Re: under another kind of attack
On 2017-07-25 09:37, Olaf Hopp wrote: But the rate at which they are knocking is very very low. So fail2ban will never catch them. For example one IP: Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,): unknown user Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,): pam_authenticate() failed: Authentication failure (password mismatch?) Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,): unknown user Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,): unknown user OSSEC has at least two ways of stopping these: 1. Repeat offenders option: this keeps track of the IP and increases the block time if they come back (within a defined timeframe). 2. You can simply overwrite the rule looking for repeated attempts from the same IP and increase the timeframe option to hours instead of minutes. Note the timestamps. If I look the other way round (tries to one account) I'll get Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,): unknown user Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,): unknown user Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,): unknown user Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,): unknown user Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,): unknown user Also note the timestamps! In this case, it looks like it's coming from several different IPs. If the IPs are in geographic regions which should never have a need to log in, you can deny them preemptively in rules. You can also simply look for any attempt to authenticate to an unknown user and block that. It would be interesting to try to figure out a way to look for deviations from the normal naming convention, or perhaps try to identify something that looks random. There are other options, as well. You can set up a CDB list with known bad IPs and populate them from threat lists of your choice. All around, I think you'll find it much more capable and robust than fail2ban. Disclaimer: I wrote the OSSEC Dovecot ruleset several years ago. I don't know if it is current (but I think it is being maintained).
Re: under another kind of attack
Olaf Hoppwrites: I have dovecot shielded by fail2ban which works fine. But since a few days I see many many IPs per day knocking on my doors with wron password and/or users. But the rate at which they are knocking is very very low. So fail2ban will never catch them. Slow roll distributed attacks. Really hard to stop. And I see many many distinct IPs per day (a few hundred) trying many many existing and non-existings accounts. As you see in the timestamps in my examples, this can not be handled by fail2ban without affecting regular users with typos. Is anybody observing something similar ? All the time, and to many services. If you need to be fault tolerant, you'll either have to set tolerant limits (allow reasonable number of failures), or timeout features. You could also track successful logins as whitelisting entries for future logins. Anybody an idea against this ? Many of these observed IPs are chinese mobile IPs, if this matters. But we have also chinese students and researchers all abroad. Nearly an intractable problem, especially since your users are embedded in a notoriously infested network (as someone quipped, "like picking marshmallows out from a pile of sh*t"). Some ideas: - pre-emption (using third party RBLs that targets BFD) - immediate blacklisting of known bad users/passwords (e.g. "admin", "support", extinct users, etc.) - persistent tracking storage: tracking in SQL, or or large LRU list that can reach far enough back in time. (I think Aki mentioned weakforced which you can use instead if fail2ban to implement some of these things.) There are other solutions like alternate ports, port knocking, certificate authentication, or VPN, but they are hard/impossible to do with a large userbase, or have high setup/amortization costs. If you have a enforced strong password policy, these brute forcers have little chance of succeeding, so maybe the easiest cheapest policy is to ignore it. Joseph Tam
Re: under another kind of attack
"mourik jan c heupink"writes: On 07/24/2017 04:51 AM, Joseph Tam wrote:> You are essentially writing your own backend by taking over authentication. You'll be accepting user/password inputs into your checkpassword executable, then use the LDAP API (or some other system...snip and source address, which will be adversely affect performance on a busy server as authentication data cannot be cached. While this sounds awesome, it can do much more than what I was/am after, and appears lot more complicated to setup than what I had figured myself. Shouldn't I be able to do something like this: passdb { driver = passwd-file # application specific passwd-file should work from anywhere # (so: no allow_nets) args = /etc/dovecot/dovecot-application-specific } passdb { # only allowed to use this from within local 192.168.1.0/24 args = /etc/dovecot/dovecot-ldap.conf.ext allow_nets=192.168.1.0/24 driver = ldap } Yes, that would take care of *one* of the items on your wishlist (network specific passwords). You also wanted time specific passwords. And intelligent brute force detection. And blacklist lookups. Rather than cobbling together fail2ban, utility scripts, multiple passdbs, firewall rules and whatever other system you'll need to recruit, I'm suggesting you amortize the effort and pack it into one place, then you can extend this to incorporate whatever your heart desires. The complexity of implementing this reflects the complexity of your requirements. If you only had generic authentication needs, then the dovecot supplied facilities would be perfect. But you don't. Where I would generate lines in dovecot-application-specific using a script or some webpage, and generate lines like: username1:randomONE:vmail:vmail::/var/vmail/username1: username1:randomTWO:vmail:vmail::/var/vmail/username1: username2:randomTHREE:vmail:vmail::/var/vmail/username2: username2:randomFOUR:vmail:vmail::/var/vmail/username2: And the result would be: username1 can login from anywhere, using passwords "randomONE" & "randomTWO", plus the password in ldap when coming from the internal network. You'll probably need 3 passdb, LDAP and 2 fallback passwd-file dbs. Joseph Tam
Re: under another kind of attack
Am 25.07.2017 um 16:54 schrieb mj: > Hi Olaf, > > Since we implemented country blocking, everything seems nicely under > control, with only 'normal levels' of knocking. > > We first have impemented: > http://blog.jeshurun.ca/technology/block-countries-ubuntu-iptables-xtables-geoip > > > Then we did: > https://github.com/firehol/blocklist-ipsets simply geoip blocking may work at your site but it does not work for many other cases > > And finale iptables rules like these: > >> iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc >> CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP >> iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc >> MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP >> iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc >> MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP >> iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc CR,MZ -j DROP >> >> iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc >> CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP >> iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc >> MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP >> iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc >> MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP >> iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc CR,MZ -j DROP >> >> iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc >> CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP >> iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc >> MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP >> iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc >> MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP >> iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc CR,MZ -j DROP > > I tried to combine the various dports in one single rule, but that > didn't seem to work. Perhaps someone here knows how to combine --match > "geoip" and "multiport" in one single rule? > > Anyway: for us these combined measures did the tric. > > Users in one of the imap-blocked countries will have to use ActiveSync > (works over https), the webmail-interface, or launch the VPN first. > > This works for us. > > Only one thing on my wishlist: application specific passwords. I would > very much appreciate a respond on that thread... (posted yesterday > evening, with a pseudo-dovecot-config file...) > > Hope the above helps you a bit, Olaf. > > MJ > > On 07/25/2017 04:37 PM, Olaf Hopp wrote: >> Hi folks, >> >> "somehow" similar to the thread "under some kind oof attack" started >> by "MJ": >> >> I have dovecot shielded by fail2ban which works fine. >> But since a few days I see many many IPs per day knocking on >> my doors with wron password and/or users. But the rate at which they >> are knocking >> is very very low. So fail2ban will never catch them. >> >> For example one IP: >> >> Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): >> pam(eurodisc,101.231.247.210,): unknown user >> Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): >> pam(gergei,101.231.247.210,): pam_authenticate() >> failed: Authentication failure (password mismatch?) >> Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): >> pam(icpe,101.231.247.210,): unknown user >> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): >> pam(endsulei,101.231.247.210,): unknown user >> >> Note the timestamps. >> If I look the other way round (tries to one account) I'll get >> >> Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): >> pam(endsulei,60.166.12.117,): unknown user >> Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): >> pam(endsulei,222.243.211.200,): unknown user >> Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): >> pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user >> Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): >> pam(endsulei,222.84.118.83,): unknown user >> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): >> pam(endsulei,101.231.247.210,): unknown user >> Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): >> pam(endsulei,206.214.0.120,): unknown user >> >> Also note the timestamps! >> >> And I see many many distinct IPs per day (a few hundred) trying many >> many existing and non-existings accounts. >> As you see in the timestamps in my examples, this can not be handled >> by fail2ban without affecting >> regular users with typos. >> Is anybody observing something similar ? >> Anybody an idea against this ? >> Many of these observed IPs are chinese mobile IPs, if this matters. >> But we have also chinese students and >> researchers all abroad. >> >> >> Regards, >> Olaf >> Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Re: under another kind of attack
Am 25.07.2017 um 16:37 schrieb Olaf Hopp: > Hi folks, > > "somehow" similar to the thread "under some kind oof attack" started by > "MJ": > > I have dovecot shielded by fail2ban which works fine. > But since a few days I see many many IPs per day knocking on > my doors with wron password and/or users. But the rate at which they are > knocking > is very very low. So fail2ban will never catch them. > > For example one IP: > > Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): > pam(eurodisc,101.231.247.210,): unknown user > Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): > pam(gergei,101.231.247.210,): pam_authenticate() > failed: Authentication failure (password mismatch?) > Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): > pam(icpe,101.231.247.210,): unknown user > Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): > pam(endsulei,101.231.247.210,): unknown user > > Note the timestamps. > If I look the other way round (tries to one account) I'll get > > Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): > pam(endsulei,60.166.12.117,): unknown user > Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): > pam(endsulei,222.243.211.200,): unknown user > Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): > pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user > Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): > pam(endsulei,222.84.118.83,): unknown user > Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): > pam(endsulei,101.231.247.210,): unknown user > Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): > pam(endsulei,206.214.0.120,): unknown user > > Also note the timestamps! > > And I see many many distinct IPs per day (a few hundred) trying many > many existing and non-existings accounts. > As you see in the timestamps in my examples, this can not be handled by > fail2ban without affecting > regular users with typos. > Is anybody observing something similar ? all the time ,since years, in my case its always schema user xyz.abc in my case all username without @ could be dropped at once a regex deny should be fine, but i havent implemented/thinked of it cause it comming in small waves and mostly fail2ban stops it soon > Anybody an idea against this ? > Many of these observed IPs are chinese mobile IPs, if this matters. But > we have also chinese students and > researchers all abroad. > > > Regards, > Olaf > Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Re: SIEVE: handling of lineending in fields
On 25.07.2017 13:54, Stephan Bosch wrote: > > > Op 22-7-2017 om 18:02 schreef Ingo Thierack: >> Hello, >> >> migrated von the mailserver from centos to alpine linux. Most parts are >> run well. >> >> dovecot 2.2.31 >> sieve: 0.4.19 >> >> But i fight with on behavior. >> >> I have an sieve script which pipes a few fields to an external script >> which send this data to an telegram-bot. >> >> the part of the sieve-script. >> >> if header :matches "Subject" "*" { >> set "subject" "${1}"; >> } >> if header :matches "from" "*" { >> set "from" "${1}"; >> } >> if header :matches "to" "*" { >> set "to" "${1}"; >> } >> >> foreverypart >> { >> if header :mime :type :is "Content-Type" "text" >> { >> extracttext :first 30 "msgcontent"; >> break; >> } >> } >> >> pipe :copy :try "notify.sh" [ "", "(${from})#${to}#${subject}", >> "\"${msgcontent}\"" ]; >> >> What i get now is an error about looks like encoding of the linefeeds. >> >> default: line 107: error: specified :args item `"test 4??"' is invalid. >> >> Here is sent a mail which contains in subject "test 4". >> >> or >> default: line 107: error: specified :args item `"?? ?? ??? ??? Oracle >> Magazine "' is invalid. >> >> Here is sent a mail which contains in subject "test 4". >> >> On centos this was never an problem. With alpine-linux this process is >> complete broken. >> >> Any hints, where to look and maybee fix thie behavior? Mybe its ab >> problem with the libmusl which used in alpine. > > This is nothing new: > > https://github.com/dovecot/pigeonhole/blob/master/doc/rfc/spec-bosch-sieve-extprograms.txt#L149 > > https://github.com/dovecot/pigeonhole/blob/master/src/plugins/sieve-extprograms/sieve-extprograms-common.c#L191 > (code is at least 4 years old) > > I could add an option to allow newlines, but I am not sure that is a > good idea per se. > > Regards, > > Stephan. What kind of problems are expected, if CR and LF are allowed? Maybe there are other control chars which are also problematic. Think every char below 0x20 could be. Should not be in a normal mail, but who knows As of now, I have the code part, I'll try to create for my installation/package a patch, which allows CR/LF, or if i see here an problem replace it by an space. So no general change necessary i think. Regards, Ingo signature.asc Description: OpenPGP digital signature
Re: last_logon SQL mapping
> On July 22, 2017 at 4:42 PM viperwrote: > > > Hi > > I have been attempting to do a mapping on the last_logon plugin. I have > been reading the documentation on mapping. is there any way to customise > a little more and create a individual SQL query for each of the > functions SELECT and UPDATE, my current SQL setup has the username and > domain in separate tables and my user_query and password_query are > concat which I do not believe can be defined in the dictionary map > process, I was also wanting to use datatime as the saved field but it > seems only the unix timestamp is used. If there is any way to create a > fully custom query that can be executed I believe this would allow me to > preform the action am looking for in the same manner as the user_query > and password_query > > If anyone has any suggestions please let me know > > Regards > > Craig Hi! The last_login plugin uses dict interface to update the last login values, so custom SQL is not feasible to do. In your case it's probably best to use postlogin script instead, although it will make last login information less accurate. Aki
last_logon SQL mapping
Hi I have been attempting to do a mapping on the last_logon plugin. I have been reading the documentation on mapping. is there any way to customise a little more and create a individual SQL query for each of the functions SELECT and UPDATE, my current SQL setup has the username and domain in separate tables and my user_query and password_query are concat which I do not believe can be defined in the dictionary map process, I was also wanting to use datatime as the saved field but it seems only the unix timestamp is used. If there is any way to create a fully custom query that can be executed I believe this would allow me to preform the action am looking for in the same manner as the user_query and password_query If anyone has any suggestions please let me know Regards Craig
Re: under another kind of attack
Olaf Hopp wrote on 25.07.2017 16:37: Hi folks, "somehow" similar to the thread "under some kind oof attack" started by "MJ": I have dovecot shielded by fail2ban which works fine. But since a few days I see many many IPs per day knocking on my doors with wron password and/or users. But the rate at which they are knocking is very very low. So fail2ban will never catch them. For example one IP: Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,): unknown user Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,): pam_authenticate() failed: Authentication failure (password mismatch?) Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,): unknown user Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,): unknown user Note the timestamps. If I look the other way round (tries to one account) I'll get Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,): unknown user Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,): unknown user Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,): unknown user Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,): unknown user Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,): unknown user Also note the timestamps! And I see many many distinct IPs per day (a few hundred) trying many many existing and non-existings accounts. As you see in the timestamps in my examples, this can not be handled by fail2ban without affecting regular users with typos. Is anybody observing something similar ? Anybody an idea against this ? Many of these observed IPs are chinese mobile IPs, if this matters. But we have also chinese students and researchers all abroad. Regards, Olaf For those "unknown user" attacks on Dovecot we use a rule we named "dovecot-unknownusers.conf" with Fail2Ban: failregex = ^%(__prefix_line)sauth-worker\(\d+\): (pam|sql)\(\S+,\): unknown user\s*$ "findtime" we set to 5400 (90 minutes) with "maxretry" set to 2. Works pretty well to block those pesty slow pace attacks.
Re: under another kind of attack
On Tue, Jul 25, 2017 at 04:37:23PM +0200, Olaf Hopp wrote: Hi folks, "somehow" similar to the thread "under some kind oof attack" started by "MJ": I have dovecot shielded by fail2ban which works fine. But since a few days I see many many IPs per day knocking on my doors with wron password and/or users. But the rate at which they are knocking is very very low. So fail2ban will never catch them. Of course it will. You just need to set the "findtime" high enough. Personally, on my very quiet home server, I have findtime set to 7200 (2 hours) and maxretry set to 5, meaning that if a host fails to authenticate 5 times in two hours, they're banned (I have a fairly harsh ban time of a week, so that stops them coming back too soon). For example one IP: Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,): unknown user Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,): pam_authenticate() failed: Authentication failure (password mismatch?) Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,): unknown user Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,): unknown user Note the timestamps. If I look the other way round (tries to one account) I'll get Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,): unknown user Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,): unknown user Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,): unknown user Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,): unknown user Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,): unknown user Also note the timestamps! And I see many many distinct IPs per day (a few hundred) trying many many existing and non-existings accounts. As you see in the timestamps in my examples, this can not be handled by fail2ban without affecting regular users with typos. Is anybody observing something similar ? Anybody an idea against this ? Many of these observed IPs are chinese mobile IPs, if this matters. But we have also chinese students and researchers all abroad. Regards, Olaf -- Karlsruher Institut für Technologie (KIT) ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik Dipl.-Geophys. Olaf Hopp - Leitung IT-Dienste - Am Fasanengarten 5, Gebäude 50.34, Raum 009 76131 Karlsruhe Telefon: +49 721 608-43973 Fax: +49 721 608-46699 E-Mail: olaf.h...@kit.edu atis.informatik.kit.edu www.kit.edu KIT – Die Forschungsuniversität in der Helmholtz-Gemeinschaft Das KIT ist seit 2010 als familiengerechte Hochschule zertifiziert. -- For more information, please reread. signature.asc Description: PGP signature
Re: under another kind of attack
Hi Olaf, Since we implemented country blocking, everything seems nicely under control, with only 'normal levels' of knocking. We first have impemented: http://blog.jeshurun.ca/technology/block-countries-ubuntu-iptables-xtables-geoip Then we did: https://github.com/firehol/blocklist-ipsets And finale iptables rules like these: iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc CR,MZ -j DROP iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc CR,MZ -j DROP iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc CR,MZ -j DROP I tried to combine the various dports in one single rule, but that didn't seem to work. Perhaps someone here knows how to combine --match "geoip" and "multiport" in one single rule? Anyway: for us these combined measures did the tric. Users in one of the imap-blocked countries will have to use ActiveSync (works over https), the webmail-interface, or launch the VPN first. This works for us. Only one thing on my wishlist: application specific passwords. I would very much appreciate a respond on that thread... (posted yesterday evening, with a pseudo-dovecot-config file...) Hope the above helps you a bit, Olaf. MJ On 07/25/2017 04:37 PM, Olaf Hopp wrote: Hi folks, "somehow" similar to the thread "under some kind oof attack" started by "MJ": I have dovecot shielded by fail2ban which works fine. But since a few days I see many many IPs per day knocking on my doors with wron password and/or users. But the rate at which they are knocking is very very low. So fail2ban will never catch them. For example one IP: Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,): unknown user Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,): pam_authenticate() failed: Authentication failure (password mismatch?) Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,): unknown user Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,): unknown user Note the timestamps. If I look the other way round (tries to one account) I'll get Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,): unknown user Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,): unknown user Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,): unknown user Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,): unknown user Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,): unknown user Also note the timestamps! And I see many many distinct IPs per day (a few hundred) trying many many existing and non-existings accounts. As you see in the timestamps in my examples, this can not be handled by fail2ban without affecting regular users with typos. Is anybody observing something similar ? Anybody an idea against this ? Many of these observed IPs are chinese mobile IPs, if this matters. But we have also chinese students and researchers all abroad. Regards, Olaf
under another kind of attack
Hi folks, "somehow" similar to the thread "under some kind oof attack" started by "MJ": I have dovecot shielded by fail2ban which works fine. But since a few days I see many many IPs per day knocking on my doors with wron password and/or users. But the rate at which they are knocking is very very low. So fail2ban will never catch them. For example one IP: Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,): unknown user Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,): pam_authenticate() failed: Authentication failure (password mismatch?) Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,): unknown user Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,): unknown user Note the timestamps. If I look the other way round (tries to one account) I'll get Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,): unknown user Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,): unknown user Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,): unknown user Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,): unknown user Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,): unknown user Also note the timestamps! And I see many many distinct IPs per day (a few hundred) trying many many existing and non-existings accounts. As you see in the timestamps in my examples, this can not be handled by fail2ban without affecting regular users with typos. Is anybody observing something similar ? Anybody an idea against this ? Many of these observed IPs are chinese mobile IPs, if this matters. But we have also chinese students and researchers all abroad. Regards, Olaf -- Karlsruher Institut für Technologie (KIT) ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik Dipl.-Geophys. Olaf Hopp - Leitung IT-Dienste - Am Fasanengarten 5, Gebäude 50.34, Raum 009 76131 Karlsruhe Telefon: +49 721 608-43973 Fax: +49 721 608-46699 E-Mail: olaf.h...@kit.edu atis.informatik.kit.edu www.kit.edu KIT – Die Forschungsuniversität in der Helmholtz-Gemeinschaft Das KIT ist seit 2010 als familiengerechte Hochschule zertifiziert. smime.p7s Description: S/MIME Cryptographic Signature
Re: failed to store into mailbox 'INBOX/Junk': Permission denied
I add a clarification: Now that I've commented out sieve Junk/Trash on "/etc/dovecot/conf.d/15-mailboxes.conf" mailbox Junk { special_use = \Junk } mailbox Trash { special_use = \Trash } remains a single account with permission issues, only one with write permissions controlled by the ACL plugin: plugin { acl = vfile:/etc/dovecot/dovecot-acl sieve = ~/.dovecot.sieve sieve_after = /etc/dovecot/sieve-after sieve_dir = ~/sieve } Many thanks again!
Re: Core dumped when authenticating to managesieve
Op 24-7-2017 om 7:31 schreef Aki Tuomi: On 21.07.2017 16:19, Kristjan Eentsalu wrote: Hey, I'm getting "Error in MANAGESIEVE command received by server." and service(managesieve-login) killed with signal 11 (core dumped) when doing two line autenticate(sogo) to managesieve(). # telnet localhost 4190 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. "IMPLEMENTATION" "Dovecot Pigeonhole" "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext editheader" "NOTIFY" "mailto" "SASL" "PLAIN" "VERSION" "1.0" OK "Dovecot ready." AUTHENTICATE "PLAIN" {52+} XX== NO "Error in MANAGESIEVE command received by server." AUTHENTICATE "PLAIN" {52+} < trying again Connection closed by foreign host. and after that in logs there is "dovecot: managesieve-login: Fatal: master: service(managesieve-login): child 38748 killed with signal 11 (core dumped)" One line autenticate works. # telnet localhost 4190 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. "IMPLEMENTATION" "Dovecot Pigeonhole" "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext editheader" "NOTIFY" "mailto" "SASL" "PLAIN" "VERSION" "1.0" OK "Dovecot ready." AUTHENTICATE "PLAIN" "XX==" OK "Logged in." OS: FreeBSD 11.1-RC3 Dovecot 2.2.31 , pigeonhole 0.4.19 Trace below GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "amd64-marcel-freebsd"...(no debugging symbols found)... warning: core file may not match specified executable file. Core was generated by `dovecot/managesieve-login'. Program terminated with signal 11, Segmentation fault. Reading symbols from /usr/local/lib/dovecot/libdovecot-login.so.0...done. Loaded symbols for /usr/local/lib/dovecot/libdovecot-login.so.0 Reading symbols from /usr/lib/libssl.so.8...done. Loaded symbols for /usr/lib/libssl.so.8 Reading symbols from /lib/libcrypto.so.8...done. Loaded symbols for /lib/libcrypto.so.8 Reading symbols from /usr/local/lib/dovecot/libdovecot.so.0...done. Loaded symbols for /usr/local/lib/dovecot/libdovecot.so.0 Reading symbols from /usr/lib/libkrb5.so.11...done. Loaded symbols for /usr/lib/libkrb5.so.11 Reading symbols from /usr/lib/libgssapi.so.10...done. Loaded symbols for /usr/lib/libgssapi.so.10 Reading symbols from /usr/lib/libgssapi_krb5.so.10...done. Loaded symbols for /usr/lib/libgssapi_krb5.so.10 Reading symbols from /lib/libc.so.7...done. Loaded symbols for /lib/libc.so.7 Reading symbols from /usr/lib/libasn1.so.11...done. Loaded symbols for /usr/lib/libasn1.so.11 Reading symbols from /usr/lib/libcom_err.so.5...done. Loaded symbols for /usr/lib/libcom_err.so.5 Reading symbols from /lib/libcrypt.so.5...done. Loaded symbols for /lib/libcrypt.so.5 Reading symbols from /usr/lib/libhx509.so.11...done. Loaded symbols for /usr/lib/libhx509.so.11 Reading symbols from /usr/lib/libroken.so.11...done. Loaded symbols for /usr/lib/libroken.so.11 Reading symbols from /usr/lib/libwind.so.11...done. Loaded symbols for /usr/lib/libwind.so.11 Reading symbols from /usr/lib/libheimbase.so.11...done. Loaded symbols for /usr/lib/libheimbase.so.11 Reading symbols from /usr/lib/libprivateheimipcc.so.11...done. Loaded symbols for /usr/lib/libprivateheimipcc.so.11 Reading symbols from /lib/libthr.so.3...done. Loaded symbols for /lib/libthr.so.3 Reading symbols from /libexec/ld-elf.so.1...done. Loaded symbols for /libexec/ld-elf.so.1 #0 i_stream_seek (stream=0x0, v_offset=80) at istream.c:296 296 istream.c: No such file or directory. in istream.c (gdb) bt full #0 i_stream_seek (stream=0x0, v_offset=80) at istream.c:296 _stream = (struct istream_private *) 0x5385e16 #1 0x0536937a in i_stream_limit_read (stream=0x767d540) at istream-limit.c:34 lstream = (struct limit_istream *) 0x767d540 left = 123848760 ret = 1 pos = 119265200 #2 0x0535f340 in i_stream_read (stream=0x767d5b0) at istream.c:174 _stream = (struct istream_private *) 0x767d540 old_size = 0 ret = 124244864 #3 0x053607ae in i_stream_read_data (stream=0x767d5b0, data_r=0x7fffe868, size_r=0x7fffe878, threshold=0) at istream.c:569 ret = 0 read_more = false #4 0x004038d1 in ?? () No
Re: vacation problem with SRS
Op 20-7-2017 om 20:24 schreef Kacper Guzik: I have this version with FIXME /* FIXME: If From header of message has same address, we should use that * instead to properly include the phrase part. */ rfc2822_header_printf(msg, "To", "<%s>", reply_to); This should be work ok? Or You must change something? I need to address the FIXME. Will do that when I have time in the coming week. Regards, Stephan. 2017-07-20 15:51 GMT+02:00 Stephan Bosch: Op 20-7-2017 om 10:37 schreef Kacper Guzik: Hi i have similiar problem like here: http://www.iredmail.org/forum/topic11833-iredmail-support-vo cation-respone-unknown-user.html email send : from : web...@gmail.com to : ja...@mail.com vocation sent back from : ja...@mail.com to : srs0=hmc8=v7=gmail.com=web...@mail.com postsrsd changing return-path from web...@gmail.com to srs0=hmc8=v7= gmail.com=web...@mail.com this is no problem for me but sieve: Vacation's messages are always addressed to the Return-Path address it is possible some how change this ugly to header to normal? I can't find anything on dovecot mailing lists Hmm, I think this relates to this FIXME: https://github.com/dovecot/pigeonhole/blob/master/src/lib- sieve/plugins/vacation/cmd-vacation.c#L951 Looks like I've been just lazy. Should be relatively easy to fix. Regards, Stephan.
Re: SIEVE: handling of lineending in fields
Op 22-7-2017 om 18:02 schreef Ingo Thierack: Hello, migrated von the mailserver from centos to alpine linux. Most parts are run well. dovecot 2.2.31 sieve: 0.4.19 But i fight with on behavior. I have an sieve script which pipes a few fields to an external script which send this data to an telegram-bot. the part of the sieve-script. if header :matches "Subject" "*" { set "subject" "${1}"; } if header :matches "from" "*" { set "from" "${1}"; } if header :matches "to" "*" { set "to" "${1}"; } foreverypart { if header :mime :type :is "Content-Type" "text" { extracttext :first 30 "msgcontent"; break; } } pipe :copy :try "notify.sh" [ "", "(${from})#${to}#${subject}", "\"${msgcontent}\"" ]; What i get now is an error about looks like encoding of the linefeeds. default: line 107: error: specified :args item `"test 4??"' is invalid. Here is sent a mail which contains in subject "test 4". or default: line 107: error: specified :args item `"?? ?? ??? ??? Oracle Magazine "' is invalid. Here is sent a mail which contains in subject "test 4". On centos this was never an problem. With alpine-linux this process is complete broken. Any hints, where to look and maybee fix thie behavior? Mybe its ab problem with the libmusl which used in alpine. This is nothing new: https://github.com/dovecot/pigeonhole/blob/master/doc/rfc/spec-bosch-sieve-extprograms.txt#L149 https://github.com/dovecot/pigeonhole/blob/master/src/plugins/sieve-extprograms/sieve-extprograms-common.c#L191 (code is at least 4 years old) I could add an option to allow newlines, but I am not sure that is a good idea per se. Regards, Stephan.
Re: failed to store into mailbox 'INBOX/Junk': Permission denied
For more clarity I also attach the content of "/etc/dovecot/conf.d/15-mailboxes.conf" # mailbox Junk { #special_use = \Junk # } # mailbox Trash { #special_use = \Trash # } mailbox INBOX/Junk { auto = subscribe special_use = \Junk } mailbox INBOX/Trash { auto = subscribe special_use = \Trash } Date: Mon, 24 Jul 2017 18:06:29 +0200 From: Christian KivaloPlease also provide your doveconf -n Here my Dovecot configuration (I've commented out "mailbox Junk" and "mailbox Trash" above) # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.5 ext4 auth_mechanisms = plain login cram-md5 mail_location = maildir:/var/vmail/%d/%n/Maildir mail_plugins = acl managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox INBOX/Junk { auto = subscribe special_use = \Junk } mailbox INBOX/Trash { auto = subscribe special_use = \Trash } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql } plugin { acl = vfile:/etc/dovecot/dovecot-acl sieve = ~/.dovecot.sieve sieve_after = /etc/dovecot/sieve-after sieve_dir = ~/sieve } protocols = " imap lmtp sieve pop3" service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } ssl_cert = ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA ssl_dh_parameters_length = 2048 ssl_key =
Re: Latest Virtual Plugin changes seem to have broken flag changes: 2.2.devel (bf2fa36)
* Thomas Leuxner2017.07.24 14:41: > https://github.com/dovecot/core/commit/88b2ef52690acf66a925e2470331a9cc7c4cd320 It looks like it only partially fixes the problem. If messages get read in a virtual mailbox they sync to the "original" mailbox. Changes to the "original" mailbox only seem to sync when new mail arrives to this mailbox where the flags then get updated in the virtual mailbox. Thomas signature.asc Description: PGP signature