All,
The Dovecot IMAP/POP3 server has a built-in Authentication Policy sub-system
whereby it can make a web-services call to an Authentication Policy
Server:
1. command: on connect, before authentication
2. command: on connect, after authentication
3. report: on final outcome of policy + authentication
It would be "really good"(tm) if Exim could implement a similar
concept/service/API as it would allow me to leverage GEOIP against
possible attackers of some (protected) services and report back in to a
common database of failed connections for (a) GEOIP policy or (b)
username/password authentication failure.
I currently use GEOIP from the DBIP database on a local server with a
bit of PHP I hacked together to satisfy the Dovecot web-services API via
nginx on localhost in the server in question, and it's been enlightening
to see where requests are coming from... It appears that I am
currently receiving around 1500-2000 IMAP connects per day from botnets
with half-valid/half-guessed credentials, for example:
| #     | date/time           | service | username                  | remote IP       | country | auth success | country policy rejected |
| 24317 | 2020-03-16 17:40:02 | IMAP | a...@example.com          | 122.139.5.237   | CN | 0 | 1 |
| 24323 | 2020-03-16 17:43:50 | IMAP | stuart.car...@example.com | 60.171.116.44   | CN | 0 | 1 |
| 24372 | 2020-03-16 18:15:21 | IMAP | tina.sm...@example.com    | 173.245.239.107 | US | 0 | 1 |
| 24418 | 2020-03-16 18:49:31 | IMAP | andy.sm...@example.com    | 98.143.145.26   | US | 0 | 1 |
| 24430 | 2020-03-16 18:54:02 | IMAP | a...@example.com          | 183.89.237.90   | TH | 0 | 1 |
| 24447 | 2020-03-16 19:04:59 | IMAP | andy.sm...@example.com    | 60.171.155.26   | CN | 0 | 1 |
| 24456 | 2020-03-16 19:10:05 | IMAP | accou...@example.com      | 171.103.43.70   | TH | 0 | 1 |
| 24478 | 2020-03-16 19:28:39 | IMAP | dirk.tay...@example.com   | 113.21.116.29   | NC | 0 | 1 |
| 24498 | 2020-03-16 19:43:25 | IMAP | kime.da...@example.com    | 45.224.105.50   | AR | 0 | 1 |
| 24531 | 2020-03-16 20:06:47 | IMAP | s...@example.com          | 45.224.104.168  | AR | 0 | 1 |
| 24549 | 2020-03-16 20:21:29 | IMAP | s...@example.com          | 218.189.15.187  | HK | 0 | 1 |
| 24613 | 2020-03-16 21:02:02 | IMAP | simon.jack...@example.com | 183.233.143.22  | CN | 0 | 1 |
| 24623 | 2020-03-16 21:06:59 | IMAP | andy.sm...@example.com    | 221.228.242.13  | CN | 0 | 1 |
| 24635 | 2020-03-16 21:13:10 | IMAP | sam.har...@example.com    | 200.31.28.219   | EC | 0 | 1 |
| 24649 | 2020-03-16 21:20:32 | IMAP | dirk.tay...@example.com   | 202.171.77.194  | NC | 0 | 1 |
| 24658 | 2020-03-16 21:26:57 | IMAP | beni...@example.com       | 45.224.105.82   | AR | 0 | 1 |
| 24677 | 2020-03-16 21:37:09 | IMAP | chris....@example.com     | 61.136.81.154   | CN | 0 | 1 |
| 24688 | 2020-03-16 21:46:24 | IMAP | si...@example.com         | 74.129.111.231  | US | 0 | 1 |
| 24692 | 2020-03-16 21:48:04 | IMAP | mike.da...@example.com    | 66.110.216.19   | US | 0 | 1 |
| 24700 | 2020-03-16 21:53:25 | IMAP | mike-da...@example.com    | 45.224.105.113  | AR | 0 | 1 |
| 24706 | 2020-03-16 21:54:54 | IMAP | sa...@example.com         | 14.161.22.104   | VN | 0 | 1 |
| 24707 | 2020-03-16 21:55:21 | IMAP | mike-da...@example.com    | 124.41.193.12   | NP | 0 | 1 |
| 24724 | 2020-03-16 22:08:12 | IMAP | tina.sm...@example.com    | 80.210.26.154   | IR | 0 | 1 |
| 24727 | 2020-03-16 22:09:34 | IMAP | simon.jack...@example.com | 124.207.209.114 | CN | 0 | 1 |
| 24775 | 2020-03-16 22:48:42 | IMAP | a...@example.com          | 221.229.247.179 | CN | 0 | 1 |
| 24819 | 2020-03-16 23:23:06 | IMAP | dirk.tay...@example.com   | 220.164.2.90    | CN | 0 | 1 |
In the above I have changed the usernames/domain names to protect the
innocent; however, the IP addresses and country codes are real. The last
two columns are booleans: "auth success" and "country policy rejected".
While this log is for Dovecot, it would be really good (tm) if Exim
could make similar call outs to an Authentication Policy Server, perhaps
passing:
1. Remote IP address (IPv4/IPv6)
2. If the session is plain-text or upgraded to SSL/TLS
3. Which SSL/TLS Cipher is in use
4. The username presented at start of auth
5. Some sort of hash of the password presented at auth - like
Dovecot does
Has anyone implemented a Dovecot-a-like authentication policy server
for Exim?
Mike
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
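As an added illustration (not the poster's PHP, nor Exim or Dovecot code), a minimal Python policy server for the exchange described above: the `allow_auth` lookup before authentication, the `report` after it, and a country policy plus per-IP failure counting that yields rows shaped like the poster's table. The request field names and the reply convention (`status` of -1 to reject, 0 to allow, a positive value for a delay in seconds) follow Dovecot's documented auth policy protocol as I understand it; the GeoIP table, blocked-country list and thresholds are constructed placeholders.

```python
import json
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a DBIP/GeoIP lookup (hypothetical entries only).
GEOIP = {"122.139.5.237": "CN", "60.171.116.44": "CN", "203.0.113.7": "GB"}
BLOCKED_COUNTRIES = {"CN", "TH"}   # example country policy, placeholder
MAX_FAILURES = 5                   # failures per remote IP before tarpitting

fail_counts = defaultdict(int)     # remote_ip -> failed auth attempts seen
audit_log = []                     # rows with the same columns as the table

def country_of(ip):
    return GEOIP.get(ip, "--")

def evaluate(req):
    """Pre-auth lookup (command=allow_auth): decide before the password is
    checked. status -1 rejects, 0 allows, >0 asks Dovecot to delay N seconds."""
    ip = req.get("remote_ip", "")
    if country_of(ip) in BLOCKED_COUNTRIES:
        return {"status": -1, "msg": "country policy rejected"}
    if fail_counts[ip] >= MAX_FAILURES:
        return {"status": min(fail_counts[ip], 30), "msg": "too many failures"}
    return {"status": 0, "msg": "ok"}

def report(req):
    """Post-auth report (command=report): record the final outcome, carrying
    the success and policy_reject booleans into the audit row."""
    ip = req.get("remote_ip", "")
    success = bool(req.get("success"))
    if not success:
        fail_counts[ip] += 1
    audit_log.append({"protocol": req.get("protocol"), "login": req.get("login"),
                      "remote_ip": ip, "country": country_of(ip),
                      "auth_success": success,
                      "country_policy_rejected": bool(req.get("policy_reject"))})
    return {"status": 0, "msg": "recorded"}

def handle(req):
    return report(req) if req.get("command") == "report" else evaluate(req)

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        reply = json.dumps(handle(json.loads(body))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(reply)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Point `auth_policy_server_url` in the Dovecot config at the listening address; the same two handlers would be the natural shape for the Exim call-out the poster is asking for.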