Strategies for protecting IMAP (e.g. MFA)
André Rodier
andre at rodier.me
Sun Nov 14 18:08:18 UTC 2021
On 14/11/2021 18:03, Lefteris Tsintjelis wrote:
> On 14/11/2021 14:50, Kees van Vloten wrote:
>>
>> Apart from a really nice firewall firehol also supplies a good set of
>> ip-blacklists.
>>
>> For public exposure of email ports, I am using the combination of
>> firehol-firewall, firehol-blacklist, fail2ban and a whitelist based on
>> geo-ip. The mail-client ports exposed are 993 and 465, because
>> starttls is considered flawed nowadays: https://nostarttls.secvuln.info/)
>>
>> Full access from any IP (except firehol-blacklist and fail2ban) is
>> possible over VPN (openvpn) with MFA (privacyidea).
>> Privacyidea also supplies a mobile-app compatible with a.o. TOTP and
>> HOTP but it provides a more secure way of enrollment (2-step).
>>
>> Thanks for pointing at crowdsec.net, will see if it can tighten
>> security further in cooperation with the above.
>>
>> - Kees
>
> The problem I faced over the years, with so many IPs, was that the black
> listing way would reach its limits at some point. Using the classic
> fail2ban expiration dates and method, over time, never actually manages
> to get rid of them as they keep on trying and trying. I needed to expand
> the blacklist expiration time limits way high but that reached firewall
> limitations so I personally switched to a permanent white list
> firewalling, as I could do that, and it really got rid of a lot of my
> headaches with just about all my public services.
>
> Black listing would work in case of central dedicated anf large
> firewalls but for smaller solutions I think country white listing
> firewall is far better method.
>
> What would also be interesting is something similar to the spamcop
> combined with crowdsec reporting system so that it can be used to
> effectively analyze and reduce all those bots.
>
> The Spamhouse DROP list would also be a good permanent black list
> addition to any border routers or stand alone public services.
>
> https://www.spamhaus.org/drop/
Perhaps I was not clear in my last message. Have a look to this
documentation:
https://homebox.readthedocs.io/en/latest/email-access-monitoring/
I am available if you have any question to implement something similar
yourself. Extending the system to add a second factor authentication is
probably easy enough.
Kind regards,
André
--
𝓐𝓡 - André Rodier
More information about the dovecot
mailing list