Those customers with machines bolted to desks usually use the mail server of their Internet supplier - via port 25 and with no authentication.
The main reason I have a port 587 server with authentication is that I appear to have a large portion of nomadic users. Some customers seem to be very well travelled, going to places like China, the USA and Europe, including Russia. GeoBlocking would be a bad idea.
I have a small operation by European standards; I run just over 1500 domains. A few are quite large with hundreds of users, others have 10 or so mail accounts. Only a few have SPF records - as and when all users from that domain use my port 587 relay mail server.
On 2019/02/19 21:28, Sebastian Nielsen via Exim-users wrote:
The idea is not to build a 100% foolproof solution.
The idea is to limit the attack surface.
Let's say you have 3 users with really crappy passwords:
Username    | Password    | First login
Postmaster  | retsamtsoP  | USA
GoodUser    | Password123 | Germany
AnotherUser | qwertyuiop  | Denmark
Now let's say you implement my suggestion. A bot from China or Russia will never be able to crack those accounts, because the GeoIP will fail the authentication, so even with the correct username/password those accounts will still say failed.
Even if they do a long shot and use a TOR node or VPN from the USA, they will still only have a chance against the Postmaster account, nothing else.
So you greatly limit the attack surface, since the attacker must "be" in the same region as the attacked account to even have a chance to succeed.
That there are some false positives doesn't matter, because those people must still have the real account name and password to succeed, and they must know which accounts are really geoIP'd to that country.
If all users are in the same country, you simply geoIP in the firewall, and then port 587 will be closed and invisible for every host except from the right country, so bots that are scanning large IP ranges will just skip over your server.
-----Original message-----
From: Exim-users <[email protected]> On Behalf Of Niels Dettenbach via Exim-users
Sent: 19 February 2019 20:00
To: [email protected]; Sebastian Nielsen <[email protected]>
Cc: 'Odhiambo Washington' <[email protected]>
Subject: Re: [exim] Spam though my server
On Tuesday, 19 February 2019, 15:57:07 CET, Sebastian Nielsen via Exim-users wrote:
Most better firewalls do have a built-in country/GeoIP database; if not, you can easily add one.
GeoIP is far from "reliable" for any SMTP/MTA, as there is no geolocation of an IP address. It offers only a "probably in this country" info in the context of an IP address (user). This means the amount of false positives in practice is significant, except if users come from "known" AS networks or RIR assignments / route info. So this may (!) help/work in small and/or very defined network topologies.
I know the situation in Germany is a bit different, as the internet topology / "market" is very "centralized" here, but even in Germany many less known IP access products / services available get "geo-resolved" over other (usually western) countries / regions by GeoIP (even the commercial version).
I know of many African and Asian mail providers who use "US", "European" or "Canadian" IPs for their service to get around "problems" with such geo-blocking solutions.
Proper geolocation of IPs is a "science by itself", but still far from reliable. Many brute force attack attempts against our Exim systems (Germany+Luxembourg) are currently coming from France and Germany today.
For smaller systems, solutions like fail2ban could help "far":
https://www.fail2ban.org/wiki/index.php/Exim
But even here: be aware of possible "bad cases" where i.e. larger NAT networks "use" the service and "sloppy" user clients generate false positives.
Beside Exim functionality (see Exim DOS prevention - incl. resource "reserve" subsystem), firewall rules to slow out "too much" new initiated sessions within a time window could help. But brute force attacks are normal / usual on larger SMTP services today - important is to make it difficult to prevent any success of such attacks (even distributed ones) and "DOS effects" of them and similar attacks.
good luck,
niels.
--
Mark James ELKINS - Posix Systems - (South) Africa
[email protected] Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
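The per-account country check Sebastian proposes above, with the audit split Niels' false-positive caveat calls for, as an added example that is not part of this thread or of Exim itself. The account table, the prefix-to-country map and the hashing scheme are all constructed stand-ins; a real deployment would use the MTA's credential store, a proper GeoIP database and a slow password hash.

```python
import hashlib
import hmac
import ipaddress
from typing import List, Optional

# Constructed sample data: per-account password hashes and the country each
# account was first seen from (the "First login" column in the thread).
# Plain SHA-256 is for illustration only; use argon2/bcrypt/scrypt in practice.
_ACCOUNTS = {
    "postmaster":  {"pw": hashlib.sha256(b"retsamtsoP").hexdigest(),  "country": "US"},
    "gooduser":    {"pw": hashlib.sha256(b"Password123").hexdigest(), "country": "DE"},
    "anotheruser": {"pw": hashlib.sha256(b"qwertyuiop").hexdigest(),  "country": "DK"},
}

# Constructed stand-in for a GeoIP database: prefix -> ISO country code.
# Only RFC 5737 documentation ranges are used here.
_GEOIP = [
    (ipaddress.ip_network("192.0.2.0/24"),    "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("203.0.113.0/24"),  "CN"),
]

def lookup_country(ip: str) -> Optional[str]:
    """Best-effort country for a client address; None when unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _GEOIP:
        if addr in net:
            return cc
    return None  # unknown prefix is treated as a mismatch (fail closed)

def authenticate(user: str, password: str, client_ip: str, audit: List[str]) -> bool:
    """True only if the password is right AND the client's GeoIP country matches
    the account's country. The caller (e.g. an SMTP AUTH handler) gets a single
    True/False, so a remote client cannot tell which check failed; the audit
    list records the real reason for the operator."""
    rec = _ACCOUNTS.get(user.lower())
    pw_ok = rec is not None and hmac.compare_digest(
        rec["pw"], hashlib.sha256(password.encode()).hexdigest())
    country = lookup_country(client_ip)
    geo_ok = rec is not None and country == rec["country"]
    if pw_ok and geo_ok:
        audit.append(f"{user} ip={client_ip} cc={country}: ok")
        return True
    if pw_ok and not geo_ok:
        # Correct password from the wrong country: a travelling user (the
        # false positive Niels describes) or a stolen credential. Either way
        # it deserves an alert, unlike an ordinary bad-password attempt.
        audit.append(f"{user} ip={client_ip} cc={country}: ALERT password ok, country mismatch")
    else:
        audit.append(f"{user} ip={client_ip} cc={country}: bad password")
    return False
```

Feeding the audit list into fail2ban-style rate limiting lets an operator ban repeated "bad password" sources while reviewing "country mismatch" entries by hand, since those are the ones that need a human decision.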
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/