Possible hack via doveadm
I currently have two servers running with synchronization that I've been very happy with. However, I'm seeing the following in my logs recently:
May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm client not compatible with this server (mixed old and new binaries?)
Since I don't recognize those IPs, the first is out of Panama and the other is Belize, I assume these are hostile attackers trying to exploit something. How can I defend against this?
-- Daniel
On 14/5/23 09:14, Daniel L. Miller via dovecot wrote:
> May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm client not compatible with this server (mixed old and new binaries?)
> May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm client not compatible with this server (mixed old and new binaries?)
> Since I don't recognize those IPs, the first is out of Panama and the other is Belize, I assume these are hostile attackers trying to exploit something. How can I defend against this?
Set up a firewall rule that only allows access from an IP range you control. For any other source, simply drop the connection.
You can get really fancy and use port forwarding using ssh to connect from remote but appear as localhost to the server. This access can be configured in dovecot as well as firewall.
Jeremy
I only allow explicit service traffic through. IMAPS, SMTPS, etc. If doveadm is communicating via the IMAP(S) ports then all I can do via firewall is block countries. Which of course I can but I'm asking about any additional hardening for Dovecot itself.
-- Daniel
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
On Sun, 14 May 2023, Daniel Miller via dovecot wrote:
> I only allow explicit service traffic through. IMAPS, SMTPS, etc. If doveadm is communicating via the IMAP(S) ports then all I can do via firewall is block countries. Which of course I can but I'm asking about any additional hardening for Dovecot itself.
Maybe you want to show your configuration, and in particular the dsync_remote_cmd and the service doveadm { } part (where you define the listening port).
Normally (AFAIK anyway) the used port (12345 in the example in https://wiki.dovecot.org/Replication) is *not* the IMAP(S) port, so you must have set it to something.
For replication I'd recommend using a VPN, so that the dovecot instances communicate over the tunnel, and are thus immune to anything from the outside world.
Cheers.
On 14/5/23 23:29, Daniel Miller via dovecot wrote:
> I only allow explicit service traffic through. IMAPS, SMTPS, etc. If doveadm is communicating via the IMAP(S) ports then all I can do via firewall is block countries. Which of course I can but I'm asking about any additional hardening for Dovecot itself.
You can set up a doveadm service that requires client certificates:
    service doveadm {
      inet_listener {
        port = 12345
      }
      ssl = yes
      ssl_cert = </etc/dovecot/dovecot.pem
      ssl_key = </etc/dovecot/private/dovecot.pem
      ssl_verify_client_cert = yes
      auth_ssl_require_client_cert = yes
    }
Jeremy
Thank you Jeremy and Bernardo.
Adding cert verification is something I'll have to delve into. Also possibly pushing the replication through the VPN.
It's been a while since I last set up my replication pair - everything's been working smoothly so I've forgotten some of the key items. Particularly the need to open an explicit port for the doveadm connection - which of course I do have on a non-standard port and up till now it hasn't been an issue. I was fighting multiple config issues at the time - including network setup - so I left the communication purely through the external IPs instead of being VPN dependent. I may change that.
Fail2ban and other guards have blocked most port scanning and other junk - this was the first time I saw such log lines in my mail log and it scared me. Now I know what to look for and what it means. Thanks again.
-- Daniel
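An added example, not part of the original thread: a small Python check that scans mail-log lines in the format quoted above and reports doveadm connections whose source address is not one of the replication peers. The peer allowlist and the last two sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Replication peers allowed to reach the doveadm port. Assumed values
# (a documentation address and a private VPN range), not from the thread.
ALLOWED_PEERS = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "10.8.0.0/24")]

# Syslog format as quoted in the thread:
#   <timestamp> <host> dovecot: doveadm(<source ip>): <level>: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) dovecot: "
    r"doveadm\((?P<src>[0-9a-fA-F.:]+)\): (?P<level>\w+): (?P<msg>.*)$"
)

def is_allowed(addr):
    """True if addr belongs to one of the allowed peer networks."""
    return any(addr in net for net in ALLOWED_PEERS)

def unexpected_doveadm_sources(lines):
    """Return {source_ip: [(timestamp, message), ...]} for doveadm log
    entries whose source address is not an allowed replication peer."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # some other service, or a line without a source in parentheses
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # doveadm(<username>) from a local CLI run, not a network peer
        if not is_allowed(src):
            hits.setdefault(str(src), []).append((m.group("ts"), m.group("msg")))
    return hits

# First two lines are the ones quoted in the thread; the last two are constructed.
SAMPLE_LOG = """\
May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 04:00:02 cloud1 dovecot: doveadm(203.0.113.10): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 04:00:05 cloud1 dovecot: imap-login: Login: user=<constructed>, method=PLAIN
""".splitlines()

if __name__ == "__main__":
    for ip, events in unexpected_doveadm_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(events)} attempt(s), first at {events[0][0]}")
```

Any address this reports reached the doveadm listener from outside the peer set, which means the firewall or VPN restriction discussed in the thread is not yet in effect for that port.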
I use a tinc vpn mesh between the nodes. iptables only allows the nodes to talk to each other on port 655, all else is dropped. Works well. I also have a setup using zerotier for the same thing - my ansible deployment playbook will use either one.
DC.
participants (5): Bernardo Reino, Daniel L. Miller, Daniel Miller, Dean Carpenter, jeremy ardley