Re: [exim] Dovecot style Authentication Policy Server for Ex…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Mike Tubby
Datum:  
To: Andrew C Aitchison
CC: exim users
Betreff: Re: [exim] Dovecot style Authentication Policy Server for Exim?


On 18/03/2020 09:07, Andrew C Aitchison wrote:
> On Tue, 17 Mar 2020, Mike Tubby via Exim-users wrote:
>
>> The PHP back-end accepts a POST on a URI with form data that contains:
>>
>> * email address
>> * password
>> * remote IP address
>>
>> the back-end considers:
>>
>>    a) the username/password pair - for authentication
>>    b) the GEOIP of the remote IP address - for authorization
>>
>> in the virtual mailbox/virtual user database, plus the remote IP in a
>> local copy of the DBIP GeoIP database and returns a HTTP response code:
>>
>> * 204 On success (no data)
>> * 403 Forbidden (for authentication failure or GEOIP authorization fail)
>> * 400 Bad Request (for non supported methods or incomplete form data)
>>
>> and logs the username (email address) and remote IP address along
>> with authentication success/fail and GEOIP policy success/fail and
>> country code to a 'connection_log' table in MySQL.
>
> If/when a legitimate user goes to a GEOIP restricted location
> (OK that isn't likely while covid-19 ...) they will send their password
> before being told to go away.
>
> Is there a reason you cannot do the GeoIP block at connection time,
> or at least before the password prompt ?
>


Because I need to log the reason for failure whether it is (a) due to
GEOIP or (b) due to failed authentication.

Dovecot's authentication policy server achieves this by calling out
three times:

* Once, on connect, before authentication ("command")
* Once after authentication was attempted ("command")
* Once on final outcome ("result")

This approach allows me to respond with accept/reject based on GEOIP at
connect (which dovecot remembers) but carries on going through the auth
process (even though the outcome is prejudged to fail) so I still see
the username used in the authentication attempt and the final outcome
(result) which I write back to a database table:

MariaDB [mail]> describe connection_log;
+---------------+---------------------+------+-----+---------------------+----------------+
| Field         | Type                | Null | Key | Default            
| Extra          |

+---------------+---------------------+------+-----+---------------------+----------------+
| id            | int(10) unsigned    | NO   | PRI | NULL               
| auto_increment |
| datetime      | datetime            | NO   |     | current_timestamp()

|                |
| protocol      | varchar(10)         | NO   |     | NULL               

|                |
| username      | varchar(80)         | NO   |     | NULL               

|                |
| remote_ip     | varchar(40)         | NO   |     | NULL               

|                |
| country       | varchar(4)          | NO   |     | NULL               

|                |
| auth_ok       | tinyint(1) unsigned | YES  |     | NULL               

|                |
| policy_reject | tinyint(1) unsigned | YES  |     | NULL               

|                |
+---------------+---------------------+------+-----+---------------------+----------------+

that collects stuff like this:

------------------------------+----------+----------------------------+-----------------------------------------+---------+---------+---------------+
| id    | datetime            | protocol | username                   |

remote_ip                               | country | auth_ok |
policy_reject |
+-------+---------------------+----------+----------------------------+-----------------------------------------+---------+---------+---------------+
| 25834 | 2020-03-17 12:04:50 | IMAP     | mike.tubby@???     |

122.11.169.35                           | SG      |       0
|             1 |
| 25852 | 2020-03-17 12:15:27 | IMAP     | stuart.davies@???  |

173.254.227.90                          | US      |       0
|             1 |
| 25854 | 2020-03-17 12:16:54 | IMAP     | simon@???          |

222.161.47.82                           | CN      |       0
|             1 |
| 25872 | 2020-03-17 12:29:31 | IMAP     | kime.tubby@???     |

183.167.225.165                         | CN      |       0
|             1 |
| 25878 | 2020-03-17 12:34:10 | IMAP     | david.young@???    |

118.163.143.170                         | TW      |       0
|             1 |
| 25916 | 2020-03-17 12:56:58 | IMAP     | stuart@???         |

187.189.230.250                         | MX      |       0
|             1 |
| 25928 | 2020-03-17 13:04:42 | IMAP     | andy@???           |

173.245.239.187                         | US      |       0
|             1 |
| 26113 | 2020-03-17 14:37:21 | IMAP     | jim.harper@???     |

177.135.101.5                           | BR      |       0
|             1 |
+-------+---------------------+----------+----------------------------+-----------------------------------------+---------+---------+---------------+

which gives me valuable data on who's email accounts are being attacked
and where from. [Usernames changed to protect the innocent; query
dropped successful auth and GB based entries]

This, in turn, satisfies infosec compliance where we have to keep 3
months worth of access logs.

Dovecot already does it "out of the box" I want to do something similar
for Exim.


Mike