Re: [exim] Spam though my server

Author: Sebastian Nielsen
Date:  
To: mje, 'exim users'
Subject: Re: [exim] Spam though my server
That's where you as an administrator must step in and put your foot down, and tell the users that they must adapt.
The best way here is to require that travelling users VPN to their home computers or home networks.
And they have to send via the 587 server to get accepted (ergo SPF on all domains).

I'm not talking about blocking specific countries, but rather tying accounts to specific countries so the accounts can only be used from the countries where they "belong", to lessen the chance that spambots hack the password.

That's because email doesn't work so well with 2FA, except where there is a webmail system.

The good thing with exim4 is that it's very flexible in this regard and can be configured and adapted to require that customers connect from their "home countries" to get accepted.
You might lose some customers by setting such strict settings, but it will make them generally happier, because deliverability will increase when your server isn't on blacklists.

-----Original message-----
From: Exim-users <exim-users-bounces+sebastian=sebbe.eu@???> On behalf of Mark Elkins via Exim-users
Sent: 20 February 2019 07:15
To: exim-users@???
Subject: Re: [exim] Spam though my server

Those customers with machines bolted to desks usually use the mail
server of their Internet supplier - via port 25 and with no authentication.

The main reason I have a Port 587 server with authentication is because
I appear to have a large portion of nomadic users. Some customers seem
to be very well travelled, going to places like China, USA and Europe
including Russia. GeoBlocking would be a bad idea.

I have a small operation by European standards; I run just over 1500
domains. A few are quite large with hundreds of users, others have 10 or so
mail accounts. Only a few have SPF records, as and when all users from
that domain use my port 587 relay mail server.

On 2019/02/19 21:28, Sebastian Nielsen via Exim-users wrote:
> The idea is not to build a 100% foolproof solution.
> The idea is to limit the attack surface.
>
> Let's say you have 3 users with really crappy passwords:
>
> Username | Password | First login
> Postmaster | retsamtsoP | USA
> GoodUser | Password123 | Germany
> AnotherUser | qwertyuiop | Denmark
>
> Now let's say you implement my suggestion. A bot from China or Russia will
> never be able to crack those accounts, because the GeoIP check will fail the
> authentication, so even with the correct username/password those accounts will
> still say failed.
> Even if they take a long shot and use a TOR node or VPN from the USA, they will
> still only have a chance against the Postmaster account, nothing else.
>
> So you greatly limit the attack surface, since the attacker must "be" in the
> same region as the attacked account to even have a chance to succeed.
>
> That there are some false positives doesn't matter, because those people must
> still have the real account name and password to succeed, and they must know
> which accounts are really geoIP'd to that country.
>
> If all users are in the same country, you simply geoIP in the firewall, and
> then port 587 will be closed and invisible to every host except those from
> the right country, so bots that are scanning large IP ranges will just skip
> over your server.
>
>
> -----Original message-----
> From: Exim-users <exim-users-bounces+sebastian=sebbe.eu@???> On behalf of Niels
> Dettenbach via Exim-users
> Sent: 19 February 2019 20:00
> To: exim-users@???; Sebastian Nielsen <sebastian@???>
> Cc: 'Odhiambo Washington' <odhiambo@???>
> Subject: Re: [exim] Spam though my server
>
> On Tuesday, 19 February 2019, 15:57:07 CET, Sebastian Nielsen via
> Exim-users wrote:
>> Most better firewalls have a built-in country/GeoIP database; if not,
>> you can easily add one.
> GeoIP is far from "reliable" for any SMTP/MTA, as there is no geolocation of
> an IP address. It offers only a "probably in this country" info in the context
> of an IP address (user). This means the amount of false positives in practice
> is significant, except if users come from "known" AS networks or RIR
> assignments / route info. So this may (!) help/work in small and/or very
> defined network topologies.
>
> I know the situation in Germany is a bit different, as the internet topology /
> "market" is very "centralized" here, but even in Germany many less known IP
> access products / services available get "geo-resolved" over other (usually
> western) countries / regions by GeoIP (even the commercial version).
>
> I know of many African and Asian mail providers who use "US", "European" or
> "Canadian" IPs for their service to get around "problems" with such geo-
> blocking solutions.
>
> Proper geolocation of IPs is a "science by itself", but still far from
> reliable. Many brute force attack attempts against our exim systems
> (Germany+Luxembourg) are currently coming from France and Germany today.
>
> For smaller systems, solutions like fail2ban could help "far":
> https://www.fail2ban.org/wiki/index.php/Exim
>
> But even here: be aware of possible "bad cases" where i.e. larger NAT
> networks "use" the service and "sloppy" user clients generate false
> positives.
>
> Besides Exim functionality (see Exim DOS prevention, incl. the resource
> "reserve" subsystem), firewall rules to slow down "too many" newly initiated
> sessions within a time window could help. But brute force attacks are normal /
> usual on larger SMTP services today; what is important is to make it difficult,
> to prevent any success of such attacks (even distributed ones) and their "DOS
> effects" and similar attacks.
>
>
> good luck,
>
>
> niels.
>
>
>

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje@???       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
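As an added illustration (not code from the thread, from Exim or from fail2ban), the two controls discussed in this thread in Python: the per-account "home country" check Sebastian proposes, and a fail2ban-style failure threshold over Exim mainlog AUTH lines as Niels suggests. The GeoIP prefix table, the account list and the log lines are constructed; the regex follows Exim's `... authenticator failed for (...) [ip]: 535 Incorrect authentication data (set_id=...)` log format.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for a GeoIP database (prefix -> country). A real GeoIP answer is
# only "probably in this country", so a mismatch is a policy decision, not proof of attack.
GEOIP = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "DK",
}
# Each account is tied to the country of its first login (the scheme proposed in the thread).
HOME_COUNTRY = {"postmaster": "US", "gooduser": "DE", "anotheruser": "DK"}

def country_of(ip):
    return next((cc for net, cc in GEOIP.items() if ipaddress.ip_address(ip) in net), None)

def auth_allowed(user, ip):
    """Reject AUTH, even with the right password, unless the client is in the account's home country."""
    home = HOME_COUNTRY.get(user.lower())
    return home is not None and country_of(ip) == home

# Exim mainlog format for a failed AUTH; timestamps, HELO names and IPs below are constructed.
AUTH_FAIL = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ authenticator failed for .*?\[([\d.]+)\]: "
    r"535 Incorrect authentication data \(set_id=([^)]+)\)"
)
SAMPLE_LOG = """\
2019-02-19 20:00:01 LOGIN authenticator failed for (laptop) [198.51.100.23]: 535 Incorrect authentication data (set_id=postmaster)
2019-02-19 20:00:05 LOGIN authenticator failed for (laptop) [198.51.100.23]: 535 Incorrect authentication data (set_id=postmaster)
2019-02-19 20:00:09 LOGIN authenticator failed for (laptop) [198.51.100.23]: 535 Incorrect authentication data (set_id=postmaster)
2019-02-19 20:15:00 PLAIN authenticator failed for (phone) [203.0.113.7]: 535 Incorrect authentication data (set_id=gooduser)
2019-02-19 21:30:00 PLAIN authenticator failed for (phone) [203.0.113.7]: 535 Incorrect authentication data (set_id=gooduser)
""".splitlines()

def brute_force_sources(log_lines, maxretry=3, window_seconds=600):
    """fail2ban-style rule: IPs with at least `maxretry` AUTH failures inside one window."""
    attempts = defaultdict(list)
    for line in log_lines:
        m = AUTH_FAIL.match(line)
        if m:
            attempts[m.group(2)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    banned = set()
    for ip, times in attempts.items():
        times.sort()
        if any((times[i + maxretry - 1] - times[i]).total_seconds() <= window_seconds
               for i in range(len(times) - maxretry + 1)):
            banned.add(ip)  # a large NAT behind one IP would be banned too (false positive)
    return banned
```

Run over the constructed log, only 198.51.100.23 (three failures in eight seconds) crosses the default threshold; the slow attempts from 203.0.113.7 only trip a looser rule, which is the NAT/sloppy-client trade-off Niels points at.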