Hardening hMailServer - The ongoing saga!

udgesbou
Normal user
Posts: 38
Joined: 2021-04-05 19:33
Location: Germany

Re: Hardening hMailServer - The ongoing saga!

Post by udgesbou » 2022-04-29 17:32

Hey palinka,
perhaps you can help me with another question.

Can I exclude IPs from being checked by the script? Like whitelisting or so?
If it's possible, how can I do this?


Thank you!

palinka
Senior user
Posts: 3838
Joined: 2017-09-12 17:57

Post by palinka » 2022-04-29 21:10

udgesbou wrote:
2022-04-29 17:32
Hey palinka,
perhaps you can help me with another question.

Can I exclude IPs from being checked by the script? Like whitelisting or so?
If it's possible, how can I do this?


Thank you!
Sure. There's a couple of ways.

First, always exclude local mail and backup from tests that should be for incoming mail, or tests for untrusted IPs.

Code: Select all

Sub OnClientConnect(oClient)

	REM - Exclude Backup-MX & local LAN from test
	If (Left(oClient.IPAddress, 12) = "184.105.182.") Then Exit Sub ' junkemailfilter.com backup mx
	If (Left(oClient.IPAddress, 11) = "192.168.22.") Then Exit Sub  ' local LAN
	If oClient.IPAddress = "127.0.0.1" Then Exit Sub                ' localhost
	
	'
	' Continue processing incoming connections
	'

End Sub

Secondly, I made a whitelisting function to check IPs against WL-RBLs. This requires RvdH's DNS Resolver: https://d-fault.nl/files

Code: Select all

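Function IsWhitelisted(strIP) : IsWhitelisted = False

	' Lookup(strRegEx, strLookup) is not defined in this post; it is expected to return True when strLookup matches strRegEx.
	Dim a : a = Split(strIP, ".")
	If UBound(a) <> 3 Then Exit Function ' not a dotted-quad IPv4 address (e.g. IPv6): a(3) would not exist
	Dim strLookup, strRegEx
	Dim IsWLMailSpike, IsWLHostKarma, IsWLNSZones, IsWLSPFBL, IsWLSpamDonkey, IsWLIPSWhitelisted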
	
	With CreateObject("DNSLibrary.DNSResolver")
		strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".rep.mailspike.net")
	End With
	strRegEx = "^127\.0\.0\.(19|20)$" '18=Good, 19=Very Good, 20=Excellent Reputation
	IsWLMailSpike = Lookup(strRegEx, strLookup)

	With CreateObject("DNSLibrary.DNSResolver")
		strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".hostkarma.junkemailfilter.com")
	End With
	strRegEx = "^127\.0\.0\.(1|5)$" '1=Good, 5=NoBL
	IsWLHostKarma = Lookup(strRegEx, strLookup)

	With CreateObject("DNSLibrary.DNSResolver")
		strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".wl.nszones.com")
	End With
	strRegEx = "^127\.0\.0\.5$" '5=whitelisted
	IsWLNSZones = Lookup(strRegEx, strLookup)

	With CreateObject("DNSLibrary.DNSResolver")
		strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".dnswl.spfbl.net")
	End With
	strRegEx = "^127\.0\.0\.(2|3|4|5)$" '2=excellent rep, 3=indispensable public service, 4=corp email (no marketing), 5=safe bulk mail
	IsWLSPFBL = Lookup(strRegEx, strLookup)

	With CreateObject("DNSLibrary.DNSResolver")
		strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".dnsbl.spamdonkey.com")
	End With
	strRegEx = "^126\.0\.0\.0$" '126.0.0.0=whitelisted
	IsWLSpamDonkey = Lookup(strRegEx, strLookup)

	With CreateObject("DNSLibrary.DNSResolver")
		strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".ips.whitelisted.org")
	End With
	strRegEx = "^127\.0\.0\.2$" '2=whitelisted
	IsWLIPSWhitelisted = Lookup(strRegEx, strLookup)

	If (IsWLMailSpike Or IsWLHostKarma Or IsWLNSZones Or IsWLSPFBL Or IsWLSpamDonkey Or IsWLIPSWhitelisted) Then IsWhitelisted = True

End Function


If NOT(IsWhitelisted(strIP)) Then
	'
	' do stuff here to non-whitelisted IPs
	'
End If

-- or - like above --

	REM - Exclude Backup-MX & local LAN from test
	If (Left(oClient.IPAddress, 12) = "184.105.182.") Then Exit Sub ' junkemailfilter.com backup mx
	If (Left(oClient.IPAddress, 11) = "192.168.22.") Then Exit Sub  ' local LAN
	If oClient.IPAddress = "127.0.0.1" Then Exit Sub                ' localhost
	If IsWhitelisted(oClient.IPAddress) Then Exit Sub ' strIP does not exist inside OnClientConnect

I use the IsWhitelisted function to exclude from geoip testing with the idea that I can ban many countries with geoip, but still allow whitelisted IPs from banned countries through.


Post by udgesbou » 2022-04-30 16:11

palinka wrote:
2022-04-29 21:10
Secondly, I made a whitelisting function to check IPs against WL-RBLs. This requires RvdH's DNS Resolver: https://d-fault.nl/files

I use the IsWhitelisted function to exclude from geoip testing with the idea that I can ban many countries with geoip, but still allow whitelisted IPs from banned countries through.
Yeah, this is what I am looking for.

Do I have to put this in "Eventhandler.vbs" or "Handler.vbs"?
And where can I define the whitelisted IPs, for example 94.105.266.80?


Thanks :)


Post by palinka » 2022-04-30 19:18

udgesbou wrote:
2022-04-30 16:11
Yeah, this is what I am looking for.

Do I have to put this in "Eventhandler.vbs" or "Handler.vbs"?
And where can I define the whitelisted IPs, for example 94.105.266.80?


Thanks :)
It goes in eventhandlers.vbs.

YOU don't define anything. These are public RBLs doing the checking for you. They define their own whitelists.


Post by udgesbou » 2022-04-30 20:37

palinka wrote:
2022-04-30 19:18
It goes in eventhandlers.vbs.

YOU don't define anything. These are public RBLs doing the checking for you. They define their own whitelists.
Okay, but I have one IP I want to exclude from checking.
udgesbou wrote:
2022-04-30 16:11
And where can I define the whitelisted IPs, for example 94.105.266.80?
Is this what I have to do?

Code: Select all

Sub OnClientConnect(oClient)

	REM - Exclude Backup-MX & local LAN from test
	If (Left(oClient.IPAddress, 12) = "94.105.266.80") Then Exit Sub ' MY IP THAT I WANT TO EXCLUDE
	If (Left(oClient.IPAddress, 11) = "192.168.22.") Then Exit Sub  ' local LAN
	If oClient.IPAddress = "127.0.0.1" Then Exit Sub                ' localhost
	
	'
	' Continue processing incoming connections
	'

End Sub

Greetings


Post by palinka » 2022-05-01 00:22

udgesbou wrote:
2022-04-30 20:37
Is this what I have to do?

Code: Select all

Sub OnClientConnect(oClient)

	REM - Exclude Backup-MX & local LAN from test
	If (Left(oClient.IPAddress, 12) = "94.105.266.80") Then Exit Sub ' MY IP THAT I WANT TO EXCLUDE
	If (Left(oClient.IPAddress, 11) = "192.168.22.") Then Exit Sub  ' local LAN
	If oClient.IPAddress = "127.0.0.1" Then Exit Sub                ' localhost
	
	'
	' Continue processing incoming connections
	'

End Sub

Greetings
Yes.

tunis
Senior user
Posts: 332
Joined: 2015-01-05 20:22
Location: Sweden

Post by tunis » 2022-05-03 11:56

udgesbou wrote:
2022-04-30 20:37

Is this what I have to do?

Code: Select all

Sub OnClientConnect(oClient)

	REM - Exclude Backup-MX & local LAN from test
	If (Left(oClient.IPAddress, 12) = "94.105.266.80") Then Exit Sub ' MY IP THAT I WANT TO EXCLUDE
	If (Left(oClient.IPAddress, 11) = "192.168.22.") Then Exit Sub  ' local LAN
	If oClient.IPAddress = "127.0.0.1" Then Exit Sub                ' localhost
	
	'
	' Continue processing incoming connections
	'

End Sub

Greetings
For a specific IP, use

Code: Select all

If oClient.IPAddress = "94.105.266.80" Then Exit Sub ' MY IP THAT I WANT TO EXCLUDE
Left is only used for ranges (the number of chars to compare from the left)
HMS 5.6.8 B2534.28 on Windows Server 2019 Core VM.
HMS 5.6.9 B2602.53 on Windows Server 2016 Core VM.
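
The difference between a range match and a single-address match described above, as an added example that is not part of the original posts: a helper for EventHandlers.vbs that keeps exact addresses and prefixes in one list and derives the comparison length from each entry, so a literal and a hard-coded length cannot drift apart. EXCLUDED_IPS, IsValidIPv4, IsExcludedIP and SelfCheck are hypothetical names, and the list entries are constructed sample values (203.0.113.80 is a documentation address).

```vbscript
' Added example, not from the thread. All names below are hypothetical and
' the list entries are constructed sample values.
' Convention assumed here: an entry ending in "." is a prefix on an octet
' boundary (a range); any other entry must match the whole address.
Const EXCLUDED_IPS = "127.0.0.1|192.168.22.|203.0.113.80"

' True for a dotted-quad IPv4 address whose four octets are all 0..255.
Function IsValidIPv4(strIP)
	Dim oRe, a, i
	IsValidIPv4 = False
	Set oRe = New RegExp
	oRe.Pattern = "^\d{1,3}(\.\d{1,3}){3}$"
	If Not oRe.Test(strIP) Then Exit Function
	a = Split(strIP, ".")
	For i = 0 To 3
		If CInt(a(i)) > 255 Then Exit Function
	Next
	IsValidIPv4 = True
End Function

' True when strIP equals an exact entry or starts with a prefix entry.
Function IsExcludedIP(strIP)
	Dim entry
	IsExcludedIP = False
	If Not IsValidIPv4(strIP) Then Exit Function
	For Each entry In Split(EXCLUDED_IPS, "|")
		If Right(entry, 1) = "." Then
			' Range: compare exactly Len(entry) characters from the left.
			' The trailing dot keeps "192.168.22." from matching 192.168.220.x.
			If Left(strIP, Len(entry)) = entry Then IsExcludedIP = True
		Else
			' Single address: whole-string comparison, no Left() involved.
			If strIP = entry Then IsExcludedIP = True
		End If
		If IsExcludedIP Then Exit Function
	Next
End Function

' In EventHandlers.vbs the check would sit at the top of the handler:
'   Sub OnClientConnect(oClient)
'      If IsExcludedIP(oClient.IPAddress) Then Exit Sub
'      ...
'
' To try the helper outside hMailServer, save this block as a .vbs file,
' append a line containing only SelfCheck, and run it with cscript.exe.
Sub SelfCheck()
	Dim t
	For Each t In Array("127.0.0.1", "192.168.22.7", "192.168.220.7", _
	                    "203.0.113.80", "203.0.113.8", "203.0.113.801", "::1")
		WScript.Echo t & " -> " & IsExcludedIP(t)
	Next
End Sub
```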


Post by udgesbou » 2022-12-06 13:00

Hey,
for two days I haven't been able to connect to my hMailServer via Outlook, Android Mail or so.

I think one reason could be my geoblocking. I only allowed IP addresses from Germany.

But in my "hmailserver_events.log" I only get these results:

Code: Select all

12260	"2022-12-06 11:14:24.036"	"- GeoLookup(60.217.75.70) = zz"
4252	"2022-12-06 11:43:14.268"	"- GeoLookup(91.15.34.229) = zz"
4252	"2022-12-06 11:43:34.471"	"- GeoLookup(80.187.102.198) = zz"
The hmailserver.log looks like this at 11:43:14:

Code: Select all

"DEBUG"	4252	"2022-12-06 11:43:14.236"	"Creating session 38"
"TCPIP"	4252	"2022-12-06 11:43:14.252"	"TCP - 91.15.34.229 connected to MYIPADDRESS:465."
"DEBUG"	4252	"2022-12-06 11:43:14.252"	"Executing event OnClientConnect"
"DEBUG"	4252	"2022-12-06 11:43:14.268"	"Event completed"
"DEBUG"	4252	"2022-12-06 11:43:14.268"	"Ending session 37"
I only got "zz". I tried it from different IPs from Germany, but I only got "zz" and not "de". It has been like this since 04.12.2022.

Can anyone help me with how I can fix that?


Thanks in advance :D

RvdH
Senior user
Posts: 2483
Joined: 2008-06-27 14:42
Location: The Netherlands

Post by RvdH » 2022-12-06 13:15

Looks like countries.nerd.dk has some issue, might be temporary or maybe it is permanently gone (don't think it was maintained actively anyway)

; <<>> DiG 9.16.34 <<>> 100.232.204.81.zz.countries.nerd.dk TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47380
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 98c1cb9aed04b11101000000638f23d8396910e6ca9806ce (good)
;; QUESTION SECTION:
;100.232.204.81.zz.countries.nerd.dk. IN TXT

;; Query time: 15 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 06 12:13:28 W. Europe Standard Time 2022
;; MSG SIZE rcvd: 92



Maybe you could substitute it with country.junkemailfilter.com?

; <<>> DiG 9.16.34 <<>> 100.232.204.81.country.junkemailfilter.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16008
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: ebb327ea90df677401000000638f2515af071c78656b0bd3 (good)
;; QUESTION SECTION:
;100.232.204.81.country.junkemailfilter.com. IN TXT

;; ANSWER SECTION:
100.232.204.81.country.junkemailfilter.com. 21600 IN TXT "nl"

;; Query time: 1633 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 06 12:18:45 W. Europe Standard Time 2022
;; MSG SIZE rcvd: 114
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup


Post by udgesbou » 2022-12-06 13:18

RvdH wrote:
2022-12-06 13:15
Looks like countries.nerd.dk has some issue, might be temporary or maybe it is permanently gone (don't think it was maintained actively anyway)

Oh okay, thanks for your very fast research and reply.

Is there any known alternative which I could possibly use? :(


EDIT:
RvdH wrote:
2022-12-06 13:15
Maybe you could substitute it with country.junkemailfilter.com?

Oh, this could be an option, so I have to change "zz.countries.nerd.dk" to "country.junkemailfilter.com"?


Post by RvdH » 2022-12-06 13:22

I think there is a slight difference between them for England, if I remember right it is discovered by countries.nerd.dk as "uk" whereas country.junkemailfilter.com returns "gb" (might be more irregularities)

Post by RvdH » 2022-12-06 13:23

udgesbou wrote:
2022-12-06 13:18
Oh, this could be an option, so I have to change "zz.countries.nerd.dk" to "country.junkemailfilter.com"?
Yep, that should be enough

Post by udgesbou » 2022-12-06 13:32

RvdH wrote:
2022-12-06 13:22
I think there is a slight difference between them for England, if I remember right it is discovered by countries.nerd.dk as "uk" whereas country.junkemailfilter.com returns "gb" (might be more irregularities)
Okay, but I would only allow connections from Germany anyway, so I would only need the return for Germany. Is it possible to research this somewhere? Or is it "de"?
RvdH wrote:
2022-12-06 13:23
Yep, that should be enough
Okay so it should look like this?:
EventHandlers.vbs

Code: Select all

Function GetDatabaseObject()
   Dim oApp : Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate(ADMIN, PASSWORD)
   Set GetDatabaseObject = oApp.Database
End Function

Function GeoLookup(strIP) : GeoLookup = "zz"
   Dim a, element, group, strLookup
   a = Split(strIP, ".")
   With CreateObject("DNSLibrary.DNSResolver")
      strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & "country.junkemailfilter.com")
   End With
   If Trim(strLookup) = "" Then
      EventLog.Write( "- GeoLookup(" & strIP & ") = " & GeoLookup )
      Exit Function
   End If
   group = Split(strLookup, vbCrLf)
   If UBound(group) > 0 Then
      For Each element In group
         If (Trim(element) <> "") Then EventLog.Write( "- GeoLookup(" & strIP & ") = " & element )
      Next
   Else
      GeoLookup = group(0)
   End If
End Function

'******************************************************************************************************************************
'********** hMailServer Triggers                                                                                     **********
'******************************************************************************************************************************

Sub OnClientConnect(oClient)
   '
   '   Exclude local LAN from test
   '
   If (Left(oClient.IPAddress, 12) = "MYIPADDRESS") Then Exit Sub ' MEDIUM Cloud
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub ' Local
   '
   '   Only allow non-SMTP connect from "Rigsfællesskabet"/"Naalagaaffeqatigiit"/"Ríkisfelagsskapurin" = The Danish Realm.
   '   zz = N/A, dk = Denmark, gl = Greenland, fo = Faroe Islands
   '
   If (oClient.Port <> 25) Then
      If (InStr("de", GeoLookup(oClient.IPAddress)) = 0) Then
         '
         '   Add unauthorized access to IDS registry
         '
         Call idsAddIP(oClient.IPAddress, oClient.Port)
         Result.Value = 1
         Exit Sub
      End If
   End If
   '
   '   Only test SMTP traffic on defined ports 25, 587 and 465.
   '   Register IP address in IDS registry.
   '
   If (InStr("|25|587|465|", oClient.Port) > 0) Then Call idsAddIP(oClient.IPAddress, 0)
End Sub

'* Sub OnHELO(oClient)
'* End Sub
Or should it be called something else? ".zz.country.junkemailfilter.com"?

This is the actual EventHandlers.vbs:

Code: Select all

Function GetDatabaseObject()
   Dim oApp : Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate(ADMIN, PASSWORD)
   Set GetDatabaseObject = oApp.Database
End Function

Function GeoLookup(strIP) : GeoLookup = "zz"
   Dim a, element, group, strLookup
   a = Split(strIP, ".")
   With CreateObject("DNSLibrary.DNSResolver")
      strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zz.countries.nerd.dk")
   End With
   If Trim(strLookup) = "" Then
      EventLog.Write( "- GeoLookup(" & strIP & ") = " & GeoLookup )
      Exit Function
   End If
   group = Split(strLookup, vbCrLf)
   If UBound(group) > 0 Then
      For Each element In group
         If (Trim(element) <> "") Then EventLog.Write( "- GeoLookup(" & strIP & ") = " & element )
      Next
   Else
      GeoLookup = group(0)
   End If
End Function

'******************************************************************************************************************************
'********** hMailServer Triggers                                                                                     **********
'******************************************************************************************************************************

Sub OnClientConnect(oClient)
   '
   '   Exclude local LAN from test
   '
   If (Left(oClient.IPAddress, 12) = "MYIPADDRESS") Then Exit Sub ' MEDIUM Cloud
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub ' Local
   '
   '   Only allow non-SMTP connect from "Rigsfællesskabet"/"Naalagaaffeqatigiit"/"Ríkisfelagsskapurin" = The Danish Realm.
   '   zz = N/A, dk = Denmark, gl = Greenland, fo = Faroe Islands
   '
   If (oClient.Port <> 25) Then
      If (InStr("de", GeoLookup(oClient.IPAddress)) = 0) Then
         '
         '   Add unauthorized access to IDS registry
         '
         Call idsAddIP(oClient.IPAddress, oClient.Port)
         Result.Value = 1
         Exit Sub
      End If
   End If
   '
   '   Only test SMTP traffic on defined ports 25, 587 and 465.
   '   Register IP address in IDS registry.
   '
   If (InStr("|25|587|465|", oClient.Port) > 0) Then Call idsAddIP(oClient.IPAddress, 0)
End Sub

'* Sub OnHELO(oClient)
'* End Sub

Post by RvdH » 2022-12-06 13:35

it is "de"

; <<>> DiG 9.16.34 <<>> 229.34.15.91.country.junkemailfilter.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37014
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7129c829559b875901000000638f28e333e400f7fa7c13bd (good)
;; QUESTION SECTION:
;229.34.15.91.country.junkemailfilter.com. IN TXT

;; ANSWER SECTION:
229.34.15.91.country.junkemailfilter.com. 21600 IN TXT "de"

;; Query time: 281 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 06 12:34:59 W. Europe Standard Time 2022
;; MSG SIZE rcvd: 112

Post by RvdH » 2022-12-06 13:43

Country Code List
Junk Email Filter now provides a country code IP lookup. Just used the standard IP lookup (reversed) and read the TXT record and it returns a 2 character country code.

4.3.2.1.country.junkemailfilter.com TXT
Return code of "zz" means the country is unknown.
https://wiki.junkemailfilter.com/index. ... _DNS_Lists

Post by udgesbou » 2022-12-06 13:44

RvdH wrote:
2022-12-06 13:35
it is "de"
Thank you!

I tried this EventHandlers.vbs Config, but the result is still "zz" :(

Code: Select all

Function GetDatabaseObject()
   Dim oApp : Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate(ADMIN, PASSWORD)
   Set GetDatabaseObject = oApp.Database
End Function

Function GeoLookup(strIP) : GeoLookup = "zz"
   Dim a, element, group, strLookup
   a = Split(strIP, ".")
   With CreateObject("DNSLibrary.DNSResolver")
      strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zz.country.junkemailfilter.com")
   End With
   If Trim(strLookup) = "" Then
      EventLog.Write( "- GeoLookup(" & strIP & ") = " & GeoLookup )
      Exit Function
   End If
   group = Split(strLookup, vbCrLf)
   If UBound(group) > 0 Then
      For Each element In group
         If (Trim(element) <> "") Then EventLog.Write( "- GeoLookup(" & strIP & ") = " & element )
      Next
   Else
      GeoLookup = group(0)
   End If
End Function

'******************************************************************************************************************************
'********** hMailServer Triggers                                                                                     **********
'******************************************************************************************************************************

Sub OnClientConnect(oClient)
   '
   '   Exclude local LAN from test
   '
   If (Left(oClient.IPAddress, 12) = "MYIPADDRESS") Then Exit Sub ' MEDIUM Cloud
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub ' Local
   '
   '   Only allow non-SMTP connect from "Rigsfællesskabet"/"Naalagaaffeqatigiit"/"Ríkisfelagsskapurin" = The Danish Realm.
   '   zz = N/A, dk = Denmark, gl = Greenland, fo = Faroe Islands
   '
   If (oClient.Port <> 25) Then
      If (InStr("de", GeoLookup(oClient.IPAddress)) = 0) Then
         '
         '   Add unauthorized access to IDS registry
         '
         Call idsAddIP(oClient.IPAddress, oClient.Port)
         Result.Value = 1
         Exit Sub
      End If
   End If
   '
   '   Only test SMTP traffic on defined ports 25, 587 and 465.
   '   Register IP address in IDS registry.
   '
   If (InStr("|25|587|465|", oClient.Port) > 0) Then Call idsAddIP(oClient.IPAddress, 0)
End Sub

'* Sub OnHELO(oClient)
'* End Sub
I tried it with different German IPs :(

Or is ".zz.country.junkemailfilter.com" the wrong address?


Post by RvdH » 2022-12-06 13:54

Yes, read above

Post by udgesbou » 2022-12-06 14:04

RvdH wrote:
2022-12-06 13:43
4.3.2.1.country.junkemailfilter.com TXT
So I have to use this "4.3.2.1.country.junkemailfilter.com TXT" or "4.3.2.1.country.junkemailfilter.com"?

I also read the wiki, but I am a big noob in such things :(


Post by RvdH » 2022-12-06 14:09

Code: Select all

   With CreateObject("DNSLibrary.DNSResolver")
      strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".country.junkemailfilter.com")
   End With

Post by udgesbou » 2022-12-06 14:18

RvdH wrote:
2022-12-06 14:09

Code: Select all

   With CreateObject("DNSLibrary.DNSResolver")
      strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".country.junkemailfilter.com")
   End With
OMG, now it works, I can connect to my hMailServer :idea: :idea: :!: :!:
Thank you very very much for your help and your patience.

In hmailserver_events.log I still get the result "zz", but I can connect and receive and send mails. I don't know why I got no "de" as result?


Post by RvdH » 2022-12-06 15:39

udgesbou wrote:
2022-12-06 14:18
OMG, now it works, I can connect to my hMailServer :idea: :idea: :!: :!:
Thank you very very much for your help and your patience.

In hmailserver_events.log I still get the result "zz", but I can connect and receive and send mails. I don't know why I got no "de" as result?
That sounds weird, did you reload scripts?
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

RvdH
Senior user
Posts: 2483
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Hardening hMailServer - The ongoing saga!

Post by RvdH » 2022-12-06 15:53

Ah, I see... EventLog.Write is only called when none or multiple entries are returned.... not for successful lookups

Not even sure if multiple is possible here, the lookup against nerds.dk had the odd behavior to sometimes return multiple results, example: "nl" and "eu"
Last edited by RvdH on 2022-12-06 15:55, edited 1 time in total.

udgesbou
Normal user
Posts: 38
Joined: 2021-04-05 19:33
Location: Germany

Re: Hardening hMailServer - The ongoing saga!

Post by udgesbou » 2022-12-06 15:55

RvdH wrote:
2022-12-06 14:09
That sounds weird, did you reload scripts?
Yeah, I reloaded scripts and restarted hmailserver, but still result "zz" :(
RvdH wrote:
2022-12-06 15:53
Ah, I see... EventLog.Write is only called when none or multiple entries are returned.... not for successful lookups

Not even sure if multiple is possible here, the lookup against nerds.dk had the odd behavior to sometimes return multiple results, example: "nl" and "eu"
Oh dear, I don't know what that means :(

RvdH
Senior user
Posts: 2483
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Hardening hMailServer - The ongoing saga!

Post by RvdH » 2022-12-06 15:58

It only logs failures as said before, if you like to log successful lookups change the function like:

Code: Select all

Function GeoLookup(strIP) : GeoLookup = "zz"
   Dim a, element, group, strLookup
   a = Split(strIP, ".")
   With CreateObject("DNSLibrary.DNSResolver")
      strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".country.junkemailfilter.com")
   End With
   If Trim(strLookup) = "" Then
      EventLog.Write( "- GeoLookup(" & strIP & ") = " & GeoLookup )
      Exit Function
   End If
   group = Split(strLookup, vbCrLf)
   If UBound(group) > 0 Then
      For Each element In group
         If (Trim(element) <> "") Then EventLog.Write( "- GeoLookup(" & strIP & ") = " & element )
      Next
   Else
      EventLog.Write( "- GeoLookup(" & strIP & ") = " & group(0))
      GeoLookup = group(0)
   End If
End Function

udgesbou
Normal user
Posts: 38
Joined: 2021-04-05 19:33
Location: Germany

Re: Hardening hMailServer - The ongoing saga!

Post by udgesbou » 2022-12-06 17:07

RvdH wrote:
2022-12-06 15:58
It only logs failures as said before, if you like to log successful lookups change the function like:

Code: Select all

Function GeoLookup(strIP) : GeoLookup = "zz"
   Dim a, element, group, strLookup
   a = Split(strIP, ".")
   With CreateObject("DNSLibrary.DNSResolver")
      strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".country.junkemailfilter.com")
   End With
   If Trim(strLookup) = "" Then
      EventLog.Write( "- GeoLookup(" & strIP & ") = " & GeoLookup )
      Exit Function
   End If
   group = Split(strLookup, vbCrLf)
   If UBound(group) > 0 Then
      For Each element In group
         If (Trim(element) <> "") Then EventLog.Write( "- GeoLookup(" & strIP & ") = " & element )
      Next
   Else
      EventLog.Write( "- GeoLookup(" & strIP & ") = " & group(0))
      GeoLookup = group(0)
   End If
End Function
That works pretty well, thank you very very much my friend :wink: :idea:

RvdH
Senior user
Posts: 2483
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Hardening hMailServer - The ongoing saga!

Post by RvdH » 2022-12-06 20:29

👍

mattg
Moderator
Posts: 22154
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Hardening hMailServer - The ongoing saga!

Post by mattg » 2022-12-09 02:55

SorenR wrote:
2019-01-28 17:09
ActiveX object DNSLibrary can be obtained from https://d-fault.nl/files/DNSResolverCom ... .3.exe.zip
Link is broken

I see that RvdH has listed newer versions
https://d-fault.nl/files
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

RvdH
Senior user
Posts: 2483
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Hardening hMailServer - The ongoing saga!

Post by RvdH » 2022-12-09 13:08

mattg wrote:
2022-12-09 02:55
SorenR wrote:
2019-01-28 17:09
ActiveX object DNSLibrary can be obtained from https://d-fault.nl/files/DNSResolverCom ... .3.exe.zip
Link is broken

I see that RvdH has listed newer versions
https://d-fault.nl/files
I created a redirect DNSResolverComponent_1.3.exe.zip to DNSResolverComponent_1.3.1.2.exe.zip

DNSResolverComponent_1.3.1.2 uses UDP and requires .NET 3.5 (using HeijdenDNS)
DNSResolverComponent_1.4.1.2 uses TCP and requires .NET 4.5 (using HeijdenDNS)
DNSResolverComponent_1.4.5.0 is a complete rewrite with more options, e.g. you can choose between UDP and TCP, TCP fallback, set UDP packet size, and requires .NET 4.5 (using DnsClient.NET)

(I think :) )



1.4.5.0
This object has 28 public functions:

-- SetTimeout(<int [1-10]>) * default 1
-- SetRetries(<int [1-10]>) * default 3
-- SetRecursion(<bool>) * default true
-- SetServer(<string IPv4 or IPv6>) * default none
-- SetEdnsPacketSize(<int [512-4096]>) * default 4096
-- SetTcpFallback(<bool>) * default true
-- SetTcpOnly(<bool>) * default false

-- GetTimeout() * returns Timeout value
-- GetRetries() * returns Retries value
-- GetRecursion() * returns Recursion value
-- GetServer() * returns Server value (if any)
-- GetEdnsPacketSize() * returns edns packet size value
-- GetTcpFallback() * returns TCPFallback value
-- GetTcpOnly() * returns TCPOnly value

-- Version() * returns the version number
-- Help() * shows this help
-- IPv4A(<Domain name>) * query IPv4 A-Record(s)
-- A(<Domain name>) * same as IPv4A (deprecated)
-- DNSLookup(<Domain name>) * same as IPv4A (deprecated)
-- IPv6A(<Domain name>) * query IPv6 A-Record(s)
-- AAAA(<Domain name>) * same as IPv6A (deprecated)
-- CAA(<Domain name>) * query CAA-Record
-- CNAME(<Domain name>) * query CNAME-Record(s)
-- MX(<Domain name>) * query MX-Record(s)
-- NS(<Domain name>) * query NS-Record(s)
-- PTR(<IP address>) * query PTR-Record
-- SOA(<Domain name>) * query SOA-Record
-- TXT(<Domain name>) * query TXT-Record(s)
Example:

Code: Select all

Private Const DnsServer = "127.0.0.1"
Private Const DnsExtendedDnsBufferSize = 1232
Private Const DnsTimeOut = 5
Private Const DnsRetries = 2


With CreateObject("DNSLibrary.DNSResolver")
    .SetServer(DnsServer)
    .SetEdnsPacketSize(DnsExtendedDnsBufferSize)
    .SetTimeout(DnsTimeOut)
    .SetRetries(DnsRetries)
    strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".country.junkemailfilter.com")
End With

Jorgo
Normal user
Posts: 30
Joined: 2018-01-21 19:54
Location: Germany

Re: Hardening hMailServer - The ongoing saga!

Post by Jorgo » 2022-12-17 23:11

Too sad about countries.nerd.dk, but there seems to be an alternative for country blocking with country.junkemailfilter.com

Unfortunately, I am not as sophisticated as many here so I have to take little baby steps in how I change my setup. I'm gathering that I cannot simply swap out my country-based DNS blacklists in hmailserver by replacing, say "cn.countries.nerd.dk" by "country.junkemailfilter.com". One is testing for a country and if the result is "yes" then the message is rejected whereas with country.junkemailfilter.com there are no predefined IP blocks so the answer to the query is not "yes" nor "no" but "country".

Hm. So what you are doing now is letting a script do the lifting of getting the country first and then checking the result against white- or black-listed countries in your own config? That would be the way for me, unfortunately I cannot simply allow connections from country but need a few more as well as to not shut out Goggle, Hootmail, etc. Preferably, white-listing should be used and all other countries rejected. However, I have no idea how to use external programs for this, like the "resolver". Could someone give me a pointer where I can read up on this? I'm not running hmailserver on Windows server though, just a workstation.

Jorgo
Normal user
Posts: 30
Joined: 2018-01-21 19:54
Location: Germany

Re: Hardening hMailServer - The ongoing saga!

Post by Jorgo » 2022-12-17 23:26

The inbuilt DNS blacklist thing is really great, though, as it lets you use fine-grained reactions via scoring. Too bad country.junkemailfilter.com can't be used with that directly!

Edit: Hang on, hang on... I feel a tingle in my toes...

Is this supposed to work?

Image: https://imgur.com/a/siuEk9s

palinka
Senior user
Posts: 3838
Joined: 2017-09-12 17:57

Re: Hardening hMailServer - The ongoing saga!

Post by palinka » 2022-12-18 00:39

Jorgo wrote:
2022-12-17 23:26
The inbuilt DNS blacklist thing is really great, though, as it lets you use fine-grained reactions via scoring. Too bad country.junkemailfilter.com can't be used with that directly!

Edit: Hang on, hang on... I feel a tingle in my toes...

Is this supposed to work?

Image: https://imgur.com/a/siuEk9s
No, that won't work because the answer will be an IP address like 127.0.0.2. The reply will be NX domain always.

If you can make a query work using nslookup, then it will work as a custom dnsbl like you tried to do with it.

Your best bet is to try to make the script above work, or if you prefer using local query with mysql, then you can check this one out: viewtopic.php?f=9&t=34496

Jorgo
Normal user
Posts: 30
Joined: 2018-01-21 19:54
Location: Germany

Re: Hardening hMailServer - The ongoing saga!

Post by Jorgo » 2022-12-18 00:56

Thanks, you seem to be on top of it. Although I'm running MySQL in MariaDB flavour, the thread you referenced unfortunately is very long, still seems to be ongoing and I can't make out which post contains the complete final script. Probably should be in .sql format so it could be imported into the database but all that is a bit over my head.

Jorgo
Normal user
Posts: 30
Joined: 2018-01-21 19:54
Location: Germany

Re: Hardening hMailServer - The ongoing saga!

Post by Jorgo » 2022-12-18 16:28

OK, I've got logging working, same as @udgesbou above. Now I would like to immediately disconnect any country not in my whitelist. In his script I see

Code: Select all

'******************************************************************************************************************************
'********** hMailServer Triggers                                                                                     **********
'******************************************************************************************************************************

Sub OnClientConnect(oClient)
   '
   '   Exclude local LAN from test
   '
   If (Left(oClient.IPAddress, 12) = "MYIPADDRESS") Then Exit Sub ' MEDIUM Cloud
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub ' Local
   '
   '   Only allow non-SMTP connect from "Rigsfællesskabet"/"Naalagaaffeqatigiit"/"Ríkisfelagsskapurin" = The Danish Realm.
   '   zz = N/A, dk = Denmark, gl = Greenland, fo = Faroe Islands
   '
   If (oClient.Port <> 25) Then
      If (InStr("de", GeoLookup(oClient.IPAddress)) = 0) Then
         '
         '   Add unauthorized access to IDS registry
         '
         Call idsAddIP(oClient.IPAddress, oClient.Port)
         Result.Value = 1
         Exit Sub
      End If
   End If
that "Only allow Danish Realm" is commented but then it seems to target only "de". I guess I would expand the country list like

Code: Select all

    If (InStr("de|us|fr", GeoLookup(oClient.IPAddress)) = 0) Then
Also, for the Call to idsAddIP I guess I have to backtrack to @SorenR 's original concept from 2019 and start experimenting...

Jorgo
Normal user
Posts: 30
Joined: 2018-01-21 19:54
Location: Germany

Re: Hardening hMailServer - The ongoing saga!

Post by Jorgo » 2022-12-18 17:35

Alright, does anyone spot syntax errors or call nonsense?

Code: Select all

Function GeoLookup(strIP) : GeoLookup = "zz"
   Dim a, element, group, strLookup
   a = Split(strIP, ".")
   With CreateObject("DNSLibrary.DNSResolver")
      strLookup = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".country.junkemailfilter.com")
   End With
   If Trim(strLookup) = "" Then
      EventLog.Write( "- GeoLookup(" & strIP & ") = " & GeoLookup )
      Exit Function
   End If
   group = Split(strLookup, vbCrLf)
   If UBound(group) > 0 Then
      For Each element In group
         If (Trim(element) <> "") Then EventLog.Write( "- GeoLookup(" & strIP & ") = " & element )
      Next
   Else
      EventLog.Write( "- GeoLookup(" & strIP & ") = " & group(0))
      GeoLookup = group(0)
   End If
End Function

'******************************************************************************************************************************
'********** hMailServer Triggers                                                                                     **********
'******************************************************************************************************************************
Sub OnClientConnect(oClient)
   '   Autoban unwanted countries for 1 day
   '
   '   1. Exclude local LAN from test
   '
   If (Left(oClient.IPAddress, 12) = "MYIPADDRESS") Then Exit Sub ' MEDIUM Cloud
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub ' Local
   If (Left(oClient.IPAddress, 10) = "192.168.1.") Then Exit Sub
   If (Left(oClient.IPAddress, 9) = "127.0.0.1") Then Exit Sub
   '
   '   2. Only allow non-SMTP connections from some countries (remember where you might be in your holidays + VPN!)
   '   Examples: zz = N/A, de = Germany, us = USA, nl = Holland, be = Belgium, fr = France, at = Austria, ch = Switzerland
   '
   If (oClient.Port <> 25) Then
      If (InStr("de|us|at", GeoLookup(oClient.IPAddress)) = 0) Then
         Result.Value = 1
         EventLog.Write(oClient.IPAddress & vbTab & oClient.Port)
         Call AutoBan(oClient.IPAddress, "InStr" & oClient.Port, 1, "d")
         Exit Sub
      End If
   End If
   '
   '   3. Only allow SMTP connections from some countries (breaking RFC)
   '
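   '   Ports 465 and 587 only get this far for countries that already passed test 2.
   If (oClient.Port = 25 Or oClient.Port = 465 Or oClient.Port = 587) Then
      If (InStr("de|us|be|nl|fr|at|ch", GeoLookup(oClient.IPAddress)) = 0) Then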
         Result.Value = 1
         EventLog.Write(oClient.IPAddress & vbTab & oClient.Port)
         Call AutoBan(oClient.IPAddress, "InStr" & oClient.Port, 1, "d")
         Exit Sub
      End If
   End If
   '
End Sub

Sub AutoBan(sIPAddress, sReason, iDuration, sType)
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMINISTRATOR, MYPASSWORD)
    With LockFile(oApp.Settings.Directories.TempDirectory & "\autoban.lck")
       On Error Resume Next
       oApp.Settings.SecurityRanges.Refresh
       If (oApp.Settings.SecurityRanges.ItemByName("Auto-ban: (" & sReason & ") " & sIPAddress) Is Nothing) Then
          With oApp.Settings.SecurityRanges.Add
             .Name = "Auto-ban: (" & sReason & ") " & sIPAddress
             .LowerIP = sIPAddress
             .UpperIP = sIPAddress
             .Priority = 20
             .Expires = True
             .ExpiresTime = DateAdd(sType, iDuration, Now())
             .Save
          End With
       End If
       On Error Goto 0
       .Close
    End With
End Sub
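
An exact-match version of the country test used in the script above, as an added example (not code from any poster in this thread). It separates a failed lookup from a known, disallowed country so that only the latter would be passed to AutoBan; the helper names NormalizeCode, IsAllowedCountry and Decide, the sample allowlist and the sample results are constructed for illustration. It assumes GeoLookup returns a two-letter code, or "zz" when the lookup gave no single answer.

```vbscript
Option Explicit

' Added example, not from the thread. Run stand-alone with: cscript //nologo demo.vbs
' Assumption: GeoLookup() returns a two-letter country code, or "zz" when the
' DNS lookup failed or returned several answers (as in the function above).

Const ALLOWED_CLIENT = "de|us|at"   ' constructed sample allowlist

' Reduce a lookup result to a lowercase two-letter code; anything else is "zz".
Function NormalizeCode(strCode)
   Dim re, code
   Set re = New RegExp
   re.Pattern = "^[a-z]{2}$"
   code = LCase(Trim(strCode))
   If re.Test(code) Then NormalizeCode = code Else NormalizeCode = "zz"
End Function

' Exact-match membership test. InStr() is a substring search:
' InStr("de|us|at", "") = 1 and InStr("de|us|at", "e|") = 2, so an empty or
' malformed result would be treated as an allowed country.
Function IsAllowedCountry(strAllowed, strCode)
   Dim entry
   IsAllowedCountry = False
   For Each entry In Split(strAllowed, "|")
      If entry = strCode Then
         IsAllowedCountry = True
         Exit Function
      End If
   Next
End Function

' "allow"  = country is on the allowlist
' "reject" = no usable answer ("zz"): disconnect but do not ban, so a resolver
'            outage cannot lock legitimate clients out for the ban period
' "ban"    = lookup named a country that is not on the allowlist
Function Decide(strAllowed, strLookupResult)
   Dim code : code = NormalizeCode(strLookupResult)
   If code = "zz" Then
      Decide = "reject"
   ElseIf IsAllowedCountry(strAllowed, code) Then
      Decide = "allow"
   Else
      Decide = "ban"
   End If
End Function

' Constructed sample lookup results, printed next to what InStr() alone says.
Dim sample
For Each sample In Array("de", "DE ", "cn", "zz", "", "e|")
   WScript.Echo "[" & sample & "] InStr=" & InStr(ALLOWED_CLIENT, sample) & _
      " decision=" & Decide(ALLOWED_CLIENT, sample)
Next
```

Inside OnClientConnect, a "reject" result would set Result.Value = 1 without calling AutoBan, while "ban" would do both. The final loop uses WScript.Echo and is for testing outside hMailServer only.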

RvdH
Senior user
Posts: 2483
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Hardening hMailServer - The ongoing saga!

Post by RvdH » 2022-12-18 21:34

In my experience, country.junkemailfilter.com is not that accurate, I had several NL-based IPs being blocked

https://github.com/RvdHout/GeoLite2SQL (basically the same as https://github.com/palinkas-jo-reggelt/GeoLite2SQL, but with original database format/column names and MySQL.Data.dll embedded)
https://www.hmailserver.com/forum/viewt ... 67#p244167

palinka
Senior user
Posts: 3838
Joined: 2017-09-12 17:57

Re: Hardening hMailServer - The ongoing saga!

Post by palinka » 2022-12-19 09:49

I had a peek at your code and noticed something. I was going to post an issue on your github but issues don't seem to be available on this repository. Anyway:

https://github.com/RvdHout/GeoLite2SQL/ ... L.ps1#L210

You should change the url to your own github address because if you make changes, no one that has downloaded it will know. And if I make changes, your downloaders will think there was an update when there wasn't. :D

RvdH
Senior user
Posts: 2483
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Hardening hMailServer - The ongoing saga!

Post by RvdH » 2022-12-19 10:46

palinka wrote:
2022-12-19 09:49
I had a peek at your code and noticed something. I was going to post an issue on your github but issues don't seem to be available on this repository. Anyway:

https://github.com/RvdHout/GeoLite2SQL/ ... L.ps1#L210

You should change the url to your own github address because if you make changes, no one that has downloaded it will know. And if I make changes, your downloaders will think there was an update when there wasn't. :D
Good one, better now?

palinka
Senior user
Posts: 3838
Joined: 2017-09-12 17:57

Re: Hardening hMailServer - The ongoing saga!

Post by palinka » 2022-12-19 14:59

RvdH wrote:
2022-12-19 10:46
palinka wrote:
2022-12-19 09:49
I had a peek at your code and noticed something. I was going to post an issue on your github but issues don't seem to be available on this repository. Anyway:

https://github.com/RvdHout/GeoLite2SQL/ ... L.ps1#L210

You should change the url to your own github address because if you make changes, no one that has downloaded it will know. And if I make changes, your downloaders will think there was an update when there wasn't. :D
Good one, better now?
Yeah, looks good. Address resolves properly. Don't forget to update version.txt when you make updates.

I wonder if there's some github api function that can do this automatically. :?:
