Mail account brute force / harassment
Robert Kudyba
rkudyba at fordham.edu
Fri Apr 12 22:01:30 EEST 2019
>
> > On 12 April 2019 21:45 Robert Kudyba via dovecot <dovecot at dovecot.org>
> wrote:
> >
> >
> > > You are running some kind of proxy in front of it.
> >
> > No proxy. Just sendmail with users using emacs/Rmail or
> Webmail/Squirrelmail.
> >
> > > If you want it to show real client IP, you need to enable forwarding
> of said data. With dovecot it's done by setting
> > >
> > > login_trusted_networks = your-upstream-host-or-net
> > >
> > > in backend config file.
> >
> > OK I changed it and restarted wforce and dovecot. Still seeing this:
> > Apr 12 14:38:55 auth: Debug:
> policy(ouruser,127.0.0.1,<6GFTnVmGcMN/AAAB>): Policy server request JSON:
> {"device_id":"","login":"
> ouruser","protocol":"imap","pwhash":"43","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}
> >
> > > For webmails, this requires both login_trusted_networks and also
> support from the webmail software to forward client IP.
> >
> > I did get a reply from the Squirrelmail list:
> > "Well, I've had code sitting around for a while that implements RFC2971
> (ID command), so I just committed it. You can use it for this purpose by
> putting something like this into your config/config_local.php
> > $imap_id_command_args = array('remote-host' => '###REMOTE ADDRESS###');"
> >
> > Which I also added previously. But that doesn't address emacs/RMail
> users.
> >
> > Could there be a setting in sendmail.mc/cf (
> https://urldefense.proofpoint.com/v2/url?u=http-3A__sendmail.mc_cf&d=DwICaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=CsaMqvBelGXz-_ClT0RDzwqz0tH3cTGNItJktQeULLs&s=JnUd5ej3Twniz2q3fiWUrV_qOFlAwvFHquFjfgsoQJ0&e=)
> file that I'm missing?
>
> Can you verify following?
>
> doveconf auth_policy_request_attributes
>
> auth_policy_request_attributes = login=%{requested_username}
> pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
>
> On some versions remote is mistakenly %{real_rip} which expands into where
> the connection came from instead of client IP.
>
> If it's wrong just feel free to copypaste the setting above into dovecot
> config.
>
Verified. I believe you told me that on the other thread and I made that
change a while back.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20190412/f28b1aae/attachment.html>
More information about the dovecot
mailing list