Re: [exim] Dovecot style Authentication Policy Server for Ex…

Author: Andrew C Aitchison
Date:  
To: exim users, Mike Tubby
Subject: Re: [exim] Dovecot style Authentication Policy Server for Exim?

Top posting seems the best style for this reply.
I have pruned the original question.

There is a Dovecot Authenticator for Exim (spec.txt chapter 37).
I'm not sure whether $sender_host_address is passed to Dovecot,
so it may or may not be possible to enforce the GEOIP policy
(but I'd be tempted to do that in a firewall such as iptables
before the connection reaches exim unless the location of the
logging is critical).

On Tue, 17 Mar 2020, Mike Tubby via Exim-users wrote:

> Dovecot IMAP/POP3 server has a built-in Authentication Policy sub-system
> whereby it can make a web-services call to an Authentication Policy
> Server:
>
> 1. command: on connect, before authentication
> 2. command: on connect, after authentication
> 3. report: on final outcome of policy + authentication
>
> It would be "really good"(tm) if Exim could implement a similar
> concept/service/API as it would allow me to leverage GEOIP against possible
> attackers of some (protected) services and report back in to a common
> database of failed connections for (a) GEOIP policy or (b) username/password
> authentication failure.
>
> I currently use GEOIP from the DBIP database on a local server with a bit of
> PHP I hacked together to satisfy the Dovecot web-services API via nginx on
> localhost in the server in question and it's been enlightening to see where
> requests are coming from... It appears that I am currently receiving around
> 1500-2000 IMAP connects per day from botnets with half-valid/half-guessed
> credentials, for example:



> While this log is for Dovecot, it would be really good (tm) if Exim could
> make similar call outs to an Authentication Policy Server, perhaps passing:
>
> 1. Remote IP address (IPv4/IPv6)
> 2. If the session is plain-text or upgraded to SSL/TLS
> 3. Which SSL/TLS Cipher is in use
> 4. The username presented at start of auth
> 5. Some sort of hash of the password presented at auth - like Dovecot does
>
> Has anyone implemented a Dovecot-a-like authentication policy server for
> Exim
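
A sketch of the decision logic such a policy server could apply to the attributes listed in the quoted request, added here as an illustration; it is not code from either poster, from Exim or from Dovecot. The field names (`remote`, `tls`, `cipher`, `login`, `pwhash`), the status convention, the country table and the thresholds are all assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation address ranges, made-up country codes.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "AA"),
    (ipaddress.ip_network("198.51.100.0/24"), "BB"),
    (ipaddress.ip_network("2001:db8::/32"), "BB"),
]
ALLOWED_COUNTRIES = {"AA"}   # hypothetical policy
MAX_DISTINCT_FAILURES = 3    # hypothetical threshold

# remote IP -> set of (login, pwhash) pairs that failed authentication
failed = defaultdict(set)

def country_of(remote):
    """Return the country code for an IPv4/IPv6 address, or None if unknown."""
    addr = ipaddress.ip_address(remote)
    for net, code in GEO_TABLE:
        if addr.version == net.version and addr in net:
            return code
    return None

def allow(req):
    """Pre-authentication check. Returns (status, reason):
    -1 = refuse, 0 = proceed, N > 0 = proceed after N seconds' delay."""
    try:
        remote = str(ipaddress.ip_address(req["remote"]))
    except (KeyError, ValueError):
        return (-1, "malformed request")
    code = country_of(remote)
    if code not in ALLOWED_COUNTRIES:
        return (-1, "geoip policy: %s" % (code or "unknown"))
    if not req.get("tls"):
        return (-1, "plaintext session")
    distinct = len(failed.get(remote, ()))
    if distinct >= MAX_DISTINCT_FAILURES:
        return (-1, "too many failed credentials")
    return (2 * distinct, "ok")

def report(req, success):
    """Final outcome. Only the client-supplied hash is stored, never a password."""
    remote = str(ipaddress.ip_address(req["remote"]))
    if success:
        failed.pop(remote, None)
    else:
        # A set means one client retrying one stale password counts once,
        # while a bot cycling through guesses counts once per guess.
        failed[remote].add((req.get("login"), req.get("pwhash")))
```

Keying failures on the (login, hash) pair rather than a raw counter is what makes the password hash in item 5 useful: it separates a misconfigured mail client from credential guessing without the server ever seeing a password.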