Re: under another kind of attack

[Michael Starks]

On 2017-07-25 09:37, Olaf Hopp wrote:
But the rate at which they

are knocking
is very very low. So fail2ban will never catch them.

For example one IP:

Jul 25 14:03:17 irams1 dovecot: auth-worker(2212):
pam(eurodisc,101.231.247.210,): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047):
pam(gergei,101.231.247.210,): pam_authenticate()
failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379):
pam(icpe,101.231.247.210,): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250):
pam(endsulei,101.231.247.210,): unknown user


OSSEC has at least two ways of stopping these:

1. Repeat offenders option: this keeps track of the IP and increases the 
block time if they come back (within a defined timeframe).
2. You can simply overwrite the rule looking for repeated attempts from 
the same IP and increase the timeframe option to hours instead of 
minutes.




Note the timestamps.
If I look the other way round (tries to one account) I'll get

Jul 25 01:30:48 irams1 dovecot: auth-worker(11276):
pam(endsulei,60.166.12.117,): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276):
pam(endsulei,222.243.211.200,): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745):
pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747):
pam(endsulei,222.84.118.83,): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250):
pam(endsulei,101.231.247.210,): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933):
pam(endsulei,206.214.0.120,): unknown user

Also note the timestamps!


In this case, it looks like it's coming from several different IPs. If 
the IPs are in geographic regions which should never have a need to log 
in, you can deny them preemptively in rules.


You can also simply look for any attempt to authenticate to an unknown 
user and block that. It would be interesting to try to figure out a way 
to look for deviations from the normal naming convention, or perhaps try 
to identify something that looks random.


There are other options, as well. You can set up a CDB list with known 
bad IPs and populate them from threat lists of your choice.


All around, I think you'll find it much more capable and robust than 
fail2ban.


Disclaimer: I wrote the OSSEC Dovecot ruleset several years ago. I don't 
know if it is current (but I think it is being maintained).

Re: under another kind of attack

[Joseph Tam]

Olaf Hopp  writes:


I have dovecot shielded by fail2ban which works fine.  But since a few
days I see many many IPs per day knocking on my doors with wron
password and/or users.  But the rate at which they are knocking is very
very low.  So fail2ban will never catch them.


Slow roll distributed attacks.  Really hard to stop.


And I see many many distinct IPs per day (a few hundred) trying many
many existing and non-existings accounts.  As you see in the timestamps
in my examples, this can not be handled by fail2ban without affecting
regular users with typos.  Is anybody observing something similar ?


All the time, and to many services.  If you need to be fault tolerant,
you'll either have to set tolerant limits (allow reasonable number of
failures), or timeout features.  You could also track successful
logins as whitelisting entries for future logins.


Anybody an idea against this ? Many of these observed IPs are chinese
mobile IPs, if this matters.  But we have also chinese students and
researchers all abroad.


Nearly an intractable problem, especially since your users are embedded
in a notoriously infested network (as someone quipped, "like picking
marshmallows out from a pile of sh*t").

Some ideas:

- pre-emption (using third party RBLs that targets BFD)
- immediate blacklisting of known bad users/passwords
(e.g. "admin", "support", extinct users, etc.)
- persistent tracking storage: tracking in SQL, or
or large LRU list that can reach far enough back
in time.

(I think Aki mentioned weakforced which you can use instead if fail2ban
to implement some of these things.)

There are other solutions like alternate ports, port knocking, certificate
authentication, or VPN, but they are hard/impossible to do with a large
userbase, or have high setup/amortization costs.

If you have a enforced strong password policy, these brute forcers have
little chance of succeeding, so maybe the easiest cheapest policy is to
ignore it.

Joseph Tam 

Re: under another kind of attack

[Joseph Tam]

"mourik jan c heupink"  writes:


On 07/24/2017 04:51 AM, Joseph Tam wrote:> You are essentially writing your own 
backend by taking over

authentication.  You'll be accepting user/password inputs into your
checkpassword executable, then use the LDAP API (or some other system...snip
and source address, which will be adversely affect performance on a
busy server as authentication data cannot be cached.


While this sounds awesome, it can do much more than what I was/am after, and 
appears lot more complicated to setup than what I had figured myself.

Shouldn't I be able to do something like this:

passdb {
 driver = passwd-file
 # application specific passwd-file should work from anywhere
 # (so: no allow_nets)
 args = /etc/dovecot/dovecot-application-specific
}
passdb {
 # only allowed to use this from within local 192.168.1.0/24
 args = /etc/dovecot/dovecot-ldap.conf.ext allow_nets=192.168.1.0/24
 driver = ldap
}


Yes, that would take care of *one* of the items on your wishlist
(network specific passwords).  You also wanted time specific passwords.
And intelligent brute force detection.  And blacklist lookups.

Rather than cobbling together fail2ban, utility scripts, multiple passdbs,
firewall rules and whatever other system you'll need to recruit, I'm
suggesting you amortize the effort and pack it into one place, then you
can extend this to incorporate whatever your heart desires.

The complexity of implementing this reflects the complexity of your
requirements.  If you only had generic authentication needs, then the
dovecot supplied facilities would be perfect.  But you don't.


Where I would generate lines in dovecot-application-specific using a
script or some webpage, and generate lines like:

username1:randomONE:vmail:vmail::/var/vmail/username1:
username1:randomTWO:vmail:vmail::/var/vmail/username1:
username2:randomTHREE:vmail:vmail::/var/vmail/username2:
username2:randomFOUR:vmail:vmail::/var/vmail/username2:

And the result would be: username1 can login from anywhere, using
passwords "randomONE" & "randomTWO", plus the password in ldap when
coming from the internal network.


You'll probably need 3 passdb, LDAP and 2 fallback passwd-file dbs.

Joseph Tam 

Re: under another kind of attack

[Robert Schetterer]

Am 25.07.2017 um 16:54 schrieb mj:
> Hi Olaf,
> 
> Since we implemented country blocking, everything seems nicely under
> control, with only 'normal levels' of knocking.
> 
> We first have impemented:
> http://blog.jeshurun.ca/technology/block-countries-ubuntu-iptables-xtables-geoip
> 
> 
> Then we did:
> https://github.com/firehol/blocklist-ipsets

simply geoip blocking may work at your site
but it does not work for many other cases

> 
> And finale iptables rules like these:
> 
>> iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc
>> CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
>> iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc
>> MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
>> iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc
>> MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
>> iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc CR,MZ -j DROP
>>
>> iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc
>> CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
>> iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc
>> MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
>> iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc
>> MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
>> iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc CR,MZ -j DROP
>>
>> iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc
>> CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
>> iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc
>> MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
>> iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc
>> MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
>> iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc CR,MZ -j DROP
> 
> I tried to combine the various dports in one single rule, but that
> didn't seem to work. Perhaps someone here knows how to combine --match
> "geoip" and "multiport" in one single rule?
> 
> Anyway: for us these combined measures did the tric.
> 
> Users in one of the imap-blocked countries will have to use ActiveSync
> (works over https), the webmail-interface, or launch the VPN first.
> 
> This works for us.
> 
> Only one thing on my wishlist: application specific passwords. I would
> very much appreciate a respond on that thread... (posted yesterday
> evening, with a pseudo-dovecot-config file...)
> 
> Hope the above helps you a bit, Olaf.
> 
> MJ
> 
> On 07/25/2017 04:37 PM, Olaf Hopp wrote:
>> Hi folks,
>>
>> "somehow" similar to the thread "under some kind oof attack" started
>> by "MJ":
>>
>> I have dovecot shielded by fail2ban which works fine.
>> But since a few days I see many many IPs per day knocking on
>> my doors with wron password and/or users. But the rate at which they
>> are knocking
>> is very very low. So fail2ban will never catch them.
>>
>> For example one IP:
>>
>> Jul 25 14:03:17 irams1 dovecot: auth-worker(2212):
>> pam(eurodisc,101.231.247.210,): unknown user
>> Jul 25 15:16:36 irams1 dovecot: auth-worker(11047):
>> pam(gergei,101.231.247.210,): pam_authenticate()
>> failed: Authentication failure (password mismatch?)
>> Jul 25 16:08:51 irams1 dovecot: auth-worker(3379):
>> pam(icpe,101.231.247.210,): unknown user
>> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250):
>> pam(endsulei,101.231.247.210,): unknown user
>>
>> Note the timestamps.
>> If I look the other way round (tries to one account) I'll get
>>
>> Jul 25 01:30:48 irams1 dovecot: auth-worker(11276):
>> pam(endsulei,60.166.12.117,): unknown user
>> Jul 25 01:31:26 irams1 dovecot: auth-worker(11276):
>> pam(endsulei,222.243.211.200,): unknown user
>> Jul 25 13:29:22 irams1 dovecot: auth-worker(4745):
>> pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
>> Jul 25 13:30:27 irams1 dovecot: auth-worker(4747):
>> pam(endsulei,222.84.118.83,): unknown user
>> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250):
>> pam(endsulei,101.231.247.210,): unknown user
>> Jul 25 16:11:45 irams1 dovecot: auth-worker(5933):
>> pam(endsulei,206.214.0.120,): unknown user
>>
>> Also note the timestamps!
>>
>> And I see many many distinct IPs per day (a few hundred) trying many
>> many existing and non-existings accounts.
>> As you see in the timestamps in my examples, this can not be handled
>> by fail2ban without affecting
>> regular users with typos.
>> Is anybody observing something similar ?
>> Anybody an idea against this ?
>> Many of these observed IPs are chinese mobile IPs, if this matters.
>> But we have also chinese students and
>> researchers all abroad.
>>
>>
>> Regards,
>> Olaf
>>



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

Re: under another kind of attack

[Robert Schetterer]

Am 25.07.2017 um 16:37 schrieb Olaf Hopp:
> Hi folks,
> 
> "somehow" similar to the thread "under some kind oof attack" started by
> "MJ":
> 
> I have dovecot shielded by fail2ban which works fine.
> But since a few days I see many many IPs per day knocking on
> my doors with wron password and/or users. But the rate at which they are
> knocking
> is very very low. So fail2ban will never catch them.
> 
> For example one IP:
> 
> Jul 25 14:03:17 irams1 dovecot: auth-worker(2212):
> pam(eurodisc,101.231.247.210,): unknown user
> Jul 25 15:16:36 irams1 dovecot: auth-worker(11047):
> pam(gergei,101.231.247.210,): pam_authenticate()
> failed: Authentication failure (password mismatch?)
> Jul 25 16:08:51 irams1 dovecot: auth-worker(3379):
> pam(icpe,101.231.247.210,): unknown user
> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250):
> pam(endsulei,101.231.247.210,): unknown user
> 
> Note the timestamps.
> If I look the other way round (tries to one account) I'll get
> 
> Jul 25 01:30:48 irams1 dovecot: auth-worker(11276):
> pam(endsulei,60.166.12.117,): unknown user
> Jul 25 01:31:26 irams1 dovecot: auth-worker(11276):
> pam(endsulei,222.243.211.200,): unknown user
> Jul 25 13:29:22 irams1 dovecot: auth-worker(4745):
> pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
> Jul 25 13:30:27 irams1 dovecot: auth-worker(4747):
> pam(endsulei,222.84.118.83,): unknown user
> Jul 25 16:10:47 irams1 dovecot: auth-worker(4250):
> pam(endsulei,101.231.247.210,): unknown user
> Jul 25 16:11:45 irams1 dovecot: auth-worker(5933):
> pam(endsulei,206.214.0.120,): unknown user
> 
> Also note the timestamps!
> 
> And I see many many distinct IPs per day (a few hundred) trying many
> many existing and non-existings accounts.
> As you see in the timestamps in my examples, this can not be handled by
> fail2ban without affecting
> regular users with typos.
> Is anybody observing something similar ?


all the time ,since years, in my case its
always schema user xyz.abc
in my case all username without @ could be dropped at once
a regex deny should be fine, but i havent implemented/thinked of  it cause
it comming in small waves and mostly fail2ban stops it soon



> Anybody an idea against this ?
> Many of these observed IPs are chinese mobile IPs, if this matters. But
> we have also chinese students and
> researchers all abroad.
> 
> 
> Regards,
> Olaf
> 



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

Re: SIEVE: handling of lineending in fields

[Ingo Thierack]

On 25.07.2017 13:54, Stephan Bosch wrote:
>
>
> Op 22-7-2017 om 18:02 schreef Ingo Thierack:
>> Hello,
>>
>> migrated von the mailserver from centos to alpine linux. Most parts are
>> run well.
>>
>> dovecot 2.2.31
>> sieve: 0.4.19
>>
>> But i fight with on behavior.
>>
>> I have an sieve script which pipes a few fields to an external script
>> which send this data to an telegram-bot.
>>
>> the part of the sieve-script.
>>
>> if header :matches "Subject" "*" {
>>  set "subject" "${1}";
>> }
>> if header :matches "from" "*" {
>>  set "from" "${1}";
>> }
>> if header :matches "to" "*" {
>>  set "to" "${1}";
>> }
>>
>> foreverypart
>> {
>>  if header :mime :type :is "Content-Type" "text"
>>  {
>>   extracttext :first 30 "msgcontent";
>>   break;
>>  }
>> }
>>
>> pipe :copy :try "notify.sh" [ "", "(${from})#${to}#${subject}",
>> "\"${msgcontent}\"" ];
>>
>> What i get now is an error about looks like encoding of the linefeeds.
>>
>> default: line 107: error: specified :args item `"test 4??"' is invalid.
>>
>> Here is sent a mail which contains in subject "test 4".
>>
>> or
>> default: line 107: error: specified :args item `"?? ?? ??? ??? Oracle
>> Magazine "' is invalid.
>>
>> Here is sent a mail which contains in subject "test 4".
>>
>> On centos this was never an problem. With alpine-linux this process is
>> complete broken.
>>
>> Any hints, where to look and maybee fix thie behavior? Mybe its ab
>> problem with the libmusl which used in alpine.
>
> This is nothing new:
>
> https://github.com/dovecot/pigeonhole/blob/master/doc/rfc/spec-bosch-sieve-extprograms.txt#L149
>
> https://github.com/dovecot/pigeonhole/blob/master/src/plugins/sieve-extprograms/sieve-extprograms-common.c#L191
> (code is at least 4 years old)
>
> I could add an option to allow newlines, but I am not sure that is a
> good idea per se.
>
> Regards,
>
> Stephan.

What kind of problems are expected, if CR and LF are allowed? Maybe
there are other control chars which are also problematic. Think every
char below 0x20 could be. Should not be in a normal mail, but who knows

As of now, I have the code part, I'll try to create for my
installation/package a patch, which allows CR/LF, or if i see here an
problem replace it by an space.

So no general change necessary i think.


Regards,

Ingo






signature.asc
Description: OpenPGP digital signature

Re: last_logon SQL mapping

[Aki Tuomi]

> On July 22, 2017 at 4:42 PM viper  wrote:
> 
> 
> Hi
> 
> I have been attempting to do a mapping on the last_logon plugin. I have 
> been reading the documentation on mapping. is there any way to customise 
> a little more and create a individual SQL query for each of the 
> functions SELECT and UPDATE, my current SQL setup has the username and 
> domain in separate tables and my user_query and password_query are 
> concat which I do not believe can be defined in the dictionary map 
> process, I was also wanting to use datatime as the saved field but it 
> seems only the unix timestamp is used. If there is any way to create a 
> fully custom query that can be executed I believe this would allow me to 
> preform the action am looking for in the same manner as the user_query 
> and password_query
> 
> If anyone has any suggestions please let me know
> 
> Regards
> 
> Craig

Hi!

The last_login plugin uses dict interface to update the last login values, so 
custom SQL is not feasible to do. In your case it's probably best to use 
postlogin script instead, although it will make last login information less 
accurate.

Aki

last_logon SQL mapping

[viper]

Hi

I have been attempting to do a mapping on the last_logon plugin. I have 
been reading the documentation on mapping. is there any way to customise 
a little more and create a individual SQL query for each of the 
functions SELECT and UPDATE, my current SQL setup has the username and 
domain in separate tables and my user_query and password_query are 
concat which I do not believe can be defined in the dictionary map 
process, I was also wanting to use datatime as the saved field but it 
seems only the unix timestamp is used. If there is any way to create a 
fully custom query that can be executed I believe this would allow me to 
preform the action am looking for in the same manner as the user_query 
and password_query


If anyone has any suggestions please let me know

Regards

Craig

Re: under another kind of attack

[Tamsy]

Olaf Hopp wrote on 25.07.2017 16:37:

Hi folks,

"somehow" similar to the thread "under some kind oof attack" started 
by "MJ":


I have dovecot shielded by fail2ban which works fine.
But since a few days I see many many IPs per day knocking on
my doors with wron password and/or users. But the rate at which they 
are knocking

is very very low. So fail2ban will never catch them.

For example one IP:

Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): 
pam(eurodisc,101.231.247.210,): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): 
pam(gergei,101.231.247.210,): pam_authenticate() 
failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): 
pam(icpe,101.231.247.210,): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): 
pam(endsulei,101.231.247.210,): unknown user


Note the timestamps.
If I look the other way round (tries to one account) I'll get

Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): 
pam(endsulei,60.166.12.117,): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): 
pam(endsulei,222.243.211.200,): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): 
pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): 
pam(endsulei,222.84.118.83,): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): 
pam(endsulei,101.231.247.210,): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): 
pam(endsulei,206.214.0.120,): unknown user


Also note the timestamps!

And I see many many distinct IPs per day (a few hundred) trying many 
many existing and non-existings accounts.
As you see in the timestamps in my examples, this can not be handled 
by fail2ban without affecting

regular users with typos.
Is anybody observing something similar ?
Anybody an idea against this ?
Many of these observed IPs are chinese mobile IPs, if this matters. 
But we have also chinese students and

researchers all abroad.


Regards,
Olaf



For those "unknown user" attacks on Dovecot we use a rule we named 
"dovecot-unknownusers.conf" with Fail2Ban:



failregex = ^%(__prefix_line)sauth-worker\(\d+\): 
(pam|sql)\(\S+,\): unknown user\s*$



"findtime" we set to 5400 (90 minutes) with "maxretry" set to 2.

Works pretty well to block those pesty slow pace attacks.

Re: under another kind of attack

[Darac Marjal]

On Tue, Jul 25, 2017 at 04:37:23PM +0200, Olaf Hopp wrote:

Hi folks,

"somehow" similar to the thread "under some kind oof attack" started by "MJ":

I have dovecot shielded by fail2ban which works fine.
But since a few days I see many many IPs per day knocking on
my doors with wron password and/or users. But the rate at which they are 
knocking
is very very low. So fail2ban will never catch them.


Of course it will. You just need to set the "findtime" high enough.
Personally, on my very quiet home server, I have findtime set to 7200 (2
hours) and maxretry set to 5, meaning that if a host fails to
authenticate 5 times in two hours, they're banned (I have a fairly harsh
ban time of a week, so that stops them coming back too soon).



For example one IP:

Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): 
pam(eurodisc,101.231.247.210,): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): 
pam(gergei,101.231.247.210,): pam_authenticate() failed: 
Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): 
pam(icpe,101.231.247.210,): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): 
pam(endsulei,101.231.247.210,): unknown user

Note the timestamps.
If I look the other way round (tries to one account) I'll get

Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): 
pam(endsulei,60.166.12.117,): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): 
pam(endsulei,222.243.211.200,): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): 
pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): 
pam(endsulei,222.84.118.83,): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): 
pam(endsulei,101.231.247.210,): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): 
pam(endsulei,206.214.0.120,): unknown user

Also note the timestamps!

And I see many many distinct IPs per day (a few hundred) trying many many 
existing and non-existings accounts.
As you see in the timestamps in my examples, this can not be handled by 
fail2ban without affecting
regular users with typos.
Is anybody observing something similar ?
Anybody an idea against this ?
Many of these observed IPs are chinese mobile IPs, if this matters. But we have 
also chinese students and
researchers all abroad.


Regards,
Olaf

--
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik

Dipl.-Geophys. Olaf Hopp
- Leitung IT-Dienste -

Am Fasanengarten 5, Gebäude 50.34, Raum 009
76131 Karlsruhe
Telefon: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: olaf.h...@kit.edu
atis.informatik.kit.edu

www.kit.edu

KIT – Die Forschungsuniversität in der Helmholtz-Gemeinschaft

Das KIT ist seit 2010 als familiengerechte Hochschule zertifiziert.






--
For more information, please reread.


signature.asc
Description: PGP signature

Re: under another kind of attack

[mj]

Hi Olaf,

Since we implemented country blocking, everything seems nicely under 
control, with only 'normal levels' of knocking.


We first have impemented:
http://blog.jeshurun.ca/technology/block-countries-ubuntu-iptables-xtables-geoip

Then we did:
https://github.com/firehol/blocklist-ipsets

And finale iptables rules like these:


iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc 
CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc 
MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc 
MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc CR,MZ -j DROP

iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc 
CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc 
MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc 
MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc CR,MZ -j DROP

iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc 
CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc 
MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc 
MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc CR,MZ -j DROP


I tried to combine the various dports in one single rule, but that 
didn't seem to work. Perhaps someone here knows how to combine --match 
"geoip" and "multiport" in one single rule?


Anyway: for us these combined measures did the tric.

Users in one of the imap-blocked countries will have to use ActiveSync 
(works over https), the webmail-interface, or launch the VPN first.


This works for us.

Only one thing on my wishlist: application specific passwords. I would 
very much appreciate a respond on that thread... (posted yesterday 
evening, with a pseudo-dovecot-config file...)


Hope the above helps you a bit, Olaf.

MJ

On 07/25/2017 04:37 PM, Olaf Hopp wrote:

Hi folks,

"somehow" similar to the thread "under some kind oof attack" started by 
"MJ":


I have dovecot shielded by fail2ban which works fine.
But since a few days I see many many IPs per day knocking on
my doors with wron password and/or users. But the rate at which they are 
knocking

is very very low. So fail2ban will never catch them.

For example one IP:

Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): 
pam(eurodisc,101.231.247.210,): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): 
pam(gergei,101.231.247.210,): pam_authenticate() 
failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): 
pam(icpe,101.231.247.210,): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): 
pam(endsulei,101.231.247.210,): unknown user


Note the timestamps.
If I look the other way round (tries to one account) I'll get

Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): 
pam(endsulei,60.166.12.117,): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): 
pam(endsulei,222.243.211.200,): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): 
pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): 
pam(endsulei,222.84.118.83,): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): 
pam(endsulei,101.231.247.210,): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): 
pam(endsulei,206.214.0.120,): unknown user


Also note the timestamps!

And I see many many distinct IPs per day (a few hundred) trying many 
many existing and non-existings accounts.
As you see in the timestamps in my examples, this can not be handled by 
fail2ban without affecting

regular users with typos.
Is anybody observing something similar ?
Anybody an idea against this ?
Many of these observed IPs are chinese mobile IPs, if this matters. But 
we have also chinese students and

researchers all abroad.


Regards,
Olaf

under another kind of attack

[Olaf Hopp]

Hi folks,

"somehow" similar to the thread "under some kind oof attack" started by "MJ":

I have dovecot shielded by fail2ban which works fine.
But since a few days I see many many IPs per day knocking on
my doors with wron password and/or users. But the rate at which they are 
knocking
is very very low. So fail2ban will never catch them.

For example one IP:

Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): 
pam(eurodisc,101.231.247.210,): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): 
pam(gergei,101.231.247.210,): pam_authenticate() failed: 
Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): 
pam(icpe,101.231.247.210,): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): 
pam(endsulei,101.231.247.210,): unknown user

Note the timestamps.
If I look the other way round (tries to one account) I'll get

Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): 
pam(endsulei,60.166.12.117,): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): 
pam(endsulei,222.243.211.200,): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): 
pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): 
pam(endsulei,222.84.118.83,): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): 
pam(endsulei,101.231.247.210,): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): 
pam(endsulei,206.214.0.120,): unknown user

Also note the timestamps!

And I see many many distinct IPs per day (a few hundred) trying many many 
existing and non-existings accounts.
As you see in the timestamps in my examples, this can not be handled by 
fail2ban without affecting
regular users with typos.
Is anybody observing something similar ?
Anybody an idea against this ?
Many of these observed IPs are chinese mobile IPs, if this matters. But we have 
also chinese students and
researchers all abroad.


Regards,
Olaf

--
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik

Dipl.-Geophys. Olaf Hopp
- Leitung IT-Dienste -

Am Fasanengarten 5, Gebäude 50.34, Raum 009
76131 Karlsruhe
Telefon: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: olaf.h...@kit.edu
atis.informatik.kit.edu

www.kit.edu

KIT – Die Forschungsuniversität in der Helmholtz-Gemeinschaft

Das KIT ist seit 2010 als familiengerechte Hochschule zertifiziert.




smime.p7s
Description: S/MIME Cryptographic Signature

Re: failed to store into mailbox 'INBOX/Junk': Permission denied

[Davide Marchi]

I add a clarification:

Now that I've commented out sieve Junk/Trash on 
"/etc/dovecot/conf.d/15-mailboxes.conf"



  mailbox Junk
{ special_use = \Junk
  }
  mailbox Trash
{ special_use = \Trash
  }



remains a single account with permission issues, only one with write 
permissions controlled by the ACL plugin:




   plugin {
 acl = vfile:/etc/dovecot/dovecot-acl
 sieve = ~/.dovecot.sieve
 sieve_after = /etc/dovecot/sieve-after
 sieve_dir = ~/sieve
   }



Many thanks again!

Re: Core dumped when authenticating to managesieve

[Stephan Bosch]

Op 24-7-2017 om 7:31 schreef Aki Tuomi:


On 21.07.2017 16:19, Kristjan Eentsalu wrote:

Hey,

I'm getting "Error in MANAGESIEVE command received by server." and
  service(managesieve-login) killed with signal 11 (core dumped)  when doing
two line autenticate(sogo) to managesieve().

# telnet localhost 4190
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress
comparator-i;ascii-numeric relational regex imap4flags copy include
variables body enotify environment mailbox date index ihave duplicate mime
foreverypart extracttext editheader"
"NOTIFY" "mailto"
"SASL" "PLAIN"
"VERSION" "1.0"
OK "Dovecot ready."
AUTHENTICATE "PLAIN" {52+}
XX==
NO "Error in MANAGESIEVE command received by server."
AUTHENTICATE "PLAIN" {52+}  < trying again
Connection closed by foreign host.

and after that in logs there is "dovecot: managesieve-login: Fatal: master:
service(managesieve-login): child 38748 killed with signal 11 (core dumped)"


One line autenticate works.

# telnet localhost 4190
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress
comparator-i;ascii-numeric relational regex imap4flags copy include
variables body enotify environment mailbox date index ihave duplicate mime
foreverypart extracttext editheader"
"NOTIFY" "mailto"
"SASL" "PLAIN"
"VERSION" "1.0"
OK "Dovecot ready."
AUTHENTICATE "PLAIN" "XX=="
OK "Logged in."


OS: FreeBSD 11.1-RC3
Dovecot 2.2.31 , pigeonhole 0.4.19

Trace below

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...(no debugging symbols
found)...

warning: core file may not match specified executable file.
Core was generated by `dovecot/managesieve-login'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/local/lib/dovecot/libdovecot-login.so.0...done.
Loaded symbols for /usr/local/lib/dovecot/libdovecot-login.so.0
Reading symbols from /usr/lib/libssl.so.8...done.
Loaded symbols for /usr/lib/libssl.so.8
Reading symbols from /lib/libcrypto.so.8...done.
Loaded symbols for /lib/libcrypto.so.8
Reading symbols from /usr/local/lib/dovecot/libdovecot.so.0...done.
Loaded symbols for /usr/local/lib/dovecot/libdovecot.so.0
Reading symbols from /usr/lib/libkrb5.so.11...done.
Loaded symbols for /usr/lib/libkrb5.so.11
Reading symbols from /usr/lib/libgssapi.so.10...done.
Loaded symbols for /usr/lib/libgssapi.so.10
Reading symbols from /usr/lib/libgssapi_krb5.so.10...done.
Loaded symbols for /usr/lib/libgssapi_krb5.so.10
Reading symbols from /lib/libc.so.7...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /usr/lib/libasn1.so.11...done.
Loaded symbols for /usr/lib/libasn1.so.11
Reading symbols from /usr/lib/libcom_err.so.5...done.
Loaded symbols for /usr/lib/libcom_err.so.5
Reading symbols from /lib/libcrypt.so.5...done.
Loaded symbols for /lib/libcrypt.so.5
Reading symbols from /usr/lib/libhx509.so.11...done.
Loaded symbols for /usr/lib/libhx509.so.11
Reading symbols from /usr/lib/libroken.so.11...done.
Loaded symbols for /usr/lib/libroken.so.11
Reading symbols from /usr/lib/libwind.so.11...done.
Loaded symbols for /usr/lib/libwind.so.11
Reading symbols from /usr/lib/libheimbase.so.11...done.
Loaded symbols for /usr/lib/libheimbase.so.11
Reading symbols from /usr/lib/libprivateheimipcc.so.11...done.
Loaded symbols for /usr/lib/libprivateheimipcc.so.11
Reading symbols from /lib/libthr.so.3...done.
Loaded symbols for /lib/libthr.so.3
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  i_stream_seek (stream=0x0, v_offset=80) at istream.c:296
296 istream.c: No such file or directory.
 in istream.c
(gdb) bt full
#0  i_stream_seek (stream=0x0, v_offset=80) at istream.c:296
 _stream = (struct istream_private *) 0x5385e16
#1  0x0536937a in i_stream_limit_read (stream=0x767d540) at
istream-limit.c:34
 lstream = (struct limit_istream *) 0x767d540
 left = 123848760
 ret = 1
 pos = 119265200
#2  0x0535f340 in i_stream_read (stream=0x767d5b0) at istream.c:174
 _stream = (struct istream_private *) 0x767d540
 old_size = 0
 ret = 124244864
#3  0x053607ae in i_stream_read_data (stream=0x767d5b0,
data_r=0x7fffe868, size_r=0x7fffe878, threshold=0) at istream.c:569
 ret = 0
 read_more = false
#4  0x004038d1 in ?? ()
No 

Re: vacation problem with SRS

[Stephan Bosch]

Op 20-7-2017 om 20:24 schreef Kacper Guzik:

I have this version with FIXME


 /* FIXME: If From header of message has same address, we should use
that

  * instead to properly include the phrase part.

  */

 rfc2822_header_printf(msg, "To", "<%s>", reply_to);



This should be work ok? Or You must change something?


I need to address the FIXME. Will do that when I have time in the coming 
week.


Regards,

Stephan.


2017-07-20 15:51 GMT+02:00 Stephan Bosch :



Op 20-7-2017 om 10:37 schreef Kacper Guzik:

Hi i have similiar problem like here:

http://www.iredmail.org/forum/topic11833-iredmail-support-vo
cation-respone-unknown-user.html


email send :
from : web...@gmail.com
to : ja...@mail.com

vocation sent back
from : ja...@mail.com
to : srs0=hmc8=v7=gmail.com=web...@mail.com



postsrsd changing return-path from web...@gmail.com to srs0=hmc8=v7=
gmail.com=web...@mail.com

this is no problem for me but  sieve:

Vacation's messages are always addressed to the Return-Path address

it is possible some how change this ugly to header to normal?

I can't find anything on dovecot mailing lists


Hmm,

I think this relates to this FIXME:

https://github.com/dovecot/pigeonhole/blob/master/src/lib-
sieve/plugins/vacation/cmd-vacation.c#L951

Looks like I've been just lazy. Should be relatively easy to fix.

Regards,

Stephan.

Re: SIEVE: handling of lineending in fields

[Stephan Bosch]

Op 22-7-2017 om 18:02 schreef Ingo Thierack:

Hello,

migrated von the mailserver from centos to alpine linux. Most parts are
run well.

dovecot 2.2.31
sieve: 0.4.19

But i fight with on behavior.

I have an sieve script which pipes a few fields to an external script
which send this data to an telegram-bot.

the part of the sieve-script.

if header :matches "Subject" "*" {
 set "subject" "${1}";
}
if header :matches "from" "*" {
 set "from" "${1}";
}
if header :matches "to" "*" {
 set "to" "${1}";
}

foreverypart
{
 if header :mime :type :is "Content-Type" "text"
 {
  extracttext :first 30 "msgcontent";
  break;
 }
}

pipe :copy :try "notify.sh" [ "", "(${from})#${to}#${subject}",
"\"${msgcontent}\"" ];

What i get now is an error about looks like encoding of the linefeeds.

default: line 107: error: specified :args item `"test 4??"' is invalid.

Here is sent a mail which contains in subject "test 4".

or
default: line 107: error: specified :args item `"?? ?? ??? ??? Oracle
Magazine "' is invalid.

Here is sent a mail which contains in subject "test 4".

On centos this was never an problem. With alpine-linux this process is
complete broken.

Any hints, where to look and maybee fix thie behavior? Mybe its ab
problem with the libmusl which used in alpine.


This is nothing new:

https://github.com/dovecot/pigeonhole/blob/master/doc/rfc/spec-bosch-sieve-extprograms.txt#L149
https://github.com/dovecot/pigeonhole/blob/master/src/plugins/sieve-extprograms/sieve-extprograms-common.c#L191 
(code is at least 4 years old)


I could add an option to allow newlines, but I am not sure that is a 
good idea per se.


Regards,

Stephan.

Re: failed to store into mailbox 'INBOX/Junk': Permission denied

[Davide Marchi]

For more clarity I also attach the content of
"/etc/dovecot/conf.d/15-mailboxes.conf"


#  mailbox Junk {
#special_use = \Junk
#  }
#  mailbox Trash {
#special_use = \Trash
#  }
  mailbox INBOX/Junk {
  auto = subscribe
  special_use = \Junk
  }
  mailbox INBOX/Trash {
  auto = subscribe
  special_use = \Trash
  }




  Date: Mon, 24 Jul 2017 18:06:29 +0200
  From: Christian Kivalo 

  Please also provide your doveconf -n


Here my Dovecot configuration (I've commented out "mailbox Junk" and 
"mailbox Trash" above)


# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.5 ext4
auth_mechanisms = plain login cram-md5
mail_location = maildir:/var/vmail/%d/%n/Maildir
mail_plugins = acl
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date ihave

namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox INBOX/Junk {
auto = subscribe
special_use = \Junk
  }
  mailbox INBOX/Trash {
auto = subscribe
special_use = \Trash
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile:/etc/dovecot/dovecot-acl
  sieve = ~/.dovecot.sieve
  sieve_after = /etc/dovecot/sieve-after
  sieve_dir = ~/sieve
}
protocols = " imap lmtp sieve pop3"
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
  }
}
ssl_cert = ssl_cipher_list = 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

ssl_dh_parameters_length = 2048
ssl_key = 

Re: Latest Virtual Plugin changes seem to have broken flag changes: 2.2.devel (bf2fa36)

[Thomas Leuxner]

* Thomas Leuxner  2017.07.24 14:41:

> https://github.com/dovecot/core/commit/88b2ef52690acf66a925e2470331a9cc7c4cd320

It looks like it only partially fixes the problem. If messages get read in a 
virtual mailbox they sync to the "original" mailbox. Changes to the "original" 
mailbox only seem to sync when new mail arrives to this mailbox where the flags 
then get updated in the virtual mailbox.

Thomas


signature.asc
Description: PGP signature