Strategies for protecting IMAP (e.g. MFA)

Michael Peddemors michael at linuxmagic.com
Sun Nov 14 16:12:53 UTC 2021


On 2021-11-14 7:55 a.m., Lefteris Tsintjelis wrote:
> On 13/11/2021 23:16, Tyler Montney wrote:
>> With the world of ransomware as it is today (aka attacks seem more 
>> vicious and commonplace), anything I expose to WAN must have 
>> additional protection. I've seen a few posts to this list on it. The 
>> only thing that helped was that Dovecot supports OAuth. Through OAuth 
>> I figure I could implement MFA. However, I'd have to host my own 
>> identity server.  From there, Thunderbird supports OAuth so that 
>> should work.
>>
>> Since this is getting increasingly complicated, I wanted to ask before 
>> going further. What do you all do? Any recommendations?
> 
> May also consider blacklisting, or even better, whitelisting country 
> IPs. A whitelist firewall, if you only have to deal with a certain 
> country for example, will also work extremely well and it is quite easy 
> to maintain and update as well as simple and fast and very effective.
> 
> And if you sporadically need to use it outside your whitelist, VPN 
> works great.

Our threat teams do a lot of work around IMAP threats, and a couple of 
things to note: there is a marked increase in IMAP attackers using 
cloud infrastructure for IMAP hacks.

You might ask the question: do you need to allow IMAP access from the 
cloud, or do you expect only email clients to access it?

If the latter, consider blocking AWS, GoogleCloud, Azure from connecting 
to your IMAP.  Note, it may affect certain VPN anonymizers, or Desktop 
in the Cloud, but in general given the predilection of certain hacking 
groups for those, you might like to control that.

And there are RBLs now for known IPs used by IMAP hackers, including 
SpamRats RATS-AUTH, that can assist in reducing those attacks.

And for 'some' IMAP operators, country AUTH blocking might be valuable. 
Of course, you have to consider your users, and what they can do when 
traveling or vacationing.  A step forward is to do country AUTH 
blocking, and insist they use an email client which supports MFA when 
traveling, or force them to use webmail.

Of course, transparent 2FA is the way to go in the long run.
Time to update that pull request, so that plugins can dynamically 
control CAPABILITY advertisements.


-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
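The three controls Michael lists above (blocking cloud provider address space from IMAP, consulting an auth-abuse RBL such as RATS-AUTH, and country AUTH blocking with an MFA or webmail exception for travelling users) can be combined into one login policy check. The following is an added example written for this page; it is not code from the post, from LinuxMagic, or from Dovecot. Every prefix, country mapping and RBL answer in it is constructed sample data, the RBL zone name `auth.rbl.example` is a placeholder rather than a real list, and a real deployment would load provider ranges and GeoIP data from their published sources and resolve the RBL name over DNS.

```python
"""Added example: offline IMAP login policy combining cloud-range blocking,
an auth-abuse RBL check and country-based AUTH blocking. All data below is
constructed for illustration; nothing here is a real provider range or a
real RBL zone."""
import ipaddress
from dataclasses import dataclass

# Constructed sample "cloud" prefixes (assumption: an operator maintains these
# from each provider's published range lists; these are documentation nets).
CLOUD_PREFIXES = {
    "aws-sample": ipaddress.ip_network("198.51.100.0/24"),
    "gcp-sample": ipaddress.ip_network("203.0.113.0/25"),
    "azure-sample": ipaddress.ip_network("2001:db8:1::/48"),
}

# Constructed GeoIP stand-in: prefix -> ISO country code.
COUNTRY_BY_PREFIX = {
    ipaddress.ip_network("192.0.2.0/24"): "CA",
    ipaddress.ip_network("203.0.113.128/25"): "RU",
    ipaddress.ip_network("2001:db8:2::/48"): "CA",
}

RBL_ZONE = "auth.rbl.example"  # placeholder zone, not a real RBL
# Constructed stand-in for DNS answers: query name -> A record returned.
# Real code resolves the name and treats any 127.0.0.x answer as "listed".
RBL_ANSWERS = {
    "77.2.0.192.auth.rbl.example": "127.0.0.2",
}

ALLOWED_COUNTRIES = {"CA"}      # countries from which plain IMAP AUTH is allowed
ALLOW_CLOUD_CLIENTS = False     # True only if cloud-hosted desktops/MUAs are expected


def rbl_query_name(ip, zone=RBL_ZONE):
    """Build the reversed DNSBL query name (dotted octets for IPv4, reversed
    nibbles for IPv6), the form auth-abuse RBLs are queried with."""
    if ip.version == 4:
        rev = ".".join(reversed(ip.exploded.split(".")))
    else:
        rev = ".".join(reversed(ip.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def rbl_listed(ip):
    """Offline lookup against the constructed answers; a listed IP is one the
    zone answers with a 127.0.0.x record for."""
    answer = RBL_ANSWERS.get(rbl_query_name(ip))
    return answer is not None and answer.startswith("127.0.0.")


def cloud_provider(ip):
    """Return the name of the cloud range containing ip, or None."""
    for name, net in CLOUD_PREFIXES.items():
        if ip in net:
            return name
    return None


def country_of(ip):
    """Return the country code for ip from the constructed GeoIP table, or None."""
    for net, cc in COUNTRY_BY_PREFIX.items():
        if ip in net:
            return cc
    return None


@dataclass
class Login:
    ip: str
    user: str
    mfa: bool = False          # client completed a second factor (e.g. OAuth/MFA flow)
    via_webmail: bool = False  # session arrives through the webmail front end


def evaluate(login):
    """Decide ("allow"|"deny", reason) for one IMAP login attempt.
    Order: cloud block, RBL, then country AUTH policy with MFA/webmail exception."""
    ip = ipaddress.ip_address(login.ip)
    provider = cloud_provider(ip)
    if provider and not ALLOW_CLOUD_CLIENTS:
        return ("deny", f"cloud infrastructure ({provider})")
    if rbl_listed(ip):
        return ("deny", f"listed in {RBL_ZONE}")
    country = country_of(ip)
    if country in ALLOWED_COUNTRIES:
        return ("allow", f"country {country} on allowlist")
    # Outside the allowlist (e.g. a travelling user): require MFA or webmail.
    if login.mfa or login.via_webmail:
        return ("allow", f"country {country or 'unknown'} permitted via MFA/webmail")
    return ("deny", f"country {country or 'unknown'} requires MFA or webmail")


if __name__ == "__main__":
    for attempt in (Login("198.51.100.10", "alice"),
                    Login("192.0.2.77", "alice"),
                    Login("192.0.2.10", "alice"),
                    Login("203.0.113.200", "alice"),
                    Login("203.0.113.200", "alice", mfa=True)):
        print(attempt.ip, *evaluate(attempt))
```

The decision order matters: cloud and RBL checks run before any country logic, so an MFA-capable client on a blocked cloud range is still refused, which matches the suggestion above to block cloud provider space outright when only ordinary mail clients are expected. Where Michael mentions that VPN anonymizers or cloud desktops may be affected, `ALLOW_CLOUD_CLIENTS` is the single switch to flip for that user base.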

