Hardening hMailServer - The ongoing saga!

This section contains user-submitted tutorials.
CraigT
New user
Posts: 16
Joined: 2010-08-12 10:06
Location: Adelaide, Australia

Re: Hardening hMailServer - The ongoing saga!

Post by CraigT » 2020-05-02 08:37

SorenR (or other guru), are there any rules around the ODBC driver that has to be installed for either the 64/32-bit driver in Part 3, or doesn't it matter? If everything is 64-bit obviously use the 64-bit driver, but if hMail is 32-bit using 32-bit mysql.dll and MySQL is V8.x (64-bit), should I stick with the 32-bit driver, or don't we care?

SorenR
Senior user
Posts: 5101
Joined: 2006-08-21 15:38
Location: Denmark

Re: Hardening hMailServer - The ongoing saga!

Post by SorenR » 2020-05-02 12:33

CraigT wrote:
2020-05-02 08:37
SorenR (or other guru), are there any rules around the ODBC driver that has to be installed for either the 64/32-bit driver in Part 3, or doesn't it matter? If everything is 64-bit obviously use the 64-bit driver, but if hMail is 32-bit using 32-bit mysql.dll and MySQL is V8.x (64-bit), should I stick with the 32-bit driver, or don't we care?
I'm still running 32-bit on my old server, but as far as I can read, your driver needs to follow your database; however, there are other issues with the latest versions of MySQL. Perhaps MariaDB is worth looking into :wink:
SørenR.

There are only two difficult problems in computer science: naming things, cache invalidation and off-by-one errors.

palinka
Senior user
Posts: 3212
Joined: 2017-09-12 17:57

Re: Hardening hMailServer - The ongoing saga!

Post by palinka » 2020-05-03 17:58

SorenR wrote:
2020-05-02 12:33
Perhaps MariaDB is worth looking into :wink:
+1

32-bit ODBC is required for 32-bit hMailServer. It's a pain in the rear to sort out. MariaDB has (I think) only one connector (32/64).

CraigT
New user
Posts: 16
Joined: 2010-08-12 10:06
Location: Adelaide, Australia

Re: Hardening hMailServer - The ongoing saga!

Post by CraigT » 2020-05-04 08:09

Got it. Thanks guys. Waiting on the 64-bit hMailServer for a production server to do the update so everything is 64-bit, but Soren's scripts are too good to pass up, as the server seems to have an attraction to "sheskyhigh" and "blueskyhotel" plus a few others just connecting and dropping out. Plus it will make the log file much shorter. :D
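
A check for the question above, added here as an example and not taken from the thread or from hMailServer: the ODBC driver is loaded into the hMailServer process by the scripts, so its bitness has to match the hMailServer build, not the MySQL/MariaDB server it connects to. The script lists which ODBC drivers are registered for 64-bit and for 32-bit applications and reports which registry view holds the hMailServer install key. Assumptions: it is run with the 64-bit script host (C:\Windows\System32\cscript.exe) on 64-bit Windows, so both registry views are reachable at their explicit paths, and the installer writes HKLM\SOFTWARE\hMailServer\InstallLocation, which for a 32-bit installer lands under WOW6432Node.

```vbscript
Option Explicit
' Added example, not from the thread: which ODBC drivers can a 32-bit and a 64-bit
' hMailServer actually load, and which bitness is installed here?
' Run with: C:\Windows\System32\cscript.exe odbccheck.vbs   (64-bit host, assumed)
Const HKEY_LOCAL_MACHINE = &H80000002
Const DRIVERS_64 = "SOFTWARE\ODBC\ODBCINST.INI\ODBC Drivers"
Const DRIVERS_32 = "SOFTWARE\WOW6432Node\ODBC\ODBCINST.INI\ODBC Drivers"

Dim oReg : Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

' Value names under a key (here: the driver names), or an empty array if the key is missing
Function RegValueNames(sKey)
   Dim aNames, aTypes
   If oReg.EnumValues(HKEY_LOCAL_MACHINE, sKey, aNames, aTypes) = 0 And IsArray(aNames) Then
      RegValueNames = aNames
   Else
      RegValueNames = Array()
   End If
End Function

' "32-bit" if the install key sits in the WOW6432Node view, "64-bit" if in the native
' view, "unknown" otherwise. Assumption: the installer writes InstallLocation there.
Function HMailBitness()
   Dim sValue
   HMailBitness = "unknown"
   If oReg.GetStringValue(HKEY_LOCAL_MACHINE, "SOFTWARE\WOW6432Node\hMailServer", "InstallLocation", sValue) = 0 Then
      HMailBitness = "32-bit"
   ElseIf oReg.GetStringValue(HKEY_LOCAL_MACHINE, "SOFTWARE\hMailServer", "InstallLocation", sValue) = 0 Then
      HMailBitness = "64-bit"
   End If
End Function

Sub Report(sView, sKey)
   Dim sName
   WScript.Echo sView & " ODBC drivers:"
   For Each sName In RegValueNames(sKey)
      WScript.Echo "   " & sName
   Next
End Sub

Dim sBits : sBits = HMailBitness()
WScript.Echo "hMailServer install key found in the " & sBits & " registry view"
Call Report("64-bit", DRIVERS_64)
Call Report("32-bit", DRIVERS_32)
If sBits = "32-bit" Then
   WScript.Echo "=> use a 32-bit MySQL/MariaDB ODBC driver and a 32-bit DSN (odbcad32.exe from SysWOW64)"
ElseIf sBits = "64-bit" Then
   WScript.Echo "=> use a 64-bit MySQL/MariaDB ODBC driver and a 64-bit DSN (odbcad32.exe from System32)"
End If
```

The two copies of odbcad32.exe are the usual trap: the one in System32 manages 64-bit drivers and DSNs, the one in SysWOW64 manages the 32-bit ones, and a DSN created in the wrong one is invisible to the hMailServer process.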

RvdH
Senior user
Posts: 1785
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Hardening hMailServer - The ongoing saga!

Post by RvdH » 2020-05-10 15:38

Just an idea, it might prevent genuine users who experience unexpected timeouts or the like from being listed in the IDS

Code:

Sub OnClientLogon(oClient)
	If oClient.Authenticated then
		REM Unregister IP address from IDS registry
		Call idsDelIP(oClient.IPAddress)
	End if
End Sub
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

SorenR
Senior user
Posts: 5101
Joined: 2006-08-21 15:38
Location: Denmark

Re: Hardening hMailServer - The ongoing saga!

Post by SorenR » 2020-05-10 17:33

RvdH wrote:
2020-05-10 15:38
Just an idea, it might prevent genuine users who experience unexpected timeouts or the like from being listed in the IDS

Code:

Sub OnClientLogon(oClient)
	If oClient.Authenticated then
		REM Unregister IP address from IDS registry
		Call idsDelIP(oClient.IPAddress)
	End if
End Sub
Have you checked how many times IMAP authenticates during a session?

The idea is to check SMTP traffic only and the IP is registered in OnClientConnect and unregistered in OnAcceptMessage. I have not had one false positive since I introduced it in my script over a year ago.
SørenR.

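
The register/unregister scheme SorenR describes, written out as an added example for EventHandlers.vbs; this is not SorenR's script and not code shipped with hMailServer. On port 25 an IP is registered in OnClientConnect and unregistered in OnAcceptMessage, so only connections that never deliver a message accumulate strikes, and RvdH's suggestion is folded in: an authenticated logon also clears the IP. Assumptions that are mine, not the thread's: strike counts live in one small file per IP under <EventDirectory>\halfconn (hMailServer reloads the script for every event, so counters cannot live in script variables), strikes older than STRIKE_WINDOW_HOURS are forgotten, the LAN is 192.168.0.0/16, and an IP that reaches STRIKE_LIMIT gets a temporary IP range through the hMailServer COM API (Settings.SecurityRanges, Expires/ExpiresTime) that refuses SMTP, POP3 and IMAP.

```vbscript
Option Explicit

' Added example for EventHandlers.vbs, not SorenR's script: count SMTP connections that
' never deliver a message, ban the IP for a while after STRIKE_LIMIT of them.
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "########"
Private Const STRIKE_LIMIT = 3
Private Const STRIKE_WINDOW_HOURS = 24
Private Const BAN_HOURS = 24

Function GetApp()
   Dim oApp : Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate(ADMIN, PASSWORD)
   Set GetApp = oApp
End Function

' One counter file per IP (assumed layout); ":" is replaced so IPv6 addresses give valid names
Function CounterPath(oApp, sIP)
   Dim oFSO : Set oFSO = CreateObject("Scripting.FileSystemObject")
   Dim sDir : sDir = oApp.Settings.Directories.EventDirectory & "\halfconn"
   If Not oFSO.FolderExists(sDir) Then oFSO.CreateFolder sDir
   CounterPath = sDir & "\" & Replace(sIP, ":", "_") & ".txt"
End Function

' Adds one strike and returns the new count; a counter older than the window restarts at 1,
' so an occasional network hiccup cannot add up to a ban over weeks
Function AddStrike(oApp, sIP)
   Dim oFSO : Set oFSO = CreateObject("Scripting.FileSystemObject")
   Dim sPath : sPath = CounterPath(oApp, sIP)
   Dim iHits : iHits = 0
   If oFSO.FileExists(sPath) Then
      If DateDiff("h", oFSO.GetFile(sPath).DateLastModified, Now) < STRIKE_WINDOW_HOURS Then
         With oFSO.OpenTextFile(sPath, 1)
            If Not .AtEndOfStream Then iHits = CLng(Trim(.ReadLine))
            .Close
         End With
      End If
   End If
   iHits = iHits + 1
   With oFSO.CreateTextFile(sPath, True)
      .WriteLine iHits
      .Close
   End With
   AddStrike = iHits
End Function

Sub ClearStrikes(oApp, sIP)
   Dim oFSO : Set oFSO = CreateObject("Scripting.FileSystemObject")
   Dim sPath : sPath = CounterPath(oApp, sIP)
   If oFSO.FileExists(sPath) Then oFSO.DeleteFile sPath
End Sub

' Temporary IP range for a single address; hMailServer removes it again after ExpiresTime
Sub BanIP(oApp, sIP)
   Dim oRange : Set oRange = oApp.Settings.SecurityRanges.Add
   oRange.Name = "halfconn " & sIP
   oRange.LowerIP = sIP
   oRange.UpperIP = sIP
   oRange.Priority = 20
   oRange.AllowSMTPConnections = False
   oRange.AllowPOP3Connections = False
   oRange.AllowIMAPConnections = False
   oRange.Expires = True
   oRange.ExpiresTime = DateAdd("h", BAN_HOURS, Now)
   oRange.Save
   EventLog.Write("halfconn: banned " & sIP & " for " & BAN_HOURS & " hours")
End Sub

Sub OnClientConnect(oClient)
   If oClient.Port <> 25 Then Exit Sub                         ' inbound SMTP only
   If Left(oClient.IPAddress, 8) = "192.168." Then Exit Sub    ' skip the LAN (assumed range)
   Dim oApp : Set oApp = GetApp()
   If AddStrike(oApp, oClient.IPAddress) >= STRIKE_LIMIT Then
      Call BanIP(oApp, oClient.IPAddress)
      Call ClearStrikes(oApp, oClient.IPAddress)
      Result.Value = 1                                          ' drop this connection as well
   End If
End Sub

' A delivered message or an authenticated logon proves the client is real: forget its strikes
Sub OnAcceptMessage(oClient, oMessage)
   If oClient.Port = 25 Then Call ClearStrikes(GetApp(), oClient.IPAddress)
End Sub

Sub OnClientLogon(oClient)
   If oClient.Authenticated Then Call ClearStrikes(GetApp(), oClient.IPAddress)
End Sub
```

Bans show up under Settings > Advanced > IP Ranges as "halfconn <ip>" entries and disappear when they expire. A sender whose every connection ends in a 5xx at RCPT (wrong recipient, rejected by a rule) never reaches OnAcceptMessage either, so that sender is also counted; the strike window and the low ban duration are what keep such a case from turning into a permanent block.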

RvdH
Senior user
Posts: 1785
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Hardening hMailServer - The ongoing saga!

Post by RvdH » 2020-05-10 17:37

SorenR wrote:
2020-05-10 17:33
Have you checked how many times IMAP authenticates during a session?

The idea is to check SMTP traffic only and the IP is registered in OnClientConnect and unregistered in OnAcceptMessage. I have not had one false positive since I introduced it in my script over a year ago.
Quite often, but that check will take maybe 000.1 second, especially when it doesn't exist... but you could also specify ports, or just ignore the suggestion.
I know I will utilize it ;)

udgesbou
New user
Posts: 5
Joined: 2021-04-05 19:33

Re: Hardening hMailServer - The ongoing saga!

Post by udgesbou » 2021-04-05 19:40

Heyho,
I'm running hMailServer on a Windows Server and I want to use these scripts:

#2 How to only allow client access from specific GEO locations. --> viewtopic.php?p=209543#p209543

#3 How to stop the annoying half-connections from BOT's and misconfigured spammers. --> viewtopic.php?p=209545#p209545

I found the "Scripts" button in the "Advanced" settings, but I'm new to hMailServer and I don't know how to implement the scripts on my server :(
I hope you can help me or show me a tutorial for that.

Thanks in advance.

Greetings
Colin

User avatar
mattg
Moderator
Posts: 21742
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Hardening hMailServer - The ongoing saga!

Post by mattg » 2021-04-06 01:31

Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

udgesbou
New user
Posts: 5
Joined: 2021-04-05 19:33

Re: Hardening hMailServer - The ongoing saga!

Post by udgesbou » 2021-04-06 21:11

Thanks for your reply!

So if I want to implement this script "#2 How to only allow client access from specific GEO locations.", my "EventHandlers.vbs" should look like this?

Code:

Option Explicit

'******************************************************************************************************************************
'********** Settings                                                                                                 **********
'******************************************************************************************************************************

'
'   COM authentication
'
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "########"

'******************************************************************************************************************************
'********** Functions                                                                                                **********
'******************************************************************************************************************************


Function GeoLookup(strIP) : GeoLookup = "zz"
   Dim a, element, group, strLookup
   '
   '   The reversed-octet lookup only works for IPv4; anything else (IPv6) stays "zz"
   '   instead of failing on a(3) below
   '
   a = Split(strIP, ".")
   If UBound(a) <> 3 Then
      EventLog.Write( "- GeoLookup(" & strIP & ") = " & GeoLookup & " (not IPv4)" )
      Exit Function
   End If
   With CreateObject("DNSLibrary.DNSResolver")
      strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zz.countries.nerd.dk")
   End With
   If Trim(strLookup) = "" Then
      EventLog.Write( "- GeoLookup(" & strIP & ") = " & GeoLookup )
      Exit Function
   End If
   group = Split(strLookup, vbCrLf)
   If UBound(group) > 0 Then
      '   More than one answer: log them all and keep "zz" rather than guess
      For Each element In group
         If (Trim(element) <> "") Then EventLog.Write( "- GeoLookup(" & strIP & ") = " & element )
      Next
   Else
      GeoLookup = group(0)
   End If
End Function

'******************************************************************************************************************************
'********** hMailServer Triggers                                                                                     **********
'******************************************************************************************************************************
Sub OnClientConnect(oClient)
 '
   '   Exclude local LAN from test
   '
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub
   '
   '   Only allow non-SMTP connect from "Rigsfællesskabet"/"Naalagaaffeqatigiit"/"Ríkisfelagsskapurin" = The Danish Realm.
   '   zz = N/A, dk = Denmark, gl = Greenland, fo = Faroe Islands
   '
   If (oClient.Port <> 25) Then
      If (InStr("|dk|gl|fo|", GeoLookup(oClient.IPAddress)) = 0) Then
         Result.Value = 1
         Exit Sub
      End If
   End If
End Sub

'   Sub OnSMTPData(oClient, oMessage)
'   End Sub

'   Sub OnAcceptMessage(oClient, oMessage)
'   End Sub

'   Sub OnDeliveryStart(oMessage)
'   End Sub

'   Sub OnDeliverMessage(oMessage)
'   End Sub

'   Sub OnBackupFailed(sReason)
'   End Sub

'   Sub OnBackupCompleted()
'   End Sub

'   Sub OnError(iSeverity, iCode, sSource, sDescription)
'   End Sub

'   Sub OnDeliveryFailed(oMessage, sRecipient, sErrorMessage)
'   End Sub

'   Sub OnExternalAccountDownload(oFetchAccount, oMessage, sRemoteUID)
'   End Sub
Which data must I enter here?

Code:

Private Const ADMIN = "Administrator"
Private Const PASSWORD = "########"
And where can I get the "codes" for Germany, so that I can only connect from a German IP?


Thanks in advance! :)


Greetings

mattg
Moderator
Posts: 21742
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Hardening hMailServer - The ongoing saga!

Post by mattg » 2021-04-07 00:33

udgesbou wrote:
2021-04-06 21:11
Which data must I enter here?

Code:

Private Const ADMIN = "Administrator"
Private Const PASSWORD = "########"
The admin user MUST be "Administrator"
The PASSWORD is your hMailServer admin GUI password


udgesbou wrote:
2021-04-06 21:11
And where can I get the "codes" for Germany, so that I can only connect from a German IP?
Germany is 127.0.1.20

udgesbou
New user
Posts: 5
Joined: 2021-04-05 19:33

Re: Hardening hMailServer - The ongoing saga!

Post by udgesbou » 2021-04-07 13:23

mattg wrote:
2021-04-07 00:33
udgesbou wrote:
2021-04-06 21:11
And where can I get the "codes" for Germany, so that I can only connect from a German IP?
Germany is 127.0.1.20
Okay, and where do I have to put that into the script? :(

Greetings

RvdH
Senior user
Posts: 1785
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Hardening hMailServer - The ongoing saga!

Post by RvdH » 2021-04-07 15:32

udgesbou wrote:
2021-04-07 13:23
Okay, and where do I have to put that into the script? :(

Greetings
Maybe simply look at the examples given/quoted?

ashtec014
Normal user
Posts: 208
Joined: 2019-09-05 11:56

Re: Hardening hMailServer - The ongoing saga!

Post by ashtec014 » 2021-06-06 09:32

palinka wrote:
2019-10-31 10:58
nitro wrote:
2019-10-31 10:28
You have to be careful with the lords of Microsoft.
It can be a false positive in "FQDN as HELO".

Code:

AM5EUR02FT035.mail.protection.outlook.com
EUR04-DB3-obe.outbound.protection.outlook.com
EUR03-VE1-obe.outbound.protection.outlook.com
I discovered that yesterday too. I added outbound.protection.outlook.com$ to the list of "known false positives" so they skip the test.
Hello,

I've noticed that emails from "protection.outlook.com" are marked as spam or "known false positives" though they aren't; which list do I add these to so they can skip the test?

palinka
Senior user
Posts: 3212
Joined: 2017-09-12 17:57

Re: Hardening hMailServer - The ongoing saga!

Post by palinka » 2021-06-06 16:23

ashtec014 wrote:
2021-06-06 09:32
I've noticed that emails from "protection.outlook.com" are marked as spam or "known false positives" though they aren't; which list do I add these to so they can skip the test?
viewtopic.php?f=20&t=33602

Have a look at this thread.

gotspatel
Normal user
Posts: 148
Joined: 2013-10-08 05:42
Location: INDIA

Re: Hardening hMailServer - The ongoing saga!

Post by gotspatel » 2021-11-27 06:25

Hello all, hope everyone is fine.

I am trying to extend the functionality of IDS to make a threat feed (text file) for my hardware firewall, to block the IP from the firewall itself.

- take the IP which the IDS is blocking
- check if the threat feed text file exists; if not, create it
- check if the IP is already listed in the file and, if not, write it to a new line in the text file.

Is the below code perfect? As I am not able to get the IPs blocked by IDS into the file.


The FULL idsAddIP function

Code:

Function idsAddIP(sIPAddress, iPort)
	Dim oApp : Set oApp = CreateObject("hMailServer.Application")
	Call oApp.Authenticate(ADMIN, PASSWORD)
	Include(oApp.Settings.Directories.EventDirectory & "\VbsJson.vbs") '<---- It Points to Event Directory
	Dim ReturnCode, Json, oGeoip, oXML
	Set Json = New VbsJson

	'new GEOIPLOOKUP
	Dim m_CountryCode, m_CountryName
	Call GeoIPLookup(sIPAddress, m_CountryCode, m_CountryName)
	On Error Resume Next

	Dim idsTable
	idsTable = DBIDSTBL
	Dim strSQL, oDB : Set oDB = GetDatabaseObject
	If IsMySQL Then
		strSQL = "INSERT INTO hm_ids (timestamp,ipaddress,port,hits,country) VALUES (" & DBGetCurrentDateTime() & ",'" & sIPAddress & "','" & iPort & "',1,'" & m_CountryName & "') ON DUPLICATE KEY UPDATE hits=(hits+1),TIMESTAMP=" & DBGetCurrentDateTime() & ";"
	ElseIf IsMSSQL Then
		strSQL = "IF NOT EXISTS (SELECT 1 FROM " & idsTable & " WHERE ipaddress = '" & sIPAddress & "') INSERT INTO " & idsTable & " (timestamp,ipaddress,port,hits,country) VALUES (" & DBGetCurrentDateTime() & ",'" & sIPAddress & "'," & iPort &",'1','" & m_CountryName & "') ELSE UPDATE " & idsTable & " SET hits=(hits+1), timestamp=" & DBGetCurrentDateTime() & " WHERE ipaddress= '" & sIPAddress & "';"
	End If

	' Threat feed: append the IP to the text file unless it is already listed.
	' There is no WScript object inside hMailServer event scripts, so use plain
	' CreateObject and never WScript.Quit (which would also skip the SQL below).
	Const FORREADING = 1
	Const FORAPPENDING = 8
	Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject")
	Dim sFileName : sFileName = "C:\inetpub\wwwroot\Threatfeed\ids_iplist.txt"
	Dim TxtFile, sContent
	Dim Found : Found = False
	If Not objFSO.FileExists(sFileName) Then
		EventLog.Write( "Function IDSADDIP - ids_iplist.txt does not exist, creating it" )
		Set TxtFile = objFSO.CreateTextFile(sFileName, True)
		TxtFile.WriteLine sIPAddress
		TxtFile.Close
		Found = True
	Else
		Set TxtFile = objFSO.OpenTextFile(sFileName, FORREADING)
		sContent = TxtFile.ReadAll
		TxtFile.Close
		' Search for the IP variable (not the literal text "sIPAddress") as a whole
		' line, so that 10.1.1.1 already in the file does not hide 10.1.1.10
		If InStr(vbCrLf & sContent & vbCrLf, vbCrLf & sIPAddress & vbCrLf) > 0 Then Found = True
	End If
	If Not Found Then
		Set TxtFile = objFSO.OpenTextFile(sFileName, FORAPPENDING)
		TxtFile.WriteLine sIPAddress
		TxtFile.Close
	End If
	Set TxtFile = Nothing
	Set objFSO = Nothing

	Call oDB.ExecuteSQL(strSQL)
	Set oDB = Nothing
End Function


palinka
Senior user
Posts: 3212
Joined: 2017-09-12 17:57

Re: Hardening hMailServer - The ongoing saga!

Post by palinka » 2021-11-27 15:22

First, are you using MySQL or MSSQL? You don't need both.

Secondly, you're probably better off running a handler script that adds ips from the database to the text file. In that case, you may want to add a new column that let's you know if the ip has been picked up by the handler script already, so you don't have any duplication. Then nothing would change from the original script in your eventhandlers.vbs and you would run the handler from task scheduler every hour or whatever.

gotspatel
Normal user
Posts: 148
Joined: 2013-10-08 05:42
Location: INDIA

Re: Hardening hMailServer - The ongoing saga!

Post by gotspatel » 2021-11-28 06:46

Hi,

I am using MySQL (MSSQL I just kept, don't know why?) :D

Second, I want to use the code to write/delete the IP in both functions idsAddIP and idsDelIP in EventHandlers, so that if the IP is removed by IDS it is also removed from the text file.
Very bad at coding; I just use snippets from the internet and transform them to my use.

palinka
Senior user
Posts: 3212
Joined: 2017-09-12 17:57

Re: Hardening hMailServer - The ongoing saga!

Post by palinka » 2021-11-28 14:20

There's a flaw in your logic / sequence of events. There's a reason there is a 3 strike rule. Some connections that get added to ids are false positives caused by network errors and such. You don't want to firewall ban those IPs until you're sure that they're actually malicious. Therefore, you don't want to add them to the text file every time IDSADD is called. You will only want to add them when they reach the strike limit, at which point you're more sure that the IP is malicious and not the result of a temporary error.

Try this. Revert the code back to the original. Then run this PowerShell from Task Scheduler every 5 minutes. I pulled this out of my firewall ban code. It's not tested!

Code:

###   MYSQL VARIABLES   ###
$DatabaseType     = 'MYSQL'
$SQLAdminUserName = 'hmailserver'
$SQLAdminPassword = 'supersecretpassword'
$SQLDatabase      = 'hmailserver'
$SQLHost          = '127.0.0.1'
$SQLPort          = 3306
$SQLSSL           = 'none'

###   SQL SSL OPTIONS   ###

#   Set to 'none' if Powershell and MySQL on same machine
#
#	None       - Do not use SSL.
#	Preferred  - Use SSL if the server supports it, but allow connection in all cases.
#	Required   - Always use SSL. Deny connection if server does not support SSL.
#	VerifyCA   - Always use SSL. Validate the CA but tolerate name mismatch.
#	VerifyFull - Always use SSL. Fail if the host name is not correct.

###   IDS OPTIONS   ###
$IDSIPList       = 'C:\inetpub\wwwroot\Threatfeed\IDSIPList.txt'
$IDSNew          = 5 # New Entries interval in minutes
$IDSExpire       = 3 # Interval in days


Function MySQLQuery($Query) {
	$Today = (Get-Date).ToString("yyyyMMdd")
	$DBErrorLog = "$PSScriptRoot\$Today-DBError.log"
	$ConnectionString = "server=" + $SQLHost + ";port=" + $SQLPort + ";uid=" + $SQLAdminUserName + ";pwd=" + $SQLAdminPassword + ";database=" + $SQLDatabase + ";SslMode=" + $SQLSSL + ";"
	Try {
		[void][System.Reflection.Assembly]::LoadWithPartialName("MySql.Data")
		$Connection = New-Object MySql.Data.MySqlClient.MySqlConnection
		$Connection.ConnectionString = $ConnectionString
		$Connection.Open()
		$Command = New-Object MySql.Data.MySqlClient.MySqlCommand($Query, $Connection)
		$DataAdapter = New-Object MySql.Data.MySqlClient.MySqlDataAdapter($Command)
		$DataSet = New-Object System.Data.DataSet
		$RecordCount = $dataAdapter.Fill($dataSet, "data")
		$DataSet.Tables[0]
	}
	Catch {
		Write-Output "$(Get-Date -f G) : ERROR : Unable to run query : $query `n$($Error[0])" | Out-File $DBErrorLog -Append -Encoding ASCII
	}
	Finally {
		# $Connection is $null when the assembly or the object could not be created, so guard the Close()
		If ($Connection) { $Connection.Close() }
	}
}


<#######################################>
<#                                     #>
<#                IDS                  #>
<#    (Intrusion Detection System)     #>
<#                                     #>
<#######################################>

<#	Pickup entries from IDS  #>
$Query = "SELECT ipaddress FROM hm_ids WHERE hits > 2 AND timestamp > (NOW() - INTERVAL $IDSNew MINUTE);"
MySQLQuery $Query | foreach {

	<#  Add to IDSIPList  #>
	$_ | Out-File $IDSIPList -Append -Encoding ASCII

}

<#	Expire old IDS entries  #>
$Query = "SELECT ipaddress FROM hm_ids WHERE timestamp < (NOW() - INTERVAL $IDSExpire DAY);"
MySQLQuery $Query | ForEach {
	# Single quotes do not expand $($_), and $_ is a DataRow, so compare the ipaddress field to each line
	$ip = $_.ipaddress
	Set-Content -Path $IDSIPList -Value (Get-Content -Path $IDSIPList | Where-Object { $_.Trim() -ne $ip })
}

$Query = "DELETE FROM hm_ids WHERE timestamp < (NOW() - INTERVAL $IDSExpire DAY);"
MySQLQuery $Query
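
The handler palinka describes in his two replies above (export only IPs at the strike limit, flag rows already picked up so nothing is written twice, run it from Task Scheduler), as an added example in the same scripting language as the rest of the thread. It is not palinka's script and not hMailServer code. Assumptions that are mine: MySQL reached through the MySQL ODBC driver (the connection string is a placeholder), the hm_ids table from the thread (ipaddress, hits, timestamp), one extra column added by hand with `ALTER TABLE hm_ids ADD COLUMN exported TINYINT NOT NULL DEFAULT 0;`, and the feed path from the thread.

```vbscript
Option Explicit

' Added example, not the thread's code. Run as a scheduled task:
'    cscript.exe idsfeed.vbs        (every few minutes)
' Keeps a one-IP-per-line threat feed for the firewall in sync with hm_ids.
Const FEED_FILE    = "C:\inetpub\wwwroot\Threatfeed\IDSIPList.txt"
Const STRIKE_LIMIT = 3
Const EXPIRE_DAYS  = 3
' Placeholder connection string (assumed driver name and credentials)
Const CONN_STRING  = "Driver={MySQL ODBC 8.0 Unicode Driver};Server=127.0.0.1;Port=3306;Database=hmailserver;User=hmailserver;Password=supersecretpassword;"

Dim oFSO : Set oFSO = CreateObject("Scripting.FileSystemObject")
Dim oConn : Set oConn = CreateObject("ADODB.Connection")
oConn.Open CONN_STRING

' Current feed as a dictionary: duplicates become impossible and removal is cheap
Dim oFeed : Set oFeed = CreateObject("Scripting.Dictionary")
Dim sLine, sIP, oRS
If oFSO.FileExists(FEED_FILE) Then
   With oFSO.OpenTextFile(FEED_FILE, 1)
      Do Until .AtEndOfStream
         sLine = Trim(.ReadLine)
         If sLine <> "" Then oFeed(sLine) = True
      Loop
      .Close
   End With
End If

' 1. Expired IDS rows leave both the feed and the table (an IP can earn its way back later)
Set oRS = oConn.Execute("SELECT ipaddress FROM hm_ids WHERE timestamp < (NOW() - INTERVAL " & EXPIRE_DAYS & " DAY)")
Do Until oRS.EOF
   sIP = oRS("ipaddress").Value
   If oFeed.Exists(sIP) Then oFeed.Remove sIP
   oRS.MoveNext
Loop
oRS.Close
oConn.Execute "DELETE FROM hm_ids WHERE timestamp < (NOW() - INTERVAL " & EXPIRE_DAYS & " DAY)"

' 2. Rows at the strike limit that were not exported yet join the feed, then get flagged,
'    so a row that keeps collecting hits is never written a second time
Dim iNew : iNew = 0
Set oRS = oConn.Execute("SELECT ipaddress FROM hm_ids WHERE hits >= " & STRIKE_LIMIT & " AND exported = 0")
Do Until oRS.EOF
   sIP = oRS("ipaddress").Value
   If Not oFeed.Exists(sIP) Then
      oFeed(sIP) = True
      iNew = iNew + 1
   End If
   oRS.MoveNext
Loop
oRS.Close
oConn.Execute "UPDATE hm_ids SET exported = 1 WHERE hits >= " & STRIKE_LIMIT & " AND exported = 0"
oConn.Close

' 3. Rewrite the feed without headers via a temp file, so the firewall never
'    downloads a half-written list
Dim sTmp : sTmp = FEED_FILE & ".tmp"
With oFSO.CreateTextFile(sTmp, True)
   For Each sIP In oFeed.Keys
      .WriteLine sIP
   Next
   .Close
End With
If oFSO.FileExists(FEED_FILE) Then oFSO.DeleteFile FEED_FILE
oFSO.MoveFile sTmp, FEED_FILE
WScript.Echo "Feed now holds " & oFeed.Count & " IPs (" & iNew & " new)"
```

Because the whole file is regenerated from the dictionary each run, the column-header problem of piping a DataRow straight into a file cannot occur, and an IP whose hm_ids row expires drops out of the feed on the next run without a separate delete loop. The task must run under an account that can both query the database and write to the web root.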

gotspatel
Normal user
Posts: 148
Joined: 2013-10-08 05:42
Location: INDIA

Re: Hardening hMailServer - The ongoing saga!

Post by gotspatel » 2021-12-10 14:47

At last, got some hits :D

Any help on how to remove the column headers?

OUTPUT OF "IDSIPList.txt"

Code:


ipaddress   <<<< REMOVE THIS
---------   <<<< AND THIS
51.81.155.71



ipaddress    
---------    
103.150.8.116



ipaddress    
---------    
185.167.97.31



ipaddress     
---------     
185.180.143.77



ipaddress      
---------      
112.132.123.233


palinka
Senior user
Posts: 3212
Joined: 2017-09-12 17:57

Re: Hardening hMailServer - The ongoing saga!

Post by palinka » 2021-12-10 16:17

gotspatel wrote:
2021-12-10 14:47
At last, got some hits :D

Any help on how to remove the column headers?

Change this line:

Code:

	$_ | Out-File $IDSIPList -Append -Encoding ASCII
To this:

Code:

	$_.ipaddress | Out-File $IDSIPList -Append -Encoding ASCII

gotspatel
Normal user
Posts: 148
Joined: 2013-10-08 05:42
Location: INDIA

Re: Hardening hMailServer - The ongoing saga!

Post by gotspatel » 2021-12-13 11:41

palinka wrote:
2021-12-10 16:17

Code:

	$_.ipaddress | Out-File $IDSIPList -Append -Encoding ASCII
This worked, and I have also integrated it in your firewall ban script.
