Re: [exim] New compromise...?

Top Page
Delete this message
Reply to this message
Author: Sebastian Nielsen
Date:  
To: exim-users
Subject: Re: [exim] New compromise...?
Another way to deal with compromises is to IP-restrict the user accounts so they can only login from where they are supposed to login from.
If ALL of your users "belong" to the same country - for example i fits a company-internal email server, I would suggest set auth_advertise_hosts to a list of CIDR ranges that your country, or even better, your company, uses.

If different users belong to different countries, for example if you run a webhosting company, I would suggest putting the country that was used to either register the account, or the country who did issue the credit card that was used to pay for the webhosting, in a database.

Then in the authenticator, you verify that the users geoIP country for the IP he is logging in from, does match the country in the database.
Theres different solutions for this, the most "ugly" hackish solution is to append the country to the password before hashing, and upon login, append the users geoIP country to the password before hashing.
Other solutions involve custom authenticators that also validate the country as part of authentication.

If the user then login from a "incorrect" country, the password will come out as invalid, even if he specifies a correct password.

-----Ursprungligt meddelande-----
Från: Exim-users <exim-users-bounces+sebastian=sebbe.eu@???> För Heiko Schlittermann via Exim-users
Skickat: den 25 september 2019 11:31
Till: exim-users@???
Ämne: Re: [exim] New compromise...?

Mark Elkins via Exim-users <exim-users@???> (Mi 25 Sep 2019 03:47:41 EDT):
> However - from my viewpoint, the Username used in the authentication
> "myclient@???" should be the same as the "From".. i.e. <=
> minanilo@???.
> Is there a neat way to drop emails when the "From" is not the same as the
> PLAIN authenticated name?


Yes

In the authenticator use

    server_set_id =


either by just setting $auth1 or $auth2 (depending on the auth
mechanism, for PLAIN $auth2, for LOGIN $auth1).
Or use the authenticated ID ($auth…) (Or use $authN
for a lookup, e.g. to map it to sender addresses)

Note, the authenticated id will appear in the outgoing message.

In MAIL ACL (or later) you can block messages from authenticated users
if authenticated ID does not match the sender address, or you can
ratelimit on the authenticated ID


    MAIL ACL


        deny    message = sorry, sender must match user name
                authenticated = *
               !sender_address = $authenticated_id


or count the distinct recipients per user, allow a burst (so 100/1d
isn't the same as 50/12h)

    RCPT ACL


        deny    message = sorry, too many distinct recipients
                authenticated = *
                ratelimit = 100/1d / per_addr / $authenticated_id


Not tested, not verified against the spec, may contain typos or other
errors. But you should get the idea.

    Best regards from Atlanta/GA
    Viele Grüße aus Atlanta/USA
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -