Most such functions would need to be custom. You need to write a custom login script, which also accepts the user's IP as input to a function, which then checks if password is right. And then it returns that password is invalid if IP isn't approved. Then you just need to write some custom functions in roundcube or similiar to have the webmail insert the IP into a database. Or just match it against a GeoIP database and save the latest country the webmail was logged in from, and then SMTP/IMAP is only approved for that country. That reduces the attack surface greatly. -----Ursprungligt meddelande----- Fr?n: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> F?r White, Daniel E. (GSFC-770.0)[NICS] Skickat: den 15 juli 2021 12:21 Till: Dovecot Mailing List <dovecot at dovecot.org> ?mne: function for whitelisting IPs Sebastian, Do you have any examples of such a function and how/where it is used ? ?-----Original Message----- From: dovecot <dovecot-bounces at dovecot.org> on behalf of Sebastian <sebastian at sebbe.eu> Reply-To: Dovecot Mailing List <dovecot at dovecot.org> Date: Thursday, July 15, 2021 at 01:19 To: 'Mailing List' <dovecot at dovecot.org> Subject: [EXTERNAL] Sv: 2FA/MFA with IMAP & postfix/submission Main problem is that not many clients do natively support multifactor. Some clients, do popup a login dialog if the server rejects the password as invalid, which can be used to create a "cheaty variant" of multifactor, but some clients just popup an error dialog and tell the user to just correct password in settings. Some clients even go as long as requiring the user to delete the account with wrong password and set up a new connection. So no, it cannot be relied upon. I have a better idea: Have a function for whitelisting IPs, possible /24's or similiar, where a login to roundcube or other webmail client (with 2FA) will add the IP onto a whitelist for that account. Or perhaps, just "set" the country of the account based on GeoIP. When an account tries to login via IMAP or SMTP, you just check if IP and/or GeoIP country is right, and reject the login as invalid if so not. The only thing a client needs to do to get his IMAP or SMTP client to work again if it stops working, is to login once via the web client. -----Ursprungligt meddelande----- Fr?n: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> F?r Alex Skickat: den 15 juli 2021 02:10 Till: dovecot at dovecot.org ?mne: 2FA/MFA with IMAP & postfix/submission Hi, I have a dovecot-2.3.13 system on fedora34 with a few hundred IMAP4 accounts, as well as postfix users using submission. Clients are using primarily Outlook on Windows and old squirrelmail. Are there multi-factor options available? If it is not available, do you have any recommendations on where I should look to do this? All of the links related to this topic appear to be very old, or limited to Linux PAM users. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5715 bytes Desc: S/MIME Cryptographic Signature URL: <https://dovecot.org/pipermail/dovecot/attachments/20210715/ecebc90d/attachment.p7s>
White, Daniel E. (GSFC-770.0)[NICS]
2021-Jul-15 11:05 UTC
[EXTERNAL] Sv: function for whitelisting IPs
The custom login script -- in Dovecot or Roundcube or ? ? Is there any documentation for such scripting ? ?-----Original Message----- From: dovecot <dovecot-bounces at dovecot.org> on behalf of Sebastian <sebastian at sebbe.eu> Reply-To: Dovecot Mailing List <dovecot at dovecot.org> Date: Thursday, July 15, 2021 at 06:56 To: 'Mailing List' <dovecot at dovecot.org> Subject: [EXTERNAL] Sv: function for whitelisting IPs Most such functions would need to be custom. You need to write a custom login script, which also accepts the user's IP as input to a function, which then checks if password is right. And then it returns that password is invalid if IP isn't approved. Then you just need to write some custom functions in roundcube or similiar to have the webmail insert the IP into a database. Or just match it against a GeoIP database and save the latest country the webmail was logged in from, and then SMTP/IMAP is only approved for that country. That reduces the attack surface greatly. -----Ursprungligt meddelande----- Fr?n: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> F?r White, Daniel E. (GSFC-770.0)[NICS] Skickat: den 15 juli 2021 12:21 Till: Dovecot Mailing List <dovecot at dovecot.org> ?mne: function for whitelisting IPs Sebastian, Do you have any examples of such a function and how/where it is used ? ?-----Original Message----- From: dovecot <dovecot-bounces at dovecot.org> on behalf of Sebastian <sebastian at sebbe.eu> Reply-To: Dovecot Mailing List <dovecot at dovecot.org> Date: Thursday, July 15, 2021 at 01:19 To: 'Mailing List' <dovecot at dovecot.org> Subject: [EXTERNAL] Sv: 2FA/MFA with IMAP & postfix/submission Main problem is that not many clients do natively support multifactor. Some clients, do popup a login dialog if the server rejects the password as invalid, which can be used to create a "cheaty variant" of multifactor, but some clients just popup an error dialog and tell the user to just correct password in settings. Some clients even go as long as requiring the user to delete the account with wrong password and set up a new connection. So no, it cannot be relied upon. I have a better idea: Have a function for whitelisting IPs, possible /24's or similiar, where a login to roundcube or other webmail client (with 2FA) will add the IP onto a whitelist for that account. Or perhaps, just "set" the country of the account based on GeoIP. When an account tries to login via IMAP or SMTP, you just check if IP and/or GeoIP country is right, and reject the login as invalid if so not. The only thing a client needs to do to get his IMAP or SMTP client to work again if it stops working, is to login once via the web client. -----Ursprungligt meddelande----- Fr?n: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> F?r Alex Skickat: den 15 juli 2021 02:10 Till: dovecot at dovecot.org ?mne: 2FA/MFA with IMAP & postfix/submission Hi, I have a dovecot-2.3.13 system on fedora34 with a few hundred IMAP4 accounts, as well as postfix users using submission. Clients are using primarily Outlook on Windows and old squirrelmail. Are there multi-factor options available? If it is not available, do you have any recommendations on where I should look to do this? All of the links related to this topic appear to be very old, or limited to Linux PAM users.
I run a personal email server. I can't emphasize enough how geofencing has reduced the useless hacking on my email server. I only leave port 25 open to the world. I use port 587. I maintain a list of hosting companies that I block from using my web server since they are just going to scrape anyway. I also keep that IP space off of my email other than port 25. Firewalls use memory but tend to be very light on the CPU other than when you first start up the firewall. I assume they take the deny list and create a table in RAM to efficiently block IPs. I have found that dynamic IP blocking programs such as sshguard or fail2ban are a CPU burden since that table needs to be refreshed as new IPs are added or removed so I have stopped using them. Not that the programs themselves are CPU intensive, but they cause the firewall to be CPU intensive. I am considering using sshguard again but with a very high threshold to add an IP to the deny list. Regarding attempts to add 2FA by using RoundCube or similar web based email, I think those programs just increase the attack surface. When I used a hosting service I was hacked by an unpatched exploit in RoundCube. ? Original Message ? From: sebastian at sebbe.eu Sent: July 15, 2021 3:55 AM To: dovecot at dovecot.org Reply-to: dovecot at dovecot.org Subject: Sv: function for whitelisting IPs Most such functions would need to be custom. You need to write a custom login script, which also accepts the user's IP as input to a function, which then checks if password is right. And then it returns that password is invalid if IP isn't approved. Then you just need to write some custom functions in roundcube or similiar to have the webmail insert the IP into a database. Or just match it against a GeoIP database and save the latest country the webmail was logged in from, and then SMTP/IMAP is only approved for that country. That reduces the attack surface greatly. -----Ursprungligt meddelande----- Fr?n: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> F?r White, Daniel E. (GSFC-770.0)[NICS] Skickat: den 15 juli 2021 12:21 Till: Dovecot Mailing List <dovecot at dovecot.org> ?mne: function for whitelisting IPs Sebastian, Do you have any examples of such a function and how/where it is used ? ?-----Original Message----- From: dovecot <dovecot-bounces at dovecot.org> on behalf of Sebastian <sebastian at sebbe.eu> Reply-To: Dovecot Mailing List <dovecot at dovecot.org> Date: Thursday, July 15, 2021 at 01:19 To: 'Mailing List' <dovecot at dovecot.org> Subject: [EXTERNAL] Sv: 2FA/MFA with IMAP & postfix/submission ??? Main problem is that not many clients do natively support multifactor. ??? Some clients, do popup a login dialog if the server rejects the password as invalid, which can be used to create a "cheaty variant" of multifactor, but some clients just popup an error dialog and tell the user to just correct password in settings. ??? Some clients even go as long as requiring the user to delete the account with wrong password and set up a new connection. ??? So no, it cannot be relied upon. ??? I have a better idea: ??? Have a function for whitelisting IPs, possible /24's or similiar, where a login to roundcube or other webmail client (with 2FA) will add the IP onto a whitelist for that account. ??? Or perhaps, just "set" the country of the account based on GeoIP. ??? When an account tries to login via IMAP or SMTP, you just check if IP and/or GeoIP country is right, and reject the login as invalid if so not. ??? The only thing a client needs to do to get his IMAP or SMTP client to work again if it stops working, is to login once via the web client. ??? -----Ursprungligt meddelande----- ??? Fr?n: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> F?r Alex ??? Skickat: den 15 juli 2021 02:10 ??? Till: dovecot at dovecot.org ??? ?mne: 2FA/MFA with IMAP & postfix/submission ??? Hi, I have a dovecot-2.3.13 system on fedora34 with a few hundred ??? IMAP4 accounts, as well as postfix users using submission. Clients are ??? using primarily Outlook on Windows and old squirrelmail. ??? Are there multi-factor options available? ??? If it is not available, do you have any recommendations on where I ??? should look to do this? ??? All of the links related to this topic appear to be very old, or ??? limited to Linux PAM users.