Mail account brute force / harassment
Aki Tuomi
aki.tuomi at open-xchange.com
Fri Apr 12 19:49:26 EEST 2019
> On 12 April 2019 18:11 Robert Kudyba via dovecot <dovecot at dovecot.org> wrote:
>
>
> > Probably there's an existing solution for both problems (subsequent
> > attempts and dnsbl):
> >
> > > https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_PowerDNS_weakforced&d=DwID-g&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=X1Im4Y-eX0uEDwDWiGtbHA7-LMVH6EXlblUpquQsx9Y&s=stCCTTs65S9mjT4ITx-MfXyqnP1M0FoOlvIsEA-iwdQ&e=
> >
> > It was also discussed recently on this list:
> >
> > > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dovecot.org_list_dovecot_2019-2DMarch_114921.html&d=DwID-g&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=X1Im4Y-eX0uEDwDWiGtbHA7-LMVH6EXlblUpquQsx9Y&s=F_MZgSGFbhEPpQAsxd5uZPK_fbOBWgG4SIvzIXCWC1U&e=
> >
> >
> > Has already been on my personal todo list for some time, so I have no
> > experience how (good) it actually works.
>
> That was a thread I started. I got wforce to work. However the "reporting IP" in the logs always shows as 127.0.0.1, so I risk banning myself. Here's the log entry:
> Apr 12 10:06:12 auth: Debug: policy(ouruser,127.0.0.1,<OWoLzlWGDrh/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"2a","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}
>
> I've tried setting auth_policy_server_url to examples such as:
> * auth_policy_server_url = http://localhost:8084/
> * auth_policy_server_url = http://0.0.0.0:8084/
> * auth_policy_server_url = https://ourdomain.edu:8084/
> in the custom config file for wforce and the rip (reporting IP, e.g., Apr 12 10:06:10 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=OWoLzlWGDrh/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=47118 resp=<hidden>) is either 127.0.0.1 or ourdomain.edu (http://ourdomain.edu).
You are running some kind of proxy in front of it. If you want it to show the real client IP, you need to enable forwarding of said data. With dovecot it's done by setting
login_trusted_networks = your-upstream-host-or-net
in backend config file.
For webmails, this requires both login_trusted_networks and also support from the webmail software to forward client IP.
Aki
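An added check, not part of this thread or of Dovecot itself, that a practitioner can run over auth debug logs to confirm whether the fix above actually took effect: it parses the "Policy server request JSON" lines in the format quoted earlier and flags every request whose "remote" field is a loopback or known proxy address, since a policy decision (or a ban) based on such an address lands on the proxy rather than on the client. The sample log lines are constructed from the two formats shown in the thread; the third line (address 203.0.113.7, session id marked HYPOTHETICAL) is invented to show what a correctly forwarded client address looks like.

```python
import ipaddress
import json
import re

# Constructed sample lines modelled on the two formats quoted in the thread:
# the AUTH debug line (with rip=) and the "Policy server request JSON" line.
# The third line is hypothetical; 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
Apr 12 10:06:10 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=OWoLzlWGDrh/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=47118 resp=<hidden>
Apr 12 10:06:12 auth: Debug: policy(ouruser,127.0.0.1,<OWoLzlWGDrh/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"2a","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}
Apr 12 10:07:03 auth: Debug: policy(ouruser,203.0.113.7,<HYPOTHETICAL/AAAC>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"2a","remote":"203.0.113.7","success":false,"policy_reject":false,"tls":true}
"""

POLICY_RE = re.compile(r"Policy server request JSON: (\{.*\})\s*$")
RIP_RE = re.compile(r"\brip=(\S+)")


def parse_policy_requests(log_text):
    """Decode the JSON body of every policy-server request line.

    Lines whose JSON does not parse are skipped rather than aborting the scan,
    so one truncated debug line cannot hide the rest of the log.
    """
    requests = []
    for line in log_text.splitlines():
        match = POLICY_RE.search(line)
        if not match:
            continue
        try:
            requests.append(json.loads(match.group(1)))
        except json.JSONDecodeError:
            continue
    return requests


def parse_auth_rips(log_text):
    """Collect the rip= (remote IP) value from every 'client in: AUTH' debug line."""
    rips = []
    for line in log_text.splitlines():
        if "AUTH" not in line:
            continue
        match = RIP_RE.search(line)
        if match:
            rips.append(match.group(1))
    return rips


def is_proxy_address(addr, proxy_networks):
    """True when addr is loopback or inside one of the given proxy networks.

    A request carrying such an address was reported by the proxy, not by the
    client, so any reputation or ban decision made on it would hit the proxy.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or any(ip in net for net in proxy_networks)


def find_masked_remotes(log_text, proxy_networks=()):
    """Return (login, remote) for each policy request whose remote is a proxy address."""
    nets = [ipaddress.ip_network(n, strict=False) for n in proxy_networks]
    return [(req["login"], req["remote"])
            for req in parse_policy_requests(log_text)
            if "remote" in req and is_proxy_address(req["remote"], nets)]


def forwarding_looks_broken(log_text, proxy_networks=()):
    """True when every policy request in the log came from a proxy/loopback address,
    i.e. the backend is not receiving forwarded client addresses at all."""
    requests = parse_policy_requests(log_text)
    masked = find_masked_remotes(log_text, proxy_networks)
    return bool(requests) and len(masked) == len(requests)


if __name__ == "__main__":
    # Stand-alone run: report which requests would be attributed to the proxy.
    for login, remote in find_masked_remotes(SAMPLE_LOG):
        print(f"policy request for {login!r} reports proxy address {remote}")
    print("forwarding broken:", forwarding_looks_broken(SAMPLE_LOG))
```

Pass the proxy's own address or network as `proxy_networks` (the same host or net that would go into `login_trusted_networks`) so that requests attributed to the proxy, not only to loopback, are caught; once forwarding works, `forwarding_looks_broken` should return False and the flagged list should be empty for real client traffic.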