Security Suggestion

Discussion forum for Enterprise Edition.
sagelike
Posts: 284
Joined: Fri Feb 23, 2007 4:58 am

Security Suggestion

Post by sagelike » Thu Nov 01, 2018 6:23 pm

I've never been able to successfully use the 'Lock out user for one hour after' (even set to 35 failures) or Enable Abuse prevention.

When trying these in the past, I've always run into problems where legitimate users were blocked, so I've disabled them.

I wonder if a security option could be added to block attacks on non-existent mailboxes. My domain gets hit continuously with everything from a....@ to z....@ and it never stops.

Just being able to block those hitting non-existent mailboxes with a threshold I can set would be a big help and should not interfere with genuine users.

Having more options on the other two security options might allow me to tweak it so it doesn't block legitimate users.

thx

rfwilliams777
Posts: 1312
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Security Suggestion

Post by rfwilliams777 » Sat Nov 03, 2018 1:58 am

If you have emails leaving your server with no domain or mailbox that you actually have, then you have your SMTP properties set to open so anyone can use your server to send email through. You need to set it up where only authenticated users (providing a legit email address and valid password) can send an email through your server.
Robert Williams, Owner
www.WWSHosting.net
#1 in MailEnable Business-Class Email Hosting - Switch to Williams Web Solutions and get your first 2 months FREE!
We can be hired to help you with your Mail Enable server, too!

kiamori
Posts: 221
Joined: Wed Nov 04, 2009 1:39 am

Re: Security Suggestion

Post by kiamori » Sun Nov 11, 2018 4:12 am

What sage is saying is that currently the way ME blocks failed attempts works is to block any IP address that attempts to log in to any account but fails a set number of times. This causes a lot of false positives.

Here is the issue with that,

Someone at a company puts in the wrong password into Outlook, or they change a password but forget to update all devices. The device with the old password will cause all users using that IP address to be blocked until it's been reset. This is a major issue for larger companies where you have hundreds of people using the same WAN IP address to authenticate.

A better method, like Sage said, is to block IPs when failed attempts hit multiple non-existent users. Another method would be to only block NEW IPs that fail to authenticate. For example,

IP#1 authenticates and is added to a pool of successful authenticators for that user account/domain/postoffice. In the future the IP would not be blocked if a user attempted to login but failed from that same IP address for that same account/domain/postoffice. The history should be configurable for a given time. This would need to be configurable, as in some cases you would only want this function on a per-user basis for cross-user security rather than domain- or postoffice-wide, to prevent cross-user attempts to brute force another account.
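The two policies proposed above (block an IP once its failures hit several distinct non-existent mailboxes, and exempt an IP that recently authenticated successfully to the account it is now failing against), as an added Python example that is not part of this thread or of MailEnable; the class, its thresholds and the sample addresses are assumptions:

```python
from collections import defaultdict

class LockoutPolicy:
    """Hypothetical per-IP blocking with two triggers: (a) failures against
    non-existent mailboxes and (b) wrong passwords from IPs that have never
    logged in to the account. IPs with a recent success for that account are
    exempt, so a stale password on one device behind a shared NAT does not
    lock out the whole office."""

    def __init__(self, mailboxes, unknown_threshold=5, new_ip_threshold=10,
                 window=3600.0, trusted_ttl=7 * 86400.0):
        self.mailboxes = set(mailboxes)              # existing accounts
        self.unknown_threshold = unknown_threshold   # distinct bogus targets per IP
        self.new_ip_threshold = new_ip_threshold     # failures per untrusted IP
        self.window = window                         # seconds a failure counts
        self.trusted_ttl = trusted_ttl               # seconds a success keeps an IP trusted
        self.unknown = defaultdict(dict)             # ip -> {target: last_seen}
        self.failures = defaultdict(list)            # ip -> [timestamps]
        self.trusted = defaultdict(dict)             # account -> {ip: last_success}
        self.blocked = {}                            # ip -> blocked_at

    def is_trusted(self, ip, account, now):
        last = self.trusted[account].get(ip)
        return last is not None and now - last <= self.trusted_ttl

    def record_success(self, ip, account, now):
        self.trusted[account][ip] = now

    def record_failure(self, ip, target, now):
        """Return True if this failure causes the IP to be blocked."""
        if target in self.mailboxes:
            if self.is_trusted(ip, target, now):
                return False          # known-good IP for this account: never block
            recent = [t for t in self.failures[ip] if now - t <= self.window]
            recent.append(now)
            self.failures[ip] = recent
            if len(recent) >= self.new_ip_threshold:
                self.blocked[ip] = now
                return True
            return False
        # Non-existent mailbox: count distinct targets, not raw attempts,
        # so one mistyped address retried by a real user does not trigger it.
        hits = self.unknown[ip]
        hits[target] = now
        self.unknown[ip] = {t: s for t, s in hits.items() if now - s <= self.window}
        if len(self.unknown[ip]) >= self.unknown_threshold:
            self.blocked[ip] = now
            return True
        return False

    def is_blocked(self, ip, now, lockout=3600.0):
        at = self.blocked.get(ip)
        return at is not None and now - at < lockout
```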

rfwilliams777
Posts: 1312
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: Security Suggestion

Post by rfwilliams777 » Sun Nov 11, 2018 5:25 am

I agree with your suggestion, and allow me to pose this situation in agreement with what I went through this past week. A mobile device travels all day and covers maybe 60+ miles in a circle, eventually back to origin. In that time, there may have been 10-15 different towers, each providing their own IP address to the mobile device. If a mobile device fails to fully connect to the mail server throughout the whole fetch process due to issues of building structures or whatever, that device becomes locked. When it fails enough times, the account gets locked. This caused my Outlook to not work, I could not check the email with the webmail, and the device was blocked no matter what. As a result, it was locked so bad that I had to turn off that security and restart the server's services (I think I even rebooted the server), disable and re-enable my account, and a number of other things...just so I could check email. What is bad is how it locks the account in the process. What if "alleged" connections come from people attempting to force access into the account? They already have multiple IP addresses to try, so they just keep poking until they get blocked, but in the meantime, you get blocked due to a scenario similar to the one I posed above.

kiamori
Posts: 221
Joined: Wed Nov 04, 2009 1:39 am

Re: Security Suggestion

Post by kiamori » Mon Feb 11, 2019 3:13 am

This really needs more attention so I'm going to bump it until Ian or another staff member has a chance to respond.
