[Patch] blocklist access control for dovecot pop3/imap and pigeonhole managesieve
Hi
Just in case this is useful more generally, I'm posting it to the list.
While Dovecot has an access control via allow_nets, it is a user database field that applies only at the authentication stage to deny access for the specific user when there is a connection attempt from an unauthorized IP for that user.
https://doc.dovecot.org/configuration_manual/authentication/allow_nets/
I don't believe there is anything that checks access at connect time to deny unwanted traffic prior to authentication, for example from compromised machines, botnets etc. Though failed connection attempts do not appear to be a significant issue, maybe better to add some safety net for the future.
The attached patch is proof of concept code that introduces the parameters rbl_check and rbl_check_timeout (msecs) to the protocol section. Tested for imap, pop3 and sieve. The following is an example for sieve.
protocol sieve {
  rbl_check = zen.spamhaus.net=127.0.0.4
  rbl_check_timeout = 5000
}
If the lookup results in a hit the client is disconnected with a BYE "Disconnected for policy." message and the logs report:
Jun 09 12:00:56 server.example.com dovecot[977650]: managesieve-login: Disconnected: Policy (disconnected before auth was ready, waited 1 secs): user=<>, service=sieve, rip=n.n.n.n, lip=n.n.n.n
The patch also makes the number of pre-login errors and post-login errors configurable (max_login_command_errors and max_command_errors respectively) for the pop3, imap and sieve protocols.
protocol sieve {
  max_command_errors = 1
  max_login_command_errors = 1
}
A potential extension to the logic would be "allow_nets" and "disallow_nets" parameters or maybe something more sophisticated to allow ips/networks that would otherwise be blocked or deny additional ips/networks.
John
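How a connect-time DNSBL check of the kind described above works, as an added example that is neither Dovecot's code nor the patch from this thread: it builds the reversed-address query name, compares the answer with the return code configured after the "=" (the "zone=code" value syntax is taken from the mail; reading the code as the expected A record is an assumption), and keeps "not listed" (NXDOMAIN) apart from lookup errors and timeouts so the deployment can choose to fail open or closed. The exempt_nets parameter, the resolver interface and the fake zone data are assumptions made for this example.

```python
"""Connect-time DNSBL check (added example, not Dovecot's or the patch's code).

Assumptions: rbl_check values look like "zone=code[,code]" as in the mail;
the code is the expected A-record answer; exempt_nets is a hypothetical
allow-list; the resolver is any callable (qname, timeout_seconds) -> [A records].
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from typing import Callable, Iterable

# DNSBLs answer with addresses in 127.0.0.0/8. Spamhaus uses 127.255.255.0/24
# for query errors (typo in zone, query via open resolver, quota exceeded);
# those must be treated as errors, never as a listing.
_LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
_ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")

Resolver = Callable[[str, float], list[str]]


def parse_rbl_check(value: str) -> tuple[str, frozenset[str]]:
    """Split 'zen.spamhaus.net=127.0.0.4[,127.0.0.5]' into (zone, expected codes).
    An empty code set means any listing answer counts as a hit."""
    zone, _, codes = value.partition("=")
    expected = frozenset(c.strip() for c in codes.split(",") if c.strip())
    return zone.strip().rstrip("."), expected


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone + "."


def dnsbl_verdict(client_ip: str, rbl_check: str, resolve: Resolver,
                  timeout_ms: int, exempt_nets: Iterable[str] = ()) -> str:
    """Return 'exempt', 'listed', 'clean' or 'error' for one connecting client.

    'error' covers timeouts, resolver failures and DNSBL error codes; the
    caller decides whether to fail open (accept) or fail closed (reject).
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in exempt_nets):
        return "exempt"
    zone, expected = parse_rbl_check(rbl_check)
    try:
        answers = resolve(dnsbl_query_name(client_ip, zone), timeout_ms / 1000.0)
    except socket.gaierror:        # NXDOMAIN: the address is not listed
        return "clean"
    except (socket.timeout, FutureTimeout, OSError):
        return "error"
    for answer in answers:
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            continue
        if addr in _ERROR_RANGE:
            return "error"
        if addr in _LISTED_RANGE and (not expected or answer in expected):
            return "listed"
    return "clean"


def system_resolver(qname: str, timeout_s: float) -> list[str]:
    """Real lookup via the stdlib. getaddrinfo has no timeout of its own, so the
    call is bounded by a worker thread; the thread is abandoned on timeout."""
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        infos = pool.submit(socket.getaddrinfo, qname, None, socket.AF_INET).result(timeout=timeout_s)
    finally:
        pool.shutdown(wait=False)
    return [info[4][0] for info in infos]


# Constructed answers for offline use; not real DNSBL data.
FAKE_ZONE = {
    "4.3.2.1.zen.spamhaus.net.": ["127.0.0.4"],          # hit with the configured code
    "8.7.6.5.zen.spamhaus.net.": ["127.0.0.2"],          # listed, but a different code
    "5.0.0.10.zen.spamhaus.net.": ["127.255.255.254"],   # DNSBL error answer
}


def fake_resolver(qname: str, timeout_s: float) -> list[str]:
    """Offline stand-in for system_resolver, driven by FAKE_ZONE."""
    if qname == "9.9.9.9.zen.spamhaus.net.":
        raise socket.timeout("constructed timeout")
    if qname not in FAKE_ZONE:
        raise socket.gaierror("constructed NXDOMAIN")
    return FAKE_ZONE[qname]


if __name__ == "__main__":
    for rip in ("1.2.3.4", "5.6.7.8", "10.0.0.5", "9.9.9.9", "8.8.8.8", "127.0.0.1"):
        print(rip, dnsbl_verdict(rip, "zen.spamhaus.net=127.0.0.4", fake_resolver,
                                 5000, exempt_nets=["127.0.0.0/8"]))
```

Two points the verdict split is meant to surface. First, a DNSBL timeout is not evidence either way: with rbl_check_timeout = 5000 a stalled resolver adds up to five seconds before the login process can even offer authentication, so a short timeout plus an explicit fail-open or fail-closed decision is needed rather than treating silence as "clean". Second, public DNSBL mirrors answer queries they refuse (for example when sent through a public resolver) with an address in 127.255.255.0/24 rather than NXDOMAIN; a check that only tests "did we get an A record in 127.0.0.0/8" would then block every client.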
The files themselves didn't make it through the list server. I'll try with .txt
On 09/06/2024 15:42, John Fawcett via dovecot wrote:
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
On 09/06/2024 16:50 EEST John Fawcett via dovecot dovecot@dovecot.org wrote:
How is this different than using weakforced which already supports rbl? Or doing this in auth lua?
Aki
On 09/06/2024 18:39, Aki Tuomi via dovecot wrote:
Hi Aki
I'm not that familiar with weakforced or auth lua, but I guess those intervene at the authentication stage, rather than the connection stage.
John
participants (2)
-
Aki Tuomi
-
John Fawcett