Limit Authentication to IP Whitelist?

xpda
Normal user
Posts: 33
Joined: 2013-03-28 22:08

Limit Authentication to IP Whitelist?

Post by xpda » 2017-11-09 17:25

I would like to write a script (or use one, if it's already available) to limit authentication to an IP whitelist. Is there an event for user authentication where I can check the IP address?

The problem is, botnets will sometimes end up with a valid account and password, login from various unknown IPs, and send spam. This is easily fixed by changing the password and cleaning the user machine, but it would be easier to prevent it altogether. The legitimate users login from only a few IP address ranges, which could easily be placed in a whitelist and checked for authentication. "Roaming" users can be limited to web mail.

mattg
Moderator
Posts: 20460
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Limit Authentication to IP Whitelist?

Post by mattg » 2017-11-09 23:37

Isn't that what IP ranges are for??

Also, disable AUTH on port 25, most bots use port 25

Add this to the bottom of your hmailserver.ini, and get all of your known clients to submit new mail via port 587 (or whatever custom port you like)

```ini
[settings]

DisableAUTHList=25
; Setting DisableAUTHList allows you to specify a comma-separated list of SMTP ports which authentication should not be enabled for.
; This is useful when working with legacy systems with malfunctioning SMTP support.
```
There is nothing like a good password policy.

In answer to your question though:
xpda wrote: Is there an event for user authentication where I can check the IP address?
I use OnClientConnect, and use oClient.port to reject international connections other than to port 25 (I'm in Australia, international is pretty definitive here).
I use OnAcceptMessage to reject mail under many conditions, including more than XX messages in 24 hours. Messages can still be rejected at this stage. After this, they can only be deleted.

You could check oClient.address from OnClientConnect, and match that against a database or flat file of allowed addresses, or even against a list of known IP ranges from hMailServer.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
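The OnClientConnect approach above, written out as an added example for hMailServer's EventHandlers.vbs (this is not code from the thread or from the hMailServer project). It gates only the ports on which a client can present credentials, leaving port 25 (where AUTH is already disabled by DisableAUTHList=25) untouched, and matches the client address against CIDR ranges rather than exact addresses. The allowlist ranges are RFC 5737 documentation addresses standing in for real office or VPN ranges; the property names oClient.IPAddress and oClient.Port, the EventLog.Write call and Result.Value = 1 meaning "disconnect" are taken from hMailServer's scripting documentation as I remember it and are assumptions here, not something the thread confirms.

```vbscript
' Added example (not code from this thread or from hMailServer itself):
' an OnClientConnect handler for EventHandlers.vbs that disconnects clients
' that reach an AUTH-capable port from outside an allowlist of IP ranges.
' Port 25 is left alone on purpose: with DisableAUTHList=25 nobody can
' authenticate there, so inbound MX traffic from arbitrary hosts still flows.
'
' Assumptions not confirmed by the thread: the Client object exposes
' oClient.IPAddress and oClient.Port, EventLog.Write logs a line, and
' Result.Value = 1 means "disconnect" (as in hMailServer's scripting docs).

' Ports where a client may present credentials (leading/trailing commas
' make the InStr membership test exact: ",25," never matches ",587,").
Const AUTH_PORTS = ",587,465,110,143,993,995,"

' Allowlist in CIDR notation. These are documentation ranges (RFC 5737)
' standing in for your office/VPN ranges. 127.0.0.1 is included because a
' webmail frontend on the same host is what logs in for "roaming" users;
' put its real address here if it runs elsewhere.
Const ALLOWED_RANGES = "127.0.0.1/32,192.0.2.0/24,198.51.100.0/24,203.0.113.42/32"

' True if s is 1..3 decimal digits (stricter than IsNumeric, which accepts "1e2").
Function IsDigits(s)
    Dim k
    IsDigits = (Len(s) >= 1 And Len(s) <= 3)
    For k = 1 To Len(s)
        If Mid(s, k, 1) < "0" Or Mid(s, k, 1) > "9" Then IsDigits = False
    Next
End Function

' Dotted-quad IPv4 -> number 0..4294967295, or -1 if not a valid IPv4 address
' (IPv6 clients therefore never match the allowlist). Doubles are used because
' VBScript Longs are signed 32-bit and would overflow above 127.255.255.255.
Function IPv4ToNumber(ip)
    Dim parts, i, n
    IPv4ToNumber = -1
    parts = Split(Trim(ip), ".")
    If UBound(parts) <> 3 Then Exit Function
    n = 0
    For i = 0 To 3
        If Not IsDigits(parts(i)) Then Exit Function
        If CLng(parts(i)) > 255 Then Exit Function
        n = n * 256 + CDbl(parts(i))
    Next
    IPv4ToNumber = n
End Function

' True if ipNum falls inside "a.b.c.d/prefix". The base is aligned to the
' block boundary, so "192.0.2.77/24" still means 192.0.2.0 - 192.0.2.255.
Function InCidr(ipNum, cidr)
    Dim pieces, base, prefix, size
    InCidr = False
    pieces = Split(cidr, "/")
    If UBound(pieces) <> 1 Then Exit Function
    base = IPv4ToNumber(pieces(0))
    If base < 0 Or Not IsDigits(Trim(pieces(1))) Then Exit Function
    prefix = CLng(Trim(pieces(1)))
    If prefix > 32 Then Exit Function
    size = 2 ^ (32 - prefix)                       ' addresses in the block
    base = Int(base / size) * size                 ' align to block boundary
    InCidr = (ipNum >= base And ipNum < base + size)
End Function

' True if ip is inside any allowlisted range.
Function IsAllowed(ip)
    Dim ipNum, r
    IsAllowed = False
    ipNum = IPv4ToNumber(ip)
    If ipNum < 0 Then Exit Function
    For Each r In Split(ALLOWED_RANGES, ",")
        If InCidr(ipNum, Trim(r)) Then
            IsAllowed = True
            Exit Function
        End If
    Next
End Function

Sub OnClientConnect(oClient)
    ' Gate only the ports where credentials can be presented.
    If InStr(AUTH_PORTS, "," & CStr(oClient.Port) & ",") = 0 Then Exit Sub
    If Not IsAllowed(oClient.IPAddress) Then
        EventLog.Write("Allowlist: dropping " & oClient.IPAddress & _
                       " on port " & oClient.Port)
        Result.Value = 1     ' 1 = disconnect the client before it can AUTH
    End If
End Sub
```

Two practical points: the connection is dropped before the banner, so a stolen password is never even tested against the server from a non-allowlisted address, and an IPv6 client is treated as "not allowlisted" because IPv4ToNumber returns -1 for it; if you have IPv6 users, extend the parser rather than widening the fall-through. EventHandlers.vbs can hold only one OnClientConnect, so merge this body with any handler you already have.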

xpda
Normal user
Posts: 33
Joined: 2013-03-28 22:08

Re: Limit Authentication to IP Whitelist?

Post by xpda » 2017-11-10 00:05

Thanks, but I would like to limit only authentications, not incoming mail. The problem is, some phishing sites get usernames and passwords from the clients, then send email from seemingly random IPs on a botnet. I can already limit using IP range and total number of emails sent, but it would be nice to prevent these bots (and everybody) from authenticating their login from non-approved IP addresses. Of course, this would not apply to web mail.

mattg
Moderator
Posts: 20460
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Limit Authentication to IP Whitelist?

Post by mattg » 2017-11-10 02:06

xpda wrote: Thanks, but I would like to limit only authentications, not incoming mail.
That's what I do with OnClientConnect...

xpda
Normal user
Posts: 33
Joined: 2013-03-28 22:08

Re: Limit Authentication to IP Whitelist?

Post by xpda » 2017-11-10 03:44

I'll check that out -- thank you for the help!

estradis
Normal user
Posts: 154
Joined: 2014-09-09 10:47

Re: Limit Authentication to IP Whitelist?

Post by estradis » 2017-11-29 15:36

Maybe you can use your own DNS/BL either. For example, reply 127.0.0.1 for internal networks and 127.0.0.6 for botnets. Then you define the results in Settings > Antispam > DNS blacklists and, et voilà, your goal is achieved. They will never reach OnSMTPData when thrown out by the DNS/BL. But to be honest, we never tried it on authenticated connections as it wasn't necessary yet.

Anyways we have very good experience using our own DNS/BL zone learned by delivery results from over one year. I can strongly recommend it.

mattg
Moderator
Posts: 20460
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Limit Authentication to IP Whitelist?

Post by mattg » 2017-11-29 23:26

Can you please give more details about how you created your own DNS BL

(FWIW, I get 100 attempts per week to auth via ports 110, 143, 587, 993 and 995 from overseas that I reject using the Nerds.dk country list, I don't allow AUTH on port 25. This process doesn't impact on normal mail sent via port 25)

estradis
Normal user
Posts: 154
Joined: 2014-09-09 10:47

Re: Limit Authentication to IP Whitelist?

Post by estradis » 2017-11-30 12:23

mattg wrote: Can you please give more details about how you created your own DNS BL
For identifying and categorizing we use public DNS/BLs (like spamhaus.org, etc.) as well as the results from SpamAssassin tests. To reduce the traffic and query time, we feed our own locally installed DNS server with our own results in OnAcceptMessage. Once categorized, it will be tested by hms between OnClientConnect and OnSMTPData using the "Antispam" > "DNS Blacklists" configuration. If a positive match occurs, the connection will be closed by hms.

We currently use following categories:
127.0.0.1: Whitelisted, currently 4
127.0.0.2: Blacklisted, currently 466
127.0.0.4: Dynamic IP, currently 30143
127.0.0.5: Test, currently 1
127.0.0.6: Spamsource, currently 8101
127.0.0.14: False-Positive (Dyn. IP), currently 1
127.0.0.16: False-Positive (Spamsource), currently 18

If a connection has to be dumped, it will get a score of +1000.
If a connection is whitelisted, it will get a score of -100.

We feed our DNS by script using the command

```text
dnscmd \\localhost /RecordAdd <our.own.zone> <client.ip.addr.ess> A <result.ip.addr.ess>
```
We do not feed the associated TXT record, as the standalone A record works well in hms.
mattg wrote: (FWIW, I get 100 attempts per week to auth via ports 110, 143, 587, 993 and 995 from overseas that I reject using the Nerds.dk country list, I don't allow AUTH on port 25. This process doesn't impact on normal mail sent via port 25)
As the events are called independently of the SMTP port, it should work with all of them, but I have no idea what happens with IMAP connections. (POP connections are forbidden by the front firewall and should never appear from external.)

As a workaround you might use OnClientConnect and query the DNS/BL with a short timeout using the command

```text
nslookup -recurse -timeout=1 <client.ip.addr.ess>.<our.own.zone> localhost
```
EDIT:
Just to be clear:
- The client IP address will be stored and queried in reverse notation
- The banned IP addresses will not be fed to the DNS server as they are handled by hms in "IP Ranges" (actually levelled at 883)

mattg
Moderator
Posts: 20460
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Limit Authentication to IP Whitelist?

Post by mattg » 2017-12-01 01:30

Thanks for the post back.
estradis wrote: As the events are called independently of the SMTP port, it should work with all of them
On my system it does work for all connections.

I segregate by oClient.port in my scripts.
estradis wrote: EDIT:
Just to be clear:
- The banned IP addresses will not be fed to the DNS server as they are handled by hms in "IP Ranges" (actually levelled at 883)
What does this bit in brackets mean?

I use banned IP ranges too, and create bans directly from my scripts, as if they were Autobans generated by hMailserver. I ban lots of things including high spam scores, and overseas AUTH connections.

estradis
Normal user
Posts: 154
Joined: 2014-09-09 10:47

Re: Limit Authentication to IP Whitelist?

Post by estradis » 2017-12-01 12:59

My apologies!

I've forgotten to mention that the dns zone for reputation is configured as a wildcard zone and will respond to all "unknown" queries with 0.0.0.0 for performance reasons (Always return a result, never run into timeouts!)

This was the initial configuration of the zone file before the server started to learn:

```text
;
;  Database file <our.own.zone>.dns for <our.own.zone> zone.
;      Zone version:  1
;

@                       IN  SOA localhost. hostmaster. (
                        	1            ; serial number
                        	15           ; refresh
                        	10           ; retry
                        	604800       ; expire
                        	10         ) ; default TTL

;
;  Zone NS records
;

@                       NS	localhost.
localhost.              A	127.0.0.1
localhost.              AAAA	::1

;
;  Zone records
;

;
; Result, if no record is stored
;
@                       A	0.0.0.0
*                       CNAME	<our.own.zone>.
*.*                     CNAME	<our.own.zone>.
*.*.*.*                 CNAME	<our.own.zone>.

;
; Whitelist internal network
;
10                      A	127.0.0.1
*.10                    CNAME	10.<our.own.zone>.
*.*.10                  CNAME	10.<our.own.zone>.
*.*.*.10                CNAME	10.<our.own.zone>.

;
; New records will be added here
;
```
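The local reputation zone described in estradis' two posts above (the dnscmd feed and category codes, and the wildcard zone that answers 0.0.0.0 for anything unknown), wired into hMailServer's EventHandlers.vbs from both sides as an added example. This is not code from the thread or from the hMailServer project. OnClientConnect performs the nslookup workaround with a one-second timeout and drops clients on AUTH ports that come back as blacklisted (127.0.0.2) or spam source (127.0.0.6); OnAcceptMessage feeds a verdict back into the zone with dnscmd. Assumptions: the zone name rep.example.invalid stands for <our.own.zone>; oClient.IPAddress, oClient.Port, oClient.Authenticated, oMessage.HeaderValue, EventLog.Write and Result.Value = 1 ("disconnect") behave as in hMailServer's scripting documentation; Windows nslookup prints the server's own "Address:" line before the answer's; and the hMailServer service account is allowed to run dnscmd against the local DNS server.

```vbscript
' Added example, not code from the thread: the "own DNS/BL zone" idea above
' wired into EventHandlers.vbs from both sides. OnClientConnect asks the local
' zone for the client's reputation (the nslookup workaround estradis describes)
' and drops clients on AUTH ports that come back as blacklisted or spam source;
' OnAcceptMessage feeds the zone with dnscmd when hMailServer flagged a message.
'
' Assumptions not confirmed by the thread: rep.example.invalid stands for
' <our.own.zone>; oClient.IPAddress / oClient.Port / oClient.Authenticated,
' oMessage.HeaderValue, EventLog.Write and Result.Value = 1 ("disconnect")
' behave as in hMailServer's scripting docs; nslookup prints the DNS server's
' "Address:" line before the answer's; dnscmd may be run by the service account.

Const REP_ZONE   = "rep.example.invalid"
Const AUTH_PORTS = ",587,465,110,143,993,995,"

' Reputation codes, following the categories listed in the thread.
Const REP_UNKNOWN    = "0.0.0.0"      ' wildcard default: nothing known yet
Const REP_WHITELIST  = "127.0.0.1"
Const REP_BLACKLIST  = "127.0.0.2"
Const REP_SPAMSOURCE = "127.0.0.6"

' 10.1.2.3 -> "3.2.1.10": the zone is keyed on reversed octets.
Function ReverseIPv4(ip)
    Dim p
    p = Split(Trim(ip), ".")
    ReverseIPv4 = ""
    If UBound(p) = 3 Then ReverseIPv4 = p(3) & "." & p(2) & "." & p(1) & "." & p(0)
End Function

' Run a command line and return everything it wrote to stdout.
Function RunCapture(cmd)
    Dim sh
    Set sh = CreateObject("WScript.Shell")
    RunCapture = sh.Exec(cmd).StdOut.ReadAll
End Function

' Query the zone for ip. Returns the answering A record ("127.0.0.2", or
' "0.0.0.0" via the wildcard CNAME) or "" when nslookup produced no answer
' within the timeout, so a DNS outage fails open rather than locking out users.
Function ReputationLookup(ip)
    Dim rev, out, ln, lastAddr
    ReputationLookup = ""
    rev = ReverseIPv4(ip)
    If rev = "" Then Exit Function
    out = RunCapture("nslookup -recurse -timeout=1 " & rev & "." & REP_ZONE & " localhost")
    ' The first "Address:" line is the DNS server's own address; the answer,
    ' if any, is the last one and is preceded by a "Name:" line.
    lastAddr = ""
    For Each ln In Split(out, vbLf)
        ln = Trim(Replace(ln, vbCr, ""))
        If Left(ln, 8) = "Address:" Then lastAddr = Trim(Mid(ln, 9))
    Next
    If InStr(out, "Name:") > 0 Then ReputationLookup = lastAddr
End Function

' Policy for AUTH ports: only hard verdicts block. "Dynamic IP" (127.0.0.4)
' is allowed here, because roaming users on consumer lines would otherwise be hit.
Function RejectOnAuthPort(code)
    RejectOnAuthPort = (code = REP_BLACKLIST Or code = REP_SPAMSOURCE)
End Function

' Replace the zone's verdict for ip. Delete first (/f = no confirmation) so that
' re-learning an address does not accumulate several A records under one name.
Sub SetReputation(ip, code)
    Dim rev, sh
    rev = ReverseIPv4(ip)
    If rev = "" Then Exit Sub
    Set sh = CreateObject("WScript.Shell")
    sh.Run "dnscmd \\localhost /RecordDelete " & REP_ZONE & " " & rev & " A /f", 0, True
    sh.Run "dnscmd \\localhost /RecordAdd " & REP_ZONE & " " & rev & " A " & code, 0, True
End Sub

Sub OnClientConnect(oClient)
    Dim code
    If InStr(AUTH_PORTS, "," & CStr(oClient.Port) & ",") = 0 Then Exit Sub
    code = ReputationLookup(oClient.IPAddress)
    If RejectOnAuthPort(code) Then
        EventLog.Write("Reputation " & code & ": dropping " & oClient.IPAddress & " on port " & oClient.Port)
        Result.Value = 1     ' disconnect before the client can AUTH
    End If
End Sub

Sub OnAcceptMessage(oClient, oMessage)
    ' Learn from hMailServer's own verdict (the X-hMailServer-Spam header is
    ' added when "Add X-hMailServer-Spam header" is enabled). Authenticated
    ' senders are skipped: one compromised account must not get your own
    ' office range marked as a spam source.
    If oClient.Authenticated Then Exit Sub
    If UCase(oMessage.HeaderValue("X-hMailServer-Spam")) = "YES" Then
        SetReputation oClient.IPAddress, REP_SPAMSOURCE
    End If
End Sub
```

Because the zone's wildcard always answers, the only way ReputationLookup returns "" is a timeout or an nslookup error, and that case is deliberately treated as "unknown" rather than "blocked". If you prefer to fail closed on AUTH ports, test for an empty result in OnClientConnect explicitly rather than folding it into RejectOnAuthPort. As with any handler added to EventHandlers.vbs, there can be only one OnClientConnect and one OnAcceptMessage, so merge these bodies with handlers you already run.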
