Sebastian Nielsen
2020-Oct-26 04:47 UTC
SV: Looking for a guide to collect all e-mail from the ISP mail server
>>"Never use a browser for email."I don't agree. In fact, using a browser for email or atleast initial setup, is actually more secure. This because SMTP/IMAP clients normally don't support 2FA, so you would have to "hack" a solution to enable 2FA for email. This can be made in 2 ways: Either, you have a full fledged email setup. Whats important, is, to prevent auth-bypass holes, you remove the authentication in RoundCube or whatever webmail you use, and instead use a reverse-proxy or firewall authentication instead. Thus an unauthenticated user doesn't even touch RoundCube/webmail at all, but must authenticate at a prior stage. The second way, is to not have webmail at all, but instead have a authentication gateway in browser, where you must auth with 2FA and captcha. The only purpose of this gateway, is to authenticate users with 2FA before their IP is whitelisted. After this, you simply have a script, that upon valid login (with 2FA) in either webmail or auth gateway, you set the authorized IP of the user to this. Whats happen then, is that each account will have an authorized IP attached (you could limit it to the /24 to cater for mobile clients), and then login to that account, will only be accepted from that authorized IP. This then allows SMTP/IMAP usage from that IP. If you want to go even more secure, you could restrict the firewall to the list of all IPs that all users have dynamically, and then in the SMTP/IMAP server, lock down auth to the authorized IP of that particular user account only. Its very important, that upon authing with a incorrect IP, that the server responds in the same way as a invalid password was specified, in this way, if someone attempts to bruteforce the password, they will "miss" the correct password, if the server does not react differently to a correct password but invalid IP. Thus bots that bruteforce will not gain any success. All this can be combined with permanent whitelists and geoIP whitelists, to avoid users having to authenticate with 2FA for "trusted" locations. One example would be to have the local office as permanent whitelist, and also have it that any IP in the user's "home country" is permanently whitelisted for his account once the user authenticates with 2FA. Other IPs outside his home country, is then only whitelisted once, next 2FA login, the old whitelist is simply deleted. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5715 bytes Desc: S/MIME Cryptographic Signature URL: <https://dovecot.org/pipermail/dovecot/attachments/20201026/7d072cef/attachment.p7s>
lists
2020-Oct-26 06:08 UTC
SV: Looking for a guide to collect all e-mail from the ISP mail server
Good luck with all that coding. I have four years now of running my own email server. Zero hacks. I keep the attack surface to a minimum. Less is more. One thing you don't want to do is write your own code. This stuff is always way harder than you think. Worse yet you run alpha generation code because you are the only one using it. All software has bugs. What you need is a mass of users flogging the code and finding the bugs. Now if you do use a browser, you have to deal with leaks, bugs, possible process interaction if more than one tab is open, and possibly browser extensions hacks if extensions are used. Count me out. And did you miss the part where I was hacked via RoundCube? ? Original Message ? From: sebastian at sebbe.eu Sent: October 25, 2020 9:47 PM To: dovecot at dovecot.org Reply-to: dovecot at dovecot.org Subject: SV: Looking for a guide to collect all e-mail from the ISP mail server>>"Never use a? browser for email."I don't agree. In fact, using a browser for email or atleast initial setup, is actually more secure. This because SMTP/IMAP clients normally don't support 2FA, so you would have to "hack" a solution to enable 2FA for email. This can be made in 2 ways: Either, you have a full fledged email setup. Whats important, is, to prevent auth-bypass holes, you remove the authentication in RoundCube or whatever webmail you use, and instead use a reverse-proxy or firewall authentication instead. Thus an unauthenticated user doesn't even touch RoundCube/webmail at all, but must authenticate at a prior stage. The second way, is to not have webmail at all, but instead have a authentication gateway in browser, where you must auth with 2FA and captcha. The only purpose of this gateway, is to authenticate users with 2FA before their IP is whitelisted. After this, you simply have a script, that upon valid login (with 2FA) in either webmail or auth gateway, you set the authorized IP of the user to this. Whats happen then, is that each account will have an authorized IP attached (you could limit it to the /24 to cater for mobile clients), and then login to that account, will only be accepted from that authorized IP. This then allows SMTP/IMAP usage from that IP. If you want to go even more secure, you could restrict the firewall to the list of all IPs that all users have dynamically, and then in the SMTP/IMAP server, lock down auth to the authorized IP of that particular user account only. Its very important, that upon authing with a incorrect IP, that the server responds in the same way as a invalid password was specified, in this way, if someone attempts to bruteforce the password, they will "miss" the correct password, if the server does not react differently to a correct password but invalid IP. Thus bots that bruteforce will not gain any success. All this can be combined with permanent whitelists and geoIP whitelists, to avoid users having to authenticate with 2FA for "trusted" locations. One example would be to have the local office as permanent whitelist, and also have it that any IP in the user's "home country" is permanently whitelisted for his account once the user authenticates with 2FA. Other IPs outside his home country, is then only whitelisted once, next 2FA login, the old whitelist is simply deleted.
Marc Roos
2020-Oct-26 08:04 UTC
SV: Looking for a guide to collect all e-mail from the ISP mail server
Amen to that! -----Original Message----- From: lists [mailto:lists at lazygranch.com] Sent: Monday, October 26, 2020 7:09 AM To: Dovecot Mailing List Subject: Re: SV: Looking for a guide to collect all e-mail from the ISP mail server Good luck with all that coding. I have four years now of running my own email server. Zero hacks. I keep the attack surface to a minimum. Less is more. One thing you don't want to do is write your own code. This stuff is always way harder than you think. Worse yet you run alpha generation code because you are the only one using it. All software has bugs. What you need is a mass of users flogging the code and finding the bugs. Now if you do use a browser, you have to deal with leaks, bugs, possible process interaction if more than one tab is open, and possibly browser extensions hacks if extensions are used. Count me out. And did you miss the part where I was hacked via RoundCube?
@lbutlr
2020-Oct-27 14:56 UTC
Looking for a guide to collect all e-mail from the ISP mail server
On 25 Oct 2020, at 22:47, Sebastian Nielsen <sebastian at sebbe.eu> wrote:> The second way, is to not have webmail at all, but instead have a authentication gateway in browser, where you must auth with 2FA and captcha. The only purpose of this gateway, is to authenticate users with 2FA before their IP is whitelisted.I mostly agree with the sentiments in your email, but whitelsiting IP addresses is a HORRIBLE idea and a massive gaping security hole and using a captcha is only slightly less horrible and user-hostile. If you are using 2FA there is absolutely no reason to use a captcha. A 2FA gateway that reverse proxies the webmail is quite good, but enforcing good passwords and using TLS is good enough for nearly all use cases. (I recently upped the minimum password length from 12 characters) -- Ah we're lonely, we're romantic / and the cider's laced with acid / and the Holy Spirit's crying, Where's the beef? / And the moon is swimming naked / and the summer night is fragrant / with a mighty expectation of relief
Sebastian Nielsen
2020-Oct-27 15:16 UTC
SV: Looking for a guide to collect all e-mail from the ISP mail server
1: I meant like this: Without whitelisting, you can't login to SMTP or IMAP, password isn't valid at all. To enable SMTP and IMAP, you then either surf ro webmail, or the 2FA gateway, and login with: Username + password + 2FA code + captcha. When all is valid, then your IP is whitelisted for SMTP and IMAP access. This still means you have to use usename/password for SMTP/IMAP. So how would this be a security hole? Instead of using only username+password for SMTP/IMAP? The whitelisting procedure ADDS to the security. The baseline security with username+password is already there, but now you ALSO need a whitelisted IP to even get a chance to authenticate. Kind of stupid that there doesn't exist some common standard for 2FA that works in email clients. Some clients do support TLS client certificates, and some clients do support certain "extensions" for 2FA auth. But only common supported in all clients is password auth without 2FA, which is pretty insecure. Outlook have solved 2FA auth with a webview that uses OAUTH to create a authentication token, for use with SMTP/IMAP using some proprietary extension with gmail and hotmail. But that webview is not something you can trigger from a third party service. Captcha is there to prevent bruteforcing. If a valid captcha is submitted along with a 2FA code, you could lock out the account for 1 minute for each invalid attempt. If a invalid captcha is submitted, you ignore the request completely. This then prevents a attacker from flooding the server with invalid auth requests for the sole purpose of keeping a user locked out. (Account Lockout DDoS attack) I had problems with my mail password getting hacked all the time. The instant I added IP whitelist to my system and blocked all non-approved IPs from authenticating at all (so you must have username + password + correct IP to gain access) - then all hacking of my passwords have stopped. IP lockout was the solution to my problems. 2: The idea with the reverse-proxy gateway, is only to prevent auth-bypass or non-authenticated security holes. If you have a web service that has a suspected vulnerability that could be used without authenticating, or could be used to bypass authentication, then you put a reverse proxy in front. The reverse proxy does the authentication, and only forwards requests belongning to authenticated users. Even if the webservice behind, has a auth-bypass hole, it cannot be exploited, as the reverse proxy is behind the service, and non-authenticated users cannot even touch the webservice at all. -----Ursprungligt meddelande----- Fr?n: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> F?r @lbutlr Skickat: den 27 oktober 2020 15:57 Till: dovecot mailing list <dovecot at dovecot.org> ?mne: Re: Looking for a guide to collect all e-mail from the ISP mail server On 25 Oct 2020, at 22:47, Sebastian Nielsen <sebastian at sebbe.eu> wrote:> The second way, is to not have webmail at all, but instead have aauthentication gateway in browser, where you must auth with 2FA and captcha. The only purpose of this gateway, is to authenticate users with 2FA before their IP is whitelisted. I mostly agree with the sentiments in your email, but whitelsiting IP addresses is a HORRIBLE idea and a massive gaping security hole and using a captcha is only slightly less horrible and user-hostile. If you are using 2FA there is absolutely no reason to use a captcha. A 2FA gateway that reverse proxies the webmail is quite good, but enforcing good passwords and using TLS is good enough for nearly all use cases. (I recently upped the minimum password length from 12 characters) -- Ah we're lonely, we're romantic / and the cider's laced with acid / and the Holy Spirit's crying, Where's the beef? / And the moon is swimming naked / and the summer night is fragrant / with a mighty expectation of relief -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5715 bytes Desc: S/MIME Cryptographic Signature URL: <https://dovecot.org/pipermail/dovecot/attachments/20201027/0599b1e6/attachment-0001.p7s>
Seemingly Similar Threads
- SV: Looking for a guide to collect all e-mail from the ISP mail server
- SV: Looking for a guide to collect all e-mail from the ISP mail server
- SV: Looking for a guide to collect all e-mail from the ISP mail server
- SV: SV: Looking for a guide to collect all e-mail from the ISP mail server
- DKIM fail if WHM adds Message-ID, should be Message-Id