Mail account brute force / harassment

Aki Tuomi aki.tuomi at open-xchange.com
Fri Apr 12 19:49:26 EEST 2019 

> On 12 April 2019 18:11 Robert Kudyba via dovecot <dovecot at dovecot.org> wrote:
> 
> 
> > Probably there's an existing solution for both problems (subsequent 
> >  attempts and dnsbl):
> >  
> >  > https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_PowerDNS_weakforced&d=DwID-g&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=X1Im4Y-eX0uEDwDWiGtbHA7-LMVH6EXlblUpquQsx9Y&s=stCCTTs65S9mjT4ITx-MfXyqnP1M0FoOlvIsEA-iwdQ&e=
> >  
> >  It was also discussed recently on this list:
> >  
> >  > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dovecot.org_list_dovecot_2019-2DMarch_114921.html&d=DwID-g&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=X1Im4Y-eX0uEDwDWiGtbHA7-LMVH6EXlblUpquQsx9Y&s=F_MZgSGFbhEPpQAsxd5uZPK_fbOBWgG4SIvzIXCWC1U&e=
> >  
> >  
> >  Has already been on my personal todo list for some time, so I have no 
> >  experience how (good) it actually works.
> 
> That was a thread I started. I got wforce to work. However the "reporting IP" in the logs always shows as 127.0.0.1, so I risk banning myself. Here's the log entry:
> Apr 12 10:06:12 auth: Debug: policy(ouruser,127.0.0.1,<OWoLzlWGDrh/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"2a","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}
> 
> I've tried setting auth_policy_server_url to examples such as:
>   * auth_policy_server_url = http://localhost:8084/
>   * auth_policy_server_url = http://0.0.0.0:8084/
>   * auth_policy_server_url = https://ourdomain.edu:8084/
> in the custom config file for wforce and the rip (reporting IP, e.g., Apr 12 10:06:10 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=OWoLzlWGDrh/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=47118 resp=<hidden>) is either 127.0.0.1 or ourdomain.edu (http://ourdomain.edu).

You are running some kind of proxy in front of it. If you want it to show real client IP, you need to enable forwarding of said data. With dovecot it's done by setting

login_trusted_networks = your-upstream-host-or-net

in backend config file.

For webmails, this requires both login_trusted_networks and also support from the webmail software to forward client IP.

Aki

More information about the dovecot mailing list