[vchkpw] [SPAM] Re: [vchkpw] [SPAM] Re: [vchkpw] [SPAM] Re: [vchkpw] Qmail maillog vchkpw-submission vs vchkpw-smtp
It doesn't matter how good your password is if you're using plaintext connections :)

Since every MUA I've used in the last few years supports SSL or TLS, I should really get around to deprecating pop3 and imap and only using pop3s and imaps. This is especially important since some govts are trying to push through laws forcing ISPs to store all of the data each of their users downloads, meaning that your unencrypted data will remain stored for however long is legislated, with access by who knows how many people.

\Clay

On 2014-03-05 07:57, Tom Collins wrote:

The submission entries outside the US could very well be from hacked accounts. I'm finding a surprising number of compromised accounts (once a week?), including users with good passwords, so I have to assume they're snooped on public wireless, or their computers are compromised by malware of some sort.

The vchkpw-smtp entries from outside the US are probably also hacked accounts, since mail received from remote servers doesn't include authentication.

Sorry I wasn't thinking clearly in my previous response -- I forgot these were vchkpw entries and are only related to authentication. I was thinking about qmail logs.

-Tom

On Mar 4, 2014, at 10:43 PM, LHTek wrote:

Thanks for the reply.

NOTE: None of my users will have sent anything from outside the US.

I've got some log entries for vchkpw-submission (marked as successful in the log) with non-US IPs (Russia, Egypt, Hong Kong, etc). In my analysis I'm marking those entries as hacked accounts.

From what I read from your response, vchkpw-smtp (marked as successful in the log) entries could be mail sent TO my server FROM another server on port 25. That tells me those are probably safe submissions - even if they are from overseas IPs. Am I thinking correctly?

From: Tom Collins t...@tomlogic.com
To: vchkpw@inter7.com
Sent: Wednesday, March 5, 2014 12:02 AM
Subject: Re: [vchkpw] Qmail maillog vchkpw-submission vs vchkpw-smtp

vchkpw-submission is on port 587, and is typically used for email clients relaying mail. It's often set up to require authentication.

vchkpw-smtp is on port 25, and can be used for email clients to relay mail, or by other servers delivering mail to your server.

-Tom

On Mar 4, 2014, at 9:41 PM, LHTek wrote:

In the /var/log/maillog file what is the difference between these 2 entries (vchkpw-submission, vchkpw-smtp)?

example:
Mar 4 17:27:03 michael vpopmail[14701]: vchkpw-submission: (PLAIN) login success t...@domain.com:64.185.3.238
Mar 4 10:54:42 michael vpopmail[29027]: vchkpw-smtp: (PLAIN) login success t...@domain.com:64.57.239.114
Re: [vchkpw] [SPAM] Re: [vchkpw] [SPAM] Re: [vchkpw] [SPAM] Re: [vchkpw] Qmail maillog vchkpw-submission vs vchkpw-smtp
I am using PLAIN text passwords I'm afraid. I will be changing that now though. I'm very tired of these password hacks.

Since this will be a new process for me I have questions:

In changing the server to require encrypted passwords, will I need to contact all my clients and have them change the way they connect? Or will their email clients just automate the change?

From: c...@milos.co.za
To: vchkpw@inter7.com
Sent: Wednesday, March 5, 2014 6:45 AM
Subject: [vchkpw] [SPAM] Re: [vchkpw] [SPAM] Re: [vchkpw] [SPAM] Re: [vchkpw] Qmail maillog vchkpw-submission vs vchkpw-smtp

It doesn't matter how good your password is if you're using plaintext connections :)

Since every MUA I've used in the last few years supports SSL or TLS, I should really get around to deprecating pop3 and imap and only using pop3s and imaps. This is especially important since some govts are trying to push through laws forcing ISPs to store all of the data each of their users downloads, meaning that your unencrypted data will remain stored for however long is legislated, with access by who knows how many people.

\Clay

On 2014-03-05 07:57, Tom Collins wrote:

The submission entries outside the US could very well be from hacked accounts. I'm finding a surprising number of compromised accounts (once a week?), including users with good passwords, so I have to assume they're snooped on public wireless, or their computers are compromised by malware of some sort.

The vchkpw-smtp entries from outside the US are probably also hacked accounts, since mail received from remote servers doesn't include authentication.

Sorry I wasn't thinking clearly in my previous response -- I forgot these were vchkpw entries and are only related to authentication. I was thinking about qmail logs.

-Tom

On Mar 4, 2014, at 10:43 PM, LHTek wrote:

Thanks for the reply.

NOTE: None of my users will have sent anything from outside the US.

I've got some log entries for vchkpw-submission (marked as successful in the log) with non-US IPs (Russia, Egypt, Hong Kong, etc). In my analysis I'm marking those entries as hacked accounts.

From what I read from your response, vchkpw-smtp (marked as successful in the log) entries could be mail sent TO my server FROM another server on port 25. That tells me those are probably safe submissions - even if they are from overseas IPs. Am I thinking correctly?

From: Tom Collins t...@tomlogic.com
To: vchkpw@inter7.com
Sent: Wednesday, March 5, 2014 12:02 AM
Subject: Re: [vchkpw] Qmail maillog vchkpw-submission vs vchkpw-smtp

vchkpw-submission is on port 587, and is typically used for email clients relaying mail. It's often set up to require authentication.

vchkpw-smtp is on port 25, and can be used for email clients to relay mail, or by other servers delivering mail to your server.

-Tom

On Mar 4, 2014, at 9:41 PM, LHTek wrote:

In the /var/log/maillog file what is the difference between these 2 entries (vchkpw-submission, vchkpw-smtp)?

example:
Mar 4 17:27:03 michael vpopmail[14701]: vchkpw-submission: (PLAIN) login success t...@domain.com:64.185.3.238
Mar 4 10:54:42 michael vpopmail[29027]: vchkpw-smtp: (PLAIN) login success t...@domain.com:64.57.239.114
[vchkpw] Re: [SPAM] Re: [vchkpw] [SPAM] Re: [vchkpw] [SPAM] Re: [vchkpw] Qmail maillog vchkpw-submission vs vchkpw-smtp
PLAIN authentication is ok, provided that TLS has been activated by the client (presumably before credentials are sent) or SSL is in use (unconventional 465 port).

In changing this, each client will need to be manually reconfigured. I'm not aware of any client that automatically adjusts to changes such as this.

I'm not aware of a practical way to require encrypted passwords for qmail-smtpd (whether on port 25 or 587) at this point. Spamdyke has a recent feature allowing it to handle authentication, and I believe that Sam will be adding a setting to require encryption before authentication in the next release. When that's available, I'll be changing QMT to use spamdyke for authentication, which will (at last) allow for enforcement of this policy (no passwords sent in clear text).

On the retrieval side of things, dovecot provides such a configuration parameter, #disable_plaintext_auth = yes, which is the default value.

P.S. FWIW, I would have not expected to see (as many) unauthorized attempts on port 587. Spammers will eventually use this port though.

--
-Eric 'shubes'

On 03/05/2014 08:34 AM, LHTek wrote:

I am using PLAIN text passwords I'm afraid. I will be changing that now though. I'm very tired of these password hacks.

Since this will be a new process for me I have questions:

In changing the server to require encrypted passwords, will I need to contact all my clients and have them change the way they connect? Or will their email clients just automate the change?

From: c...@milos.co.za
To: vchkpw@inter7.com
Sent: Wednesday, March 5, 2014 6:45 AM
Subject: [vchkpw] [SPAM] Re: [vchkpw] [SPAM] Re: [vchkpw] [SPAM] Re: [vchkpw] Qmail maillog vchkpw-submission vs vchkpw-smtp

It doesn't matter how good your password is if you're using plaintext connections :)

Since every MUA I've used in the last few years supports SSL or TLS, I should really get around to deprecating pop3 and imap and only using pop3s and imaps. This is especially important since some govts are trying to push through laws forcing ISPs to store all of the data each of their users downloads, meaning that your unencrypted data will remain stored for however long is legislated, with access by who knows how many people.

\Clay

On 2014-03-05 07:57, Tom Collins wrote:

The submission entries outside the US could very well be from hacked accounts. I'm finding a surprising number of compromised accounts (once a week?), including users with good passwords, so I have to assume they're snooped on public wireless, or their computers are compromised by malware of some sort.

The vchkpw-smtp entries from outside the US are probably also hacked accounts, since mail received from remote servers doesn't include authentication.

Sorry I wasn't thinking clearly in my previous response -- I forgot these were vchkpw entries and are only related to authentication. I was thinking about qmail logs.

-Tom

On Mar 4, 2014, at 10:43 PM, LHTek wrote:

Thanks for the reply.

NOTE: None of my users will have sent anything from outside the US.

I've got some log entries for vchkpw-submission (marked as successful in the log) with non-US IPs (Russia, Egypt, Hong Kong, etc). In my analysis I'm marking those entries as hacked accounts.

From what I read from your response, vchkpw-smtp (marked as successful in the log) entries could be mail sent TO my server FROM another server on port 25. That tells me those are probably safe submissions - even if they are from overseas IPs. Am I thinking correctly?

From: Tom Collins t...@tomlogic.com
To: vchkpw@inter7.com
Sent: Wednesday, March 5, 2014 12:02 AM
Subject: Re: [vchkpw] Qmail maillog vchkpw-submission vs vchkpw-smtp

vchkpw-submission is on port 587, and is typically used for email clients relaying mail. It's often set up to require authentication.

vchkpw-smtp is on port 25, and can be used for email clients to relay mail, or by other servers delivering mail to your server.

-Tom

On Mar 4, 2014, at 9:41 PM, LHTek wrote:

In the /var/log/maillog file what is the difference between these 2 entries (vchkpw-submission, vchkpw-smtp)?

example:
Mar 4 17:27:03 michael vpopmail[14701]: vchkpw-submission: (PLAIN) login success t...@domain.com:64.185.3.238
Mar 4 10:54:42 michael vpopmail[29027]: vchkpw-smtp: (PLAIN) login success t...@domain.com:64.57.239.114
[vchkpw] [SPAM] Re: [vchkpw] [SPAM] Re: [vchkpw] Qmail maillog vchkpw-submission vs vchkpw-smtp
The submission entries outside the US could very well be from hacked accounts. I'm finding a surprising number of compromised accounts (once a week?), including users with good passwords, so I have to assume they're snooped on public wireless, or their computers are compromised by malware of some sort.

The vchkpw-smtp entries from outside the US are probably also hacked accounts, since mail received from remote servers doesn't include authentication.

Sorry I wasn't thinking clearly in my previous response -- I forgot these were vchkpw entries and are only related to authentication. I was thinking about qmail logs.

-Tom

On Mar 4, 2014, at 10:43 PM, LHTek wrote:

Thanks for the reply.

NOTE: None of my users will have sent anything from outside the US.

I've got some log entries for vchkpw-submission (marked as successful in the log) with non-US IPs (Russia, Egypt, Hong Kong, etc). In my analysis I'm marking those entries as hacked accounts.

From what I read from your response, vchkpw-smtp (marked as successful in the log) entries could be mail sent TO my server FROM another server on port 25. That tells me those are probably safe submissions - even if they are from overseas IPs. Am I thinking correctly?

From: Tom Collins t...@tomlogic.com
To: vchkpw@inter7.com
Sent: Wednesday, March 5, 2014 12:02 AM
Subject: Re: [vchkpw] Qmail maillog vchkpw-submission vs vchkpw-smtp

vchkpw-submission is on port 587, and is typically used for email clients relaying mail. It's often set up to require authentication.

vchkpw-smtp is on port 25, and can be used for email clients to relay mail, or by other servers delivering mail to your server.

-Tom

On Mar 4, 2014, at 9:41 PM, LHTek wrote:

In the /var/log/maillog file what is the difference between these 2 entries (vchkpw-submission, vchkpw-smtp)?

example:
Mar 4 17:27:03 michael vpopmail[14701]: vchkpw-submission: (PLAIN) login success t...@domain.com:64.185.3.238
Mar 4 10:54:42 michael vpopmail[29027]: vchkpw-smtp: (PLAIN) login success t...@domain.com:64.57.239.114
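
The log triage discussed in this thread, as an added example that is not part of the original messages: it parses vpopmail "login success" lines in the format quoted above and lists, per account, successful logins from outside the networks the operator expects, treating vchkpw-smtp and vchkpw-submission alike since both record authentication. The sample log lines, the example.com accounts, and the `EXPECTED_NETS` allowlist are constructed assumptions; a real deployment would supply its own ranges or a GeoIP lookup.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the vpopmail "login success" line format quoted in the thread.
LINE_RE = re.compile(
    r"vpopmail\[\d+\]: vchkpw-(?P<service>[\w-]+): \((?P<mech>[^)]+)\) "
    r"login success (?P<user>[^\s:]+):(?P<ip>\S+)$"
)
# Assumption: networks this operator expects logins from (constructed values).
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed sample input in the thread's log format.
SAMPLE_LOG = """\
Mar 4 17:27:03 michael vpopmail[14701]: vchkpw-submission: (PLAIN) login success alice@example.com:192.0.2.10
Mar 4 10:54:42 michael vpopmail[29027]: vchkpw-smtp: (PLAIN) login success alice@example.com:203.0.113.77
Mar 4 11:02:13 michael vpopmail[29100]: vchkpw-submission: (PLAIN) login success bob@example.com:203.0.113.9
Mar 4 11:05:40 michael vpopmail[29111]: vchkpw-submission: (PLAIN) login success bob@example.com:198.51.100.4
Mar 4 11:06:00 michael qmail: constructed non-auth line, ignored by the parser
"""

def parse(line):
    """Return (service, mechanism, user, ip) for a login-success line, else None."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:  # malformed address field: skip rather than crash
        return None
    return m.group("service"), m.group("mech"), m.group("user"), ip

def unexpected_logins(log_text, expected=EXPECTED_NETS):
    """Map each account to its successful logins from outside `expected`."""
    # Both services log an authenticated session, so neither is exempt.
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        service, _mech, user, ip = rec
        if not any(ip in net for net in expected):
            hits[user].add((service, str(ip)))
    return {user: sorted(found) for user, found in hits.items()}

if __name__ == "__main__":
    for user, found in sorted(unexpected_logins(SAMPLE_LOG).items()):
        print(user, found)
```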