On 2021-11-14 7:55 a.m., Lefteris Tsintjelis wrote:
On 13/11/2021 23:16, Tyler Montney wrote:
With the world of ransomware as it is today (aka attacks seem more vicious and commonplace), anything I expose to WAN must have additional protection. I've seen a few posts to this list on it. The only thing that helped was that Dovecot supports OAuth. Through OAuth I figure I could implement MFA. However, I'd have to host my own identity server. From there, Thunderbird supports OAuth so that should work.
Since this is getting increasingly complicated, I wanted to ask before going further. What do you all do? Any recommendations?
May also consider black listing, or even better, white listing country IPs. A white list firewall, if you only have to deal with a certain country for example, will also work extremely well and it is quite easy to maintain and update as well as simple and fast and very effective.
And if you need sporadically to use it outside your white listing, VPN works great.
Our threat teams do a lot of work around IMAP threats, and a couple of things to note: there is a marked increase of IMAP attackers using cloud infrastructure for IMAP hacks.
You might ask the question, do you need to allow IMAP access from the cloud, or do you expect only email clients to access them?
If the latter, consider blocking AWS, GoogleCloud, Azure from connecting to your IMAP. Note, it may affect certain VPN anonymizers, or Desk Top in the Cloud, but in general given the predilection of certain hacking groups for those, you might like to control that.
And there are RBLs now for known IP(s) used by IMAP hackers, including SpamRats RATS-AUTH that can assist in reducing those attacks.
And for 'some' IMAP operators, country AUTH blocking might be valuable. Of course, you have to consider your users, and what they can do when traveling or vacationing. A step forward is to do country AUTH blocking, and insist they use an email client which supports MFA when traveling, or force them to use webmail.
Of course, transparent 2FA is the way to go in the long run. Time to update that pull request, so that plugins can dynamically control CAPABILITY advertisements.
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
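The source-address checks discussed in this thread (VPN exception, RBL listing, cloud-provider blocking, country AUTH blocking with a webmail/MFA fallback) combined into one decision function. This is an added example, not code from any poster or from Dovecot; every range, the RBL set and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data using documentation/private ranges, not real
# provider or country allocations. A deployment would load the ranges the
# cloud providers publish and a GeoIP source instead.
CLOUD_RANGES = {
    "cloud-a": ["192.0.2.0/24", "2001:db8:a::/48"],
    "cloud-b": ["198.51.100.0/25"],
}
HOME_COUNTRY_RANGES = ["203.0.113.0/24", "2001:db8:b::/48"]
VPN_RANGES = ["10.8.0.0/24"]        # hypothetical VPN address pool
RBL_LISTED = {"203.0.113.66"}       # stands in for a DNSBL answer


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def cloud_provider(addr):
    """Return the label of the cloud range containing addr, or None."""
    for name, cidrs in CLOUD_RANGES.items():
        if any(addr in net for net in _nets(cidrs)):
            return name
    return None


def imap_auth_policy(ip):
    """Decide how to treat an IMAP AUTH attempt from source address ip."""
    addr = ipaddress.ip_address(ip)
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) must be checked as the IPv4 address,
    # otherwise it slips past every IPv4 range.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if any(addr in net for net in _nets(VPN_RANGES)):
        return ("allow", "vpn")
    if str(addr) in RBL_LISTED:
        return ("deny", "rbl")
    provider = cloud_provider(addr)
    if provider:
        return ("deny", provider)
    if any(addr in net for net in _nets(HOME_COUNTRY_RANGES)):
        return ("allow", "home-country")
    # Outside the country list: no plain IMAP AUTH, only webmail or an
    # MFA-capable client, as the message suggests for travelling users.
    return ("webmail-or-mfa", "foreign")
```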