[exim] Dovecot style Authentication Policy Server for Exim?

Top Page
This message is part of the following thread:
M--+\the complete thread tree sorted by date
M+\MM 
MMMMMHeiko Schlittermann at ->
Delete this message
Reply to this message
Author: Mike Tubby
Date:  
To: exim users
Subject: [exim] Dovecot style Authentication Policy Server for Exim?
All,

Dovecot IMAP/POP3 server has a built-in Authentication Policy sub-system
whereby it can make a web-services call to to an Authentication Policy
Server:

1.     command: on connect, before authentication
2.     command: on connect, after authentication
3.     report: on final outcome of policy + authentication

It would be "really good"(tm) if Exim could implement a similar
concept/service/API as it would allow me to leverage GEOIP against
possible attackers of some (protected) services and report back in to a
common database of failed connections for (a) GEOIP policy or (b)
username/password authentication failure.

I currently use GEOIP from the DBIP database on a local server with a
bit of PHP I hacked together to satisfy the Dovecot web-services API via
nginx on localhost in the server in question and its been enlightening
to see  where requests are coming from...   It appears that I am
currently receiving around 1500-2000 IMAP connects per day from botnets
with half-valid/half-guessed credentials, for example:

| 24317 | 2020-03-16 17:40:02 | IMAP     | andy@???           |
122.139.5.237                           | CN      |       0
|             1 |
| 24323 | 2020-03-16 17:43:50 | IMAP     | stuart.carter@???  |
60.171.116.44                           | CN      |       0
|             1 |
| 24372 | 2020-03-16 18:15:21 | IMAP     | tina.smith@???     |
173.245.239.107                         | US      |       0
|             1 |
| 24418 | 2020-03-16 18:49:31 | IMAP     | andy.smith@???     |
98.143.145.26                           | US      |       0
|             1 |
| 24430 | 2020-03-16 18:54:02 | IMAP     | andy@???           |
183.89.237.90                           | TH      |       0
|             1 |
| 24447 | 2020-03-16 19:04:59 | IMAP     | andy.smith@???     |
60.171.155.26                           | CN      |       0
|             1 |
| 24456 | 2020-03-16 19:10:05 | IMAP     | accounts@???       |
171.103.43.70                           | TH      |       0
|             1 |
| 24478 | 2020-03-16 19:28:39 | IMAP     | dirk.taylor@???    |
113.21.116.29                           | NC      |       0
|             1 |
| 24498 | 2020-03-16 19:43:25 | IMAP     | kime.davis@???     |
45.224.105.50                           | AR      |       0
|             1 |
| 24531 | 2020-03-16 20:06:47 | IMAP     | sam@???            |
45.224.104.168                          | AR      |       0
|             1 |
| 24549 | 2020-03-16 20:21:29 | IMAP     | sam@???            |
218.189.15.187                          | HK      |       0
|             1 |
| 24613 | 2020-03-16 21:02:02 | IMAP     | simon.jackson@???  |
183.233.143.22                          | CN      |       0
|             1 |
| 24623 | 2020-03-16 21:06:59 | IMAP     | andy.smith@???     |
221.228.242.13                          | CN      |       0
|             1 |
| 24635 | 2020-03-16 21:13:10 | IMAP     | sam.harper@???     |
200.31.28.219                           | EC      |       0
|             1 |
| 24649 | 2020-03-16 21:20:32 | IMAP     | dirk.taylor@???    |
202.171.77.194                          | NC      |       0
|             1 |
| 24658 | 2020-03-16 21:26:57 | IMAP     | benigni@???        |
45.224.105.82                           | AR      |       0
|             1 |
| 24677 | 2020-03-16 21:37:09 | IMAP     | chris.dew@???      |
61.136.81.154                           | CN      |       0
|             1 |
| 24688 | 2020-03-16 21:46:24 | IMAP     | simon@???          |
74.129.111.231                          | US      |       0
|             1 |
| 24692 | 2020-03-16 21:48:04 | IMAP     | mike.davis@???     |
66.110.216.19                           | US      |       0
|             1 |
| 24700 | 2020-03-16 21:53:25 | IMAP     | mike-davis@???     |
45.224.105.113                          | AR      |       0
|             1 |
| 24706 | 2020-03-16 21:54:54 | IMAP     | sales@???          |
14.161.22.104                           | VN      |       0
|             1 |
| 24707 | 2020-03-16 21:55:21 | IMAP     | mike-davis@???     |
124.41.193.12                           | NP      |       0
|             1 |
| 24724 | 2020-03-16 22:08:12 | IMAP     | tina.smith@???     |
80.210.26.154                           | IR      |       0
|             1 |
| 24727 | 2020-03-16 22:09:34 | IMAP     | simon.jackson@???  |
124.207.209.114                         | CN      |       0
|             1 |
| 24775 | 2020-03-16 22:48:42 | IMAP     | andy@???           |
221.229.247.179                         | CN      |       0
|             1 |
| 24819 | 2020-03-16 23:23:06 | IMAP     | dirk.taylor@???    |
220.164.2.90                            | CN      |       0
|             1 |

in the above I have changed the usernames/domain names to protect the
innocent, however the IP addresses and country codes are real. The last
two columns booleans and are "auth success" and "country policy rejected"


While this log is for Dovecot, it would be really good (tm) if Exim
could make similar call outs to an Authentication Policy Server, perhaps
passing:

    1. Remote IP address (IPv4/IPv6)
    2. If the session is plain-text or upgraded to SSL/TLS
    3. Which SSL/TLS Cipher is in use
    4. The username presented at start of auth
    5. Some sort of hash of the password presented at auth - like
Dovecor does


Has anyone implemented  a Dovecot-a-like authentication policy server
for Exim


Mike



This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] unable to authenticte (4.89 maybe conf error?)Re: [exim] Dovecot style Authentication Policy Server for Exim?->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)