Thanks all for the ideas ... I'm on the case...

I have a PHP back-end under Nginx serving the Dovecot Authentication Policy Server - I have forked this code to produce an Exim version for the back-end and am just testing a PERL test-harness which I will translate into a PERL authentication shim.

Right now, at the time of writing, my PERL test harness looks like this:

#!/usr/bin/perl
#
# test.pl -- test the Web Services authenticator for Exim
#
use strict;
use warnings;
use LWP::UserAgent ();
use Data::Dumper;

# Constructed test values: a mailbox, its password and the client's remote IP
my $email = "[email protected]";
my $pass = "secret";
my $remote = "1.2.3.4";

my $ua = LWP::UserAgent->new(
    agent => 'EximAuth/0.01',
    timeout => 3
);

my %form;
$form{'email'} = $email;
$form{'password'} = $pass;
$form{'remote'} = $remote;

# POST the form to the policy server and show the raw response plus its status code
my $response = $ua->post('http://mailserver.example.com/exim-auth.php', \%form);
print Dumper($response);
my $code = $response->code();
print "CODE: >>>$code<<<\n";


The PHP back-end accepts a POST on a URI with form data that contains:

 * email address
 * password
 * remote IP address

the back-end considers:

    a) the username/password pair - for authentication
    b) the GEOIP of the remote IP address - for authorization

in the virtual mailbox/virtual user database, plus the remote IP in a local copy of the DBIP GeoIP database, and returns an HTTP response code:

 * 204 On success (no data)
 * 403 Forbidden (for authentication failure or GEOIP authorization fail)
 * 400 Bad Request (for non-supported methods or incomplete form data)

and logs the username (email address) and remote IP address along with authentication success/fail and GEOIP policy success/fail and country code to a 'connection_log' table in MySQL.

I will replace the test code with an Exim/Perl shim that does the same thing but returns authentication 'success' or 'failure' and coerce Exim into using it in the authenticators, later ...


The reason for all of this is that we have seen a very significant change in the threat landscape in the last couple of years ... examining our Dovecot logs (via the connection log/authentication policy server) we see about 40% of failed logins from China, about 10-15% of failed logins from Russia/Russian Federation and the rest from botnets that present IP addresses from all over the world.

This drives us to use a more complete authentication system along with logging and surveillance, for monitoring, reporting and compliance.

Happy to share our experiences, ideas and solutions with anyone that has similar issues to address ...


Mike
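As an added example, not part of Mike's post or of Exim itself: the Perl shim the post describes, with the decision logic factored out so it can be exercised offline against constructed HTTP::Response objects. The URL and the three form fields come from the post; the 'exim_auth' sub name and the Exim wiring shown in the comments are assumptions.

```perl
#!/usr/bin/perl
# exim_auth.pl -- added example, not the poster's code: client shim for the
# policy server described in the thread. Designed so the yes/no decision can
# be tested offline; only exim_auth() talks to the network.
use strict;
use warnings;
use LWP::UserAgent ();
use HTTP::Response ();

my $POLICY_URL = 'http://mailserver.example.com/exim-auth.php';   # from the post

# Map the back-end's status codes to Exim's yes/no. Only an explicit 204 is a
# success; 403, 400, 5xx and LWP's own 500 on timeout all fail closed.
sub policy_decision {
    my ($response) = @_;
    return 'yes' if $response->code == 204;
    return 'no';
}

# Do not even ask the server when the form is incomplete: the back-end would
# answer 400, and an empty user name or password must never authenticate.
sub form_complete {
    my ($form) = @_;
    for my $k (qw(email password remote)) {
        return 0 unless defined $form->{$k} && length $form->{$k};
    }
    return 1;
}

# Assumed wiring (not from the post): load this file via perl_startup and, in a
# 'login' authenticator where $auth1 is the user name and $auth2 the password,
# set  server_condition = ${perl{exim_auth}{$auth1}{$auth2}{$sender_host_address}}
sub exim_auth {
    my ($email, $pass, $remote) = @_;
    my %form = (email => $email, password => $pass, remote => $remote);
    return 'no' unless form_complete(\%form);
    my $ua = LWP::UserAgent->new(agent => 'EximAuth/0.01', timeout => 3);
    return policy_decision($ua->post($POLICY_URL, \%form));
}

# Offline self-check with constructed responses; no network is touched.
unless (caller) {
    for my $code (204, 403, 400, 500) {
        printf "%d -> %s\n", $code, policy_decision(HTTP::Response->new($code));
    }
    my %partial = (email => 'user@example.com', remote => '1.2.3.4');   # no password
    print 'incomplete form -> ', (form_complete(\%partial) ? 'ask server' : 'no'), "\n";
}
```

Run it directly for the self-check; under Exim only exim_auth() is called, and every non-204 answer (including a timeout) is treated as an authentication failure.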



On 17/03/2020 19:49, Andrew C Aitchison wrote:

Top posting seems the best style for this reply.
I have pruned the original question.

There is a Dovecot Authenticator for Exim (spec.txt chapter 37)
I'm not sure whether $sender_host_address is passed to Dovecot,
so it may or may not be possible to enforce the GEOIP policy
(but I'd be tempted to do that in a firewall such as iptables
before the connection reaches exim unless the location of the
logging is critical).

On Tue, 17 Mar 2020, Mike Tubby via Exim-users wrote:

Dovecot IMAP/POP3 server has a built-in Authentication Policy sub-system whereby it can make a web-services call to an Authentication Policy Server:

1.  ___ command: on connect, before authentication
2.  ___ command: on connect, after authentication
3.  ___ report: on final outcome of policy + authentication

It would be "really good"(tm) if Exim could implement a similar concept/service/API as it would allow me to leverage GEOIP against possible attackers of some (protected) services and report back in to a common database of failed connections for (a) GEOIP policy or (b) username/password authentication failure.

I currently use GEOIP from the DBIP database on a local server with a bit of PHP I hacked together to satisfy the Dovecot web-services API via nginx on localhost in the server in question, and it's been enlightening to see where requests are coming from...   It appears that I am currently receiving around 1500-2000 IMAP connects per day from botnets with half-valid/half-guessed credentials, for example:


While this log is for Dovecot, it would be really good (tm) if Exim could make similar call outs to an Authentication Policy Server, perhaps passing:

1. Remote IP address (IPv4/IPv6)
2. If the session is plain-text or upgraded to SSL/TLS
3. Which SSL/TLS Cipher is in use
4. The username presented at start of auth
5. Some sort of hash of the password presented at auth - like Dovecot does

Has anyone implemented a Dovecot-a-like authentication policy server for Exim?

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
