Sadly not all MUAs implement ClientID either.
The easiest way to implement 2FA on email is to have a webpage where you log in 
with your 2FA token. When you have done that, the IP used to visit that webpage is 
written to the account's authorized IP list.
For user friendliness, you could save, let's say, the 10 latest IPs used to 
access that webpage.

Those 10 IPs are authorized to authenticate to submission and IMAP for that 
particular account.
So if some user is locked out due to their IP not being accepted, they just have 
to surf to, let's say, 2fa.example.org and use their 2FA token.
Once they have done that, their login will be approved.

About open proxies, they of course need to know which country they should 
"fake".
If it's account based, they need to find out which country that account was 
created in.

So it still reduces the attack surface pretty much.

-----Original Message-----
From: Michael Peddemors via mailop <[email protected]> 
Sent: 25 July 2023 17:01
To: [email protected]
Subject: Re: [mailop] I Need someone from AOL and/or Yahoo to contact me

And consider an RBL that tracks IPs used in authentication attacks, like 
RATS-AUTH and RATS-NULL from SpamRats.

And you might consider your policies on allowing connections from open 
proxies as well in the interim, given the number of hackers that use 
that to bypass country authentication restrictions.

But at the end of the day, you need transparent 2FA. There are a few 
people now implementing the CLIENTID for that.

On 2023-07-24 10:35, Sebastian Nielsen via mailop wrote:
> Also on the topic of mail server hacking, I would suggest adding 
> IP restrictions on your mail accounts.
> 
> There are 2 ways to include IP restrictions in Exim:
> 
> The easiest one is to simply lock out authentication for all 
> unauthorized IPs (or simply block in the firewall so unauthorized IPs cannot 
> even contact the submission port).
> 
> To lock out authentication, use “auth_advertise_hosts” and set it to a list 
> of IPs or CIDR ranges that are permitted to log in to your server.
> 
> The more complicated one is to keep an IP record for every email account, 
> or even a CIDR (like /24), and use a custom authenticator which also 
> checks the IP number, so username + password + IP must match before 
> access is granted.
> 
> You can also choose to lock to country by using GeoIP. So when a user 
> on your email system logs in for the first time, his field “Country” is set to 
> the GeoIP of {IP}.
> 
> Next time he logs on, you simply check in a custom authenticator that the 
> GeoIP of {IP} is equal to the “Country” field in the database.
> 
> That should fix your problem pretty well, since any type of IP 
> restriction or country restriction will reduce the attack surface 
> substantially.
> 
> *From:* Ken Robinson via mailop <[email protected]>
> *Sent:* 24 July 2023 02:50
> *To:* mailop <[email protected]>
> *Subject:* [mailop] I Need someone from AOL and/or Yahoo to contact me
> 
> Last Friday two email addresses on my server with weak passwords were 
> discovered and used to send thousands of spam messages. By the time I 
> discovered the problem (it happened when I was asleep and I discovered 
> it a few hours after), my server was getting blocked by spam lists.  
> This is affecting mailing lists that run on the server. Both AOL and 
> Yahoo don't bounce the message, but they end up in the Spam mailboxes. 
> If they had bounced, I could have reached out sooner.
> 
> Ken Robinson
> 
> 
> _______________________________________________
> mailop mailing list
> [email protected]
> https://list.mailop.org/listinfo/mailop


-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
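The per-account authorized-IP list that Sebastian Nielsen describes at the top of this thread (a 2FA web page enrols the visiting IP, the 10 latest IPs are kept, and submission/IMAP logins must come from one of them), together with the CIDR and GeoIP-country variants from his earlier quoted message, as an added example. This is not code from the list posts or from Exim; the class and function names, the in-memory store and the GeoIP prefix table are assumptions for the example, and the password check itself is assumed to happen elsewhere and is passed in as a boolean.

```python
"""Authorized-IP list per mail account, enrolled through a 2FA web page.

Added example for this thread; not code from the list posts or from Exim.
The 2FA web page records the visiting IP for the account (keeping only the
10 latest), and submission/IMAP logins are then accepted only from an IP on
that list, a pinned CIDR, or (country mode) the GeoIP country seen at first
login. Names, the in-memory store and the GeoIP table are assumptions; a real
deployment would persist the store and use a real GeoIP database.
"""
import ipaddress

MAX_RECENT_IPS = 10

# Constructed GeoIP table (documentation prefixes) standing in for a real
# GeoIP database.
GEOIP_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/24"): "SE",
    ipaddress.ip_network("198.51.100.0/24"): "CA",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}


def geoip_country(addr):
    """Return the country code for an ip_address object, or None if unknown."""
    for net, cc in GEOIP_PREFIXES.items():
        if addr in net:
            return cc
    return None


class AccountAuthPolicy:
    """Per-account IP policy consulted in addition to the password check."""

    def __init__(self):
        self.recent_ips = {}    # account -> list[str], oldest first
        self.allowed_nets = {}  # account -> list[ip_network] (CIDR pins)
        self.country = {}       # account -> country code seen at first login

    def record_2fa_login(self, account, ip):
        """Called by the 2FA web page after the user's token was verified.

        The client IP becomes authorized for submission/IMAP. Only the
        MAX_RECENT_IPS most recent distinct IPs are kept, so an old IP ages
        out once the user has enrolled 10 newer ones.
        """
        addr = str(ipaddress.ip_address(ip))  # normalise; raises on garbage
        ips = self.recent_ips.setdefault(account, [])
        if addr in ips:
            ips.remove(addr)  # re-enrolling moves it to "newest"
        ips.append(addr)
        del ips[:-MAX_RECENT_IPS]
        # Country mode: remember where the account was first used.
        if account not in self.country:
            cc = geoip_country(ipaddress.ip_address(addr))
            if cc is not None:
                self.country[account] = cc

    def pin_cidr(self, account, cidr):
        """Statically authorize a whole prefix (e.g. an office /24)."""
        self.allowed_nets.setdefault(account, []).append(
            ipaddress.ip_network(cidr, strict=False))

    def authorize(self, account, ip, password_ok, mode="iplist"):
        """Final decision for a submission/IMAP login attempt.

        password_ok is the result of the normal credential check, done
        elsewhere; a correct password from the wrong IP is still refused.
        mode="iplist": IP must be enrolled via 2FA or inside a pinned CIDR.
        mode="country": IP's GeoIP country must equal the first-login country.
        """
        if not password_ok:
            return False
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # malformed address: fail closed
        if mode == "iplist":
            if str(addr) in self.recent_ips.get(account, []):
                return True
            return any(addr in net for net in self.allowed_nets.get(account, []))
        if mode == "country":
            cc = self.country.get(account)
            return cc is not None and geoip_country(addr) == cc
        return False  # unknown mode: fail closed


if __name__ == "__main__":
    policy = AccountAuthPolicy()
    policy.record_2fa_login("alice@example.org", "192.0.2.10")
    for attempt in ("192.0.2.10", "203.0.113.5"):
        print(attempt, policy.authorize("alice@example.org", attempt, True))
```

In practice a decision like this would sit behind the custom authenticator the earlier message mentions (for Exim, for instance via a small wrapper invoked from the authenticator's server_condition; that wiring is an assumption and not shown). Note the difference between the two modes: the IP list only admits addresses the user has explicitly enrolled with a token, while country mode admits anything GeoIP places in the same country, which is exactly what an open proxy in the right country can satisfy.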

