[Dovecot] Blocking certain hostnames/clients
Hello,
As a result of learning of the new 'Intro' App introduced by LinkedIn, and discussing how to block SMTP access to my postfix server from these clients, I'm now interested in doing the same for dovecot.
Bottom line desire is to avoid scraping/hijacking email stored on my dovecot server by any client other than a user's client.
This includes Intro (so, LinkedIn), Blackberry, GMail, Outlook, etc.
The boss has expressed the desire to NOT block all email from them, just disallow any of their clients from AUTH'ing (either SMTP or IMAP/POP).
I'd be interested if anyone has any kind of database of hostnames/IP blocks of the freemailers out there that support adding 3rd party accounts, especially ones supporting IMAP.
Anyway, article raising the concern found here:
http://www.bishopfox.com/blog/2013/10/linkedin-intro/
"LinkedIn released a new product today called Intro. They call it "doing the impossible", but some might call it "hijacking email". Why do we say this? Consider the following:
Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn's servers. You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn's servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to... whatever they feel like."
--
Best regards,
Charles
On 10/27/2013 1:21 PM, Charles Marcus wrote:
> Bottom line desire is to avoid scraping/hijacking email stored on my dovecot server by any client other than a user's client.
I don't think IMAP has a "client identification" component in its protocol, at least one that's in widespread and "compatible" use. So you're stuck with IP/hostname-based ACLs or perhaps something more "forensic" that does analysis of how those clients access mail and tailor a countermeasure accordingly.
Of course, blackholing all of the offending IP#s is an option, but I suspect it will be a bit "whack-a-mole".
=R=
On Sun, 27 Oct 2013, Charles Marcus wrote:
> As a result of learning of the new 'Intro' App introduced by LinkedIn, and discussing how to block SMTP access to my postfix server from these clients, I'm now interested in doing the same for dovecot.
Reading the description, I would say: no valid user would AUTH into your IMAP server from there, so block those LinkedIn IP addresses for all ports but plain old 25. No need to fiddle in Dovecot, and you'll save resources.
If you want to log them as incidents, you might look into:
# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
and put a user-deny passdb { } in a remote { } block in the first place. However, I don't know if this works.
> The boss has expressed the desire to NOT block all email from them, just disallow any of their clients from AUTH'ing (either SMTP or IMAP/POP).
That would work if you block all ports but 25 from these IPs.
> I'd be interested if anyone has any kind of database of hostnames/IP blocks of the freemailers out there that support adding 3rd party accounts, especially ones supporting IMAP.
This does not read like a freemail, but just a gateway.
Steffen Kaiser
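One way to act on Steffen's suggestion of logging these connections as incidents, and on Robin's point that only IP/hostname-based ACLs are available, is to scan Dovecot's login log for successful IMAP/POP3 logins whose remote address falls inside a list of watched networks. The script below is an added example, not code from this thread or from the Dovecot project. It assumes the standard `rip=` (remote IP) field that Dovecot's login processes write; the sample log lines and the CIDR blocks are constructed placeholders (RFC 5737 documentation ranges), since the thread names no real addresses.

```python
"""Flag Dovecot IMAP/POP3 logins that originate from blocked source networks.

Added example, not from the mailing-list thread. It assumes the usual
dovecot login log line format with a "rip=" (remote IP) field and an
operator-maintained list of CIDR blocks to watch. The networks and log
lines below are constructed placeholders (RFC 5737 documentation ranges).
"""
import ipaddress
import re

# Placeholder deny list (constructed); replace with the real blocks to watch.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample lines in the format Dovecot's login processes emit.
SAMPLE_LOG = """\
Oct 27 14:02:11 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.15, lip=192.0.2.1, mpid=4120, TLS, session=<abc123>
Oct 27 14:02:40 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.1, mpid=4133, TLS, session=<def456>
Oct 27 14:03:05 mail dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.200, lip=192.0.2.1, mpid=4140, TLS, session=<ghi789>
Oct 27 14:03:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<dave>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1, TLS, session=<jkl012>
"""

# Only successful logins carry "Login:"; failed attempts log "Disconnected".
LOGIN_RE = re.compile(
    r"(?P<service>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)


def blocked_network_for(ip_text, networks=BLOCKED_NETWORKS):
    """Return the first watched network containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # malformed address: not something we can match
    for net in networks:
        if ip in net:
            return net
    return None


def find_incidents(log_text, networks=BLOCKED_NETWORKS):
    """Return (user, service, rip, network) for each successful login from a watched net."""
    incidents = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # failed logins and unrelated lines are not sessions
        net = blocked_network_for(m.group("rip"), networks)
        if net is not None:
            incidents.append((m.group("user"), m.group("service"), m.group("rip"), str(net)))
    return incidents


if __name__ == "__main__":
    # Usage: python3 this_script.py < /var/log/dovecot.log (here: the sample)
    for user, service, rip, net in find_incidents(SAMPLE_LOG):
        print(f"INCIDENT: {service} login for {user} from {rip} (in {net})")
```

Feed it the real log instead of `SAMPLE_LOG` and each hit tells you which mailbox was fetched through a gateway address, which is the evidence needed before deciding whether a firewall block on everything but port 25 is the right response for that network.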