-vocation-respone-unknown-user.html


email sent:
from : web...@gmail.com
to : ja...@mail.com

vacation sent back
from : ja...@mail.com
to : srs0=hmc8=v7=gmail.com=web...@mail.com



postsrsd is changing the return-path from web...@gmail.com to 
srs0=hmc8=v7=gmail.com=web...@mail.com

this is no problem for me but  sieve:

Vacation's messages are always addressed to the Return-Path address

Is it possible somehow to change this ugly To header to a normal one?

I can't find anything on dovecot mailing lists


Dovecot imap

2017-07-20 Thread nlek...@gmail.com
Hello there to all !

Here is the doveconf -a as asked by Aki Tuomi.. Do you see anything
wrong..?
I would appreciate it much if anyone could help ...

# OS: Linux 2.6.32-696.1.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)
auth_mechanisms = plain login
disable_plaintext_auth = no
mail_location = maildir:~/Maildir
mail_plugins = " quota"
mbox_write_locks = fcntl
passdb {
  driver = pam
}
plugin {
  quota = fs:User quota
  quota_grace = 10%%
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
}
protocols = imap pop3
userdb {
  driver = passwd
}
protocol imap {
  mail_plugins = " quota imap_quota"
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}