Re: [exim] Dovecot style Authentication Policy Server for Ex…

Inizio della pagina
Delete this message
Reply to this message
Autore: Mike Tubby
Data:  
To: Andrew C Aitchison, exim users
Oggetto: Re: [exim] Dovecot style Authentication Policy Server for Exim?
Thanks all for the ideas ... I'm on the case...

I have a PHP back-end under Nginx serving the Dovecot Authentication
Policy Server - I have forked this code to produce an Exim version for
the back-end and am just testing a PERL test-harness which I will
translate into a PERL authentication shim.

Right now, at the time of writing, my PERL test harness looks like this:

#!/usr/bin/perl
#
# test.pl -- test the Web Services authenticator for Exim
#
use strict;
use warnings;
use LWP::UserAgent ();
use Data::Dumper;

my $email = "myemail@???";
my $pass = "secret";
my $remote = "1.2.3.4";

my $ua = LWP::UserAgent->new(
    agent => 'EximAuth/0.01',
    timeout => 3
);

my %form;
$form{'email'} = $email;
$form{'password'} = $pass;
$form{'remote'} = $remote;

my $response = $ua->post('http://mailserver.example.com/exim-auth.php',
\%form);
print Dumper($response);
my $code = $response->code();
print "CODE: >>>$code<<<\n";


The PHP back-end accepts a POST on a URI with form data that contains:

* email address
* password
* remote IP address

the back-end considers:

    a) the username/password pair - for authentication
    b) the GEOIP of the remote IP address - for authorization

in the virtual mailbox/virtual user database, plus the remote IP in a
local copy of the DBIP GeoIP database and returns a HTTP response code:

* 204 On success (no data)
* 403 Forbidden (for authentication failure or GEOIP authorization fail)
* 400 Bad Request (for non supported methods or incomplete form data)

and logs the username (email address) and remote IP address along with
authentication success/fail and GEOIP policy success/fail and country
code to a 'connection_log' table in MySQL.

I will replace the test code with an Exim/Perl shim that does the same
thing but returns authentication 'success' or 'failure' and coerce Exim
into using it in the authenticators, later ...


The reason for all of this is that we have seen a very significant
change in the threat landscape in the last couple of years ... examining
our Dovecot logs (via the connection log/authentication policy server)
we see about 40% of failed logins from China, about 10-15% of failed
logins from Russia/Russian Federation and the rest from botnets that
present IP addresses from all over the world.

This drives us to use a more complete authentication system along with
logging and surveillance, for monitoring, reporting and compliance.

Happy to share our experiences, ideas and solutions with anyone that has
similar issues to address ...


Mike



On 17/03/2020 19:49, Andrew C Aitchison wrote:
>
> Top posting seems the best style for this reply.
> I have pruned the original question.
>
> There is a Dovecot Authenticator for Exim (spec.txt chapter 37)
> I'm not sure whether $sender_host_address is passed to Dovecot,
> so it may or may not be possible to enforce the GEOIP policy
> (but I'd be tempted to do that in a firewall such as iptables
> before the connection reaches exim unless the location of the
> logging is critical).
>
> On Tue, 17 Mar 2020, Mike Tubby via Exim-users wrote:
>
>> Dovecot IMAP/POP3 server has a built-in Authentication Policy
>> sub-system whereby it can make a web-services call to to an
>> Authentication Policy Server:
>>
>> 1.  ___ command: on connect, before authentication
>> 2.  ___ command: on connect, after authentication
>> 3.  ___ report: on final outcome of policy + authentication
>>
>> It would be "really good"(tm) if Exim could implement a similar
>> concept/service/API as it would allow me to leverage GEOIP against
>> possible attackers of some (protected) services and report back in to
>> a common database of failed connections for (a) GEOIP policy or (b)
>> username/password authentication failure.
>>
>> I currently use GEOIP from the DBIP database on a local server with a
>> bit of PHP I hacked together to satisfy the Dovecot web-services API
>> via nginx on localhost in the server in question and its been
>> enlightening to see  where requests are coming from...   It
>> appears that I am currently receiving around 1500-2000 IMAP connects
>> per day from botnets with half-valid/half-guessed credentials, for
>> example:
>
>
>> While this log is for Dovecot, it would be really good (tm) if Exim
>> could make similar call outs to an Authentication Policy Server,
>> perhaps passing:
>>
>> ___ 1. Remote IP address (IPv4/IPv6)
>> ___ 2. If the session is plain-text or upgraded to SSL/TLS
>> ___ 3. Which SSL/TLS Cipher is in use
>> ___ 4. The username presented at start of auth
>> ___ 5. Some sort of hash of the password presented at auth - like
>> Dovecot
>> does
>>
>> Has anyone implemented a Dovecot-a-like authentication policy server
>> for Exim