With the world of ransomware as it is today (aka attacks seem more vicious and commonplace), anything I expose to WAN must have additional protection. I've seen a few posts to this list on it. The only thing that helped was that Dovecot supports OAuth. Through OAuth I figure I could implement MFA. However, I'd have to host my own identity server. From there, Thunderbird supports OAuth so that should work.

Since this is getting increasingly complicated, I wanted to ask before going further. What do you all do? Any recommendations?

* Tyler Montney:
> Since this is getting increasingly complicated, I wanted to ask before
> going further. What do you all do? Any recommendations?

Use strong (as in long and/or randomised and impossible to break using rainbow table attacks) passwords which are used only once (!) and kept either in the user's brain or in an encrypted password store. Ensure that authentication data can only be transmitted over encrypted connections.

These measures cover a lot of ground, if the users are sufficiently disciplined. Users are usually the weakest link.

-Ralph

> On 13 Nov 2021, at 22:17, Tyler Montney <montneytyler at gmail.com> wrote:
>
> With the world of ransomware as it is today (aka attacks seem more vicious and commonplace), anything I expose to WAN must have additional protection. I've seen a few posts to this list on it. The only thing that helped was that Dovecot supports OAuth. Through OAuth I figure I could implement MFA. However, I'd have to host my own identity server. From there, Thunderbird supports OAuth so that should work.
>
> Since this is getting increasingly complicated, I wanted to ask before going further. What do you all do? Any recommendations?

If I remember correctly, Dovecot is able to do IP whitelisting in the userdb or passdb. That way, you don't have to close your mail ports, but you can add an additional layer of protection with an IP whitelist per mailbox.

On 2021-11-13 22:16, Tyler Montney wrote:
> Since this is getting increasingly complicated, I wanted to ask before
> going further. What do you all do? Any recommendations?

in the end we all know how to play ludo

passwords are hard to guess if it's an odd number of chars, and randomly selected chars filled with 6 digest as must

please confirm your mobile phone numbers is already :)

worst case is when sites don't allow more than 12 chars as the password, hmm

don't share how many chars used could be part of the game

if password used can be divided by 7 will it be an even or odd number?

it's still Sunday here

I will throw in a few interesting projects which have kept my small servers safe:

*) firehol.org
*) crowdsec.net
*) www.fail2ban.org

Have a look at those interesting projects!

On 13.11.21 22:16, Tyler Montney wrote:
> With the world of ransomware as it is today (aka attacks seem more
> vicious and commonplace), anything I expose to WAN must have
> additional protection. I've seen a few posts to this list on it. The
> only thing that helped was that Dovecot supports OAuth. Through OAuth
> I figure I could implement MFA. However, I'd have to host my own
> identity server. From there, Thunderbird supports OAuth so that should
> work.
>
> Since this is getting increasingly complicated, I wanted to ask before
> going further. What do you all do? Any recommendations?

On 13/11/2021 23:16, Tyler Montney wrote:
> With the world of ransomware as it is today (aka attacks seem more
> vicious and commonplace), anything I expose to WAN must have additional
> protection. I've seen a few posts to this list on it. The only thing
> that helped was that Dovecot supports OAuth. Through OAuth I figure I
> could implement MFA. However, I'd have to host my own identity server.
> From there, Thunderbird supports OAuth so that should work.
>
> Since this is getting increasingly complicated, I wanted to ask before
> going further. What do you all do? Any recommendations?

May also consider blacklisting, or even better, whitelisting country IPs.

A whitelist firewall, if you only have to deal with a certain country for example, will also work extremely well, and it is quite easy to maintain and update as well as simple and fast and very effective.

And if you sporadically need to use it outside your whitelist, VPN works great.