ME 10.32 vs. Country Authentication Restrictions

Discussions on webmail and the Professional version.
Post Reply
dedicate-it.net
Posts: 49
Joined: Mon Feb 22, 2021 8:30 pm

ME 10.32 vs. Country Authentication Restrictions

Post by dedicate-it.net »

My question is as follows:

When enabling Geo-restrictions for authentication and attack detection - does ME block the connection when it attempts the AUTH command or does it "block" the auth. command, which then still results in a pile of failed random login attempts that eventually still locks the account in question?

Reason being - we are being hassled by a ton of random IPs - they bang on the server for two or three attempts - to beat the rate limiting - then come back later - either from the same IP or different ones. We have enabled the geo-restrictions and it seems to have NO effect whatsoever (even after service restart). Additionally, with restrictions enabled, authentications are still permitted (via testing with VPN to over a dozen blocklisted countries.

Please advise --

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: ME 10.32 vs. Country Authentication Restrictions

Post by MailEnable-Ian »

Hi,

The authentication policy requires a connection in order for the AUTH command to be issued to the service. Therefore it will not prevent the connection but prevent the authentication. Have you enabled the "Abuse detection and prevention" option within the "Localhost" proprieties under the "Policies" tab? This will ban an IP address after 10 invalid AUTH attempts for one hour.

https://www.mailenable.com/documentation/10.0/Enterprise/Localhost_-_Policies.html
Regards,

Ian Margarone
MailEnable Support

dedicate-it.net
Posts: 49
Joined: Mon Feb 22, 2021 8:30 pm

Re: ME 10.32 vs. Country Authentication Restrictions

Post by dedicate-it.net »

Understood on the topology --

In re: Abuse Prevention -

The issue is that the offending IPs only send one or two auth requests per IP - then disappear for over an hour - then come back. They're keen to the rate-limiting feature - and time their hits based on a delay between repeated attempts. While this same behavior also prevents them from locking legitimate email accounts in the same fashion (too many repeated attempts) - it doesn't prevent against the slow-brute-force attacks that are happening.

In the essence that the GEO restrictions should prevent authentication, I find it interesting that when enabled, authentication from a "geo-restricted" IP is still possible and successful - but I will test further and bring logfiles for diagnosis.

At this point, I feel we will have to work on a third-party solution to geo-restrict connections to the mail server. As in - our mail server has no real business communicating with IPs outside North and Central America/Europe. None of our clients or operations do business or communicate with most far-east or even middle-east countries. I am understanding this is not how the GEO-restrict feature is implemented in ME - but rather, connection is allowed - then AUTH command prevented when IP defies acceptable rules.

In this case - it appears to be a network of compromised servers - there are approximately 50 IPs that are involved - several of them try to open up "common accounts" - others try to open up "known accounts that exist" - and most of them also attempt to login with a username wibbogup@<domainname>.<tld> (replace with chosen domain). Granted, this scenario is obviously not a ME problem, so I do thank you for your time on the matter.

rgomez
Posts: 27
Joined: Wed Mar 23, 2011 12:30 am

Re: ME 10.32 vs. Country Authentication Restrictions

Post by rgomez »

Hello,

I have this same problem. I have enabled the GEO authentication policies, to only allow authentication from certain countries, but I still get hammered on a daily basis from different IPs, so the IP blocking feature doesn't solve this issue. They haven't succeed in guess the password, maybe even the AUTH request is actually blocked with the GEO policies (although the message in the logs just says "Invalid Username or Password") but the issue is that I get enough requests that fail because of the invalid password that the account is locked for the legit users.

I have no way of knowing if the GEO policies are working or not as I can't see any message on the logs related to tha; I would expect that if there is an AUTH LOGIN from a blocked country then it should kill the connection at that point, or at the very least block the AUTH but without counting that attempt as a "valid" one that works towards the blocking of the account.

Right now I have to keep getting into the admin console to unlock the accounts several times a day... I have been adding the IPs and in some cases even the whole subnet of the offending IPs to my Firewall, but that's not a viable nor a permanent solution.

dcol
Posts: 237
Joined: Fri May 26, 2017 11:25 pm

Re: ME 10.32 vs. Country Authentication Restrictions

Post by dcol »

I have same issue. If anyone has come up a third party solution or criteria script, please post here

Admin
Site Admin
Posts: 1145
Joined: Mon Jun 10, 2002 6:31 pm
Location: Melbourne, Victoria, Australia

Re: ME 10.32 vs. Country Authentication Restrictions

Post by Admin »

Hi,

The check for country restriction is done after the login is done. It needs to do this in order to determine the mailbox (i.e. needs to match the authentication details to a mailbox) in order to see whether the mailbox or postoffice has a country restriction on it, even if you have blocked at the global level. If you have the abuse detection enabled, it will kick in the sender will just get invalid logins and it will not get to the auth check or the country check. This will be a problem if you have the lockout on a mailbox after a certain number of failed logins, since the act of the auth lookup will cause the invalid login counter to increment. We recommend not using the mailbox lockout feature and rely on the abuse detection since it will lock out the connecting IP address instead of the mailbox. The problem with the mailbox lockout is that password changes can cause lockouts for valid users since it does not keep history of passwords in order to prevent the case of a client application using an older password until updated. We still intend to fix this the lockout working with the country blocking though.

dcol
Posts: 237
Joined: Fri May 26, 2017 11:25 pm

Re: ME 10.32 vs. Country Authentication Restrictions

Post by dcol »

I agree and have been stung by the lockout feature before.

dedicate-it.net
Posts: 49
Joined: Mon Feb 22, 2021 8:30 pm

Re: ME 10.32 vs. Country Authentication Restrictions

Post by dedicate-it.net »

I am working on an app that pulls the latest IP allocations from the main 5 main sources.

It will supernet ranges of countries you want to block that overlap so as to reduce the load of multiple firewall entries in WFP.

Basically, it will pull latest lists, let you choose "problem countries you want to block completely" and then take any ranges assigned to those countries, attempt to combine subnets that are adjacent, then give you chance to add rules to the Windows filtering platform (blocking the ports you choose) -- this will make a huge difference for me in the end personally.

Another utility I will be generating will be something that works as a connection proxy -- catching the incoming connections and doing a better job with the EHLO pattern blocking.

One of the major problems is botnets that will attempt logins to accounts from hundreds of IP addresses, but it's only one attempt per address, so it never triggers IP ban and if you turn off mailbox protection lockouts, then it's just a matter of time till they eventually pop the password.

dcol
Posts: 237
Joined: Fri May 26, 2017 11:25 pm

Re: ME 10.32 vs. Country Authentication Restrictions

Post by dcol »

I use OPNsense firewall, so what I did was restrict ports 465 and 993 to US only IP's using GeoIP_lite. Seems to work so far

Post Reply