Securing Dovecot Email Server

xml

Active member
I'm running a LAMP VPS with AlmaLinux 8 and Apache, and I've installed a mail server using Postfix and Dovecot. Everything works fine for sending and receiving emails. However, I noticed that an intruder can establish a connection to Dovecot (e.g., using openssl s_client -connect mail.domain.com:993) and then brute force the username and password with unlimited attempts within the same live session.

Is there a configuration in Dovecot to terminate the current live session after 3 failed password attempts?
 
Can't fail2ban help with that? A quick google shows quite a few results for "fail2ban dovecot" - I've not done it myself, but that's probably the thing I'd check out first.
 

With Plesk, easy to do.

Others...


Unfortunately Fail2Ban can take action starting from the second connection, but during the first live connection, Fail2Ban cannot intervene. That's why I am struggling to terminate the first connection
 
Fail2Ban blocks IP addresses according to your settings.
For example, if you use the wrong password 3 times, the (source) IP is blocked.
 
That's true for services like SSH, where after 3 failed attempts, the connection is terminated, and Fail2Ban blocks the IP on any subsequent connection attempts. Unfortunately, that's not the case with Dovecot. Dovecot doesn’t terminate the connection after a certain number of failed attempts, so Fail2Ban can't step in during the active session
 
Hmmm.... (maxretry = 3)
 
You can prevent this by setting up SSL and requiring auth attempts over SSL only with

in /etc/postfix/main.cf

Code:
smtpd_tls_auth_only = yes

Then restart postfix: service postfix restart

This doesn't present the AUTH option to the remote client after EHLO, so the spammers/hackers give up because establishing an SSL connection takes too much time.

If you have fail2ban installed, you can enable sasl (or sometimes called postfix-sasl) in your jail.local (or jail.d), and that should make the annoyances go away.

Code:
## for me this is in /etc/fail2ban/jail.d/defaults-debian.conf
[postfix]
enabled = true

[postfix-sasl]
enabled = true
 
Dovecot doesn’t terminate the connection after a certain number of failed attempts, so Fail2Ban can't step in during the active session
Hmm, it shouldn't really matter if Dovecot is able to terminate a session or not, as long as Dovecot does log every failed attempt (including multiple failed attempts within one session) Fail2Ban can be used to action this:
The "trick" would be to inject firewall rules that are executed before packets on already established connections are accepted and to reject or drop those packets.
Might (will) require custom config and may not be terribly efficient, but should work.

A (probably simpler) alternative to mitigate password brute forcing attempts might be https://doc.dovecot.org/main/core/config/auth/penalty.html
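To make the "trick" above concrete, here is an added example that is not from this thread or from the Dovecot or Fail2Ban projects: a small Fail2Ban-style filter run over constructed sample Dovecot log lines, together with the firewall rule that resets an offender's current IMAPS session rather than only blocking the next one. Assumptions (hypothetical, not checked against any particular Dovecot release): the two regexes follow the common shapes of Dovecot's per-attempt auth failure line (written when `auth_verbose = yes`) and of the `imap-login: Disconnected (auth failed, N attempts in S secs)` summary; the host filters with iptables and has the usual `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule near the top of INPUT; the threshold of 3 mirrors the `maxretry = 3` mentioned in the thread.

```python
"""Fail2Ban-style detection of Dovecot brute force plus a session-killing ban.

Added example, not code from the thread. Log lines below are constructed;
the regexes are assumptions modelled on common Dovecot log formats.
"""
import re
from collections import defaultdict

# Per-attempt failure from the auth process (only logged with auth_verbose = yes).
# Assumed shape: "auth: passwd-file(<user>,<ip>[,<session>]): Password mismatch"
AUTH_FAIL_RE = re.compile(
    r"auth: \S+\(\S*,(?P<ip>[0-9a-fA-F.:]+)(?:,<[^>]*>)?\): "
    r"(?:Password mismatch|unknown user)"
)
# Summary written by imap-login/pop3-login when the session finally closes.
# Assumed shape: "imap-login: Disconnected (auth failed, N attempts in S secs): ... rip=<ip> ..."
DISCONNECT_RE = re.compile(
    r"(?:imap|pop3)-login: Disconnected \(auth failed, (?P<n>\d+) attempts? in \d+ secs\)"
    r".*\brip=(?P<ip>[0-9a-fA-F.:]+)"
)

MAXRETRY = 3      # mirrors "maxretry = 3" from the thread
IMAPS_PORT = 993  # the port the original poster probed with openssl s_client

# Constructed sample log (hypothetical IPs from documentation ranges).
SAMPLE_LOG = """\
Mar  3 10:15:01 mail dovecot: auth: passwd-file(alice,203.0.113.5,<k1>): Password mismatch
Mar  3 10:15:04 mail dovecot: auth: passwd-file(alice,203.0.113.5,<k1>): Password mismatch
Mar  3 10:15:07 mail dovecot: auth: passwd-file(bob,203.0.113.5,<k1>): unknown user
Mar  3 10:15:09 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.2, TLS, session=<k2>
Mar  3 10:15:31 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 30 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<k1>
Mar  3 10:16:02 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 12 secs): user=<dave>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.2, TLS, session=<k3>
"""


def failures_by_ip(lines):
    """Count failed authentication attempts per source IP.

    Per-attempt lines are counted one each; a disconnect summary contributes
    the N attempts it reports. With auth_verbose enabled both describe the
    same attempts, so the two tallies are combined with max(), not added,
    which keeps the count right whether or not auth_verbose is on.
    """
    per_attempt = defaultdict(int)
    summary = defaultdict(int)
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            per_attempt[m.group("ip")] += 1
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            summary[m.group("ip")] += int(m.group("n"))
    return {ip: max(per_attempt[ip], summary[ip])
            for ip in set(per_attempt) | set(summary)}


def ips_to_ban(lines, maxretry=MAXRETRY):
    """Source IPs that reached the retry threshold, sorted for stable output."""
    return sorted(ip for ip, n in failures_by_ip(lines).items() if n >= maxretry)


def ban_command(ip, port=IMAPS_PORT):
    """iptables rule that blocks the IP *and* tears down its live session.

    Inserting at position 1 places the rule ahead of the usual
    ESTABLISHED/RELATED accept, so packets of the connection already in
    progress hit it; REJECT with tcp-reset answers them with a RST, which
    ends the running brute force instead of only refusing the next connect.
    A rule appended after the conntrack accept would leave the session alive.
    """
    return (f"iptables -I INPUT 1 -s {ip} -p tcp --dport {port} "
            f"-j REJECT --reject-with tcp-reset")


def unban_command(ip, port=IMAPS_PORT):
    """Matching delete for the rule above (what an unban action would run)."""
    return (f"iptables -D INPUT -s {ip} -p tcp --dport {port} "
            f"-j REJECT --reject-with tcp-reset")


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failures per IP:", failures_by_ip(lines))
    for offender in ips_to_ban(lines):
        print(ban_command(offender))
```

On an AlmaLinux 8 host that uses firewalld/nftables instead of raw iptables the same idea applies (the reject rule must be evaluated before the established-connection accept), but the exact command differs and should be checked against the firewall actually in use; the `-j REJECT --reject-with tcp-reset` form shown here is what makes the difference between "blocked next time" and "kicked off now".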
 
smtpd_tls_auth_only = yes
That directive is for Postfix, while the command "openssl s_client -connect mail.domain.com:993" is specifically for testing the connection to the Dovecot mail server using the IMAPS protocol, which operates over port 993.
 
The easy solution I use is:
1. /etc/dovecot/conf.d/10-auth.conf
Code:
# Time to delay before replying to failed authentications.
auth_failure_delay = 20
This will make brute force attacks harder by slowing them down, since it increases the number of seconds between login attempts within the same live session connection.

2. strong password
 