Re: [exim] Closing off Port to non-SSL traffic

Top Pagina
Delete this message
Reply to this message
Auteur: Sebastian Nielsen
Datum:  
Aan: 'Mailing List'
Onderwerp: Re: [exim] Closing off Port to non-SSL traffic
Yeah what I mean is that you on the submission port 587, restrict which IPs are allowed to authenticate. I had a big problem with bots guessing my password all the time, until I put in IP restriction, the problem disappeared immediately. Now I can see, if I wireshark with TLS keys attached, that the attackers, run over the correct password and just try the next and next one, because the server doesn't tell if the password is correct or not if their IP isn't allowed to authenticate.
They seem to use wordlists to hack the password.

So what you do, is using auth_advertise_hosts on port 587 to lock out so people cannot authenticate unless they ALSO comes from the right country or even better, the right network or ISP.

You could also combine this with a per-user based IP check in a custom authentication function, so a user can only authenticate from the country for which they first authenticated from, basically, save GeoIP first time user logs on, and then next time user logs on, GeoIP have to match.
That gives maximum security, since a hacker needs to authenticate from the same country as the user is residing in.

-----Ursprungligt meddelande-----
Från: Mark Elkins via Exim-users <exim-users@???>
Skickat: den 25 juni 2022 10:31
Till: 'Mailing List' <exim-users@???>
Ämne: Re: [exim] Closing off Port to non-SSL traffic

Not sure if I'm missing the boat or what but - for one of my users to send email - they must use mail Submission port 587 - and nothing else.
That's on a server that only listens on port 587. This works fine until a user "shares" their password. I also have a script that looks how many emails are in the Send queue and get excited if it grows too large. They use Port 587 with STARTTLS encryption.

My users can not send mail via port 25 (or 465) with User authentication by design - on the other mail server that they fetch (POP3@995/IMAP@993) mail from.

Technically - inbound emails can come from anywhere - I have some native Russian and Chinese clients as well - so can't block emails from there.
Anyway lots of Spam & attacks seem to come from the USA and Europe - I currently live in South Africa, am from the UK.


On 6/24/22 10:45 PM, Sebastian Nielsen via Exim-users wrote:
> Best way here is to add your users primary country to the auth_advertise_hosts list. Could be quite a IP list, but you can store it in a file if you want, by using a lookup condition.
> Then if they travel to a non-approved country, they have to be without mail or be approved by you as administrator.
>
> I don't know how many primary countries your users have, but could guess you only have a few. Which limits the attack surface, since only attacks from same country as the users will be go through.
>
> -----Ursprungligt meddelande-----
> Från: Slavko via Exim-users<exim-users@???>
> Skickat: den 24 juni 2022 08:19
> Till: 'Mailing List'<exim-users@???>
> Ämne: Re: [exim] Closing off Port to non-SSL traffic
>
> Dňa 23. júna 2022 22:15:48 UTC používateľ Sebastian Nielsen via Exim-users<exim-users@???> napísal:
>
>> I solved that with:
>> auth_advertise_hosts = 192.168.0.0/16 : 127.0.0.1 : ::::1
> This helps only for single user MTA, my real users connects even from multiple countries...
>
>> 2022-06-10 23:50:20 SMTP protocol error in "AUTH LOGIN" H=(User)
>> [45.85.190.59] AUTH command used when not advertised
> That is pretty simple, just add this IP to firewall's DROP. To
> automatize its banning, use fail2ban. But be aware, that they will
> often try from other IP soon. I have 100 - 800 different IPs per day,
> most of them has only one attempt allowed here, it is some thousands
> of IPs in last
> 24 days (maximum ipset timeout) from whole word.
>
> I am happy, that i long time ago decided to separate MX & MSA roles even for my small email system, which allow me simple reject "EHLO User" (and other strict rules) on MX port's 25, which are common on MSA.
>
> regards
>
> Slavko
>
> --
> ## List details athttps://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details athttp://www.exim.org/ ## Please use the Wiki with
> this list -http://wiki.exim.org/
>
>

--

Mark James ELKINS - Posix Systems - (South) Africa mje@??? Tel: +27.826010496 <tel:+27826010496> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za <https://ftth.posix.co.za>


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/