Re: [exim] Spam though my server

Author: Mark Elkins
Date:  
To: exim-users
Subject: Re: [exim] Spam though my server
Those customers with machines bolted to desks usually use the mail
server of their Internet supplier - via port 25 and with no authentication.

The main reason I have a Port 587 server with authentication is because
I appear to have a large portion of nomadic users. Some customers seem
to be very well travelled, going to places like China, USA and Europe
including Russia. GeoBlocking would be a bad idea.

I have a small operation by European standards: I run just over 1500
domains. A few are quite large with hundreds of users, others have 10 or so
mail accounts. Only a few have SPF records - as and when all users from
that domain use my port 587 relay mail server.

On 2019/02/19 21:28, Sebastian Nielsen via Exim-users wrote:
> The idea is not to build a 100% foolproof solution.
> The idea is to limit the attack surface.
>
> Let's say you have 3 users with really crappy passwords:
>
> Username    | Password    | First login
> Postmaster  | retsamtsoP  | USA
> GoodUser    | Password123 | Germany
> AnotherUser | qwertyuiop  | Denmark
>
> Now let's say you implement my suggestion. A bot from China or Russia will
> never be able to crack those accounts, because the GeoIP will fail the
> authentication, so even with the correct username/password those accounts will
> still say failed.
> Even if they do a long shot and use a Tor node or VPN from the USA, they will
> still only have a chance against the Postmaster account, nothing else.
>
> So you greatly limit the attack surface, since the attacker must "be" in the
> same region as the attacked account to even have a chance to succeed.
>
> That there are some false positives doesn't matter, because those people must
> still have the real account name and password to succeed, and they must know
> which accounts are really geoIP'd to that country.
>
> If all users are in the same country, you simply geoIP in the firewall, and
> then the port 587 will be closed and invisible for every hosts except from
> the right country, so bots that are scanning large IP series will just skip
> over your server.
>
>
> -----Original message-----
> From: Exim-users <exim-users-bounces+sebastian=sebbe.eu@???> On behalf of Niels
> Dettenbach via Exim-users
> Sent: 19 February 2019 20:00
> To: exim-users@???; Sebastian Nielsen <sebastian@???>
> Cc: 'Odhiambo Washington' <odhiambo@???>
> Subject: Re: [exim] Spam though my server
>
> On Tuesday, 19 February 2019, 15:57:07 CET, Sebastian Nielsen via
> Exim-users wrote:
>> Most better firewalls do have a built-in country/GeoIP database, if not,
>> you can easily add one.
> GeoIP is far from "reliable" for any SMTP/MTA, as there is no geolocation of
> an IP address. It offers only a "probably in this country" info in the
> context of an IP address (user). This means the amount of false positives in
> practice is significant, except if users come from "known" AS networks or RIR
> assignments / route info. So this may (!) help/work in small and/or very
> defined network topologies.
>
> I know the situation in Germany is a bit different, as the internet topology
> / "market" is very "centralized" here, but even in Germany many less known IP
> access products / services available get "geo-resolved" over other (usually
> western) countries / regions by GeoIP (even the commercial version).
>
> I know from many African and Asian mail providers who use "US", "European"
> or "Canadian" IPs for their service to get around "problems" with such
> geo-blocking solutions.
>
> Proper geolocation of IPs is a "science by itself", but still far from
> reliable. Many brute force attack attempts against our Exim systems
> (Germany+Luxembourg) are currently coming from France and Germany today.
>
> For smaller systems, solutions like fail2ban could help "far":
> https://www.fail2ban.org/wiki/index.php/Exim
>
> But even here: be aware of possible "bad cases" where e.g. larger NAT
> networks "use" the service and "sloppy" user clients generate false
> positives.
>
> Besides Exim functionality (see Exim DOS prevention - incl. the resource
> "reserve" subsystem), firewall rules to slow down "too much" of newly
> initiated sessions within a time window could help. But brute force attacks
> are normal / usual on larger SMTP services today - important is to make it
> difficult to prevent any success of such attacks (even distributed ones) and
> "DOS effects" of them and similar attacks.
>
>
> good luck,
>
>
> niels.
>
>
>

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje@???       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
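The two mechanisms argued over in this thread, an account bound to the country of its first login (so a correct password from the wrong region still gets a generic 535) and fail2ban-style counting of failed AUTH lines with an ignore list for large NAT ranges, as an added example that is not Exim code and not code from any of the posters. Everything in it is constructed: the prefix-to-country table stands in for a GeoIP database (a real deployment would query one, e.g. from an Exim authenticator's `server_condition`), the accounts reuse the three throwaway credentials from the quoted message, and the log lines imitate Exim's "authenticator failed" mainlog format rather than being real server logs.

```python
import hashlib
import hmac
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for a GeoIP database. Prefixes are documentation
# ranges (RFC 5737 / RFC 3849); the country labels are invented.
GEOIP = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
    (ipaddress.ip_network("2001:db8::/32"), "DK"),
]


def country_of(ip):
    """First matching prefix wins; None if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP:
        if addr in net:
            return cc
    return None  # unknown country is treated as a mismatch by authenticate()


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# user -> (salt, password hash, country of first login). Constructed records
# using the throwaway credentials from the quoted message.
ACCOUNTS = {
    "postmaster": (b"s1", _kdf("retsamtsoP", b"s1"), "US"),
    "gooduser": (b"s2", _kdf("Password123", b"s2"), "DE"),
    "anotheruser": (b"s3", _kdf("qwertyuiop", b"s3"), "DK"),
}


def authenticate(user, password, client_ip):
    """True only if the password is right AND the client is in the country the
    account is bound to. Every failure returns the same False, so the server
    sends one generic 535 and a bot holding the correct password learns
    nothing about which of the two checks it failed."""
    rec = ACCOUNTS.get(user.lower())
    if rec is None:
        _kdf(password, b"dummy")  # burn the same hash cost for unknown users
        return False
    salt, digest, home = rec
    pw_ok = hmac.compare_digest(_kdf(password, salt), digest)
    geo_ok = country_of(client_ip) == home
    return pw_ok and geo_ok


# fail2ban-style counting over Exim-like log lines. The regex follows the
# shape "<date> <time> <auth> authenticator failed for ... [<ip>]: 535 ...".
AUTH_FAIL = re.compile(
    r"^\S+ \S+ \S+ authenticator failed for .*?\[(?P<ip>[^\]]+)\]: 535 "
)


def offenders(log_lines, maxretry=3, ignore=("10.0.0.0/8",)):
    """Client IPs with at least maxretry failed AUTH lines, skipping networks
    in `ignore` (fail2ban's ignoreip). The default ignore range is a
    constructed stand-in for a large NAT network shared by many customers,
    which one sloppy client behind it would otherwise get banned."""
    ignored = [ipaddress.ip_network(n) for n in ignore]
    hits = defaultdict(int)
    for line in log_lines:
        m = AUTH_FAIL.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in ignored):
            continue
        hits[str(ip)] += 1
    return sorted(ip for ip, n in hits.items() if n >= maxretry)


# Constructed log lines in Exim mainlog style (not real server logs).
LOG = [
    "2019-02-19 21:28:01 plain authenticator failed for (bot) [203.0.113.7]: 535 Incorrect authentication data (set_id=postmaster)",
    "2019-02-19 21:28:02 plain authenticator failed for (bot) [203.0.113.7]: 535 Incorrect authentication data (set_id=gooduser)",
    "2019-02-19 21:28:03 plain authenticator failed for (bot) [203.0.113.7]: 535 Incorrect authentication data (set_id=anotheruser)",
    "2019-02-19 21:29:00 login authenticator failed for (phone) [198.51.100.9]: 535 Incorrect authentication data (set_id=gooduser)",
    "2019-02-19 21:29:10 plain authenticator failed for (nat-client) [10.0.0.5]: 535 Incorrect authentication data (set_id=postmaster)",
    "2019-02-19 21:29:11 plain authenticator failed for (nat-client) [10.0.0.5]: 535 Incorrect authentication data (set_id=postmaster)",
    "2019-02-19 21:29:12 plain authenticator failed for (nat-client) [10.0.0.5]: 535 Incorrect authentication data (set_id=postmaster)",
    "2019-02-19 21:30:00 1gw3kX-0001Ab-Ce <= user@example.org H=(phone) [198.51.100.9] P=esmtpsa",
]

if __name__ == "__main__":
    print(authenticate("postmaster", "retsamtsoP", "192.0.2.10"))   # right password, bound country
    print(authenticate("postmaster", "retsamtsoP", "203.0.113.10"))  # right password, wrong country
    print(offenders(LOG))
```

The country check is evaluated even when the password is wrong, so the response and its timing do not distinguish "bad password" from "wrong region"; that is what makes the region binding shrink the attack surface instead of merely adding an error message. The `ignore` list is the practical answer to the NAT caveat: without it, three failures from one sloppy client behind a shared gateway would ban every customer on that gateway.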