POP before SMTP ... Sort of...

Post by SorenR » 2023-03-16 18:14

Probably a completely useless function but here it goes.

I run a pretty locked down server only open to IMAP/SMTP connections from a limited number of TLDs and a very aggressive IDS system.

I have one account that enjoys traveling, she's on the Seychelles right now and as usual I'm told last minute so I was away from home when she needed to _send_ an email... When she's at home I have her residential IP address running same IP Range priority as my internal LAN (Un-bannable ;-) )

She's using (Cr)Apple gear and 9 of 10 times her email client triggers my IDS system and bans the IP address. This function creates a temporary IP range for a specific IP address with a priority of 40 for a period of 48 hours when successfully authenticating on the server. :mrgreen:

Code:

'      enum RangeOptions
'      {
'   *     IPRANGE_ALLOW_SMTP = 1,
'         IPRANGE_ALLOW_POP3 = 2,
'   *     IPRANGE_ALLOW_IMAP = 8,
'         //IPRANGE_REQUIRE_SMTP_AUTH_ONLY_EXTERNAL = 16,
'         //IPRANGE_REQUIRE_SMTP_AUTH = 32,
'   *     IPRANGE_RELAY_LOCAL_TO_LOCAL = 64,
'   *     IPRANGE_RELAY_LOCAL_TO_REMOTE = 128,
'         IPRANGE_RELAY_REMOTE_TO_LOCAL = 256,
'         IPRANGE_RELAY_REMOTE_TO_REMOTE = 512,
'   *     IPRANGE_SPAM_PROTECTION = 1024,
'         // IPRANGE_FORWARDING_RELAY = 2048, -- no longer used, as of 5.1. stored in separate object.
'   *     IPRANGE_VIRUS_PROTECTION = 4096,
'   *     IPRANGE_SMTP_AUTH_LOCAL_TO_LOCAL = 8192,
'   *     IPRANGE_SMTP_AUTH_LOCAL_TO_EXTERNAL = 16384,
'         IPRANGE_SMTP_AUTH_EXTERNAL_TO_LOCAL = 32768,
'         IPRANGE_SMTP_AUTH_EXTERNAL_TO_EXTERNAL = 65536,
'
'   *     IPRANGE_REQUIRE_TLS_FOR_AUTH = 131072
'      };

'  Table              Create Table                                           
'  -----------------  -------------------------------------------------------
'  hm_securityranges  CREATE TABLE hm_securityranges (                     
'                       rangeid int(11) NOT NULL AUTO_INCREMENT,           
'                       rangepriorityid int(11) NOT NULL,                  
'                       rangelowerip1 bigint(20) NOT NULL,                 
'                       rangelowerip2 bigint(20) DEFAULT NULL,             
'                       rangeupperip1 bigint(20) NOT NULL,                 
'                       rangeupperip2 bigint(20) DEFAULT NULL,             
'   160969              rangeoptions int(11) NOT NULL,                     
'                       rangename varchar(100) NOT NULL,                   
'                       rangeexpires tinyint(4) NOT NULL,                  
'                       rangeexpirestime datetime NOT NULL,                
'                       PRIMARY KEY (rangeid),                             
'                       UNIQUE KEY rangeid (rangeid),                    
'                       UNIQUE KEY rangename (rangename)                 
'                     ) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8  

Code:

Function IMAPBeforeSMTP(sIPAddress, sReason, iDuration, sType) : IMAPBeforeSMTP = False
    '
    '   sType can be one of the following;
    '   "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
    '
    '   ADMIN and PASSWORD must be defined elsewhere in the script.
    '   rangeoptions 160969 = sum of the flags marked * in the enum above.
    '
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMIN, PASSWORD)
    Dim iUniqueID, strSQL, strDate, strName, oDB : Set oDB = oApp.Database
    '   The date is converted to text using the server locale; the STR_TO_DATE
    '   format below assumes that this yields dd-mm-yyyy hh:mm:ss.
    strDate = DateAdd(sType, iDuration, Now())
    '   Double single quotes in the reason so it cannot break out of the SQL string literal.
    strName = "(" & Replace(sReason, "'", "''") & ") " & sIPAddress
    strSQL = "INSERT INTO hm_securityranges (rangepriorityid, rangelowerip1, rangeupperip1, rangeoptions, rangename, rangeexpires, rangeexpirestime)" & _
             " VALUES (40, INET_ATON('" & sIPAddress & "'), INET_ATON('" & sIPAddress & "'), 160969, '" & strName & "', 1, STR_TO_DATE('" & strDate & "', '%d-%m-%Y %H:%i:%s'))" & _
             " ON DUPLICATE KEY UPDATE rangeexpirestime = STR_TO_DATE('" & strDate & "', '%d-%m-%Y %H:%i:%s');"
    iUniqueID = oDB.ExecuteSQLWithReturn(strSQL)
    If iUniqueID > 0 Then IMAPBeforeSMTP = True
    oApp.Settings.SecurityRanges.Refresh
    Set oDB = Nothing
    Set oApp = Nothing
End Function

'
'   Main script code ... (inside an event handler that receives oClient)
'
If oClient.Authenticated Then _
    Call IMAPBeforeSMTP(oClient.IPAddress, oClient.Username, 48, "h")

SørenR.

“Knock, knock.”
“Who’s there?”
very long pause….
“Java.”
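
A hardened way to build the same INSERT, as an added example that is not the original poster's code: it rejects anything that is not a dotted-quad IPv4 address, escapes the reason, derives the option mask from the starred enum flags and formats the expiry independently of the Windows locale. The helper names (TempRangeOptions, IsIPv4, SqlQuote, Pad2, MySqlDateTime, BuildTempRangeSQL) and the sample values are assumptions.

```vbscript
Option Explicit
' Added example; helper names are hypothetical. Flag values: entries marked * in the enum above.
Const IPRANGE_ALLOW_SMTP = 1, IPRANGE_ALLOW_IMAP = 8
Const IPRANGE_RELAY_LOCAL_TO_LOCAL = 64, IPRANGE_RELAY_LOCAL_TO_REMOTE = 128
Const IPRANGE_SPAM_PROTECTION = 1024, IPRANGE_VIRUS_PROTECTION = 4096
Const IPRANGE_SMTP_AUTH_LOCAL_TO_LOCAL = 8192, IPRANGE_SMTP_AUTH_LOCAL_TO_EXTERNAL = 16384
Const IPRANGE_REQUIRE_TLS_FOR_AUTH = 131072

Function TempRangeOptions()   ' evaluates to 160969, the literal used in the post
    TempRangeOptions = IPRANGE_ALLOW_SMTP Or IPRANGE_ALLOW_IMAP Or IPRANGE_RELAY_LOCAL_TO_LOCAL Or _
        IPRANGE_RELAY_LOCAL_TO_REMOTE Or IPRANGE_SPAM_PROTECTION Or IPRANGE_VIRUS_PROTECTION Or _
        IPRANGE_SMTP_AUTH_LOCAL_TO_LOCAL Or IPRANGE_SMTP_AUTH_LOCAL_TO_EXTERNAL Or _
        IPRANGE_REQUIRE_TLS_FOR_AUTH
End Function
Function IsIPv4(sIP)          ' strict dotted quad; INET_ATON handles IPv4 only
    Dim oRe, aPart, i
    IsIPv4 = False
    Set oRe = New RegExp
    oRe.Pattern = "^\d{1,3}(\.\d{1,3}){3}$"
    If Not oRe.Test(sIP) Then Exit Function
    aPart = Split(sIP, ".")
    For i = 0 To 3
        If CInt(aPart(i)) > 255 Then Exit Function
    Next
    IsIPv4 = True
End Function
Function SqlQuote(s)          ' MySQL string literal: escape backslashes, then double quotes
    SqlQuote = "'" & Replace(Replace(s, "\", "\\"), "'", "''") & "'"
End Function
Function Pad2(n) : Pad2 = Right("0" & n, 2) : End Function
Function MySqlDateTime(dt)    ' yyyy-mm-dd hh:mm:ss regardless of locale
    MySqlDateTime = Year(dt) & "-" & Pad2(Month(dt)) & "-" & Pad2(Day(dt)) & " " & _
                    Pad2(Hour(dt)) & ":" & Pad2(Minute(dt)) & ":" & Pad2(Second(dt))
End Function

Function BuildTempRangeSQL(sIP, sReason, dtExpires)
    Dim sName, sExp
    BuildTempRangeSQL = ""    ' empty result = input rejected
    If Not IsIPv4(sIP) Then Exit Function
    ' rangename is varchar(100): trim the reason, keep the IP part intact
    sName = "(" & Left(sReason, 97 - Len(sIP)) & ") " & sIP
    sExp = "'" & MySqlDateTime(dtExpires) & "'"
    BuildTempRangeSQL = "INSERT INTO hm_securityranges (rangepriorityid, rangelowerip1," & _
        " rangeupperip1, rangeoptions, rangename, rangeexpires, rangeexpirestime)" & _
        " VALUES (40, INET_ATON('" & sIP & "'), INET_ATON('" & sIP & "'), " & _
        TempRangeOptions() & ", " & SqlQuote(sName) & ", 1, " & sExp & ")" & _
        " ON DUPLICATE KEY UPDATE rangeexpirestime = " & sExp & ";"
End Function

' Constructed sample input: documentation address, made-up user name, invalid address
WScript.Echo BuildTempRangeSQL("203.0.113.7", "o'brien@example.com", DateAdd("h", 48, Now()))
WScript.Echo "[" & BuildTempRangeSQL("999.0.0.1", "x", Now()) & "]"   ' rejected: prints []
```

The two WScript.Echo lines are for running the file under cscript; in an event handler the returned string would be passed to oDB.ExecuteSQLWithReturn as in the post.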

Post by palinka » 2023-03-16 20:00

Sorry for taking this somewhat off topic, but I had to abandon IDS because I was getting so many false positives. It worked great on my server when it was a physical box located in my house, but when I moved (house) last year I moved my server to a VPS and that's when IDS started giving me false positives. I have no idea why so many connections get dropped and have to retry. Any clues? I'm totally stumped.

Post by SorenR » 2023-03-16 23:37

> palinka wrote: 2023-03-16 20:00
> Sorry for taking this somewhat off topic, but I had to abandon IDS because I was getting so many false positives. It worked great on my server when it was a physical box located in my house, but when I moved (house) last year I moved my server to a VPS and that's when IDS started giving me false positives. I have no idea why so many connections get dropped and have to retry. Any clues? I'm totally stumped.

False positives? How?

SørenR.


Post by palinka » 2023-03-17 07:48

> SorenR wrote: 2023-03-16 23:37
> > palinka wrote: 2023-03-16 20:00
> > Sorry for taking this somewhat off topic, but I had to abandon IDS because I was getting so many false positives. It worked great on my server when it was a physical box located in my house, but when I moved (house) last year I moved my server to a VPS and that's when IDS started giving me false positives. I have no idea why so many connections get dropped and have to retry. Any clues? I'm totally stumped.
>
> False positives? How?

What I meant was a lot of legitimate connections got banned where they were not getting banned before. Both hmailserver users and incoming mail. My own PC mail client was banned very often. For some reason, the connections were dropped and not completing sometimes, therefore no IP delete and then getting banned after a few of those unfinished transactions. I reduced the expiry period to 1 hour (3 hits in 1 hour) and it didn't help.

Post by SorenR » 2023-03-17 11:29

> palinka wrote: 2023-03-17 07:48
> > SorenR wrote: 2023-03-16 23:37
> > > palinka wrote: 2023-03-16 20:00
> > > Sorry for taking this somewhat off topic, but I had to abandon IDS because I was getting so many false positives. It worked great on my server when it was a physical box located in my house, but when I moved (house) last year I moved my server to a VPS and that's when IDS started giving me false positives. I have no idea why so many connections get dropped and have to retry. Any clues? I'm totally stumped.
> >
> > False positives? How?
>
> What I meant was a lot of legitimate connections got banned where they were not getting banned before. Both hmailserver users and incoming mail. My own PC mail client was banned very often. For some reason, the connections were dropped and not completing sometimes, therefore no IP delete and then getting banned after a few of those unfinished transactions. I reduced the expiry period to 1 hour (3 hits in 1 hour) and it didn't help.

Ah well... It IS a requirement that you have a stable IP network. Perhaps it is the result of a poor virtualisation set-up. (= crappy hosting)

SørenR.

Post by palinka » 2023-03-17 13:39

> SorenR wrote: 2023-03-17 11:29
> > palinka wrote: 2023-03-17 07:48
> > > SorenR wrote: 2023-03-16 23:37
> > > False positives? How?
> >
> > What I meant was a lot of legitimate connections got banned where they were not getting banned before. Both hmailserver users and incoming mail. My own PC mail client was banned very often. For some reason, the connections were dropped and not completing sometimes, therefore no IP delete and then getting banned after a few of those unfinished transactions. I reduced the expiry period to 1 hour (3 hits in 1 hour) and it didn't help.
>
> Ah well... It IS a requirement that you have a stable IP network. Perhaps it is the result of a poor virtualisation set-up. (= crappy hosting)

Yes, that is very true. It's very crappy. I guess I'll have to wait until I move into my new house (under renovation) and then I can set up my trusty old basement server. This time in the attic. Moving up in the world! :lol:

Post by RvdH » 2023-03-17 14:19

> palinka wrote: 2023-03-17 13:39
> > SorenR wrote: 2023-03-17 11:29
> > > palinka wrote: 2023-03-17 07:48
> > > What I meant was a lot of legitimate connections got banned where they were not getting banned before. Both hmailserver users and incoming mail. My own PC mail client was banned very often. For some reason, the connections were dropped and not completing sometimes, therefore no IP delete and then getting banned after a few of those unfinished transactions. I reduced the expiry period to 1 hour (3 hits in 1 hour) and it didn't help.
> >
> > Ah well... It IS a requirement that you have a stable IP network. Perhaps it is the result of a poor virtualisation set-up. (= crappy hosting)
>
> Yes, that is very true. It's very crappy. I guess I'll have to wait until I move into my new house (under renovation) and then I can set up my trusty old basement server. This time in the attic. Moving up in the world! :lol:

When (where) do you Call idsDelIP(oClient.IPAddress)?

I use 2 occurrences, e.g.:

Code:

Sub OnClientLogon(oClient)
    ' Authenticated client: clear its IDS entry
    If oClient.Authenticated Then
        Call idsDelIP(oClient.IPAddress)
    End If
End Sub

Code:

Sub OnAcceptMessage(oClient, oMessage)
    ' Message accepted: clear the sender's IDS entry
    Call idsDelIP(oClient.IPAddress)
End Sub

CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

Post by palinka » 2023-03-17 14:22

> RvdH wrote: 2023-03-17 14:19
> > palinka wrote: 2023-03-17 13:39
> > > SorenR wrote: 2023-03-17 11:29
> > > Ah well... It IS a requirement that you have a stable IP network. Perhaps it is the result of a poor virtualisation set-up. (= crappy hosting)
> >
> > Yes, that is very true. It's very crappy. I guess I'll have to wait until I move into my new house (under renovation) and then I can set up my trusty old basement server. This time in the attic. Moving up in the world! :lol:
>
> When (where) do you Call idsDelIP(oClient.IPAddress)?
>
> I use 2 occurrences, e.g.:
>
> Code:
>
> Sub OnClientLogon(oClient)
>     If oClient.Authenticated Then
>         Call idsDelIP(oClient.IPAddress)
>     End If
> End Sub
>
> Code:
>
> Sub OnAcceptMessage(oClient, oMessage)
>     Call idsDelIP(oClient.IPAddress)
> End Sub

Me too in the same locations.

Post by SorenR » 2023-03-17 15:31

idsAdd -> OnClientConnect() ... After special exceptions and if NOT private IP.

idsDel -> OnClientLogon() ... If Authenticated then ...
idsDel -> OnAcceptMessage() ... Before all the white/blacklisting and what not.
SørenR.

Post by palinka » 2023-03-17 16:18

> SorenR wrote: 2023-03-17 15:31
> idsDel -> OnAcceptMessage() ... Before all the white/blacklisting and what not.

hmmm... I had it twice in OnAcceptMessage.

1) At the beginning, if IP exempt from inspection or transaction not on port 25, then call IDS del.

2) At the very end with the logic that if you successfully pulled off your Indiana Jones escape act through my blow darts, punji stick pits and rolling boulders anti-spam maze, then the message is actually considered legit enough to not consider you a nuisance.

But I think in my case you were right about the unstable internet from my cheap VPS provider.
