Hardening hMailServer - The ongoing saga!

Post by CraigT » 2020-05-02 08:37

SorenR (or other guru), are there any rules around the ODBC driver that has to be installed for either the 64/32-bit driver in Part 3, or doesn't it matter? If everything is 64-bit, obviously use the 64-bit driver, but if hMail is 32-bit using 32-bit mysql.dll and MySQL is V8.x (64-bit), should I stick with the 32-bit driver, or do we not care?

Post by SorenR » 2020-05-02 12:33

CraigT wrote:
2020-05-02 08:37
SorenR (or other guru), are there any rules around the ODBC driver that has to be installed for either the 64/32-bit driver in Part 3, or doesn't it matter? If everything is 64-bit, obviously use the 64-bit driver, but if hMail is 32-bit using 32-bit mysql.dll and MySQL is V8.x (64-bit), should I stick with the 32-bit driver, or do we not care?

I'm still running 32-bit on my old server, but as far as I can read, your driver needs to follow your database; however, there are other issues with the latest versions of MySQL. Perhaps MariaDB is worth looking into :wink:
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

Post by palinka » 2020-05-03 17:58

SorenR wrote:
2020-05-02 12:33
Perhaps MariaDB is worth looking into :wink:

+1

32-bit ODBC is required for 32-bit hMailServer. It's a pain in the rear to sort out. MariaDB has (I think) only one connector (32/64).

Post by CraigT » 2020-05-04 08:09

Got it. Thanks guys. Waiting on the 64-bit hMailserver for a production server to do the update so everything is 64-bit, but Soren's scripts are too good to pass up, as the server seems to have an attraction to "sheskyhigh" and "blueskyhotel" plus a few others just connecting and dropping out. Plus it will make the log file much shorter. :D

Post by RvdH » 2020-05-10 15:38

Just an idea: this might prevent genuine users who experience unexpected timeouts or the like from being listed in IDS.

Code:

Sub OnClientLogon(oClient)
	If oClient.Authenticated then
		REM Unregister IP address from IDS registry
		Call idsDelIP(oClient.IPAddress)
	End if
End Sub

CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

Post by SorenR » 2020-05-10 17:33

RvdH wrote:
2020-05-10 15:38
Just an idea: this might prevent genuine users who experience unexpected timeouts or the like from being listed in IDS.

Code:

Sub OnClientLogon(oClient)
	If oClient.Authenticated then
		REM Unregister IP address from IDS registry
		Call idsDelIP(oClient.IPAddress)
	End if
End Sub

Have you checked how many times IMAP authenticates during a session?

The idea is to check SMTP traffic only, and the IP is registered in OnClientConnect and unregistered in OnAcceptMessage. I have not had one false positive since I introduced it in my script over 1 year ago.

Post by RvdH » 2020-05-10 17:37

SorenR wrote:
2020-05-10 17:33
RvdH wrote:
2020-05-10 15:38
Just an idea: this might prevent genuine users who experience unexpected timeouts or the like from being listed in IDS.

Code:

Sub OnClientLogon(oClient)
	If oClient.Authenticated then
		REM Unregister IP address from IDS registry
		Call idsDelIP(oClient.IPAddress)
	End if
End Sub

Have you checked how many times IMAP authenticates during a session?

The idea is to check SMTP traffic only, and the IP is registered in OnClientConnect and unregistered in OnAcceptMessage. I have not had one false positive since I introduced it in my script over 1 year ago.

Quite often, but that check will take maybe 000.1 second, especially when it doesn't exist... but you could also specify ports or just ignore the suggestion.
I know I will utilize it ;)

Post by udgesbou » 2021-04-05 19:40

Heyho,
I'm running hMailServer on a Windows server and I want to use these scripts:

#2 How to only allow client access from specific GEO locations. --> viewtopic.php?p=209543#p209543

#3 How to stop the annoying half-connections from BOT's and misconfigured spammers. --> viewtopic.php?p=209545#p209545

I found the "Scripts" button in the "Advanced" settings, but I'm new to hMailServer and I don't know how to implement the scripts on my server :(
I hope you can help me or show me a tutorial for that.

Thanks in advance.

Greetings
Colin

Post by mattg » 2021-04-06 01:31

Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by udgesbou » 2021-04-06 21:11

Thanks for your reply!

So if I want to implement this script, "#2 How to only allow client access from specific GEO locations.", my "EventHandlers.vbs" should look like this?

Code:

Option Explicit

'******************************************************************************************************************************
'********** Settings                                                                                                 **********
'******************************************************************************************************************************

'
'   COM authentication
'
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "########"

'******************************************************************************************************************************
'********** Functions                                                                                                **********
'******************************************************************************************************************************


Function GeoLookup(strIP) : GeoLookup = "zz"
   Dim a, element, group, strLookup
   a = Split(strIP, ".")
   With CreateObject("DNSLibrary.DNSResolver")
      strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zz.countries.nerd.dk")
   End With
   If Trim(strLookup) = "" Then
      EventLog.Write( "- GeoLookup(" & strIP & ") = " & GeoLookup )
      Exit Function
   End If
   group = Split(strLookup, vbCrLf)
   If UBound(group) > 0 Then
      For Each element In group
         If (Trim(element) <> "") Then EventLog.Write( "- GeoLookup(" & strIP & ") = " & element )
      Next
   Else
      GeoLookup = group(0)
   End If
End Function

'******************************************************************************************************************************
'********** hMailServer Triggers                                                                                     **********
'******************************************************************************************************************************
Sub OnClientConnect(oClient)
   '
   '   Exclude local LAN from test
   '
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub
   '
   '   Only allow non-SMTP connect from "Rigsfællesskabet"/"Naalagaaffeqatigiit"/"Ríkisfelagsskapurin" = The Danish Realm.
   '   zz = N/A, dk = Denmark, gl = Greenland, fo = Faroe Islands
   '
   If (oClient.Port <> 25) Then
      If (InStr("|dk|gl|fo|", GeoLookup(oClient.IPAddress)) = 0) Then
         Result.Value = 1
         Exit Sub
      End If
   End If
End Sub

'   Sub OnSMTPData(oClient, oMessage)
'   End Sub

'   Sub OnAcceptMessage(oClient, oMessage)
'   End Sub

'   Sub OnDeliveryStart(oMessage)
'   End Sub

'   Sub OnDeliverMessage(oMessage)
'   End Sub

'   Sub OnBackupFailed(sReason)
'   End Sub

'   Sub OnBackupCompleted()
'   End Sub

'   Sub OnError(iSeverity, iCode, sSource, sDescription)
'   End Sub

'   Sub OnDeliveryFailed(oMessage, sRecipient, sErrorMessage)
'   End Sub

'   Sub OnExternalAccountDownload(oFetchAccount, oMessage, sRemoteUID)
'   End Sub

Which data must I enter here?

Code:

Private Const ADMIN = "Administrator"
Private Const PASSWORD = "########"

And where can I get the "codes" for Germany, so that I can only connect from German country / IP?


Thanks in advance! :)


Greetings

Post by mattg » 2021-04-07 00:33

udgesbou wrote:
2021-04-06 21:11
Which data must I enter here?

Code:

Private Const ADMIN = "Administrator"
Private Const PASSWORD = "########"

The admin user MUST be = "Administrator"
The PASSWORD is your hMailServer admin GUI password


udgesbou wrote:
2021-04-06 21:11
And where can I get the "codes" for Germany, so that I can only connect from German country / IP?

Germany is 127.0.1.20

Post by udgesbou » 2021-04-07 13:23

mattg wrote:
2021-04-07 00:33
udgesbou wrote:
2021-04-06 21:11
And where can I get the "codes" for Germany, so that I can only connect from German country / IP?

Germany is 127.0.1.20

Okay, and where do I have to put that into the script? :(

Greetings

Post by RvdH » 2021-04-07 15:32

udgesbou wrote:
2021-04-07 13:23
Okay, and where do I have to put that into the script? :(

Greetings

Maybe simply look at the examples given/quoted?
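The Germany question above, worked through as an added example (not part of any post in this thread and not SorenR's own script): the TXT lookup used by the posted GeoLookup returns a two-letter code, so Germany goes into the allow-list as "de", while 127.0.1.20 is the A-record form of the same answer, whose last two octets hold the ISO 3166-1 numeric code (1 * 256 + 20 = 276). ALLOWED_COUNTRIES, IsAllowedCountry and NumericFromA are hypothetical names; GeoLookup is the function from the post above, and IPv4 clients are assumed, as in that function.

```vbscript
Option Explicit

' Added example, not from the thread. Hypothetical names: ALLOWED_COUNTRIES,
' IsAllowedCountry, NumericFromA. GeoLookup() is the function posted above
' and must be present in the same EventHandlers.vbs.

' Two-letter codes as returned by the TXT lookup; "de" = Germany.
Private Const ALLOWED_COUNTRIES = "|de|"

' Exact, delimiter-anchored match. A bare InStr(list, code) returns 1 for an
' empty code and also matches fragments such as "d", so wrap the code in "|".
Function IsAllowedCountry(strCode)
   Dim c
   IsAllowedCountry = False
   c = LCase(Trim(strCode))
   If Len(c) <> 2 Then Exit Function
   IsAllowedCountry = (InStr(ALLOWED_COUNTRIES, "|" & c & "|") > 0)
End Function

' Decode the A-record form 127.0.x.y into the ISO 3166-1 numeric code
' (x * 256 + y). Returns -1 for anything that is not a valid 127.0.x.y.
Function NumericFromA(strA)
   Dim a, x, y
   NumericFromA = -1
   a = Split(strA, ".")
   If UBound(a) <> 3 Then Exit Function
   If a(0) <> "127" Or a(1) <> "0" Then Exit Function
   If Not (IsNumeric(a(2)) And IsNumeric(a(3))) Then Exit Function
   x = CLng(a(2)) : y = CLng(a(3))
   If x < 0 Or x > 255 Or y < 0 Or y > 255 Then Exit Function
   NumericFromA = x * 256 + y
End Function

Sub OnClientConnect(oClient)
   ' Exclude local LAN from test (same prefix as the posted script)
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub
   ' Port 25 (SMTP) stays reachable from anywhere; other ports are restricted
   If (oClient.Port <> 25) Then
      If Not IsAllowedCountry(GeoLookup(oClient.IPAddress)) Then
         Result.Value = 1
         Exit Sub
      End If
   End If
End Sub
```

NumericFromA is not called by the trigger; it is there to check an A-record answer such as the one quoted above against the ISO numeric table when working out which two-letter code belongs in ALLOWED_COUNTRIES.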