Strategies for protecting IMAP (e.g. MFA)
Apart from a really nice firewall, firehol also supplies a good set of ip-blacklists.
For public exposure of email ports, I am using the combination of firehol-firewall, firehol-blacklist, fail2ban and a whitelist based on geo-ip. The mail-client ports exposed are 993 and 465, because STARTTLS is considered flawed nowadays: https://nostarttls.secvuln.info/
Full access from any IP (except firehol-blacklist and fail2ban) is possible over VPN (openvpn) with MFA (privacyidea). Privacyidea also supplies a mobile-app compatible with a.o. TOTP and HOTP but it provides a more secure way of enrollment (2-step).
Thanks for pointing at crowdsec.net, will see if it can tighten security further in cooperation with the above.
- Kees
On 14-11-2021 11:33, infoomatic wrote:
I will throw in a few interesting projects which have kept my small servers safe:
*) firehol.org
*) crowdsec.net
*) www.fail2ban.org
Have a look at those interesting projects!
On 13.11.21 22:16, Tyler Montney wrote:
With the world of ransomware as it is today (aka attacks seem more vicious and commonplace), anything I expose to WAN must have additional protection. I've seen a few posts to this list on it. The only thing that helped was that Dovecot supports OAuth. Through OAuth I figure I could implement MFA. However, I'd have to host my own identity server. From there, Thunderbird supports OAuth so that should work.
Since this is getting increasingly complicated, I wanted to ask before going further. What do you all do? Any recommendations?
How are you managing dns/clients etc so only the email traffic goes through the vpn and no other traffic?
On 14-11-2021 13:56, Marc wrote:
How are you managing dns/clients etc so only the email traffic goes through the vpn and no other traffic?
There are different use-cases:
Mobile (phone) users will use the externally exposed mail-ports, i.e. they have access from the geo-ip whitelist. This way the mail-app on the phone can be used easily.
Home or laptop users will use the VPN to get full-access through the VPN. I redirect DNS through the VPN (i.e. all queries) but not all other traffic (no default gateway change).
A last case not mentioned earlier is webmail, which is also hidden behind privacyidea MFA.
The policy is to use MFA when you first connect to the network from an untrusted location, the one exception is mail over 993/465 but instead that is limited by blacklists, geo-ip and fail2ban.
- Kees
On 14/11/2021 14:50, Kees van Vloten wrote:
[...]
The problem I faced over the years, with so many IPs, was that the blacklisting approach would reach its limits at some point. Using the classic fail2ban expiration dates and method, over time, never actually manages to get rid of them, as they keep on trying and trying. I needed to extend the blacklist expiration times way up, but that reached firewall limitations, so I personally switched to permanent whitelist firewalling, as I could do that, and it really got rid of a lot of my headaches with just about all my public services.
Blacklisting would work in the case of central, dedicated and large firewalls, but for smaller solutions I think a country-whitelisting firewall is a far better method.
What would also be interesting is something similar to the spamcop combined with crowdsec reporting system so that it can be used to effectively analyze and reduce all those bots.
The Spamhaus DROP list would also be a good permanent blacklist addition to any border routers or stand-alone public services.
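Lefteris's suggestion of the Spamhaus DROP list as a permanent border blacklist, as an added example that is not code from the thread or from Spamhaus: a parser for the DROP text layout (`;` comment lines, then one `<cidr> ; <SBL reference>` per line) that reports malformed entries instead of silently loading them, an nft script generator that rebuilds an interval set, and a membership check. The file contents below are constructed from documentation ranges, not real DROP entries, and the table and set names (`inet filter`, `spamhaus_drop`) are assumptions.

```python
"""
Added example (not code from the thread or from Spamhaus): turn a Spamhaus
DROP-format file into an nftables interval set and check addresses against it.
"""
import ipaddress

# Constructed sample in the DROP file layout. Comment lines start with ';' and
# data lines read "<cidr> ; <SBL reference>". The prefixes are documentation
# ranges, not real DROP entries; the last line is deliberately malformed.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample, not the real list)
; Last-Modified: Sun, 14 Nov 2021 00:00:00 GMT

192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/24 ; SBL000003
not-an-address ; SBL000004
"""


def parse_drop(text):
    """Return (networks, rejected_lines). Comments and blanks are skipped; a data
    line that is not a well-formed network (strict: no host bits set) is reported
    rather than dropped silently, so a broken feed cannot quietly shrink the set."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()   # everything before the SBL reference
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            rejected.append(entry)
    return nets, rejected


def is_listed(ip, nets):
    """True when ip falls inside any network of the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def nft_set_script(nets, table="inet filter", set_name="spamhaus_drop"):
    """Emit an nft script (for `nft -f`) that creates the set if needed, flushes it
    and loads all elements, so a refresh replaces the old contents in one run.
    One set per address family: feed DROP (IPv4) and DROPv6 separately."""
    versions = {n.version for n in nets}
    if len(versions) != 1:
        raise ValueError("mixed or empty address families; one set per family")
    addr_type = "ipv4_addr" if versions == {4} else "ipv6_addr"
    elements = ", ".join(str(n) for n in nets)
    return "\n".join([
        f"add set {table} {set_name} {{ type {addr_type}; flags interval; }}",
        f"flush set {table} {set_name}",
        f"add element {table} {set_name} {{ {elements} }}",
    ]) + "\n"


if __name__ == "__main__":
    nets, rejected = parse_drop(SAMPLE_DROP)
    if rejected:
        print("rejected entries:", rejected)   # investigate before trusting the feed
    print(nft_set_script(nets), end="")
    print("203.0.113.7 listed:", is_listed("203.0.113.7", nets))
```

Load the output with `nft -f` and reference the set from an input chain in the table, e.g. `ip saddr @spamhaus_drop drop`, placed before the mail-port accept rules; refresh from the published drop.txt on a schedule rather than on every start, and treat a non-empty rejected list as a reason to keep the previous set instead of flushing it.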
On 14/11/2021 18:03, Lefteris Tsintjelis wrote:
[...]
Perhaps I was not clear in my last message. Have a look at this documentation:
https://homebox.readthedocs.io/en/latest/email-access-monitoring/
I am available if you have any questions to implement something similar yourself. Extending the system to add a second factor authentication is probably easy enough.
Kind regards, André
-- 𝓐𝓡 - André Rodier
participants (4)
- André Rodier
- Kees van Vloten
- Lefteris Tsintjelis
- Marc