[exim] Dovecot style Authentication Policy Server for Exim?

Mon, 16 Mar 2020 17:59:28 -0700 

All,
Dovecot IMAP/POP3 server has a built-in Authentication Policy sub-system whereby it can make a web-services call to to an Authentication Policy Server: 

1.      command: on connect, before authentication
2.      command: on connect, after authentication
3.      report: on final outcome of policy + authentication


It would be "really good"(tm) if Exim could implement a similar 
concept/service/API as it would allow me to leverage GEOIP against 
possible attackers of some (protected) services and report back in to a 
common database of failed connections for (a) GEOIP policy or (b) 
username/password authentication failure.



I currently use GEOIP from the DBIP database on a local server with a 
bit of PHP I hacked together to satisfy the Dovecot web-services API via 
nginx on localhost in the server in question and its been enlightening 
to see  where requests are coming from...   It appears that I am 
currently receiving around 1500-2000 IMAP connects per day from botnets 
with half-valid/half-guessed credentials, for example:



| 24317 | 2020-03-16 17:40:02 | IMAP     | a...@example.com           | 
122.139.5.237                           | CN      |       0 
|             1 |
| 24323 | 2020-03-16 17:43:50 | IMAP     | stuart.car...@example.com  | 
60.171.116.44                           | CN      |       0 
|             1 |
| 24372 | 2020-03-16 18:15:21 | IMAP     | tina.sm...@example.com     | 
173.245.239.107                         | US      |       0 
|             1 |
| 24418 | 2020-03-16 18:49:31 | IMAP     | andy.sm...@example.com     | 
98.143.145.26                           | US      |       0 
|             1 |
| 24430 | 2020-03-16 18:54:02 | IMAP     | a...@example.com           | 
183.89.237.90                           | TH      |       0 
|             1 |
| 24447 | 2020-03-16 19:04:59 | IMAP     | andy.sm...@example.com     | 
60.171.155.26                           | CN      |       0 
|             1 |
| 24456 | 2020-03-16 19:10:05 | IMAP     | accou...@example.com       | 
171.103.43.70                           | TH      |       0 
|             1 |
| 24478 | 2020-03-16 19:28:39 | IMAP     | dirk.tay...@example.com    | 
113.21.116.29                           | NC      |       0 
|             1 |
| 24498 | 2020-03-16 19:43:25 | IMAP     | kime.da...@example.com     | 
45.224.105.50                           | AR      |       0 
|             1 |
| 24531 | 2020-03-16 20:06:47 | IMAP     | s...@example.com            | 
45.224.104.168                          | AR      |       0 
|             1 |
| 24549 | 2020-03-16 20:21:29 | IMAP     | s...@example.com            | 
218.189.15.187                          | HK      |       0 
|             1 |
| 24613 | 2020-03-16 21:02:02 | IMAP     | simon.jack...@example.com  | 
183.233.143.22                          | CN      |       0 
|             1 |
| 24623 | 2020-03-16 21:06:59 | IMAP     | andy.sm...@example.com     | 
221.228.242.13                          | CN      |       0 
|             1 |
| 24635 | 2020-03-16 21:13:10 | IMAP     | sam.har...@example.com     | 
200.31.28.219                           | EC      |       0 
|             1 |
| 24649 | 2020-03-16 21:20:32 | IMAP     | dirk.tay...@example.com    | 
202.171.77.194                          | NC      |       0 
|             1 |
| 24658 | 2020-03-16 21:26:57 | IMAP     | beni...@example.com        | 
45.224.105.82                           | AR      |       0 
|             1 |
| 24677 | 2020-03-16 21:37:09 | IMAP     | chris....@example.com      | 
61.136.81.154                           | CN      |       0 
|             1 |
| 24688 | 2020-03-16 21:46:24 | IMAP     | si...@example.com          | 
74.129.111.231                          | US      |       0 
|             1 |
| 24692 | 2020-03-16 21:48:04 | IMAP     | mike.da...@example.com     | 
66.110.216.19                           | US      |       0 
|             1 |
| 24700 | 2020-03-16 21:53:25 | IMAP     | mike-da...@example.com     | 
45.224.105.113                          | AR      |       0 
|             1 |
| 24706 | 2020-03-16 21:54:54 | IMAP     | sa...@example.com          | 
14.161.22.104                           | VN      |       0 
|             1 |
| 24707 | 2020-03-16 21:55:21 | IMAP     | mike-da...@example.com     | 
124.41.193.12                           | NP      |       0 
|             1 |
| 24724 | 2020-03-16 22:08:12 | IMAP     | tina.sm...@example.com     | 
80.210.26.154                           | IR      |       0 
|             1 |
| 24727 | 2020-03-16 22:09:34 | IMAP     | simon.jack...@example.com  | 
124.207.209.114                         | CN      |       0 
|             1 |
| 24775 | 2020-03-16 22:48:42 | IMAP     | a...@example.com           | 
221.229.247.179                         | CN      |       0 
|             1 |
| 24819 | 2020-03-16 23:23:06 | IMAP     | dirk.tay...@example.com    | 
220.164.2.90                            | CN      |       0 
|             1 |



in the above I have changed the usernames/domain names to protect the 
innocent, however the IP addresses and country codes are real. The last 
two columns booleans and are "auth success" and "country policy rejected"




While this log is for Dovecot, it would be really good (tm) if Exim 
could make similar call outs to an Authentication Policy Server, perhaps 
passing:


    1. Remote IP address (IPv4/IPv6)
    2. If the session is plain-text or upgraded to SSL/TLS
    3. Which SSL/TLS Cipher is in use
    4. The username presented at start of auth

    5. Some sort of hash of the password presented at auth - like 
Dovecor does




Has anyone implemented  a Dovecot-a-like authentication policy server 
for Exim



Mike



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/






















					Reply via email to