Re: [mailop] Roundcube client IPs → dovecot, postfix

2022-01-07 Thread Noel Butler via mailop

Happy New Year!

Now for the bad news, I'm back :)

On 30/12/2021 13:05, Mark Foster via mailop wrote:


On 29/12/2021 11:48 pm, Noel Butler via mailop wrote:

Mark, you do realise that information *is already there* in the 
header, well, for network operators it is, as it's encrypted but 
roundcube has a tool for them to decrypt it, but you want them to put 
it in plain text? When Google and the like never will, you won't win any fans 
with that request :)


Maybe I need to be clear that I both use Roundcube, and operate it on a 
private MTA. I haven't seen how my HTTP(S) IP address was encoded in any 
emails I've sent using Roundcube, even as the operator of that 
platform.


Perhaps I missed something.


I'm using RC now, have a look, the first Received line, all that 
gibberish, is my actual hostname and IP.


Sure, but you are not exposing it to all and sundry, are you? You are 
exposing it to those with authority to see it: webmasters, newsmasters, 
IRC opers, Facebook, Google, Microsoft admins, and so on. You're not 
exposing it for, say, me, or your neighbours to look at - unless you're 
using our services lol.


If I send someone an email, I expect my email address to be presented as 
the sender. However it's relatively easy to forge these and very 
inexpensive to create a large number of disposable email addresses. 
There's such a large number of operators that full transparency is not 
available, and the headers failing to provide a link to the last-mile 
network provider just adds to the anonymity.  And when we're guaranteed 
anonymity, we know that people will take advantage for negative effect.


But your email address is not the same as your IP address, which is not 
the same as a residential address.


As for your 'authority to see it' comment... if I typo a web address in 
my browser, that's on me, but I'm giving my IP away to the person who 
operates the DNS server and webserver. Anyone can do this, so a 
malicious


What is it with some people and believing that all ISPs perform DNS 
logging? Do ISPs in your country really log every DNS request? Then 
you're best using Tails if you're that paranoid about it, or a VPN. I mean, 
most people on this list are from the USA, not all, like yours truly, but 
most, and I really don't see every USA ISP logging DNS requests of all of its 
users. It is one reason why I'm outspoken against DoH, sending all your 
DNS requests to Cloudflare, centralising the internet.


If you use an SMTP mail client your home IP is given away. Plenty of 
webmail services log an HTTP(S) Received: line. I guess I'd just 
expect Roundcube to do the same.


As above, it does.

What purpose will it serve for the victim to know the IP of the person 
causing them harm?


If the only info you have is the mail service provider, and that mail 
service provider is a huge freemail operator, no one is going to expect 
any real consequence to come out of reporting abusive activities. The 
ISP is the party who's going to (more likely) have an actual commercial 
relationship with the malicious party. Once upon a time these may have 
been the same parties, but no longer... if I'm reporting nefarious 
behavior I'd want to get as close to the actual offender as possible; 
an anonymously-signed-up-to freemail service is not going to care too 
much... they might block the account, there'll be ten more signed up in 
as many minutes, rinse and repeat.


There is always accountability, just it might be a slower process in 
some cases.


Most ISPs have a similar AUP, which also aligns with most freemailers - 
I'm no fan of them, but they are not the topic of this discussion, which 
is roundcube, which is hardly used by freemail providers, so any problem 
you have with an RC user is likely with the actual ISP/hosting provider where 
there is a contractual agreement, so again I see no problem that needs 
solving.


--
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged 
information, therefore at all times remains confidential and subject to 
copyright protected under international law. You may not disseminate 
this message without the authors express written authority to do so.   
If you are not the intended recipient, please notify the sender then 
delete all copies of this message including attachments immediately. 
Confidentiality, copyright, and legal privilege are not waived or lost 
by reason of the mistaken delivery of this message.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Roundcube client IPs → dovecot, postfix

2022-01-06 Thread John Capo via mailop

On 2021-12-30 11:00, Nicolas JEAN via mailop wrote:

On 29/12/2021 07:05, Slavko via mailop wrote:


I am not sure if that matters. IMO, when dovecot's auth policy
rejects the latter (with the real RIP), the roundcube's content will be
empty (at least I hope), and the client's IP will be blocked by fail2ban
sooner or later. Or am I wrong?


From my understanding and tests, the first IMAP login attempt
forwarded to dovecot is the actual login to roundcube.
Therefore all later IMAP connections happen if and only if the first
one was successful (legitimate user, or breach -- password found by
attacker).

So I really want dovecot to know the originating IP for the first
login attempt.
Because brute-force and other attacks are going to fail at the
roundcube login phase... until they've tried enough times to guess
user passwords.

In order to stop attackers from guessing passwords on roundcube, I
need dovecot to know the originating IPs at roundcube login phase.
Then when some IP has failed X times to log in to roundcube, dovecot
will block it.

Why not just fail2ban roundcube plugin?

Brute-force protection can also be achieved by fail2ban, as mentioned
by others.
But there are scenarios of attackers trying to evade brute-force
detection by making password guesses only once in a while, e.g. every
30 minutes in my experience, from many IPs (botnet). See for example
this story [1].


Current strategy is for the bot farms to spread out the requests quite a 
bit, 5268 in the case below.


   Blocking t=28800 r=1 b=11 p=3 u=2 l=1 [ablk] [Aa123456] 3,1 attempts 
in 5268,0 seconds 87.87.1.230/32 0


I look back 24 hours for the same IP address trying multiple usernames 
and multiple passwords.


   p=3 u=2

Works well.

   Pending: 1292, Blocked: 2067



In such cases of fail2ban bypassing, having a second banning mechanism
can bring additional security, or peace of mind -- at least it does
for me.

Cheers,
Nico


Links:
--
[1] 
https://security.stackexchange.com/questions/174405/someone-is-trying-to-brute-force-my-private-mail-server-very-slowly



Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-31 Thread Slavko via mailop
Hi,

On Thu, 30 Dec 2021 17:00:57 +0100 Nicolas JEAN via mailop
 wrote:

> So I really want dovecot to know the originating IP for the _first_ 
> login attempt.

I tried the proposed patch and it works, that means the remote IP is set
from the first (login) request. That is indeed the best solution.

> Brute-force protection can also be achieved by fail2ban, as mentioned
> by others.

Brute-forcing from ONE host only; for distributed and/or slow attempts
it is useless. But stopping password guessing attempts is only part of
the defense, as passwords can be obtained in other ways too.

> In such cases of fail2ban bypassing, having a second banning
> mechanism can bring additional security, or peace of mind -- at least
> it does for me.

Moving protection from end apps to a central auth service has many
advantages. They include two most important things:

+ one can define rules in one place and not care what end apps
  support or do not support
+ one can count attempts to different services in one place

That is exactly the job for dovecot's auth policy daemon, which can do a lot
of things, not only IP based, but it can also work with the user/password
(hash) and distinguish between successful, policy rejected and failed
logins. The only part which is missing for me is that the current
dovecot implementation cannot distinguish between a nonexistent user
and a failed password, but it is not a big problem.

My policy daemon can not only block logins for bad hosts, but it can e.g.
blacklist a user when successful logins come from many different IPs, which
can indicate a leaked password, and thus minimize damage.

regards

-- 
Slavko
https://www.slavino.sk
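As an added illustration (example code, not Slavko's daemon or anything posted in the thread) of the two points above, central counting in dovecot's auth policy service and locking an account whose successful logins arrive from many addresses, combined with John Capo's 24-hour same-IP/multiple-usernames/multiple-passwords look-back from earlier in the thread, here is a minimal policy decision routine in Python. The JSON field names (login, pwhash, remote, success) follow Dovecot's auth policy request format as I know it but are assumptions here, as are the loopback skip and the MAX_SUCCESS_IPS value; the HTTP endpoint that dovecot's auth_policy_server_url would point at is left out.

```python
import ipaddress
import json
import time
from collections import defaultdict

# Thresholds from the thread: look back 24 hours and block an address once
# it has tried >= 3 distinct passwords (p=3) against >= 2 distinct users (u=2).
WINDOW_SECONDS = 24 * 3600
MIN_PASSWORDS = 3
MIN_USERS = 2
# Assumed value (not from the thread): successful logins for one account from
# this many distinct addresses inside the window suggest a leaked password.
MAX_SUCCESS_IPS = 4


def is_loopback(ip):
    """True for ::1 / 127.x, which is what dovecot sees when the webmail host
    does not forward the client address (the 'rip=::1' line in the thread).
    Counting those failures would end up banning the webmail host itself."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


class AuthPolicy:
    """In-memory state for a dovecot-style auth policy decision."""

    def __init__(self):
        self.failures = defaultdict(list)   # ip   -> [(ts, user, pwhash)]
        self.successes = defaultdict(list)  # user -> [(ts, ip)]
        self.blocked_ips = set()
        self.blocked_users = set()

    @staticmethod
    def _within_window(events, now):
        return [e for e in events if now - e[0] <= WINDOW_SECONDS]

    def handle(self, event, now=None):
        """Record one JSON-decoded login event and answer in dovecot's
        response shape: status -1 rejects the login, status 0 allows it."""
        now = time.time() if now is None else now
        ip = event.get("remote", "")
        user = event.get("login", "")
        pwhash = event.get("pwhash", "")

        if event.get("success"):
            recent = self._within_window(self.successes[user], now)
            recent.append((now, ip))
            self.successes[user] = recent
            if len({e[1] for e in recent}) >= MAX_SUCCESS_IPS:
                self.blocked_users.add(user)
        elif not is_loopback(ip):
            recent = self._within_window(self.failures[ip], now)
            recent.append((now, user, pwhash))
            self.failures[ip] = recent
            users = {e[1] for e in recent}
            passwords = {e[2] for e in recent}
            if len(passwords) >= MIN_PASSWORDS and len(users) >= MIN_USERS:
                self.blocked_ips.add(ip)

        if ip in self.blocked_ips:
            return {"status": -1, "msg": "too many guesses from this address"}
        if user in self.blocked_users:
            return {"status": -1, "msg": "account locked: logins from many addresses"}
        return {"status": 0, "msg": "ok"}

    def handle_json(self, body):
        """Same as handle(), for the raw JSON body dovecot would POST."""
        return json.dumps(self.handle(json.loads(body)))


def slow_guess_demo():
    """Constructed sample: one address guessing every 30 minutes, alternating
    users and passwords, which a short fail2ban findtime never catches.
    Returns the status dovecot would get for each attempt."""
    policy = AuthPolicy()
    t0 = 1_640_000_000
    attempts = [("alice", "h1"), ("bob", "h2"), ("alice", "h3"), ("bob", "h4")]
    return [policy.handle({"remote": "203.0.113.7", "login": u, "pwhash": h,
                           "success": False}, now=t0 + i * 1800)["status"]
            for i, (u, h) in enumerate(attempts)]


if __name__ == "__main__":
    print(slow_guess_demo())  # [0, 0, -1, -1]
```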




Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-30 Thread Nicolas JEAN via mailop

On 30/12/2021 19:46, Andrew C Aitchison wrote:

On Thu, 30 Dec 2021, Nicolas JEAN via mailop wrote:

From my understanding and tests, the first IMAP login attempt 
forwarded to dovecot is the actual login to roundcube.


Is the first auth request to dovecot the first login attempt to 
roundcube or the first *successful* login attempt to roundcube ?


It's the first login attempt to roundcube, which can't decide by itself 
whether it's successful or not. The credentials are forwarded to 
dovecot, which will tell yes or no (maybe just no because the client IP 
is blocklisted).
On my setup dovecot logs both successful and failed login attempts (I'm 
guessing this may depend on your config).



Or does it depend on whether roundcube is using dovecot authentication


Yes, it definitely depends. Here I was only covering the case where 
roundcube always makes IMAP requests to dovecot.
This is where said plugin is helpful in adding the client IP to those 
requests.



[...] scenarios of attackers [...] from many IPs (botnet)


If they are using a botnet the IP addresses are much less helpful for 
spotting the attack.


It's much more difficult to spot, I agree.

But my server is seeing about a dozen IPs making an attempt every half 
hour, all day long, for several days (then they probably go on trying 
other servers). After some time, some of the IPs come back to me and 
resume their shenanigans.


This is enough of a strange behaviour for me to block them 
automatically. :)


Nico





Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-30 Thread Andrew C Aitchison via mailop

On Thu, 30 Dec 2021, Nicolas JEAN via mailop wrote:


On 29/12/2021 07:05, Slavko via mailop wrote:

I am not sure if that matters. IMO, when dovecot's auth policy
rejects the latter (with the real RIP), the roundcube's content will be empty
(at least I hope), and the client's IP will be blocked by fail2ban sooner or
later. Or am I wrong?


From my understanding and tests, the first IMAP login attempt forwarded to 
dovecot is the actual login to roundcube.
Therefore all later IMAP connections happen if and only if the first one was 
successful (legitimate user, or breach -- password found by attacker).


Is the first auth request to dovecot the first login attempt to roundcube 
or the first *successful* login attempt to roundcube?

Or does it depend on whether roundcube is using dovecot authentication
(as at least one SMTP server can)?

So I really want dovecot to know the originating IP for the _first_ login 
attempt.
Because brute-force and other attacks are going to fail at the roundcube 
login phase... until they've tried enough times to guess user passwords.


In order to stop attackers from guessing passwords on roundcube, I need 
dovecot to know the originating IPs at roundcube login phase. Then when some 
IP has failed X times to log in to roundcube, dovecot will block it.


*If* roundcube only passes successful logins to dovecot (my first 
question above) this won't work.



*Why not just fail2ban roundcube plugin?*

Brute-force protection can also be achieved by fail2ban, as mentioned by 
others.
But there are scenarios of attackers trying to evade brute-force detection by 
making password guesses only once in a while, e.g. every 30 minutes in my 
experience, from many IPs (botnet). See for example this story.


If they are using a botnet the IP addresses are much less helpful
for spotting the attack.

In such cases of fail2ban bypassing, having a second banning mechanism can 
bring additional security, or peace of mind -- at least it does for me.


--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk


Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-30 Thread Nicolas JEAN via mailop

On 30/12/2021 04:39, John Levine via mailop wrote:

It appears that Mark Foster via mailop said:

Maybe I need to be clear that I both use Roundcube, and operate it on a
private MTA. I haven't seen how my HTTP(S) IP address was encoded in any
emails I've sent using Roundcube, even as the operator of that platform.

Perhaps I missed something.

Nope. There's a plugin that adds an x-originating-ip header but unless
you use it, there's no way to tell the connecting user's IP without
access to the roundcube web logs.

https://github.com/corbosman/dovecot_ident


Just for the record, I'd advise using this plugin instead, which

 * supports more HTTP headers, making roundcube aware of originating
   client IPs even when behind a proxy;
 * has more comprehensive documentation;
 * only loads for necessary roundcube "tasks" (mail + login), see my
   patch and discussion with the plugin maintainer on MR !1.

Nico





Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-30 Thread Nicolas JEAN via mailop

On 29/12/2021 07:05, Slavko via mailop wrote:

I am not sure if that matters. IMO, when dovecot's auth policy
rejects the latter (with the real RIP), the roundcube's content will be empty
(at least I hope), and the client's IP will be blocked by fail2ban sooner or
later. Or am I wrong?


From my understanding and tests, the first IMAP login attempt forwarded 
to dovecot is the actual login to roundcube.
Therefore all later IMAP connections happen if and only if the first one 
was successful (legitimate user, or breach -- password found by attacker).


So I really want dovecot to know the originating IP for the _first_ 
login attempt.
Because brute-force and other attacks are going to fail at the roundcube 
login phase... until they've tried enough times to guess user passwords.


In order to stop attackers from guessing passwords on roundcube, I need 
dovecot to know the originating IPs at roundcube login phase. Then when 
some IP has failed X times to log in to roundcube, dovecot will block it.


*Why not just fail2ban roundcube plugin?*

Brute-force protection can also be achieved by fail2ban, as mentioned by 
others.
But there are scenarios of attackers trying to evade brute-force 
detection by making password guesses only once in a while, e.g. every 30 
minutes in my experience, from many IPs (botnet). See for example this 
story.


In such cases of fail2ban bypassing, having a second banning mechanism 
can bring additional security, or peace of mind -- at least it does for me.


Cheers,
Nico





Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-29 Thread John Levine via mailop
It appears that Mark Foster via mailop said:
>Maybe I need to be clear that I both use Roundcube, and operate it on a 
>private MTA. I haven't seen how my HTTP(S) IP address was encoded in any 
>emails I've sent using Roundcube, even as the operator of that platform.
>
>Perhaps I missed something.

Nope. There's a plugin that adds an x-originating-ip header but unless
you use it, there's no way to tell the connecting user's IP without
access to the roundcube web logs.

https://github.com/corbosman/dovecot_ident

R's,
John


Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-29 Thread Mark Foster via mailop


On 29/12/2021 11:58 pm, Noel Butler via mailop wrote:


On 29/12/2021 14:15, Mark Foster via mailop wrote:



I use Roundcube myself and as a /user/ of the software, it hadn't 
occurred to me that, much like Gmail, people who send emails using 
this webmail tool have /full anonymity/ (except, of course, from the 
service operator).



Should have included this in the previous one, went off on such a rant I lost 
where I was LOL...
The problem I see is the OP wants the rules in dovecot to also apply 
to a web server. So what if RC gave clear text IPs, you add some 
config and block them at IMAP, do you think the bad guys care? They 
will still be slamming your web server, so you have just moved the 
problem sideways, not cured it. As I said, rcguard to force a captcha 
after a couple of failures, in combination with fail2ban - problem 
solved, bad guys don't get to webmail let alone hitting IMAP, which 
still has to happen for dovecot to ignore them.



This might all be true if you're the webmail operator. It does the 
recipient of spam email no good at all, and whilst a responsible mail 
operator might take on an abuse complaint, trace the details of the 
abuser and do something to deter them, like this...  basically you're 
solving a different problem here.


Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-29 Thread Mark Foster via mailop


On 29/12/2021 11:48 pm, Noel Butler via mailop wrote:
abuse reports filed with them... there's little evidence of this to an 
end-user/victim...)


I for one look forward to Roundcube building in the option to have 
the web IP included in headers,


Mark, you do realise that information *is already there* in the 
header, well, for network operators it is, as it's encrypted but 
roundcube has a tool for them to decrypt it, but you want them to put 
it in plain text? When Google and the like never will, you won't win any fans 
with that request :)


Maybe I need to be clear that I both use Roundcube, and operate it on a 
private MTA. I haven't seen how my HTTP(S) IP address was encoded in any 
emails I've sent using Roundcube, even as the operator of that platform.


Perhaps I missed something.




But with a victim's perspective in mind, feels like it'd be nice to 
show some public accountability. (And your IP address shouldn't be 
treated as PII with kid gloves... you expose it every time you access 
network resources)


Sure, but you are not exposing it to all and sundry, are you? You are 
exposing it to those with authority to see it: webmasters, 
newsmasters, IRC opers, Facebook, Google, Microsoft admins, and so on. 
You're not exposing it for, say, me, or your neighbours to look at - 
unless you're using our services lol.


If I send someone an email, I expect my email address to be presented as 
the sender. However it's relatively easy to forge these and very 
inexpensive to create a large number of disposable email addresses. 
There's such a large number of operators that full transparency is not 
available, and the headers failing to provide a link to the last-mile 
network provider just adds to the anonymity.  And when we're guaranteed 
anonymity, we know that people will take advantage for negative effect.


As for your 'authority to see it' comment... if I typo a web address in 
my browser, that's on me, but I'm giving my IP away to the person who 
operates the DNS server and webserver. Anyone can do this, so a 
malicious cybersquatter could potentially grab quite a bit of 
information about me. I know that, I make decisions aligned with that 
position. The idea of being 'authorised' is an amusing one... by using 
the Internet I do not assume full anonymity applies anywhere, but I'm so 
far down into the noise level that in practical terms, until I give 
someone reasons to look, I suppose that I am. That's a level I'm fairly 
comfortable with.


If you use an SMTP mail client your home IP is given away. Plenty of 
webmail services log an HTTP(S) Received: line. I guess I'd just expect 
Roundcube to do the same.


People have a right to privacy, yes people have a right not to be a 
victim, that's where network operators come in, to identify and if 
need be deal with their user.


What purpose will it serve for the victim to know the IP of the person 
causing them harm? They can't exactly do anything with it but report 
it to the user's ISP, which is exactly what they need to do now to find 
out who it is; the ISP sure as hell is not going to tell the alleged 
victim their alleged perpetrator's name and address or phone number or 
anything. I'm sure even the country with the worst privacy laws won't 
allow that.


If the only info you have is the mail service provider, and that mail 
service provider is a huge freemail operator, no one is going to expect 
any real consequence to come out of reporting abusive activities. The 
ISP is the party who's going to (more likely) have an actual commercial 
relationship with the malicious party. Once upon a time these may have been 
the same parties, but no longer... if I'm reporting nefarious behavior 
I'd want to get as close to the actual offender as possible; an 
anonymously-signed-up-to freemail service is not going to care too 
much... they might block the account, there'll be ten more signed up in 
as many minutes, rinse and repeat.


Many years ago I was manning the abuse@ mailbox for an ISP who were 
offering free internet access services (paid for through telco 
interconnect revenues... this was a long time ago and in the dial-up 
era)... it taught me exactly how much abuse will come from accounts that 
people can sign up for with zero accountability.


Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-29 Thread Hans-Martin Mosner via mailop

On 29.12.21 at 13:32, Jaroslaw Rafa via mailop wrote:


As far as I know, Gmail puts the originating IP of the client (browser)
connecting via HTTP into the first "Received" header, as plain text.


No, they don't. As a spamfighter, I'd wish they did, but I do understand the 
related privacy concerns.

Cheers,
Hans-Martin



Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-29 Thread Jaroslaw Rafa via mailop
On 29.12.2021 at 20:48:25, Noel Butler via mailop writes:
> >I for one look forward to Roundcube building in the option to have
> >the web IP included in headers,
> 
> Mark, you do realise that information *is already there* in the
> header, well, for network operators it is, as it's encrypted but
> roundcube has a tool for them to decrypt it, but you want them to
> put it in plain text? When Google and the like never will, you won't win any
> fans with that request :)

As far as I know, Gmail puts the originating IP of the client (browser)
connecting via HTTP into the first "Received" header, as plain text.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-29 Thread Noel Butler via mailop

On 29/12/2021 14:15, Mark Foster via mailop wrote:

I use Roundcube myself and as a _user_ of the software, it hadn't 
occurred to me that, much like Gmail, people who send emails using this 
webmail tool have _full anonymity_ (except, of course, from the service 
operator).


Should have included this in the previous one, went off on such a rant I lost 
where I was LOL...


The problem I see is the OP wants the rules in dovecot to also apply to 
a web server. So what if RC gave clear text IPs, you add some config 
and block them at IMAP, do you think the bad guys care? They will still 
be slamming your web server, so you have just moved the problem 
sideways, not cured it. As I said, rcguard to force a captcha after a 
couple of failures, in combination with fail2ban - problem solved, bad guys 
don't get to webmail let alone hitting IMAP, which still has to happen for 
dovecot to ignore them.


--
Regards,
Noel Butler



Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-29 Thread Noel Butler via mailop

On 29/12/2021 14:15, Mark Foster via mailop wrote:

So your attitude is fine if you're a _good_ platform operator _and the 
victim_


Most operators will be better operators, as most of us don't have tools 
scanning their users' emails to target advertising and Christ knows what 
else they do with the information they scan whilst invading their users' 
privacy.



(And Google have the added advantage of being too-big-to-block... and


Nobody is too big to block, not even Google, who love people like you 
touting this nonsense, because it gives them less incentive to police 
things, and yes we have blocked them before, and won't hesitate to do it 
again if the need arises, just the same as with any org.


abuse reports filed with them... there's little evidence of this to an 
end-user/victim...)


I for one look forward to Roundcube building in the option to have the 
web IP included in headers,


Mark, you do realise that information *is already there* in the header, 
well, for network operators it is, as it's encrypted but roundcube has a 
tool for them to decrypt it, but you want them to put it in plain text? 
When Google and the like never will, you won't win any fans with that request 
:)


But with a victim's perspective in mind, feels like it'd be nice to show 
some public accountability. (And your IP address shouldn't be treated 
as PII with kid gloves... you expose it every time you access network 
resources)


Sure, but you are not exposing it to all and sundry, are you? You are 
exposing it to those with authority to see it: webmasters, newsmasters, 
IRC opers, Facebook, Google, Microsoft admins, and so on. You're not 
exposing it for, say, me, or your neighbours to look at - unless you're 
using our services lol.


People have a right to privacy, yes people have a right not to be a 
victim, that's where network operators come in, to identify and if need 
be deal with their user.


What purpose will it serve for the victim to know the IP of the person 
causing them harm? They can't exactly do anything with it but report it 
to the user's ISP, which is exactly what they need to do now to find out 
who it is; the ISP sure as hell is not going to tell the alleged victim 
their alleged perpetrator's name and address or phone number or anything. 
I'm sure even the country with the worst privacy laws won't allow that.


--
Regards,
Noel Butler



Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Slavko via mailop
Hi,

On Tue, 28 Dec 2021 18:08:24 +0100 Nicolas JEAN via mailop
 wrote:

> Did you encounter the issue of the first IMAP connection not
> forwarding the actual client IP to dovecot?

OK, I tried it, and I see it:

imap-login: Login: user=, method=PLAIN, rip=::1, ...
imap-login: Login: user=, method=PLAIN, rip=2001:...::1:1, ...

I removed the timestamps (to shorten them), but these two lines appear
immediately one after the other. And now I refresh my memory that I saw
this when I installed (and tested) that plugin.

I am not sure if that matters. IMO, when dovecot's auth policy
rejects the latter (with the real RIP), the roundcube's content will be empty
(at least I hope), and the client's IP will be blocked by fail2ban sooner or
later. Or am I wrong?

regards

-- 
Slavko
https://www.slavino.sk




Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Noel Butler via mailop

On 29/12/2021 03:50, Jaroslaw Rafa via mailop wrote:


It is Roundcube that is actually connecting to Dovecot/Postfix and
receiving/sending mail, not the user's browser, so the connecting IP that
Dovecot/Postfix gets is technically correct. No need to change it. On the
other hand, the user's browser is talking HTTP to Roundcube, and Roundcube knows
its IP address, so Roundcube is the point where restrictions should be
enforced, not Dovecot/Postfix.


Agreed, dovecot doesn't know - nor care - if it's KMail, Evolution, 
Thunderbird, Outlook, RC, imapproxy, or some other client; it's not its 
job to care.


RC has rcguard which works well, and as mentioned by another poster 
there is always fail2ban.


Frankly, I don't see any problem that needs addressing, and I guess 
neither do the RC team if this is as is claimed a "long standing" issue 
for a small minority.


As to the anti-privacy brigade, suck it up, we are network operators; if 
we want to know who they are, we can, it just means we have to multitask 
looking at two logs. I mean FFS, how hard is that? You already do this 
tracking local spammers' actions and then looking them up in CRM or 
RADIUS, or some other database.


Get over it.
--
Regards,
Noel Butler



Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Nicolas JEAN via mailop

On 28/12/2021 20:00, Andrew C Aitchison via mailop wrote:

On Tue, 28 Dec 2021, Jaroslaw Rafa via mailop wrote:

Can't these restrictions be just moved from Dovecot/Postfix to Roundcube
itself? Roundcube definitely knows the value of the $_SERVER["REMOTE_ADDR"]
variable and can make use of it...


If a provider makes both IMAP and Roundcube access available, any 
restrictions implemented on Roundcube would need to be duplicated on 
the IMAP service.


I tend to agree with Andrew here. If I have IP-based policies set up for 
dovecot already, I'd like them to be applicable to IMAP login attempts 
coming from roundcube as well.
(Policies as in collecting the data -- which IPs are making how many 
(failed) logins --, and deciding which of them to block -- brute-force 
and others.)



It is Roundcube that is actually connecting to Dovecot/Postfix and
receiving/sending mail, not the user's browser, so the connecting IP that
Dovecot/Postfix gets is technically correct. No need to change it. On the
other hand, the user's browser is talking HTTP to Roundcube, and Roundcube knows
its IP address, so Roundcube is the point where restrictions should be
enforced, not Dovecot/Postfix.


*If* I understand correctly, Roundcube allows a user to interact with 
multiple mail-boxes, in which case Roundcube may not be under control 
of the same organisation as the IMAP account.


Also a good point.
In that case both organisations may have different policies, which seems 
fine. If I'm the one managing dovecot, I'd still like my security rules 
to be enforceable.


Nico





Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Nicolas JEAN via mailop

Hi Slavko,

On 28/12/2021 17:35, Slavko via mailop wrote:

On 28 December 2021 at 15:55:57 UTC, user Nicolas JEAN via mailop wrote:

At least with dovecot you can use 
https://gitlab.com/takerukoushirou/roundcube-dovecot_client_ip
which can add client's IP to login information (via IMAP's ID command).

I use it with my dovecot's auth policy daemon.


Nice!

Did you encounter the issue of the first IMAP connection not forwarding 
the actual client IP to dovecot? (the one sent from roundcube's login page)
This is what pushed me to write the mentioned patch.


Cheers,
Nico





Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Andrew C Aitchison via mailop

On Tue, 28 Dec 2021, Jaroslaw Rafa via mailop wrote:


On 28.12.2021 at 07:17:43 Michael Peddemors via mailop writes:


For us, the security value of passing the originating IP to the
Dovecot or SMTP layers for auth restrictions is paramount, as well
as other details on the originating sender. (Country AUTH
restrictions, OS Detection, and many more)


Can't these restrictions be just moved from Dovecot/Postfix to Roundcube
itself? Roundcube definitely knows the value of the $_SERVER["REMOTE_ADDR"]
variable and can make use of it...


If a provider makes both IMAP and Roundcube access available, any 
restrictions implemented on Roundcube would need to be duplicated
on the IMAP service.


It is Roundcube that is actually connecting to Dovecot/Postfix and
receiving/sending mail, not the user's browser, so the connecting IP that
Dovecot/Postfix gets is technically correct. No need to change it. On the
other hand, the user's browser is talking HTTP to Roundcube, and Roundcube knows
its IP address, so Roundcube is the point where restrictions should be
enforced, not Dovecot/Postfix.


*If* I understand correctly, Roundcube allows a user to interact with 
multiple mail-boxes, in which case Roundcube may not be under control
of the same organisation as the IMAP account.

--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk


Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Slavko via mailop
On 28 December 2021 at 17:08:24 UTC, user Nicolas JEAN via mailop wrote:

>Did you encounter the issue of the first IMAP connection not forwarding 
>the actual client IP to dovecot? (the one sent from roundcube's login page)

Terrible to tell now, as I didn't care before and I am not at a PC to see the server's
log now. If I don't forget, I will try tomorrow.

In reality nobody uses my roundcube, only as a fallback or to edit sieve rules from
time to time...

Slavko


Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Nicolas JEAN via mailop

Hello Dominique,
and thanks for your comments!

On 28/12/2021 17:23, Dominique Rousseau via mailop wrote:

On Tue, Dec 28, 2021 at 04:55:57PM +0100, Nicolas JEAN via mailop 
[mailop@mailop.org] wrote:
(...)

My conclusion is that today, there's no technical way to forward
client IPs from roundcube to dovecot/postfix.

You mean... without patching?
(you pointed to an issue on roundcube github which adds proxying of the
original IP)
With the mentioned plugin & patch, client IPs are always forwarded to 
dovecot, so I believe we're clear on this front (IMAP login attempts).


Which left me thinking: what about SMTP login attempts? (forwarded from 
roundcube to postfix)
Hence this question on roundcube's git.


But yes, my feeling is that we're getting closer to that technical 
solution.  ;)



As for limiting bruteforce attacks (I believe that's one of the aims),
you could also use something like this fail2ban plugin:

https://github.com/mattrude/rc-plugin-fail2ban

True, stumbled upon that one while researching, surely a nice to have!
I'm also looking for ways to detect and block other kinds of attacks, 
for example with dovecot auth policy.


Nico





Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Jay Hennigan via mailop

On 12/28/21 09:27, Steven Champeon via mailop wrote:


I hope to die before that logic extends to hiding what channel you are
tuned into on a TV or radio for "privacy reasons". Infrastructure is
infrastructure, it's not like every packet you send has a social security
number or bank account routing number in it. Ridiculous.


In the off-the-air and analog cable model that is still the case, and 
IMHO should be when it comes to broadcast media delivered over cable and 
IP.


Do you really want your cable company selling lists of "Fox News 
Viewers" and "MSNBC Viewers" to anyone willing to pay for that data? 
Don't forget that politicians conveniently exempted themselves from TCPA 
and anti-spam laws.


How about content providers selling lists of which households watch 
which adult PPV channels?


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV


Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Richard W via mailop

On 2021-12-28 11:27 a.m., Steven Champeon via mailop wrote:


I hope to die before that logic extends to hiding what channel you are
tuned into on a TV or radio for "privacy reasons". Infrastructure is
infrastructure, it's not like every packet you send has a social security
number or bank account routing number in it. Ridiculous.



Those that advocate IP addresses are PII still drive around with a 
license plate on their car.  That's even more PII out in the open as 
that is a static IP.


Richard


Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Steven Champeon via mailop
on Tue, Dec 28, 2021 at 07:17:43AM -0800, Michael Peddemors via mailop wrote:
> The problem isn't 'technical', but rather political.  There are
> those out there that believe by including the originating IP
> Address, you are exposing PPI (Private Personal Information) by
> including the IP Address.
> 
> Of course, I personally think this is baloney, as the email operator
> can simply tell customers that this information will be disclosed,
> as part of the terms of service.  By including the IP Address, you
> add transparency, security and safety to the communication.

I hope to die before that logic extends to hiding what channel you are
tuned into on a TV or radio for "privacy reasons". Infrastructure is
infrastructure, it's not like every packet you send has a social security
number or bank account routing number in it. Ridiculous.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
Internet security and antispam hostname intelligence: http://enemieslist.com/


Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Jaroslaw Rafa via mailop
On 28.12.2021 at 07:17:43 Michael Peddemors via mailop writes:
> 
> For us, the security value of passing the originating IP to the
> Dovecot or SMTP layers for auth restrictions is paramount, as well
> as other details on the originating sender. (Country AUTH
> restrictions, OS Detection, and many more)

Can't these restrictions be just moved from Dovecot/Postfix to Roundcube
itself? Roundcube definitely knows the value of the $_SERVER["REMOTE_ADDR"]
variable and can make use of it...

It is Roundcube that is actually connecting to Dovecot/Postfix and
receiving/sending mail, not the user's browser, so the connecting IP that
Dovecot/Postfix gets is technically correct. No need to change it. On the
other hand, the user's browser is talking HTTP to Roundcube, and Roundcube knows
its IP address, so Roundcube is the point where restrictions should be
enforced, not Dovecot/Postfix.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread G. Miliotis via mailop

On 2021-12-28 17:55, Nicolas JEAN via mailop wrote:
My conclusion is that today, there's no technical way to forward 
client IPs from roundcube to dovecot/postfix.


Doesn't the XFORWARD feature work for postfix? I thought that's how 
amavis for example talks to postfix. Usually via a dedicated master.cf 
entry.


http://www.postfix.org/XFORWARD_README.html

I would expect an additional issue to be that if one uses an imap proxy, 
the connections can't be "chunked" for all users, as you would need to 
re-auth every time. So you may get reduced benefit from your proxy.


Best regards,
GM

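Picking up the XFORWARD pointer above, here is an added example (not code from the thread, from Postfix or from Roundcube) of what the exchange looks like when a webmail host relays a login through Postfix, and of why the receiving side must honour the command only from hosts listed in smtpd_authorized_xforward_hosts. The attribute names, the xtext encoding and the [UNAVAILABLE] marker follow the XFORWARD_README linked above; the helper names, sample addresses and reason strings are this example's own assumptions.

```python
"""Added example (not from the thread, Postfix or Roundcube): a webmail-side
relay handing Postfix the browser's address with XFORWARD, and the receiving
side honouring it only from smtpd_authorized_xforward_hosts. Attribute names,
xtext encoding and [UNAVAILABLE] follow XFORWARD_README; helper names, sample
addresses and reason strings are assumptions of this example."""
import ipaddress

# Attributes Postfix accepts in XFORWARD (IDENT is accepted but not built below).
XFORWARD_ATTRS = ("NAME", "ADDR", "PORT", "PROTO", "HELO", "IDENT", "SOURCE")
UNAVAILABLE = "[UNAVAILABLE]"


def xtext_encode(value):
    """RFC 1891 xtext: printable ASCII 33..126 except '+' and '=' stays literal,
    every other byte becomes +HH (upper-case hex)."""
    out = []
    for byte in value.encode("utf-8"):
        if 33 <= byte <= 126 and byte not in (0x2B, 0x3D):
            out.append(chr(byte))
        else:
            out.append("+%02X" % byte)
    return "".join(out)


def xtext_decode(value):
    """Inverse of xtext_encode; raises ValueError on a malformed +HH escape."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "+":
            hexpair = value[i + 1:i + 3]
            if len(hexpair) != 2:
                raise ValueError("truncated xtext escape")
            out.append(int(hexpair, 16))
            i += 3
        else:
            out.append(ord(value[i]))
            i += 1
    return out.decode("utf-8")


def build_xforward(addr, port=None, name=None, helo=None, proto="ESMTP", source="REMOTE"):
    """Relay side: one XFORWARD line with what the webmail knows about the browser.
    Attributes it does not know are sent as [UNAVAILABLE] rather than omitted."""
    ip = ipaddress.ip_address(addr)
    addr_val = ("IPv6:" + ip.compressed) if ip.version == 6 else str(ip)
    fields = (("NAME", name), ("ADDR", addr_val),
              ("PORT", None if port is None else str(port)),
              ("PROTO", proto), ("HELO", helo), ("SOURCE", source))
    parts = ["%s=%s" % (k, UNAVAILABLE if v is None else xtext_encode(v)) for k, v in fields]
    return "XFORWARD " + " ".join(parts)


def parse_xforward(line, peer_ip, authorized_nets):
    """Server side. Returns (True, attrs) when the command came from an authorized
    peer and parsed cleanly, else (False, reason). Anything from an unauthorized
    peer is ignored: otherwise any SMTP client could choose the address your
    auth restrictions and logs get to see."""
    nets = [ipaddress.ip_network(n) if isinstance(n, str) else n for n in authorized_nets]
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in nets):
        return False, "peer %s not in smtpd_authorized_xforward_hosts" % peer
    verb, _, rest = line.strip().partition(" ")
    if verb.upper() != "XFORWARD":
        return False, "not an XFORWARD command"
    attrs = {}
    try:
        for token in rest.split():
            key, sep, val = token.partition("=")
            key = key.upper()
            if not sep or key not in XFORWARD_ATTRS:
                return False, "bad attribute %r" % token
            attrs[key] = None if val == UNAVAILABLE else xtext_decode(val)
        if attrs.get("ADDR") is not None:
            raw = attrs["ADDR"]
            if raw.upper().startswith("IPV6:"):
                raw = raw[5:]
            attrs["ADDR"] = str(ipaddress.ip_address(raw))  # rejects non-addresses
    except ValueError as exc:
        return False, "malformed XFORWARD: %s" % exc
    return True, attrs


if __name__ == "__main__":
    # Constructed sample: webmail on 127.0.0.1 relays a login from browser 203.0.113.5.
    cmd = build_xforward("203.0.113.5", port=51234, helo="webmail.example", proto="ESMTP")
    print("C:", cmd)
    print("S:", parse_xforward(cmd, "127.0.0.1", ["127.0.0.0/8"]))
    print("S:", parse_xforward(cmd, "198.51.100.7", ["127.0.0.0/8"]))
```

Postfix only advertises XFORWARD in its EHLO reply to authorized hosts, so the relay should send it right after EHLO and before MAIL FROM, and the authorization list should contain nothing but the webmail host(s).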


Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Slavko via mailop
On 28 December 2021 at 15:55:57 UTC, user Nicolas JEAN via mailop wrote:

>Still, even if I'm going to have all legalities cleared and my terms of 
>service updated...
>My conclusion is that today, there's no technical way to forward client 
>IPs from roundcube to dovecot/postfix.

At least with dovecot you can use 
https://gitlab.com/takerukoushirou/roundcube-dovecot_client_ip
which can add client's IP to login information (via IMAP's ID command).

I use it with my dovecot's auth policy daemon.

regards

Slavko
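As an added example (not the linked plugin's code, nor Dovecot's), this is the IMAP ID exchange (RFC 2971) that carries the browser's address to the IMAP server, together with the check the server side has to apply: Dovecot honours x-originating-ip and x-originating-port from an ID command only when the connection comes from login_trusted_networks. The function names, the sample addresses and the shape of the result dictionary are this example's own assumptions.

```python
"""Added example (not from the thread, the linked plugin or Dovecot): the IMAP
ID exchange a webmail front end can use to pass the browser's address, and the
login_trusted_networks check that decides whether to believe it. Function
names, sample addresses and result keys are assumptions of this example."""
import ipaddress
import re

# One IMAP token inside an ID list: a quoted string (with \" and \\ escapes) or NIL.
_ID_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(NIL)')


def imap_quote(text):
    """Render text as an IMAP quoted string, escaping backslash and double quote."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_id_command(tag, fields):
    """Client side: `tag ID ("key" "value" ...)`; a None value is sent as NIL."""
    items = " ".join(imap_quote(k) + " " + ("NIL" if v is None else imap_quote(v))
                     for k, v in fields)
    return "%s ID (%s)" % (tag, items)


def parse_id_params(text):
    """Server side: turn the parameter list of an ID command (or NIL) into a dict.
    Field names are lower-cased here so lookups do not depend on client casing."""
    text = text.strip()
    if text.upper() == "NIL":
        return {}
    if len(text) < 2 or text[0] != "(" or text[-1] != ")":
        raise ValueError("ID parameters must be a parenthesised list or NIL")
    tokens, pos, end = [], 1, len(text) - 1
    while pos < end:
        if text[pos] == " ":
            pos += 1
            continue
        m = _ID_TOKEN.match(text, pos)
        if not m or m.end() > end:
            raise ValueError("bad ID token at offset %d" % pos)
        tokens.append(None if m.group(2) else re.sub(r"\\(.)", r"\1", m.group(1)))
        pos = m.end()
    if len(tokens) % 2:
        raise ValueError("ID list must hold key/value pairs")
    params = {}
    for key, val in zip(tokens[0::2], tokens[1::2]):
        if key is None:
            raise ValueError("ID field name cannot be NIL")
        params[key.lower()] = val
    return params


def apply_id_forwarding(peer_ip, id_params, trusted_nets):
    """Decide which address auth policy and logging should treat as the client.
    x-originating-ip is used only when the TCP peer is inside login_trusted_networks
    (the webmail host); from anyone else it is an unverified claim and the peer
    address stands, which is what stops a client from choosing its own source IP."""
    nets = [ipaddress.ip_network(n) if isinstance(n, str) else n for n in trusted_nets]
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in net for net in nets)
    claimed = id_params.get("x-originating-ip")
    result = {"client_ip": str(peer), "trusted_peer": trusted, "claimed_ip": claimed}
    if trusted and claimed:
        try:
            result["client_ip"] = str(ipaddress.ip_address(claimed))
        except ValueError:
            pass  # garbage from a trusted proxy: keep the peer address
    return result


if __name__ == "__main__":
    # Constructed sample: webmail host 10.0.0.4 logs in on behalf of browser 203.0.113.5.
    cmd = build_id_command("a001", [("name", "roundcube"),
                                    ("x-originating-ip", "203.0.113.5"),
                                    ("x-originating-port", "51234")])
    print("C:", cmd)
    params = parse_id_params(cmd.split(" ID ", 1)[1])
    print("S:", apply_id_forwarding("10.0.0.4", params, ["10.0.0.0/8"]))
    print("S:", apply_id_forwarding("198.51.100.7", params, ["10.0.0.0/8"]))
```

The second sample call shows the failure mode that matters for the auth policy daemon: the same ID command from a host outside login_trusted_networks must leave the peer address in place, or any IMAP client could launder its brute-force attempts under someone else's address.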


Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Dominique Rousseau via mailop
Hi,

On Tue, Dec 28, 2021 at 04:55:57PM +0100, Nicolas JEAN via mailop 
[mailop@mailop.org] wrote:
(...)
> >Possibly on install, it should ask the email operator for their
> >position, and 'maybe' warning them they should indicate that occurs
> >on their terms of service.  But of course, most operators don't
> >indicate that for instance the customers real name might be exposed
> >under certain circumstances.
> 
> Still, even if I'm going to have all legalities cleared and my terms of
> service updated...
> My conclusion is that today, there's no technical way to forward
> client IPs from roundcube to dovecot/postfix.

You mean... without patching?
(you pointed to an issue on roundcube github which adds proxying of the
original IP)


As for limiting bruteforce attacks (I believe that's one of the aims),
you could also use something like this fail2ban plugin:

https://github.com/mattrude/rc-plugin-fail2ban



-- 
Dominique Rousseau 
Neuronnexion, Prestataire Internet & Intranet
6 rue des Hautes cornes - 8 Amiens
tel: 03 22 71 61 90 - fax: 03 22 71 61 99 - http://www.neuronnexion.coop


Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Nicolas JEAN via mailop

Hi Michael,

On 28/12/2021 16:17, Michael Peddemors via mailop wrote:
The problem isn't 'technical', but rather political.  There are those 
out there that believe by including the originating IP Address, you 
are exposing PPI (Private Personal Information) by including the IP 
Address.


Thanks for raising the legal issue here, it's valid and I hadn't thought 
of it.


Possibly on install, it should ask the email operator for their 
position, and 'maybe' warning them they should indicate that occurs on 
their terms of service.  But of course, most operators don't indicate 
that for instance the customers real name might be exposed under 
certain circumstances.


Still, even if I'm going to have all legalities cleared and my terms of 
service updated...
My conclusion is that today, there's no technical way to forward client 
IPs from roundcube to dovecot/postfix.


Suggest that you make a RoundCube enhancement with the packagers that 
the option be configured more easily on install.  The secondary issue, 
is to standardize how web mail would pass that information to the mail 
server, so you are not dealing with many different methods. And 
thirdly, in case of 'proxies' to the actual mailservers, how to pass 
that information through the proxy as well.


If the roundcube folks do include an option to enable this, I'll make 
sure to pass the word about possible legal implications.


I agree with you on the standardised way of course, although my focus is 
on roundcube at the moment.


Nico





Re: [mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Michael Peddemors via mailop

Hi Nicolas,

The problem isn't 'technical', but rather political.  There are those 
out there that believe by including the originating IP Address, you are 
exposing PPI (Private Personal Information) by including the IP Address.


Of course, I personally think this is baloney, as the email operator can 
simply tell customers that this information will be disclosed, as part 
of the terms of service.  By including the IP Address, you add 
transparency, security and safety to the communication.


But it should be easier and clearer for email operators to choose 
whether to include that information, on all web mail platforms.


Possibly on install, it should ask the email operator for their 
position, and 'maybe' warning them they should indicate that occurs on 
their terms of service.  But of course, most operators don't indicate 
that for instance the customers real name might be exposed under certain 
circumstances.


The world has gone far too anal in its approach to privacy, at the 
expense of security, IMHO.


For us, the security value of passing the originating IP to the Dovecot 
or SMTP layers for auth restrictions is paramount, as well as other 
details on the originating sender. (Country AUTH restrictions, OS 
Detection, and many more)


Suggest that you make a RoundCube enhancement with the packagers that 
the option be configured more easily on install.  The secondary issue, is 
to standardize how web mail would pass that information to the mail 
server, so you are not dealing with many different methods.  And 
thirdly, in case of 'proxies' to the actual mailservers, how to pass 
that information through the proxy as well.


IMHO.

On 2021-12-28 5:55 a.m., Nicolas JEAN via mailop wrote:

Hi everyone,

I'd like to gather some thoughts on the following issue.

*Problem*

By default, roundcube login attempts (imap, smtp) are forwarded to 
dovecot/postfix without the original client IP that makes the request 
(possibly true of other webmail software).


This can't benefit from IP-based policies such as dovecot's auth policy: 
dovecot/postfix are always going to see localhost, internal reverse 
proxies, or roundcube's IP address.


*Possible future solution*

There is a long-standing open issue at roundcube to add /proxy protocol/ 
support.

This would make dovecot and postfix aware of requesting client IPs.

Unfortunately, it doesn't seem like it's going to be merged soon.

*Alternative*

There is an existing roundcube plugin that adds client IPs to IMAP login 
attempts made to dovecot (which I've patched yesterday to send client IP 
on first IMAP login too).


I've also asked the roundcube community whether this would suffice; that 
is, if roundcube doesn't have an /unauthenticated/ endpoint for making 
SMTP login attempts (thus blocking IPs for IMAP could be enough).


*Ideas welcome*

Do you use webmails; if so, is this an issue for you as well?
Did you find a way to fix or work around it?
Do you feel like I'm on the right path here, or lost in a dangerous 
spacetime?


Thanks a lot in advance,
Nico







--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.


[mailop] Roundcube client IPs → dovecot, postfix

2021-12-28 Thread Nicolas JEAN via mailop

Hi everyone,

I'd like to gather some thoughts on the following issue.

*Problem*

By default, roundcube login attempts (imap, smtp) are forwarded to 
dovecot/postfix without the original client IP that makes the request 
(possibly true of other webmail software).


This can't benefit from IP-based policies such as dovecot's auth policy: 
dovecot/postfix are always going to see localhost, internal reverse 
proxies, or roundcube's IP address.


*Possible future solution*

There is a long-standing open issue at roundcube to add /proxy protocol/ 
support.

This would make dovecot and postfix aware of requesting client IPs.

Unfortunately, it doesn't seem like it's going to be merged soon.

*Alternative*

There is an existing roundcube plugin that adds client IPs to IMAP login 
attempts made to dovecot (which I've patched yesterday to send client IP 
on first IMAP login too).


I've also asked the roundcube community whether this would suffice; that 
is, if roundcube doesn't have an /unauthenticated/ endpoint for making 
SMTP login attempts (thus blocking IPs for IMAP could be enough).


*Ideas welcome*

Do you use webmails; if so, is this an issue for you as well?
Did you find a way to fix or work around it?
Do you feel like I'm on the right path here, or lost in a dangerous 
spacetime?


Thanks a lot in advance,
Nico



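The original post above notes that dovecot/postfix only ever see localhost, an internal reverse proxy or roundcube's own address, and later replies point out that Roundcube itself does know the browser's address ($_SERVER["REMOTE_ADDR"]) and could count which IPs are making how many failed logins. As an added example, not Roundcube's code, the following shows the webmail-side half of that: resolving the browser's address correctly when Roundcube sits behind reverse proxies you run (X-Forwarded-For is honoured only from those proxies, and only the hops you do not run count as the client), and tallying failed logins per resolved address. The function names, the trusted ranges and the sample events are this example's own assumptions.

```python
"""Added example (not from the thread or from Roundcube): resolving the browser's
address behind internal reverse proxies, and counting failed logins per client.
REMOTE_ADDR is the only value the web server vouches for; X-Forwarded-For is
believed only when REMOTE_ADDR is a proxy we run. Function names, trusted
ranges and the sample events are assumptions of this example."""
import ipaddress
from collections import Counter


def resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Walk X-Forwarded-For from the right (the hop our proxy appended) towards the
    left (whatever the client may have injected), skipping our own proxies; the
    first hop that is not ours is the client. A header arriving from an untrusted
    peer is ignored entirely, since that peer could have written it itself."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def ours(ip):
        return any(ip in net for net in nets)

    peer = ipaddress.ip_address(remote_addr)
    if not x_forwarded_for or not ours(peer):
        return str(peer)
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # a proxy we run forwarded garbage: fall back to the peer
        if not ours(ip):
            return str(ip)
    # Every hop was one of ours (e.g. someone logging in from the proxy host itself).
    return str(ipaddress.ip_address(hops[0]))


# Constructed sample login events as Roundcube would see them behind a 10.0.0.0/8
# reverse proxy; "ok" is the IMAP login outcome Dovecot reported back.
SAMPLE_LOGIN_EVENTS = [
    {"remote_addr": "10.0.0.2", "xff": "203.0.113.5", "ok": False},
    {"remote_addr": "10.0.0.2", "xff": "203.0.113.5", "ok": False},
    {"remote_addr": "10.0.0.2", "xff": "198.51.100.9", "ok": True},
    {"remote_addr": "10.0.0.2", "xff": "203.0.113.5", "ok": False},
    # Left-most entry was supplied by the client; our proxy appended the real address.
    {"remote_addr": "10.0.0.2", "xff": "203.0.113.99, 192.0.2.44", "ok": False},
]


def tally_failed_logins(events, trusted_proxies, resolve=True):
    """Count failed logins per client address. With resolve=False the key is
    REMOTE_ADDR, which behind a proxy collapses every user onto the proxy's
    address: the same blind spot the thread describes for Dovecot/Postfix."""
    counts = Counter()
    for ev in events:
        if ev["ok"]:
            continue
        key = (resolve_client_ip(ev["remote_addr"], ev["xff"], trusted_proxies)
               if resolve else ev["remote_addr"])
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    trusted = ["127.0.0.1/32", "10.0.0.0/8"]
    print("per client:", tally_failed_logins(SAMPLE_LOGIN_EVENTS, trusted))
    print("per REMOTE_ADDR:", tally_failed_logins(SAMPLE_LOGIN_EVENTS, trusted, resolve=False))
```

Whatever address this yields is the one worth handing onwards (to fail2ban, to an auth policy, or over IMAP ID / XFORWARD as discussed elsewhere in the thread); passing an unresolved REMOTE_ADDR or an unchecked X-Forwarded-For value down the chain just moves the blind spot one hop.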