Re: function for whitelisting IPs
On 15/07/2021 20.03, Gerald Galster wrote: I have a better idea: Have a function for whitelisting IPs, possible /24's or similiar, where a login to roundcube or other webmail client (with 2FA) will add the IP onto a whitelist for that account. You could do that with fail2ban. eg https://www.the-art-of-web.com/system/fail2ban-action-whitelist/ P.
Re: Sv: Sv: function for whitelisting IPs
You can get away with a lot for a personal server that wouldn't be acceptable for a general purpose email server such as the need to move the fence. In my case, I don't allow anything on the email server to be altered with a browser interface. It is either ssh or nothing. Browsers get more complicated as time goes on and security is inversely related to complexity. I use MUAs for all my email. Less is more. I totally get why 2FA is useful. But if you are practicing good security hygiene, the advantage is less than you think. All my passwords are 20 characters randomly generated and unique for everything, not just email. So there is no risk from password reuse. 2FA is really only useful if your personal devices have been breached and the plain text passwords are exposed. So to be totally effective the 2FA should come from a hardware device like a Ubikey or similar. What I have done is to use the 2FA with financial institutions. So I block the hackers where it matters. I can't stop attempts at my accounts being spoofed, but I can stop the hackers where is matters. Use DKIM and hope those getting your email check it. But if there was a friction free means of adding 2FA to email, I would do it. But it would have to be in the MUA and be supported by postfix and dovecot. The OTP code is done. I have played with FreeOTP and associated Linux program to recognize the token. (Name escapes me.) You just need everyone to agree on how to glue it all together. Original Message From: sebast...@sebbe.eu Sent: July 15, 2021 11:26 AM To: dovecot@dovecot.org Reply-to: dovecot@dovecot.org Subject: Sv: Sv: function for whitelisting IPs Yeah the idea was to use roundcube or other web service to add kind of "auth service" or "unlock service" where you can auth with 2FA to move the geofence or permit additional IPs in geofence. For example, if you are travelling or otherwise need to enable your account for a "outsider IP". This could be a simple webpage asking for username and 2FA code, and all it does it adds the IP to auth list. But could be a full roundcube or other webmail solution too, to give more usefullness to the web login solution if you don't have a imap/smtp client for now. I don't use 587 myself, but instead, I have set so auth is only permitted on port 25 for authorized IPs (auth_advertise_hosts in exim), thus the server will refuse to allow outsiders to authenticate. In combination with some other policies, my server is practically rock solid. -Ursprungligt meddelande- Från: dovecot-boun...@dovecot.org För lists Skickat: den 15 juli 2021 20:09 Till: 'Mailing List' Ämne: Re: Sv: function for whitelisting IPs I run a personal email server. I can't emphasize enough how geofencing has reduced the useless hacking on my email server. I only leave port 25 open to the world. I use port 587. I maintain a list of hosting companies that I block from using my web server since they are just going to scrape anyway. I also keep that IP space off of my email other than port 25. Firewalls use memory but tend to be very light on the CPU other than when you first start up the firewall. I assume they take the deny list and create a table in RAM to efficiently block IPs. I have found that dynamic IP blocking programs such as sshguard or fail2ban are a CPU burden since that table needs to be refreshed as new IPs are added or removed so I have stopped using them. Not that the programs themselves are CPU intensive, but they cause the firewall to be CPU intensive. I am considering using sshguard again but with a very high threshold to add an IP to the deny list. Regarding attempts to add 2FA by using RoundCube or similar web based email, I think those programs just increase the attack surface. When I used a hosting service I was hacked by an unpatched exploit in RoundCube. Original Message From: sebast...@sebbe.eu Sent: July 15, 2021 3:55 AM To: dovecot@dovecot.org Reply-to: dovecot@dovecot.org Subject: Sv: function for whitelisting IPs Most such functions would need to be custom. You need to write a custom login script, which also accepts the user's IP as input to a function, which then checks if password is right. And then it returns that password is invalid if IP isn't approved. Then you just need to write some custom functions in roundcube or similiar to have the webmail insert the IP into a database. Or just match it against a GeoIP database and save the latest country the webmail was logged in from, and then SMTP/IMAP is only approved for that country. That reduces the attack surface greatly. -Ursprungligt meddelande- Från: dovecot-boun...@dovecot.org För White, Daniel E. (GSFC-770.0)[NICS] Skickat: den 15 juli 2021 12:21 Till: Dovecot Mailing List Ämne: function for whitelisting IPs Sebastian, Do you have any examples of such a function and how/where it is used ? -Origi
Re: function for whitelisting IPs
> I run a personal email server. I can't emphasize enough how geofencing has > reduced the useless hacking on my email server. I only leave port 25 open to > the world. I use port 587. Unfortunately that's not an option for commercial mailservers. You have to be open to communicate with the world. Geofencing might be inaccurate. Often this data is extracted from ip-net registrations - the country where the company resides that registered that net might not be where the servers are located. There are services like maxmind that are more accurate but are not free. > Firewalls use memory but tend to be very light on the CPU other than when you > first start up the firewall. I assume they take the deny list and create a > table in RAM to efficiently block IPs. I have found that This depends on how your firewall works. A standard linux firewall processes iptables rules one after another. With a lot of rules and high traffic this can cause very high cpu usage. In case you're using ipsets (like a hashmap) that is not the case. There's also a difference if you block single ips or whole subnets. > dynamic IP blocking programs such as sshguard or fail2ban are a CPU burden > since that table needs to be refreshed as new IPs are added or removed so I > have stopped using them. Not that the programs themselves are CPU intensive, > but they cause the firewall to be CPU intensive. I am considering using > sshguard again but with a very high threshold to add an IP to the deny list. It's not that cpu intensive when using ipsets. On the other hand fail2ban itself uses quite some cpu and memory (sqlite databases can get large). I haven't been using fail2ban because of that, so I don't know if the situation has improved. > Regarding attempts to add 2FA by using RoundCube or similar web based email, > I think those programs just increase the attack surface. When I used a > hosting service I was hacked by an unpatched exploit in RoundCube. Programs like fail2ban do not increase the attack surface under normal circumstances. They just scan logs and add firewall rules, which does not cost very much when using ipsets. I'm very interested which roundcube bug that was, using roundcube myself. Can you have a look at the cve list, please: https://www.cvedetails.com/vulnerability-list/vendor_id-8905/Roundcube.html Best regards Gerald
Sv: Sv: function for whitelisting IPs
Yeah the idea was to use roundcube or other web service to add kind of "auth
service" or "unlock service" where you can auth with 2FA to move the geofence
or permit additional IPs in geofence. For example, if you are travelling or
otherwise need to enable your account for a "outsider IP".
This could be a simple webpage asking for username and 2FA code, and all it
does it adds the IP to auth list. But could be a full roundcube or other
webmail solution too, to give more usefullness to the web login solution if you
don't have a imap/smtp client for now.
I don't use 587 myself, but instead, I have set so auth is only permitted on
port 25 for authorized IPs (auth_advertise_hosts in exim), thus the server will
refuse to allow outsiders to authenticate.
In combination with some other policies, my server is practically rock solid.
-Ursprungligt meddelande-
Från: dovecot-boun...@dovecot.org För lists
Skickat: den 15 juli 2021 20:09
Till: 'Mailing List'
Ämne: Re: Sv: function for whitelisting IPs
I run a personal email server. I can't emphasize enough how geofencing has
reduced the useless hacking on my email server. I only leave port 25 open to
the world. I use port 587.
I maintain a list of hosting companies that I block from using my web server
since they are just going to scrape anyway. I also keep that IP space off of my
email other than port 25.
Firewalls use memory but tend to be very light on the CPU other than when you
first start up the firewall. I assume they take the deny list and create a
table in RAM to efficiently block IPs. I have found that dynamic IP blocking
programs such as sshguard or fail2ban are a CPU burden since that table needs
to be refreshed as new IPs are added or removed so I have stopped using them.
Not that the programs themselves are CPU intensive, but they cause the firewall
to be CPU intensive. I am considering using sshguard again but with a very high
threshold to add an IP to the deny list.
Regarding attempts to add 2FA by using RoundCube or similar web based email, I
think those programs just increase the attack surface. When I used a hosting
service I was hacked by an unpatched exploit in RoundCube.
Original Message
From: sebast...@sebbe.eu
Sent: July 15, 2021 3:55 AM
To: dovecot@dovecot.org
Reply-to: dovecot@dovecot.org
Subject: Sv: function for whitelisting IPs
Most such functions would need to be custom.
You need to write a custom login script, which also accepts the user's IP as
input to a function, which then checks if password is right.
And then it returns that password is invalid if IP isn't approved.
Then you just need to write some custom functions in roundcube or similiar to
have the webmail insert the IP into a database.
Or just match it against a GeoIP database and save the latest country the
webmail was logged in from, and then SMTP/IMAP is only approved for that
country.
That reduces the attack surface greatly.
-Ursprungligt meddelande-
Från: dovecot-boun...@dovecot.org För White,
Daniel E. (GSFC-770.0)[NICS]
Skickat: den 15 juli 2021 12:21
Till: Dovecot Mailing List
Ämne: function for whitelisting IPs
Sebastian,
Do you have any examples of such a function and how/where it is used ?
-Original Message-
From: dovecot on behalf of Sebastian
Reply-To: Dovecot Mailing List
Date: Thursday, July 15, 2021 at 01:19
To: 'Mailing List'
Subject: [EXTERNAL] Sv: 2FA/MFA with IMAP & postfix/submission
Main problem is that not many clients do natively support multifactor.
Some clients, do popup a login dialog if the server rejects the password as
invalid, which can be used to create a "cheaty variant" of multifactor, but
some clients just popup an error dialog and tell the user to just correct
password in settings.
Some clients even go as long as requiring the user to delete the account
with wrong password and set up a new connection.
So no, it cannot be relied upon.
I have a better idea:
Have a function for whitelisting IPs, possible /24's or similiar, where a
login to roundcube or other webmail client (with 2FA) will add the IP onto a
whitelist for that account.
Or perhaps, just "set" the country of the account based on GeoIP.
When an account tries to login via IMAP or SMTP, you just check if IP
and/or GeoIP country is right, and reject the login as invalid if so not.
The only thing a client needs to do to get his IMAP or SMTP client to work
again if it stops working, is to login once via the web client.
-Ursprungligt meddelande-
Från: dovecot-boun...@dovecot.org För Alex
Skickat: den 15 juli 2021 02:10
Till: dovecot@dovecot.org
Ämne: 2FA/MFA with IMAP & postfix/submission
Hi, I have a dovecot-2.3.13 system on fedora34 with a few hundred
IMAP4 accounts, as well as postfix users using submission. Clients are
using primarily Out
Re: Sv: function for whitelisting IPs
I have found that dynamic IP blocking programs such as sshguard or fail2ban are a CPU burden since that table needs to be refreshed as new IPs are added or removed so I have stopped using them. Have you seen ipset? https://ipset.netfilter.org/ It is built for dynamically adding/remove IP's from a firewall without changing a table or rules or reloading the firewall. It holds a hashmap in memory of what IP's to block and integrates into the kernel. However you have to build your own mouse trap to use it. I don't know of anything out of the box that would automatically add IP's to it, i wrote my own script that gets fed log lines from rsyslog to do it.
Re: Sv: function for whitelisting IPs
I run a personal email server. I can't emphasize enough how geofencing has reduced the useless hacking on my email server. I only leave port 25 open to the world. I use port 587. I maintain a list of hosting companies that I block from using my web server since they are just going to scrape anyway. I also keep that IP space off of my email other than port 25. Firewalls use memory but tend to be very light on the CPU other than when you first start up the firewall. I assume they take the deny list and create a table in RAM to efficiently block IPs. I have found that dynamic IP blocking programs such as sshguard or fail2ban are a CPU burden since that table needs to be refreshed as new IPs are added or removed so I have stopped using them. Not that the programs themselves are CPU intensive, but they cause the firewall to be CPU intensive. I am considering using sshguard again but with a very high threshold to add an IP to the deny list. Regarding attempts to add 2FA by using RoundCube or similar web based email, I think those programs just increase the attack surface. When I used a hosting service I was hacked by an unpatched exploit in RoundCube. Original Message From: sebast...@sebbe.eu Sent: July 15, 2021 3:55 AM To: dovecot@dovecot.org Reply-to: dovecot@dovecot.org Subject: Sv: function for whitelisting IPs Most such functions would need to be custom. You need to write a custom login script, which also accepts the user's IP as input to a function, which then checks if password is right. And then it returns that password is invalid if IP isn't approved. Then you just need to write some custom functions in roundcube or similiar to have the webmail insert the IP into a database. Or just match it against a GeoIP database and save the latest country the webmail was logged in from, and then SMTP/IMAP is only approved for that country. That reduces the attack surface greatly. -Ursprungligt meddelande- Från: dovecot-boun...@dovecot.org För White, Daniel E. (GSFC-770.0)[NICS] Skickat: den 15 juli 2021 12:21 Till: Dovecot Mailing List Ämne: function for whitelisting IPs Sebastian, Do you have any examples of such a function and how/where it is used ? -Original Message- From: dovecot on behalf of Sebastian Reply-To: Dovecot Mailing List Date: Thursday, July 15, 2021 at 01:19 To: 'Mailing List' Subject: [EXTERNAL] Sv: 2FA/MFA with IMAP & postfix/submission Main problem is that not many clients do natively support multifactor. Some clients, do popup a login dialog if the server rejects the password as invalid, which can be used to create a "cheaty variant" of multifactor, but some clients just popup an error dialog and tell the user to just correct password in settings. Some clients even go as long as requiring the user to delete the account with wrong password and set up a new connection. So no, it cannot be relied upon. I have a better idea: Have a function for whitelisting IPs, possible /24's or similiar, where a login to roundcube or other webmail client (with 2FA) will add the IP onto a whitelist for that account. Or perhaps, just "set" the country of the account based on GeoIP. When an account tries to login via IMAP or SMTP, you just check if IP and/or GeoIP country is right, and reject the login as invalid if so not. The only thing a client needs to do to get his IMAP or SMTP client to work again if it stops working, is to login once via the web client. -Ursprungligt meddelande- Från: dovecot-boun...@dovecot.org För Alex Skickat: den 15 juli 2021 02:10 Till: dovecot@dovecot.org Ämne: 2FA/MFA with IMAP & postfix/submission Hi, I have a dovecot-2.3.13 system on fedora34 with a few hundred IMAP4 accounts, as well as postfix users using submission. Clients are using primarily Outlook on Windows and old squirrelmail. Are there multi-factor options available? If it is not available, do you have any recommendations on where I should look to do this? All of the links related to this topic appear to be very old, or limited to Linux PAM users.
Re: function for whitelisting IPs
> Do you have any examples of such a function and how/where it is used ? >I have a better idea: > Have a function for whitelisting IPs, possible /24's or similiar, where a > login to roundcube or other webmail client (with 2FA) will add the IP onto a > whitelist for that account. For some it might be sufficient to just return the allow_nets field: https://doc.dovecot.org/configuration_manual/authentication/allow_nets/ Best regards Gerald
Re: [EXTERNAL] Sv: function for whitelisting IPs
On 15/07/2021 12:05, White, Daniel E. (GSFC-770.0)[NICS] wrote: The custom login script -- in Dovecot or Roundcube or … ? Is there any documentation for such scripting ? https://doc.dovecot.org/configuration_manual/authentication/auth_policy/ It uses an http interface so it is easy to implement with existing http toolkits. I wrote my own policy server in Java Jakarta EE9 because I can. You might prefer an existing policy server or write your own in your favourite http implementation language.
Re: [EXTERNAL] Sv: function for whitelisting IPs
The custom login script -- in Dovecot or Roundcube or … ?
Is there any documentation for such scripting ?
-Original Message-
From: dovecot on behalf of Sebastian
Reply-To: Dovecot Mailing List
Date: Thursday, July 15, 2021 at 06:56
To: 'Mailing List'
Subject: [EXTERNAL] Sv: function for whitelisting IPs
Most such functions would need to be custom.
You need to write a custom login script, which also accepts the user's IP
as input to a function, which then checks if password is right.
And then it returns that password is invalid if IP isn't approved.
Then you just need to write some custom functions in roundcube or similiar
to have the webmail insert the IP into a database.
Or just match it against a GeoIP database and save the latest country the
webmail was logged in from, and then SMTP/IMAP is only approved for that
country.
That reduces the attack surface greatly.
-Ursprungligt meddelande-
Från: dovecot-boun...@dovecot.org För White,
Daniel E. (GSFC-770.0)[NICS]
Skickat: den 15 juli 2021 12:21
Till: Dovecot Mailing List
Ämne: function for whitelisting IPs
Sebastian,
Do you have any examples of such a function and how/where it is used ?
-Original Message-
From: dovecot on behalf of Sebastian
Reply-To: Dovecot Mailing List
Date: Thursday, July 15, 2021 at 01:19
To: 'Mailing List'
Subject: [EXTERNAL] Sv: 2FA/MFA with IMAP & postfix/submission
Main problem is that not many clients do natively support multifactor.
Some clients, do popup a login dialog if the server rejects the
password as invalid, which can be used to create a "cheaty variant" of
multifactor, but some clients just popup an error dialog and tell the user to
just correct password in settings.
Some clients even go as long as requiring the user to delete the
account with wrong password and set up a new connection.
So no, it cannot be relied upon.
I have a better idea:
Have a function for whitelisting IPs, possible /24's or similiar, where
a login to roundcube or other webmail client (with 2FA) will add the IP onto a
whitelist for that account.
Or perhaps, just "set" the country of the account based on GeoIP.
When an account tries to login via IMAP or SMTP, you just check if IP
and/or GeoIP country is right, and reject the login as invalid if so not.
The only thing a client needs to do to get his IMAP or SMTP client to
work again if it stops working, is to login once via the web client.
-Ursprungligt meddelande-
Från: dovecot-boun...@dovecot.org För Alex
Skickat: den 15 juli 2021 02:10
Till: dovecot@dovecot.org
Ämne: 2FA/MFA with IMAP & postfix/submission
Hi, I have a dovecot-2.3.13 system on fedora34 with a few hundred
IMAP4 accounts, as well as postfix users using submission. Clients are
using primarily Outlook on Windows and old squirrelmail.
Are there multi-factor options available?
If it is not available, do you have any recommendations on where I
should look to do this?
All of the links related to this topic appear to be very old, or
limited to Linux PAM users.
Sv: function for whitelisting IPs
Most such functions would need to be custom. You need to write a custom login script, which also accepts the user's IP as input to a function, which then checks if password is right. And then it returns that password is invalid if IP isn't approved. Then you just need to write some custom functions in roundcube or similiar to have the webmail insert the IP into a database. Or just match it against a GeoIP database and save the latest country the webmail was logged in from, and then SMTP/IMAP is only approved for that country. That reduces the attack surface greatly. -Ursprungligt meddelande- Från: dovecot-boun...@dovecot.org För White, Daniel E. (GSFC-770.0)[NICS] Skickat: den 15 juli 2021 12:21 Till: Dovecot Mailing List Ämne: function for whitelisting IPs Sebastian, Do you have any examples of such a function and how/where it is used ? -Original Message- From: dovecot on behalf of Sebastian Reply-To: Dovecot Mailing List Date: Thursday, July 15, 2021 at 01:19 To: 'Mailing List' Subject: [EXTERNAL] Sv: 2FA/MFA with IMAP & postfix/submission Main problem is that not many clients do natively support multifactor. Some clients, do popup a login dialog if the server rejects the password as invalid, which can be used to create a "cheaty variant" of multifactor, but some clients just popup an error dialog and tell the user to just correct password in settings. Some clients even go as long as requiring the user to delete the account with wrong password and set up a new connection. So no, it cannot be relied upon. I have a better idea: Have a function for whitelisting IPs, possible /24's or similiar, where a login to roundcube or other webmail client (with 2FA) will add the IP onto a whitelist for that account. Or perhaps, just "set" the country of the account based on GeoIP. When an account tries to login via IMAP or SMTP, you just check if IP and/or GeoIP country is right, and reject the login as invalid if so not. The only thing a client needs to do to get his IMAP or SMTP client to work again if it stops working, is to login once via the web client. -Ursprungligt meddelande- Från: dovecot-boun...@dovecot.org För Alex Skickat: den 15 juli 2021 02:10 Till: dovecot@dovecot.org Ämne: 2FA/MFA with IMAP & postfix/submission Hi, I have a dovecot-2.3.13 system on fedora34 with a few hundred IMAP4 accounts, as well as postfix users using submission. Clients are using primarily Outlook on Windows and old squirrelmail. Are there multi-factor options available? If it is not available, do you have any recommendations on where I should look to do this? All of the links related to this topic appear to be very old, or limited to Linux PAM users. smime.p7s Description: S/MIME Cryptographic Signature
function for whitelisting IPs
Sebastian, Do you have any examples of such a function and how/where it is used ? -Original Message- From: dovecot on behalf of Sebastian Reply-To: Dovecot Mailing List Date: Thursday, July 15, 2021 at 01:19 To: 'Mailing List' Subject: [EXTERNAL] Sv: 2FA/MFA with IMAP & postfix/submission Main problem is that not many clients do natively support multifactor. Some clients, do popup a login dialog if the server rejects the password as invalid, which can be used to create a "cheaty variant" of multifactor, but some clients just popup an error dialog and tell the user to just correct password in settings. Some clients even go as long as requiring the user to delete the account with wrong password and set up a new connection. So no, it cannot be relied upon. I have a better idea: Have a function for whitelisting IPs, possible /24's or similiar, where a login to roundcube or other webmail client (with 2FA) will add the IP onto a whitelist for that account. Or perhaps, just "set" the country of the account based on GeoIP. When an account tries to login via IMAP or SMTP, you just check if IP and/or GeoIP country is right, and reject the login as invalid if so not. The only thing a client needs to do to get his IMAP or SMTP client to work again if it stops working, is to login once via the web client. -Ursprungligt meddelande- Från: dovecot-boun...@dovecot.org För Alex Skickat: den 15 juli 2021 02:10 Till: dovecot@dovecot.org Ämne: 2FA/MFA with IMAP & postfix/submission Hi, I have a dovecot-2.3.13 system on fedora34 with a few hundred IMAP4 accounts, as well as postfix users using submission. Clients are using primarily Outlook on Windows and old squirrelmail. Are there multi-factor options available? If it is not available, do you have any recommendations on where I should look to do this? All of the links related to this topic appear to be very old, or limited to Linux PAM users.
