Strategies for protecting IMAP (e.g. MFA)

André Rodier andre at rodier.me
Sun Nov 14 18:08:18 UTC 2021


On 14/11/2021 18:03, Lefteris Tsintjelis wrote:
> On 14/11/2021 14:50, Kees van Vloten wrote:
>>
>> Apart from a really nice firewall firehol also supplies a good set of 
>> ip-blacklists.
>>
>> For public exposure of email ports, I am using the combination of 
>> firehol-firewall, firehol-blacklist, fail2ban and a whitelist based on 
>> geo-ip. The mail-client ports exposed are 993 and 465, because 
>> starttls is considered flawed nowadays: https://nostarttls.secvuln.info/
>>
>> Full access from any IP (except firehol-blacklist and fail2ban) is 
>> possible over VPN (openvpn) with MFA (privacyidea).
>> Privacyidea also supplies a mobile-app compatible with a.o. TOTP and 
>> HOTP but it provides a more secure way of enrollment (2-step).
>>
>> Thanks for pointing at crowdsec.net, will see if it can tighten 
>> security further in cooperation with the above.
>>
>> - Kees
> 
> The problem I faced over the years, with so many IPs, was that the black 
> listing way would reach its limits at some point. Using the classic 
> fail2ban expiration dates and method, over time, never actually manages 
> to get rid of them as they keep on trying and trying. I needed to expand 
> the blacklist expiration time limits way high but that reached firewall 
> limitations so I personally switched to a permanent white list 
> firewalling, as I could do that, and it really got rid of a lot of my 
> headaches with just about all my public services.
> 
> Black listing would work in case of central dedicated and large 
> firewalls but for smaller solutions I think country white listing 
> firewall is a far better method.
> 
> What would also be interesting is something similar to the spamcop 
> combined with crowdsec reporting system so that it can be used to 
> effectively analyze and reduce all those bots.
> 
> The Spamhaus DROP list would also be a good permanent black list 
> addition to any border routers or stand alone public services.
> 
> https://www.spamhaus.org/drop/

Perhaps I was not clear in my last message. Have a look at this 
documentation:

https://homebox.readthedocs.io/en/latest/email-access-monitoring/

I am available if you have any questions to implement something similar 
yourself. Extending the system to add a second factor authentication is 
probably easy enough.

Kind regards,
André

-- 
𝓐𝓡 - André Rodier
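Lefteris suggests loading the Spamhaus DROP list as a permanent block list on the mail host. The following is an added example (not code from this thread, from homebox, or from Spamhaus) showing how to parse the DROP text format into nftables set elements that can be refreshed on a schedule, plus a check of a client address against the parsed ranges. The DROP text embedded below is constructed for the example; the table name "inet filter", the chain name "input" and the set name prefix "drop_nets" are assumptions about the local ruleset.

```python
"""Parse a Spamhaus DROP-format list into nftables set elements.

Added example, not code from the dovecot thread or from homebox.
Assumptions: an existing nftables table "inet filter" with an "input"
chain; set names "drop_nets4"/"drop_nets6" are chosen here.
"""
import ipaddress

# Constructed sample in the DROP text format: lines starting with ';'
# are comments, entries are "<CIDR> ; <SBL reference>".
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample for this example)
; https://www.spamhaus.org/drop/
1.10.16.0/20 ; SBL256894
5.134.128.0/19 ; SBL270738
185.176.26.0/24 ; SBL336101
"""


def parse_drop(text):
    """Return [(ip_network, sbl_ref), ...] from DROP text.

    Comments, blank lines and malformed entries are skipped so one bad
    line in a downloaded list does not abort the whole refresh.
    """
    nets = []
    for raw in text.splitlines():
        cidr, _, ref = raw.partition(";")
        cidr = cidr.strip()
        if not cidr:
            continue  # comment or blank line
        try:
            # strict=False: an entry with host bits set still blocks
            # the enclosing network instead of being dropped silently.
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue
        nets.append((net, ref.strip()))
    return nets


def is_blocked(addr, nets):
    """Return the (network, ref) covering addr, or None.

    Handy for checking the source IP of a Dovecot login line against
    the list without touching the live firewall.
    """
    ip = ipaddress.ip_address(addr)
    for net, ref in nets:
        if ip.version == net.version and ip in net:
            return net, ref
    return None


def nft_refresh_commands(nets, table="inet filter", setname="drop_nets"):
    """Idempotent nft commands that (re)build one interval set per family.

    Run these from cron after each download; the sets are flushed and
    refilled, so removed ranges disappear on the next refresh.
    """
    cmds = [f"nft add table {table}"]
    for version, addr_type in ((4, "ipv4_addr"), (6, "ipv6_addr")):
        elems = [str(n) for n, _ in nets if n.version == version]
        if not elems:
            continue
        name = f"{setname}{version}"
        cmds += [
            f"nft add set {table} {name} {{ type {addr_type}; flags interval; }}",
            f"nft flush set {table} {name}",
            f"nft add element {table} {name} {{ {', '.join(elems)} }}",
        ]
    return cmds


def nft_rule_commands(table="inet filter", chain="input", setname="drop_nets"):
    """One-time rules that drop traffic from the sets; add these once,
    not on every refresh, or duplicate rules accumulate in the chain."""
    return [
        f"nft add rule {table} {chain} ip saddr @{setname}4 counter drop",
        f"nft add rule {table} {chain} ip6 saddr @{setname}6 counter drop",
    ]


if __name__ == "__main__":
    parsed = parse_drop(SAMPLE_DROP)
    for cmd in nft_refresh_commands(parsed) + nft_rule_commands():
        print(cmd)
    print(is_blocked("1.10.20.5", parsed))
```

Because the set is built with `flags interval`, a whole /20 costs one element, so the size limits Lefteris hit with per-IP fail2ban bans do not apply to the DROP ranges. The IPv6 rule only makes sense once a DROPv6 list has been fed through the same parser; with the IPv4-only sample above, no `drop_nets6` set is created.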

