All,

The Dovecot IMAP/POP3 server has a built-in Authentication Policy sub-system whereby it can make a web-services call to an Authentication Policy Server:

1. command: on connect, before authentication
2. command: on connect, after authentication
3. report: on final outcome of policy + authentication

It would be "really good"(tm) if Exim could implement a similar concept/service/API, as it would allow me to leverage GEOIP against possible attackers of some (protected) services and report back into a common database of failed connections for (a) GEOIP policy or (b) username/password authentication failure.

I currently use GEOIP from the DBIP database on a local server with a bit of PHP I hacked together to satisfy the Dovecot web-services API via nginx on localhost on the server in question, and it's been enlightening to see where requests are coming from... It appears that I am currently receiving around 1500-2000 IMAP connects per day from botnets with half-valid/half-guessed credentials, for example:

| id    | timestamp           | service | username                   | remote IP       | CC | auth success | country policy rejected |
|-------|---------------------|---------|----------------------------|-----------------|----|--------------|-------------------------|
| 24317 | 2020-03-16 17:40:02 | IMAP    | a...@example.com           | 122.139.5.237   | CN | 0            | 1                       |
| 24323 | 2020-03-16 17:43:50 | IMAP    | stuart.car...@example.com  | 60.171.116.44   | CN | 0            | 1                       |
| 24372 | 2020-03-16 18:15:21 | IMAP    | tina.sm...@example.com     | 173.245.239.107 | US | 0            | 1                       |
| 24418 | 2020-03-16 18:49:31 | IMAP    | andy.sm...@example.com     | 98.143.145.26   | US | 0            | 1                       |
| 24430 | 2020-03-16 18:54:02 | IMAP    | a...@example.com           | 183.89.237.90   | TH | 0            | 1                       |
| 24447 | 2020-03-16 19:04:59 | IMAP    | andy.sm...@example.com     | 60.171.155.26   | CN | 0            | 1                       |
| 24456 | 2020-03-16 19:10:05 | IMAP    | accou...@example.com       | 171.103.43.70   | TH | 0            | 1                       |
| 24478 | 2020-03-16 19:28:39 | IMAP    | dirk.tay...@example.com    | 113.21.116.29   | NC | 0            | 1                       |
| 24498 | 2020-03-16 19:43:25 | IMAP    | kime.da...@example.com     | 45.224.105.50   | AR | 0            | 1                       |
| 24531 | 2020-03-16 20:06:47 | IMAP    | s...@example.com           | 45.224.104.168  | AR | 0            | 1                       |
| 24549 | 2020-03-16 20:21:29 | IMAP    | s...@example.com           | 218.189.15.187  | HK | 0            | 1                       |
| 24613 | 2020-03-16 21:02:02 | IMAP    | simon.jack...@example.com  | 183.233.143.22  | CN | 0            | 1                       |
| 24623 | 2020-03-16 21:06:59 | IMAP    | andy.sm...@example.com     | 221.228.242.13  | CN | 0            | 1                       |
| 24635 | 2020-03-16 21:13:10 | IMAP    | sam.har...@example.com     | 200.31.28.219   | EC | 0            | 1                       |
| 24649 | 2020-03-16 21:20:32 | IMAP    | dirk.tay...@example.com    | 202.171.77.194  | NC | 0            | 1                       |
| 24658 | 2020-03-16 21:26:57 | IMAP    | beni...@example.com        | 45.224.105.82   | AR | 0            | 1                       |
| 24677 | 2020-03-16 21:37:09 | IMAP    | chris....@example.com      | 61.136.81.154   | CN | 0            | 1                       |
| 24688 | 2020-03-16 21:46:24 | IMAP    | si...@example.com          | 74.129.111.231  | US | 0            | 1                       |
| 24692 | 2020-03-16 21:48:04 | IMAP    | mike.da...@example.com     | 66.110.216.19   | US | 0            | 1                       |
| 24700 | 2020-03-16 21:53:25 | IMAP    | mike-da...@example.com     | 45.224.105.113  | AR | 0            | 1                       |
| 24706 | 2020-03-16 21:54:54 | IMAP    | sa...@example.com          | 14.161.22.104   | VN | 0            | 1                       |
| 24707 | 2020-03-16 21:55:21 | IMAP    | mike-da...@example.com     | 124.41.193.12   | NP | 0            | 1                       |
| 24724 | 2020-03-16 22:08:12 | IMAP    | tina.sm...@example.com     | 80.210.26.154   | IR | 0            | 1                       |
| 24727 | 2020-03-16 22:09:34 | IMAP    | simon.jack...@example.com  | 124.207.209.114 | CN | 0            | 1                       |
| 24775 | 2020-03-16 22:48:42 | IMAP    | a...@example.com           | 221.229.247.179 | CN | 0            | 1                       |
| 24819 | 2020-03-16 23:23:06 | IMAP    | dirk.tay...@example.com    | 220.164.2.90    | CN | 0            | 1                       |

In the above I have changed the usernames/domain names to protect the innocent; however, the IP addresses and country codes are real. The last two columns are booleans: "auth success" and "country policy rejected".


While this log is for Dovecot, it would be really good (tm) if Exim could make similar call outs to an Authentication Policy Server, perhaps passing:

    1. Remote IP address (IPv4/IPv6)
    2. If the session is plain-text or upgraded to SSL/TLS
    3. Which SSL/TLS Cipher is in use
    4. The username presented at start of auth
    5. Some sort of hash of the password presented at auth - like Dovecot does


Has anyone implemented a Dovecot-a-like authentication policy server for Exim?


Mike



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
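The policy service Mike describes, as an added example that is not his PHP code and not part of Dovecot or Exim: a small HTTP server that answers Dovecot-style authentication-policy requests with a GeoIP allow-list and a per-IP failure counter. The JSON field names (`command`, `login`, `remote`, `success`, `policy_reject`), the reply shape `{"status": N, "msg": "..."}` and the status semantics (negative rejects, 0 allows, positive is a delay in seconds) follow the Dovecot auth-policy protocol as I understand it and should be checked against the Dovecot documentation for your version; the GeoIP table, the allowed-country set, the failure threshold and the listen address are all constructed assumptions for the example. Because the "report" call is the only one that carries the final outcome, that is where the example records the row that ends up in Mike's table and where failures are counted.

```python
"""Dovecot-style authentication policy server: GeoIP allow-list plus a
failure counter that tarpits noisy remote IPs. Added example; field names
and status codes are assumptions modelled on the Dovecot auth-policy API."""
import ipaddress
import json
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a GeoIP database (a real deployment would query
# DBIP/MaxMind). The CN/TH/AR/US entries mirror country codes from the log
# excerpt in the post; 192.0.2.0/24 (TEST-NET-1) is an assumed "home" range.
GEOIP = {
    "122.139.0.0/16": "CN",
    "60.171.0.0/16": "CN",
    "173.245.239.0/24": "US",
    "183.89.0.0/16": "TH",
    "45.224.104.0/23": "AR",
    "192.0.2.0/24": "GB",
}
ALLOWED_COUNTRIES = {"GB"}   # assumed allow-list policy for the example
MAX_FAILURES = 5             # failed auths per remote IP before tarpitting
TARPIT_SECONDS = 10          # positive status = "delay this many seconds"

failures = defaultdict(int)  # remote IP -> count of failed authentications
audit = []                   # one dict per "report" call, like the post's table


def country_of(ip: str) -> str:
    """Map an IP to an ISO country code using the constructed GEOIP table."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "??"
    for net, cc in GEOIP.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return "??"


def decide(req: dict) -> dict:
    """Return a verdict {"status": int, "msg": str} for one policy request.

    command == "report": final outcome; record it and count failures.
    anything else ("allow", issued before and after the password check):
    reject if the country is not allowed, tarpit if the IP failed too often.
    """
    remote = req.get("remote", "")
    cc = country_of(remote)
    if req.get("command") == "report":
        success = bool(req.get("success"))
        audit.append({"login": req.get("login"), "remote": remote, "cc": cc,
                      "success": success,
                      "policy_reject": bool(req.get("policy_reject"))})
        if not success:
            failures[remote] += 1
        return {"status": 0, "msg": "recorded"}
    if cc not in ALLOWED_COUNTRIES:
        return {"status": -1, "msg": f"country {cc} not permitted"}
    if failures[remote] >= MAX_FAILURES:
        return {"status": TARPIT_SECONDS, "msg": "too many failures, tarpit"}
    return {"status": 0, "msg": "ok"}


class PolicyHandler(BaseHTTPRequestHandler):
    """HTTP front end: JSON request body in, JSON verdict out."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            verdict = decide(json.loads(self.rfile.read(length)))
        except (ValueError, TypeError):
            verdict = {"status": -1, "msg": "malformed request"}
        body = json.dumps(verdict).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only: the policy server sees usernames and remote IPs
    # and must not be reachable from the network.
    HTTPServer(("127.0.0.1", 8080), PolicyHandler).serve_forever()
```

Pointing `auth_policy_server_url` at the loopback listener is left to the Dovecot configuration; the same `decide()` function is what an Exim call-out of the kind Mike asks for would need, with the request built from the remote IP, TLS state and presented username.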