On 03.11.21 05:59, btell...@linagora.com wrote: > Hello Tung, > > Thanks for the feedback. > > On 03/11/2021 11:24, Tung Tran Van wrote: >> Hello Otto, >> Very interesting, >> >>> Delay on authentication failure (S) >> I will follow how it will be implemented. Right now, I think about Redis >> with expire time key-value, with key is the fingerprint of the client. >> > I think what Otto proposes is "if the authentication fails then just > Thead.sleep(1000)" which is a simple business rule mitigating > disctionary attacks using James as an Oracle. > This is exactly what we implemented, with a configurable delay. The current default is 0 delay, to be compatible to the previous behavior.
> > To implement it you do not need any kind of synchronisations. So it is > easy to implement. > > Of course this is not as efficient as (say) fail2ban [1] (tool scrapping > the logs and shadowing ips at the firewall level in case of too many bad > logins...) but of course such a set up would need to be distributed (and > things would start being complicated with some state synchronization eg > through REDIS). Fail2ban stuff is inefficient against a bot farm where > the pool of ips used allows to bypass the checks.... > > [1] https://www.fail2ban.org/wiki/index.php/Main_Page > > My take is that we could implement the easy thing first :-) > Exactly our reasoning. This is not intended as a replacement for more advanced intrusion/abuse detection systems. But anything is better than nothing :-) >>> Check user credentials via WebAdmin (M) >> What is the key difference between webAdmin endpoint and /jmap/session >> endpoint? > > 1. Not every admin deploys JMAP > > 2. Discoverability: given that I'm an admin I am likely familiar with > WebAdmin /users endpoints familly. To think of using JMAP session (basic > auth) to check a password is complex, non straightforward. Smells like a > roundabout way to do things ;-) > We use this WebAdmin endpoint to authenticate users that log in to our Web GUI, so we can re-use the James user database. I believe this might make sense for other deployments too if they do not wish to use LDAP. >> >> Regards, >> Tung, Tran Van >> >> On Tue, Nov 2, 2021 at 11:42 PM Otto, Karsten Andreas >> <karstenandreas.o...@akquinet.de.invalid> wrote: >> >>> Dear James Community, >>> >>> Over the last two years, we at Akquinet have developed an email solution >>> for the medical and healthcare sector. We chose Apache James for this >>> project because it provides >>> - a robust clustering solution out of the box, >>> - a comprehensive WebAdmin REST interface for integration with other >>> product components, >>> - a flexible Mailet architecture easily adapting to our specific >>> requirements, >>> - an open source solution with an active community and commercial >>> support where needed. >>> >>> Our deployment uses the distributed-pop3 app variant, with multiple >>> James server instances running on top of a Cassandra cluster, >>> S3-compatible blob storage and RabbitMQ. The choice of POP3 may seem >>> strange, but our customers typically employ third party systems for >>> semi-automatic mail processing. For this use case, POP3 enables much >>> simpler systems integration than the more complex protocols. >>> >>> Despite Apache James being a very flexible solution, we encountered a >>> few situations during development where we had to change the original >>> codebase in order to meet our requirements. We believe these changes >>> might well be of interest to the James community at large, and in the >>> spirit of open source we would like to share them with you! >>> >>> Over the next few weeks we plan to create Jira tickes and pull requests >>> for the features below. Let us know what you think, and which you would >>> like to see first! >>> >>> (The list includes a complexity estimate in T-Shirt size, where S is >>> just a few / localized changes and L is a lot of code / all over the >>> place.) >>> >>> >>> SECURITY ENHANCEMENTS >>> >>> # TLS authentication via client certificate (M) >>> >>> Add options to network server configurations to set certificate-based >>> authentication mode (none, want, need), and the associated trust store >>> to validate these client certificates. Useful to limit server access to >>> trusted partners/users. >>> >>> # Separate trust store for S3 (M) >>> >>> Extend blob store configuration to specify a trust store, which is used >>> to validate the S3 server certificate. Useful if also using TLS client >>> cert authentication (see above) to keep the security realms separate. >>> >>> # Delay on authentication failure (S) >>> >>> Add an option verifyFailureDelay to usersrepository.xml to delay the >>> response if someone tries to authenticate with a non-existing user or >>> wrong password. Basic protection against people using James as a >>> password oracle for brute-force/dictionary attacks. >>> >>> # Support password salting (M) * >>> >>> Add extra hashingMode choices in usersrepository.xml ("salted", >>> "legacy_salted") to include the user name in the password hash. Basic >>> protection against rainbow table cracking if someone ever manages to >>> steal the password database. >>> >>> # Gradual migration of password hash settings (L) * >>> >>> Add a hashingMode column to the user table, use it together with the >>> algorithm column to verify password hashes. But use the configured >>> algorithm and hashingMode from usersrepository.xml when updating the >>> password. This way, the user database can gradually migrate to a >>> different (hopefully stronger) security setting. Useful to get rid of >>> the legacy hashing mode, and to introduce password salting (see above). >>> >>> *NOTE: Currently only works with Cassandra/Memory, but should be >>> possible for JPA as well if someone more experienced with this server >>> variant would like to tackle it. >>> >>> >>> POP3 ENHANCEMENTS >>> >>> # Fix WebAdmin routes for POP3 (S) - already submitted >>> >>> Include WebAdmin routes and example configuration for managing the >>> DeletedMessagesVault in the distributed-pop3 server variant. >>> >>> # Add Glowroot instrumentation for POP3 (S) >>> >>> Minor refactoring of POP3 command handlers, and matching glowroot >>> configurations. Better diagnostics on what is going on in POP3 handling. >>> >>> # Configure restore location for deleted messages (S) >>> >>> Add an option to specify which mailbox receives any restored messages >>> from the DeletedMessagesVault, e.g. "INBOX" instead of the default >>> "Restored-Messages". Required since POP3 cannot access other mailboxes >>> than INBOX. >>> >>> >>> GENERAL FEATURES >>> >>> # Extra system properties (S) >>> >>> Read a properties file immediately at server startup and set them as >>> system properties. Useful to keep command line clutter down and manageable. >>> >>> # Check user credentials via WebAdmin (M) >>> >>> Provide a WebAdmin route to check a username/password combination. >>> Reports 204 on success and 401 on failure. Useful for integrating James >>> with 3rd party services, e.g. a web admin GUI for users. >>> >>> # Generalized vacation handling, including via WebAdmin (L) >>> >>> Refactor the vacation handling code out of JMAP space and make it a >>> general James feature. Add a WebAdmin route to query and change a user's >>> vacation notice. Useful for integrating James with 3rd party services, >>> e.g. a web admin GUI. >>> >>> >>> Regards, >>> Karsten Otto >>> >>> -- >>> >>> akquinet tech@spree GmbH >>> Bülowstraße 66 • D-10783 Berlin >>> Tel: +49 30 235520-0 >>> Fax: +49 30 217520-12 >>> >>> E-Mail: karsten.o...@akquinet.de >>> Web: www.akquinet.de >>> >>> Geschäftsführung: Martin Weber, Dr. Torsten Fink, Heinz Wilming >>> Amtsgericht Berlin HRB 86780 • USt.-Id. Nr.: DE 225 964 680 >>> >>> >>> >
