Search found 23 matches

by ldsandon
2020-12-30 17:34
Forum: General discussions
Topic: problem with ssl
Replies: 32
Views: 1857

Re: problem with ssl

What about my server? When does it communicate with other servers with encrypted text? Most servers will start an encrypted session as long as STARTTLS is returned at the EHLO, but it's up to the sending server. Now you can request explicitly an encrypted session using MTA-STS (MTA Strict Transport...
by ldsandon
2020-01-26 00:36
Forum: General discussions
Topic: Problem with italian PEC
Replies: 6
Views: 3393

Re: Problem with italian PEC

How did you configured your server to send a "PEC" email? AFAIK PEC is based on specific mail servers managed by providers which are specifically authorized by the government to offer the service, and must abide to specific rules to ensure the email "certification" and "non-repudiation". You have to...
by ldsandon
2018-09-16 18:10
Forum: General discussions
Topic: No entry in SMTP log for failure when mail sent to non existent domain
Replies: 2
Views: 1117

Re: No entry in SMTP log for failure when mail sent to non existent domain

Maybe, it's just less friendly for automatic parsing, as it uses more descriptive text than error codes.

I saw anyway an error is returned also in the awstats log, which is easier to parse.

BTW, the SMTP server could return a 512 error code in such situation, instead of a generic 550.
by ldsandon
2018-09-15 18:09
Forum: General discussions
Topic: No entry in SMTP log for failure when mail sent to non existent domain
Replies: 2
Views: 1117

No entry in SMTP log for failure when mail sent to non existent domain

A user of mine complained he never received an answer for a mail sent. When I inspected the log, I found she sent it to the wrong, non existent domain. She said she didn't see any mail reporting the error, and I couldn't find anything in the SMTP log about the final failure (I have 9 retries set) an...
by ldsandon
2014-07-08 20:04
Forum: Scripting
Topic: Drop connection if HELO/EHLO matches given data
Replies: 10
Views: 5590

Re: Drop connection if HELO/EHLO matches given data

If I could control what's in front of the mail server I would already have at least pfSense and Snort active - I'm pretty skilled in IT security. But my server runs on a rented server (a VMWare VM...) in a remote datacenter (which ensures me 24x7 availability). I should rent another one and put that...
by ldsandon
2014-07-07 20:55
Forum: Scripting
Topic: Drop connection if HELO/EHLO matches given data
Replies: 10
Views: 5590

Re: Drop connection if HELO/EHLO matches given data

I wish I could block some kind of brute force attacks - unluckily IP based checks are useless because some of those attacks use botnets or something alike and can use different IP distributed across several countries. My server communicate with many countries as well, thereby a GeoIP policy would no...
by ldsandon
2014-07-05 22:19
Forum: Scripting
Topic: Drop connection if HELO/EHLO matches given data
Replies: 10
Views: 5590

Re: Drop connection if HELO/EHLO matches given data

> The oCleint.HELO is not populated until you get to the on SMTPData / onAcceptMeesage Sub in eventhandlers.vbs That means the connection already got past authentication - if it is a brute force attack it means the password was guessed. I already lowered the number of authentication attempts and inc...
by ldsandon
2014-07-04 20:23
Forum: Scripting
Topic: Drop connection if HELO/EHLO matches given data
Replies: 10
Views: 5590

Drop connection if HELO/EHLO matches given data

Is it possible to drop a connection if a pattern in the HELO/EHLO command matches? I see brute force attacks from different IPs, but they all use the same EHLO message. I would like to drop them even before they could attempt an AUTH LOGIN command. I didn't find in scripts something alike a "SMTP se...
by ldsandon
2012-02-01 23:47
Forum: Development & alpha discussions
Topic: New address for SVN
Replies: 32
Views: 26073

Re: New address for SVN

For example say a new line was added to some C++ file, and that is all that was changed. In SVN, it will download the whole file, in GIT it will just download a patch for that one line. It's funny how the DVCS crowd believes they invented the wheel. Even the old CVS is able to send only changes to ...
by ldsandon
2011-06-27 12:33
Forum: Feature requests
Topic: Push to iPhone
Replies: 23
Views: 17700

Re: Push to iPhone

AFAIK POP3 has not "push" features, it's probably just polling. AFAIK Apple iPhone standard mail client does not support IMAP IDLE (but I can be wrong), while ActiveSync and MobileMe use different protocols.
by ldsandon
2011-04-27 00:05
Forum: General discussions
Topic: Suported authentication mechanisms?
Replies: 32
Views: 11536

Re: Suported authentication mechanisms?

dzekas wrote:Today's networks are switched. If person can use packet sniffer in switched network, they already control router or network switch.
Or they just use old, well known techniques like ARP poisoning. Without any need to control the switch. There are a host of ready-to-use tools to get network data.
by ldsandon
2011-04-26 12:22
Forum: General discussions
Topic: Suported authentication mechanisms?
Replies: 32
Views: 11536

Re: Suported authentication mechanisms?

MSDN is not a standard library. It is vendor supplied documentation. NTLM is a Microsoft standard (as Active Directory, for the matter). That's the official NTLM documentation, and MSDN Open Specifications is authoritative about published Microsoft standards. Maybe I am wrong, but ntlm uses DES or ...
by ldsandon
2011-04-25 14:55
Forum: General discussions
Topic: Suported authentication mechanisms?
Replies: 32
Views: 11536

Re: Suported authentication mechanisms?

ntlm - do you know standard which defines it? http://msdn.microsoft.com/en-us/library/cc236621(PROT.10).aspx encrypted password - I suspect that this is for digest-md5 or cram-md5. It is safer than plain text in communications, but it is highly unsafe on server side. Passwords are stored in plain t...
by ldsandon
2011-04-18 00:07
Forum: General discussions
Topic: Is hMailServer SURBL safe to use with dbl.spamhaus.org?
Replies: 17
Views: 6077

Is hMailServer SURBL safe to use with dbl.spamhaus.org?

Spamhaus DBL usage rules ask to query only domain names, and not IPs. Sending an URL containing an IP (say http://192.168.1.1) will return always a reject code, without any test, leading to possible false positive. Is the SURBL implementation of hMailServer "safe" to use with the DBL? Or will it sen...
by ldsandon
2010-10-07 00:20
Forum: Feature requests
Topic: Encrypted Email Data
Replies: 11
Views: 9348

Re: Encrypted Email Data

Encrypting mail on disk may be useful - for example on hosted services where maybe a disk is changed, not wiped and with all your data still there... there are some techniques to protect the master key, the most secure one is requiring it while booting the server, but this way the server can't reboo...
by ldsandon
2010-10-07 00:07
Forum: Archived feature requests
Topic: ssl/tls and starttls [50%]
Replies: 145
Views: 132956

Re: ssl/tls and starttls

Yes, almost any security is useless because you can devise an attack against it. The problem is how easy is to perform that attack. STARTTLS is surely not the best protection method, but it is far better than sending mail (and passwords) in cleartext - although you can't rely only on it if you need ...
by ldsandon
2009-05-29 21:37
Forum: Feature requests
Topic: Autoban enhancement to mitigate DoS of users behind NAT
Replies: 14
Views: 7643

Re: Autoban enhancement to mitigate DoS of users behind NAT

Hmm, tiny link? The color used does not make it immediately visible - probably it's just my poor old view. Anyway, what is your most closer competitor, Mercury/32, although no longer completely free (now only for non commercial use) - has a comprehensive online help and manual. Anyway, I do not wan...
by ldsandon
2009-05-29 21:30
Forum: Feature requests
Topic: Autoban enhancement to mitigate DoS of users behind NAT
Replies: 14
Views: 7643

Re: Autoban enhancement to mitigate DoS of users behind NAT

If your webmail is being brute forced then you should take steps to protect it at the server. It is not hMails responsibility to protect it. Captcha is a good example of protecting a webmail login page. Are you going to ask your user to type a captcha every time they log on? You really have strange...
by ldsandon
2009-05-29 11:00
Forum: Feature requests
Topic: Autoban enhancement to mitigate DoS of users behind NAT
Replies: 14
Views: 7643

Re: Autoban enhancement to mitigate DoS of users behind NAT

Ok from these two posts alone I can tell you have not even slightly bothered to read the documents. Wrong. I pressed help, there are only four lines of explanation. Now I see the tiny link to the "user guide" has more informations - I wonder why they aren't in the AutoBan page. I apologize for bein...
by ldsandon
2009-05-28 23:35
Forum: Feature requests
Topic: Autoban enhancement to mitigate DoS of users behind NAT
Replies: 14
Views: 7643

Re: Autoban enhancement to mitigate DoS of users behind NAT

It would also be nice a list of current bans with the ability to reset the selected one without being forced to wait the expiry time.

Also what would happen if a webmail front end is used and a user is banned? The whole web server is banned, actually becoming a DoS attack?
by ldsandon
2007-01-09 23:52
Forum: Scripting
Topic: COM API: getting and setting the "raw" message?
Replies: 0
Views: 1603

COM API: getting and setting the "raw" message?

I am trying to write a COM automation object to check messages with SpamAssasin (it would work something alike SpamC). How could I get or set the "raw" message (aka RFC 2822 format) from the message parameter? It looks like it holds an already parsed message, if Filename the only way to get the whol...
by ldsandon
2006-04-03 11:41
Forum: General discussions
Topic: SSL Pop3
Replies: 11
Views: 12870

The problem I have is that I don't know where I can enter those commands in. Should I use the command prompt in Windows XP? I don't think it would work...? Yes, you have to do it at the command prompt. Why shouldn't it work? Most programs ported from *nix system require to use a command line interf...
by ldsandon
2006-04-03 11:36
Forum: Archived feature requests
Topic: SSL server support
Replies: 55
Views: 50733

I hope hMailServer will implement SSL and TLS soon *inside* the server itself. stunnel works but it is a sort of "workaround", one needs to install and keep updated another two applications (stunnel and OpenSSL) and configure them, they are not "native" Windows application and maybe difficult to set...