dovecot - Oct 2020 - Looking for a guide to collect all e-mail from the ISP mail server

>>"Never use a  browser for email."
I don't agree.
In fact, using a browser for email or atleast initial setup, is actually more
secure. This because SMTP/IMAP clients normally don't support 2FA, so you
would have to "hack" a solution to enable 2FA for email.

This can be made in 2 ways: Either, you have a full fledged email setup. Whats
important, is, to prevent auth-bypass holes, you remove the authentication in
RoundCube or whatever webmail you use, and instead use a reverse-proxy or
firewall authentication instead. Thus an unauthenticated user doesn't even
touch RoundCube/webmail at all, but must authenticate at a prior stage.

The second way, is to not have webmail at all, but instead have a authentication
gateway in browser, where you must auth with 2FA and captcha. The only purpose
of this gateway, is to authenticate users with 2FA before their IP is
whitelisted.

After this, you simply have a script, that upon valid login (with 2FA) in either
webmail or auth gateway, you set the authorized IP of the user to this. Whats
happen then, is that each account will have an authorized IP attached (you could
limit it to the /24 to cater for mobile clients), and then login to that
account, will only be accepted from that authorized IP.

This then allows SMTP/IMAP usage from that IP.
If you want to go even more secure, you could restrict the firewall to the list
of all IPs that all users have dynamically, and then in the SMTP/IMAP server,
lock down auth to the authorized IP of that particular user account only.

Its very important, that upon authing with a incorrect IP, that the server
responds in the same way as a invalid password was specified, in this way, if
someone attempts to bruteforce the password, they will "miss" the
correct password, if the server does not react differently to a correct password
but invalid IP. Thus bots that bruteforce will not gain any success.


All this can be combined with permanent whitelists and geoIP whitelists, to
avoid users having to authenticate with 2FA for "trusted" locations.
One example would be to have the local office as permanent whitelist, and also
have it that any IP in the user's "home country" is permanently
whitelisted for his account once the user authenticates with 2FA.

Other IPs outside his home country, is then only whitelisted once, next 2FA
login, the old whitelist is simply deleted.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5715 bytes
Desc: S/MIME Cryptographic Signature
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20201026/7d072cef/attachment.p7s>

Good luck with all that coding. I have four years now of running my own email
server. Zero hacks. I keep the attack surface to a minimum. Less is more.

One thing you don't want to do is write your own code. This stuff is always
way harder than you think. Worse yet you run alpha generation code because you
are the only one using it. All software has bugs. What you need is a mass of
users flogging the code and finding the bugs.

Now if you do use a browser, you have to deal with leaks, bugs, possible process
interaction if more than one tab is open, and possibly browser extensions hacks
if extensions are used.

Count me out. 

And did you miss the part where I was hacked via RoundCube? 






	? Original Message ?	


From: sebastian at sebbe.eu
Sent: October 25, 2020 9:47 PM
To: dovecot at dovecot.org
Reply-to: dovecot at dovecot.org
Subject: SV: Looking for a guide to collect all e-mail from the ISP mail server

>>"Never use a? browser for email."
I don't agree.
In fact, using a browser for email or atleast initial setup, is actually more
secure. This because SMTP/IMAP clients normally don't support 2FA, so you
would have to "hack" a solution to enable 2FA for email.

This can be made in 2 ways: Either, you have a full fledged email setup. Whats
important, is, to prevent auth-bypass holes, you remove the authentication in
RoundCube or whatever webmail you use, and instead use a reverse-proxy or
firewall authentication instead. Thus an unauthenticated user doesn't even
touch RoundCube/webmail at all, but must authenticate at a prior stage.

The second way, is to not have webmail at all, but instead have a authentication
gateway in browser, where you must auth with 2FA and captcha. The only purpose
of this gateway, is to authenticate users with 2FA before their IP is
whitelisted.

After this, you simply have a script, that upon valid login (with 2FA) in either
webmail or auth gateway, you set the authorized IP of the user to this. Whats
happen then, is that each account will have an authorized IP attached (you could
limit it to the /24 to cater for mobile clients), and then login to that
account, will only be accepted from that authorized IP.

This then allows SMTP/IMAP usage from that IP.
If you want to go even more secure, you could restrict the firewall to the list
of all IPs that all users have dynamically, and then in the SMTP/IMAP server,
lock down auth to the authorized IP of that particular user account only.

Its very important, that upon authing with a incorrect IP, that the server
responds in the same way as a invalid password was specified, in this way, if
someone attempts to bruteforce the password, they will "miss" the
correct password, if the server does not react differently to a correct password
but invalid IP. Thus bots that bruteforce will not gain any success.


All this can be combined with permanent whitelists and geoIP whitelists, to
avoid users having to authenticate with 2FA for "trusted" locations.
One example would be to have the local office as permanent whitelist, and also
have it that any IP in the user's "home country" is permanently
whitelisted for his account once the user authenticates with 2FA.

Other IPs outside his home country, is then only whitelisted once, next 2FA
login, the old whitelist is simply deleted.

Amen to that!

-----Original Message-----
From: lists [mailto:lists at lazygranch.com] 
Sent: Monday, October 26, 2020 7:09 AM
To: Dovecot Mailing List
Subject: Re: SV: Looking for a guide to collect all e-mail from the ISP 
mail server

Good luck with all that coding. I have four years now of running my own 
email server. Zero hacks. I keep the attack surface to a minimum. Less 
is more. 

One thing you don't want to do is write your own code. This stuff is 
always way harder than you think. Worse yet you run alpha generation 
code because you are the only one using it. All software has bugs. What 
you need is a mass of users flogging the code and finding the bugs. 

Now if you do use a browser, you have to deal with leaks, bugs, possible 
process interaction if more than one tab is open, and possibly browser 
extensions hacks if extensions are used. 

Count me out. 

And did you miss the part where I was hacked via RoundCube?

On 25 Oct 2020, at 22:47, Sebastian Nielsen <sebastian at sebbe.eu>
wrote:
> The second way, is to not have webmail at all, but instead have a
authentication gateway in browser, where you must auth with 2FA and captcha. The
only purpose of this gateway, is to authenticate users with 2FA before their IP
is whitelisted.
I mostly agree with the sentiments in your email, but whitelsiting IP addresses
is a HORRIBLE idea and a massive gaping security hole and using a captcha is
only slightly less horrible and user-hostile. If you are using 2FA there is
absolutely no reason to use a captcha.

A 2FA gateway that reverse proxies the webmail is quite good, but enforcing good
passwords and using TLS is good enough for nearly all use cases.

(I recently upped the minimum password length from 12 characters)

-- 
Ah we're lonely, we're romantic / and the cider's laced with acid /
	and the Holy Spirit's crying, Where's the beef? / And the moon is
	swimming naked / and the summer night is fragrant / with a mighty
	expectation of relief

1: I meant like this:

Without whitelisting, you can't login to SMTP or IMAP, password isn't
valid
at all.

To enable SMTP and IMAP, you then either surf ro webmail, or the 2FA
gateway, and login with:
Username + password + 2FA code + captcha.

When all is valid, then your IP is whitelisted for SMTP and IMAP access.
This still means you have to use usename/password for SMTP/IMAP.

So how would this be a security hole?
Instead of using only username+password for SMTP/IMAP?
The whitelisting procedure ADDS to the security. The baseline security with
username+password is already there, but now you ALSO need a whitelisted IP
to even get a chance to authenticate.

Kind of stupid that there doesn't exist some common standard for 2FA that
works in email clients. Some clients do support TLS client certificates, and
some clients do support certain "extensions" for 2FA auth. But only
common
supported in all clients is password auth without 2FA, which is pretty
insecure.

Outlook have solved 2FA auth with a webview that uses OAUTH to create a
authentication token, for use with SMTP/IMAP using some proprietary
extension with gmail and hotmail.
But that webview is not something you can trigger from a third party
service.

Captcha is there to prevent bruteforcing. If a valid captcha is submitted
along with a 2FA code, you could lock out the account for 1 minute for each
invalid attempt.
If a invalid captcha is submitted, you ignore the request  completely.
This then prevents a attacker from flooding the server with invalid auth
requests for the sole purpose of keeping a user locked out. (Account Lockout
DDoS attack)


I had problems with my mail password getting hacked all the time. The
instant I added IP whitelist to my system and blocked all non-approved IPs
from authenticating at all (so you must have username + password + correct
IP to gain access) - then all hacking of my passwords have stopped. IP
lockout was the solution to my problems.


2: The idea with the reverse-proxy gateway, is only to prevent auth-bypass
or non-authenticated security holes. If you have a web service that has a
suspected vulnerability that could be used without authenticating, or could
be used to bypass authentication, then you put a reverse proxy in front. The
reverse proxy does the authentication, and only forwards requests belongning
to authenticated users.
Even if the webservice behind, has a auth-bypass hole, it cannot be
exploited, as the reverse proxy is behind the service, and non-authenticated
users cannot even touch the webservice at all.


-----Ursprungligt meddelande-----
Fr?n: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> F?r
@lbutlr
Skickat: den 27 oktober 2020 15:57
Till: dovecot mailing list <dovecot at dovecot.org>
?mne: Re: Looking for a guide to collect all e-mail from the ISP mail server

On 25 Oct 2020, at 22:47, Sebastian Nielsen <sebastian at sebbe.eu>
wrote:
> The second way, is to not have webmail at all, but instead have a
authentication gateway in browser, where you must auth with 2FA and captcha.
The only purpose of this gateway, is to authenticate users with 2FA before
their IP is whitelisted.

I mostly agree with the sentiments in your email, but whitelsiting IP
addresses is a HORRIBLE idea and a massive gaping security hole and using a
captcha is only slightly less horrible and user-hostile. If you are using
2FA there is absolutely no reason to use a captcha.

A 2FA gateway that reverse proxies the webmail is quite good, but enforcing
good passwords and using TLS is good enough for nearly all use cases.

(I recently upped the minimum password length from 12 characters)

-- 
Ah we're lonely, we're romantic / and the cider's laced with acid /
	and the Holy Spirit's crying, Where's the beef? / And the moon is
	swimming naked / and the summer night is fragrant / with a mighty
	expectation of relief


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5715 bytes
Desc: S/MIME Cryptographic Signature
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20201027/0599b1e6/attachment-0001.p7s>