Re: [exim] Looking for an example

Author: Sebastian Nielsen
Date:  
To: mje, exim-users
Subject: Re: [exim] Looking for an example
For webmail, implement TOTP.

If you allow client access (Submission, IMAP etc) from outside, then:
Either restrict to internal network only, or require VPN.

== OR ==

Best would be to use GeoIP to, on first login, lock the account to the GeoIP country the current IP has.
That would severely limit any intrusions, since the attack surface is now limited to the same country as the user.

Another way would be to use the webmail login as a "whitelisting" system, so when they log in to the webmail (with TOTP), their Class C (or even Class B if you don't want to lock out too hard) is whitelisted for 7 days. Multiple entries can be whitelisted. Thus if their client mail stops working, they have to log in to webmail ONCE to "reactivate".
This also would limit the attack surface greatly, to a single ISP or a few ISPs.

You should be able to create something using MySQL lookups and possibly $acl_c0 and such to relay the connected IP to the authenticator, and then do an IP check against the MySQL database.

-----Original message-----
From: Mark Elkins via Exim-users <exim-users@???>
Sent: 29 June 2020 14:56
To: exim-users@???
Subject: [exim] Looking for an example

Hello group,

I'm looking for an example for how to cure this problem.

Every now and then, a user will give his password to a bad actor (Social Engineering). That bad person then goes to my webmail interface and sends out a lot of SPAM e-mail - which goes to my port 587 (only) Exim (version 4.94).

The mail server then gets black-listed :-(

Of course - then everyone suffers.

All my users' details are in a MySQL Database. Ideally - I could change their status to "disabled" - but still need to handle the SPAM being sent out from their account details. Perhaps I'd look up the "X-Originating-IP" and if there - not do a delivery?

What are the "Best Practices" with handling this?

An example of a "bad" email (the H file) might look like... (as untouched as possible)

1jX2Tv-00A32n-Ka-H
mail 8 12
<mothapom@???>
1588942319 2
-received_time_usec .638108
-helo_name webmail.vweb.co.za
-host_address 2001:42a0::5.36176
-interface_address 2001:42a0::71.587
-received_protocol esmtps
-body_linecount 48
-max_received_linelength 74
-frozen 1589015756
-tls_cipher TLSv1.3:TLS_AES_256_GCM_SHA384:256
-tls_sni relay.vweb.co.za
-tls_ourcert -----BEGIN CERTIFICATE-----\nMIIGaTCCBVGgAwIBAgISAw6 [Lots deleted] 4isptageh9BnUwAwJw==\n-----END CERTIFICATE-----\n
YY wryer@???
YY wrongdoer@???
YY wristwatch@???
[20+ lines deleted]
NN yards@???
NN yawn@???
50
wrinkle@???
wrinkling@???
[20+ lines deleted]
swarthy@???
swathes@???

255P Received: from [2001:42a0::5] (port=36176 helo=webmail.vweb.co.za)
         by relay.vweb.co.za with esmtps
(TLSv1.3:TLS_AES_256_GCM_SHA384:256)
         (Exim 4.92.2)
         (envelope-from <mothapom@???>)
         id 1jX2Tv-00A32n-Ka; Fri, 08 May 2020 14:51:59 +0200
018  Mime-Version: 1.0
038  Date: Fri, 08 May 2020 12:52:10 +0000
087  Content-Type: multipart/alternative;
  boundary="--=_RainLoop_183_170848428.1588942330"
026  X-Mailer: RainLoop/1.11.3
057F From: "Mrs. Agnes Adams" <mothapom@???>
068I Message-ID: <f48e1f3d5cf34a6e7f03fe0d1b6487a8@???>
030R Reply-To: jm4065278@???
012  Subject: HI
034  X-Originating-IP: 197.220.169.156


--

Mark James ELKINS - Posix Systems - (South) Africa mje@??? Tel: +27.826010496 <tel:+27826010496> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
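An added example (not from either post, and not Exim's or Mark's own configuration) of how Sebastian's "webmail login whitelists the network for 7 days" idea could look as Exim 4.9x configuration: the MAIL ACL on the submission listener refuses unauthenticated senders, refuses accounts marked disabled in the users table, and refuses authenticated users whose network has not been seen at a TOTP webmail login within 7 days. The database name, table and column names, and the credentials are assumptions; the webmail application is assumed to insert one row into webmail_logins on every successful login.

```exim
# Main section: read-only MySQL connection (hypothetical names; change the password).
hide mysql_servers = localhost/maildb/eximro/CHANGE_ME_PASSWORD

# Assumed tables:
#   mail_users(login, status)          -- status is 'active' or 'disabled'
#   webmail_logins(login, net, seen)   -- net is the masked client network,
#                                         seen is a DATETIME set at webmail login
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # Submission on 587 is for authenticated users only.
  deny   !authenticated = *
         message = authentication required

  # A disabled account still has a valid password; refuse it before any
  # message is accepted, so nothing from it reaches the queue.
  deny   condition = ${if eq{${lookup mysql{SELECT status FROM mail_users \
                       WHERE login='${quote_mysql:$authenticated_id}'}{$value}{disabled}}}{disabled}}
         message   = account disabled, contact support
         log_message = submission by disabled account $authenticated_id

  # Whitelist check: the client's /24 (IPv4) or /64 (IPv6) must have been
  # recorded at a webmail login for this user in the last 7 days.
  deny   condition = ${if eq{${lookup mysql{SELECT COUNT(*) FROM webmail_logins \
                       WHERE login='${quote_mysql:$authenticated_id}' \
                       AND net='${quote_mysql:${if isip4{$sender_host_address} \
                                 {${mask:$sender_host_address/24}} \
                                 {${mask:$sender_host_address/64}}}}' \
                       AND seen > NOW() - INTERVAL 7 DAY}{$value}{0}}}{0}}
         message   = log in to webmail from this network first
         log_message = submission from unlisted network $sender_host_address \
                       by $authenticated_id

  accept
```

The two deny lines also write a log_message, so a stolen password being tried from an unlisted network shows up in mainlog before any mail is queued.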