On 4/27/22 14:01, Wietse Venema wrote:
> Michael Stroeder:
>>> Either way a compromised CA or a compromised KDC is bad news...
>>
>> Yes!
>>
>> And one of my biggest concerns are bad operational practices. That's why
>> admins should not have to manually deal with crypto key files like
>> service
On 4/27/22 21:30, Wietse Venema wrote:
Michael Stroeder:
So even if you cannot afford a HSM you can e.g. use ssh-agent via Unix
domain socket for your SSH-CA to avoid having to grant direct read
access to the SSH-CA's private key to your SSH-CA service. Simple
solutions, which you can isolate a
Michael Stroeder:
> So even if you cannot afford a HSM you can e.g. use ssh-agent via Unix
> domain socket for your SSH-CA to avoid having to grant direct read
> access to the SSH-CA's private key to your SSH-CA service. Simple
> solutions, which you can isolate a bit more with stuff already ava
On 4/27/22 20:01, Wietse Venema wrote:
Michael Stroeder:
Either way a compromised CA or a compromised KDC is bad news...
Yes!
And one of my biggest concerns are bad operational practices. That's why
admins should not have to manually deal with crypto key files like
service keytabs or TLS serve
Michael Stroeder:
> > Either way a compromised CA or a compromised KDC is bad news...
>
> Yes!
>
> And one of my biggest concerns are bad operational practices. That's why
> admins should not have to manually deal with crypto key files like
> service keytabs or TLS server keys.
To implement str
On 4/27/22 19:03, Viktor Dukhovni wrote:
On 27 Apr 2022, at 12:45 pm, Michael Ströder wrote:
But my concern is rather that I would not connect my KDC to the
Internet (for now leaving aside approaches like proxy KCM).
In general I'm leaning more towards using asymmetric keys for
authc. On my
> On 27 Apr 2022, at 12:45 pm, Michael Ströder wrote:
>
> But my concern is rather that I would not connect my KDC to the Internet (for
> now leaving aside approaches like proxy KCM).
>
> In general I'm leaning more towards using asymmetric keys for authc. On my
> personal to-do list is to imp
On 4/27/22 18:38, Demi Marie Obenour wrote:
On 4/27/22 07:58, Michael Ströder wrote:
Mozilla hunked out all features for PKI client cert enrollment from
Firefox and Thunderbird. So today it's easier to issue client certs to
Outlook users than to Thunderbird users. :-(
Please report a bug on ht
“Well, if you believe that it's ok for you to use it.”
Not sure if you mean I’m being presumptuous (not intended) or actually
that I would see value in using it - I think you meant the latter but
again, not sure…(lol)
Anyway, I would see value in at least checking it out - seems
interesting…
On 4/27/22 18:50, Antonio Leding wrote:
On 27 Apr 2022, at 9:45, Michael Ströder wrote:
> “On my personal to-do list is to implement a simple X.509-CA for issuing
> short-term client certs, with a CLI tool to directly manipulate
> Thunderbird and Firefox key/cert DB.”
As in you are planning t
On 4/27/22 18:39, Demi Marie Obenour wrote:
On 4/27/22 12:27, Michael Ströder wrote:
On 4/27/22 14:37, Jahnke-Zumbusch, Dirk wrote:
I’m very interested in what options / solutions (if any) exist that allow
you to use a passwordless approach to authenticating your users against
imaps/pop3/smtps/
“On my personal to-do list is to implement a simple X.509-CA for
issuing short-term client certs, with a CLI tool to directly manipulate
Thunderbird and Firefox key/cert DB.”
As in you are planning to build such a suite and put up on GH for all of
us to use as well???
If so, would love to le
On 4/27/22 18:36, Viktor Dukhovni wrote:
On 27 Apr 2022, at 12:27 pm, Michael Ströder wrote:
one way to authenticate may be using Kerberos.
Not recommended for roaming users accessing submission service via public
Internet.
Suitability depends on the user base, ... my personal mail server
On 4/27/22 12:27, Michael Ströder wrote:
> On 4/27/22 14:37, Jahnke-Zumbusch, Dirk wrote:
> I’m very interested in what options / solutions (if any) exist that allow
> you to use a passwordless approach to authenticating your users against
> imaps/pop3/smtps/submission services (tls enc
On 4/27/22 08:37, Jahnke-Zumbusch, Dirk wrote:
> Hi everybody,
>
I’m very interested in what options / solutions (if any) exist that allow
you to use a passwordless approach to authenticating your users against
imaps/pop3/smtps/submission services (tls encrypted of course)
>
> one
On 4/27/22 07:58, Michael Ströder wrote:
> On 4/27/22 12:27, Jaroslaw Rafa wrote:
>> On 27.04.2022 at 17:47:06 AndrewHardy wrote:
>>>
>>> I’m very interested in what options / solutions (if any) exist that allow
>>> you to use a passwordless approach to authenticating your users against
>>>
On 4/27/22 17:28, lists wrote:
The TOTP built into Linux has a 30-second time limit, but most
implementations approve the stale code, making it effectively 60
seconds.
>
Hackers have either implemented [..] a man in the middle attack
intercepted the token.
An implementation taking the "one-time"
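The timing argument in the message above (a 30-second step, the previous step still accepted, hence a code that is live for up to 60 seconds) and the "one-time" property it hints at can be shown in a few dozen lines. The block below is an added example for this thread, not code from any poster: an RFC 6238 verifier with a one-step grace window that also remembers the highest counter it has accepted, so a code captured in transit cannot be replayed even inside the window. The secret is the RFC 4226/6238 test key, used only so the codes can be checked against the published vectors.

```python
"""RFC 6238 TOTP verifier with a one-step grace window and replay rejection.

Added example for this thread, not code from any poster.  The 30-second
step and the acceptance of the previous step are the common defaults the
message above refers to: together they make a code usable for up to 60
seconds.  What keeps "one-time" true inside that window is remembering the
highest counter already accepted and refusing anything at or below it.
The secret is the RFC 4226/6238 test key, used here only so the codes can
be checked against the published vectors.
"""
import hashlib
import hmac
import struct

STEP = 30          # RFC 6238 default time step, seconds
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, int(at) // step, digits)


class TotpVerifier:
    """Server-side check: accept the current step plus `window` steps either
    side, but never a step at or below the last one accepted."""

    def __init__(self, key: bytes, window: int = 1, step: int = STEP):
        self.key, self.window, self.step = key, window, step
        self.last_counter = -1          # highest counter consumed so far

    def verify(self, code: str, now: int) -> bool:
        counter = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue                # already used (or older): replay
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c   # consume this step
                return True
        return False


TEST_KEY = b"12345678901234567890"      # RFC 4226 / RFC 6238 test secret


def demo(key: bytes = TEST_KEY) -> dict:
    """Walk one code through the three cases the thread describes."""
    code = totp(key, 59)                # step 1 covers t in [30, 60)
    v = TotpVerifier(key)
    stale_ok = v.verify(code, 75)       # now in step 2; previous step still accepted
    replayed = v.verify(code, 80)       # same code again: rejected
    expired = TotpVerifier(key).verify(code, 125)  # step 4: outside the window
    return {
        "code": code,
        "stale_accepted": stale_ok,
        "replay_rejected": not replayed,
        "expired_rejected": not expired,
    }


if __name__ == "__main__":
    print(demo())
```

A MITM that relays a freshly captured code still wins the race if the real user's own attempt has not landed first; the replay check only guarantees that a code is honoured at most once, which is the most a TOTP verifier can do against that attack.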
> On 27 Apr 2022, at 12:27 pm, Michael Ströder wrote:
>
>> one way to authenticate may be using Kerberos.
>
> Not recommended for roaming users accessing submission service via public
> Internet.
Suitability depends on the user base, ... my personal mail server
indeed supports SASL GSSAPI subm
On 4/27/22 14:37, Jahnke-Zumbusch, Dirk wrote:
I’m very interested in what options / solutions (if any) exist that allow
you to use a passwordless approach to authenticating your users against
imaps/pop3/smtps/submission services (tls encrypted of course)
one way to authenticate may be using Ke
to occur with a web page Auth where the MITM presents a fake page.
Original Message
From: postfixlists-070...@billmail.scconsult.com
Sent: April 27, 2022 8:04 AM
To: postfix-users@postfix.org
Subject: Re: password security
On 2022-04-27 at 01:47:06 UTC-0400 (Wed, 27 Apr 2022 17:47:06
On 2022-04-27 at 01:47:06 UTC-0400 (Wed, 27 Apr 2022 17:47:06 +1200)
AndrewHardy
is rumored to have said:
Hi,
Following this thread has been quite intriguing. Interesting
conversation indeed.
On a similar topic but probably more focused on addressing root cause
(which in mind is just passw
Hi everybody,
>>> I’m very interested in what options / solutions (if any) exist that allow
>>> you to use a passwordless approach to authenticating your users against
>>> imaps/pop3/smtps/submission services (tls encrypted of course)
one way to authenticate may be using Kerberos. Get your
K5-Tic
On 4/27/22 12:27, Jaroslaw Rafa wrote:
On 27.04.2022 at 17:47:06 AndrewHardy wrote:
I’m very interested in what options / solutions (if any) exist that allow
you to use a passwordless approach to authenticating your users against
imaps/pop3/smtps/submission services (tls encrypted of cou
On 26.04.2022 at 18:59:35 lists wrote:
> I see the snowshoe hackers on my web server and I
> assume they are on my email but I don't read the postfix logs as often. I
> haven't seen a hacker hammer my server in a long time. It is all snowshoe
> these days.
I also have a personal server and
On 27.04.2022 at 17:47:06 AndrewHardy wrote:
>
> I’m very interested in what options / solutions (if any) exist that allow
> you to use a passwordless approach to authenticating your users against
> imaps/pop3/smtps/submission services (tls encrypted of course)
To my knowledge, Thunderbird
One more important thing is to educate the users to not click on any
unknown links because many times spammers get hold of the account by the
way of phishing emails.
Fail2ban works in case there are brute force attempts. but if the password
is valid then the server will authenticate.
On Mon,
On 2022-04-27 lists wrote:
> Steve Gibson spent four years developing a passwordless Auth system.
> Open sourced it. Provided APIs. Nobody bought into it.
Steve Gibson? The same Steve Gibson who claimed that raw sockets in
Windows XP are evil because ... reasons? The same Steve Gibson who
successf
like a WAF.
From: andrewha...@andrewhardy.co.nz
Sent: April 26, 2022 10:47 PM
To: li...@lazygranch.com
Cc: postfix-users@postfix.org
Subject: Re: password security
Hi,
Following this thread has
he man pages for postfix and Dovecot to set up an email server. Too many
> options.
>
> Back to lurker mode.
>
> From: t...@leding.net
> Sent: April 26, 2022 12:45 PM
> To: le...@spes.gr
> Cc: postfix-users@postfix.org
> Subject: Re: password security
>
> Good fe
y options. Back to lurker mode.
From: t...@leding.net
Sent: April 26, 2022 12:45 PM
To: le...@spes.gr
Cc: postfix-users@postfix.org
Subject: Re: password security
Good feed
On 4/26/2022 7:15 PM, Demi Marie Obenour wrote:
On 4/26/22 01:35, Antonio Leding wrote:
Anyone who thinks that F2B merely “quiets logs” unfortunately has no
idea what F2B actually does…
Would you mind explaining?
TL;DR for many:
The fail2ban service watches logfiles for things that indicate
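What a jail actually does can be shown more precisely than the TL;DR above manages. The block below is an added example for this thread and is not fail2ban's own code: it keeps the core of a jail (a filter regex plus a findtime/maxretry sliding window per source IP, with a ban decision where fail2ban would call iptables) and runs it over a constructed sample of Postfix and Dovecot auth-failure lines. It goes one step beyond fail2ban by also keying a second jail on the target account, which is where a distributed attack that spends one attempt per IP stays invisible to per-IP banning.

```python
"""fail2ban-style detection over Postfix/Dovecot auth-failure log lines.

Added example for this thread; it is not fail2ban's own code.  It keeps the
core of a fail2ban jail (a filter regex plus a findtime/maxretry sliding
window per source IP) and adds a second jail keyed on the *target account*,
so that a distributed ("snowshoe") attack that spends one attempt per IP is
still noticed even though no single IP ever crosses maxretry.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Filter patterns for the two daemons discussed in the thread.
POSTFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)
DOVECOT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)-login: "
    r".*auth failed.*user=<(?P<user>[^>]*)>.*rip=(?P<ip>[0-9a-fA-F.:]+)"
)
LOG_YEAR = 2022  # syslog lines carry no year; assumed for the sample below


def parse_line(line):
    """Return (timestamp, source_ip, target_user_or_None) for an auth
    failure, or None for any other line."""
    for rx in (POSTFIX_RE, DOVECOT_RE):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(
                f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, m.group("ip"), m.groupdict().get("user")
    return None


class Jail:
    """Sliding-window counter: `maxretry` hits within `findtime` seconds
    for one key trigger a ban lasting `bantime` seconds."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.hits = defaultdict(deque)  # key -> timestamps inside the window
        self.banned = {}                # key -> ban expiry

    def observe(self, key, ts):
        """Record one failure; return True if this one trips the ban."""
        expiry = self.banned.get(key)
        if expiry and ts < expiry:
            return False                # already banned, nothing new
        q = self.hits[key]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.findtime:
            q.popleft()                 # drop hits older than findtime
        if len(q) >= self.maxretry:
            self.banned[key] = ts + timedelta(seconds=self.bantime)
            q.clear()
            return True
        return False


def analyse(lines, maxretry=5, findtime=600):
    """Run both jails over log lines; return (banned_ips, flagged_users)."""
    ip_jail, user_jail = Jail(maxretry, findtime), Jail(maxretry, findtime)
    banned_ips, flagged_users = [], []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user = parsed
        if ip_jail.observe(ip, ts):
            banned_ips.append(ip)       # what fail2ban would hand to iptables
        if user and user_jail.observe(user, ts):
            flagged_users.append(user)  # per-account signal fail2ban lacks
    return banned_ips, flagged_users


# Constructed sample log: one noisy IP hammering Postfix SASL, then five
# different IPs each trying the same Dovecot account exactly once.
SAMPLE_LOG = [
    f"Apr 26 11:09:{41 + i} mx postfix/smtpd[1234]: warning: "
    "unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"
    for i in range(5)
] + [
    f"Apr 26 11:1{i}:00 mx dovecot: imap-login: Disconnected (auth failed, "
    f"1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.{i + 1}, "
    f"lip=192.0.2.10, TLS, session=<s{i}>"
    for i in range(5)
] + ["Apr 26 11:15:00 mx postfix/smtpd[1234]: connect from mail.example.net[192.0.2.9]"]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))  # (['198.51.100.7'], ['bob'])
```

On the sample, the single hammering IP is banned after its fifth failure, while none of the five snowshoe IPs ever reaches maxretry; only the per-account jail reports that `bob` is under attack. That second signal is not a ban target (blocking the account would hand the attacker a denial of service), but it is what tells you a password reset or a stronger factor is due.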
On 4/26/22 01:35, Antonio Leding wrote:
> Anyone who thinks that F2B merely “quiets logs” unfortunately has no
> idea what F2B actually does…
Would you mind explaining?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Good feedback - typically I’d have some comments but since we’ve
wandered a fair bit off the reserve here, I will refrain. If anyone
wants to continue this at Reddit or somewhere else more apropos, let me
know…
- - -
On 26 Apr 2022, at 11:56, Lefteris Tsintjelis wrote:
On 26/4/2022 20:11,
On 26/4/2022 20:11, Antonio Leding wrote:
“…I'm just saying it's [F2B] not a solution to modern brute-force attack
on passwords/accounts….”
It’s actually staggering that you say this because of how incredibly
inaccurate this statement is…
Presume someone goes brute-force against a Postfix se
In other words...
On Tue, 26 Apr 2022, Antonio Leding wrote:
[...]
Blocking an IP is the single cheapest most effective thing one can do re:
undesired traffic.
blocking an address is just a rude form of graylisting, based on observed
rudeness.
(I do it too. And other things. Security is a
“…I'm just saying it's [F2B] not a solution to modern brute-force
attack on passwords/accounts….”
It’s actually staggering that you say this because of how incredibly
inaccurate this statement is…
Presume someone goes brute-force against a Postfix server via v6 only -
so tons of addresses at
I’m not really sure if you understand that F2B is just a set of
scripts wrapped around iptables (a firewall) - but that’s all it is -
the real-work is being done by iptables which can be very effective
against DDoS. Plenty of articles, papers, etc. on this very topic so
your assertion that F2B
Dear Viktor,
Viktor Dukhovni writes:
> On Tue, Apr 26, 2022 at 11:54:21PM +0900, Byung-Hee HWANG wrote:
>
>> > There is obviously a point where the server won't be capable of
>> > handling the load, always. But what are the odds with "just" a
>> > brute-force on passwords/accounts?
>> > Our outb
On Tue, Apr 26, 2022 at 11:54:21PM +0900, Byung-Hee HWANG wrote:
> > There is obviously a point where the server won't be capable of
> > handling the load, always. But what are the odds with "just" a
> > brute-force on passwords/accounts?
> > Our outbound/internal mail gateway handles the traffic
> There is obviously a point where the server won't be capable of
> handling the load, always. But what are the odds with "just" a
> brute-force on passwords/accounts?
> Our outbound/internal mail gateway handles the traffic for +2K
> every-day users +28K occasional users. Millions emails per month
April 26, 2022 3:13 PM, "Bill Cole" wrote:
> On 2022-04-26 at 07:09:41 UTC-0400 (Tue, 26 Apr 2022 11:09:41 +)
>
> is rumored to have said:
>> Unless you run postfix on a 10-year-old Raspberry, it can handle the load.
>
> Not always true.
There is obviously a point where the server won
On 2022-04-26 at 07:09:41 UTC-0400 (Tue, 26 Apr 2022 11:09:41 +)
is rumored to have said:
Brute-forcing passwords/accounts has nothing to do with DDoS. The purpose of
brute-forcing passwords is gaining access to a service in order to
exploit it (steal data, send spam, etc.). The purpose of DDoS is t
April 26, 2022 12:16 PM, "Mauricio Tavares" wrote:
> Please explain how certificate authentication is, as you said,
> 100% efficient against brute-force attacks.
No password = no possible brute-forced password.
> If these 100s or 1000s of IP addresses are sending each thousands of
> connectio
On Tue, Apr 26, 2022 at 1:54 AM wrote:
>
> Hello,
>
> This is off topic anyway but I think you're right. Fail2ban is not for the
> lazy, it's for people who have a lot of time to lose in an inefficient
> solution. Before cloud era F2B was a really great solution, but as it's been
> pointed out,
Hello,
This is off topic anyway but I think you're right. Fail2ban is not for the
lazy, it's for people who have a lot of time to lose in an inefficient
solution. Before cloud era F2B was a really great solution, but as it's been
pointed out, current attackers can leverage 100s or 1000s of IP a
Anyone who thinks that F2B merely “quiets logs” unfortunately has no
idea what F2B actually does…
- - -
On 25 Apr 2022, at 1:00, Laura Smith wrote:
Sent with ProtonMail secure email.
--- Original Message ---
On Monday, April 25th, 2022 at 08:50, Dan Mahoney
wrote:
Even if fail2ban
I’ve been using F2B for over 4-5 years and it’s fantastic. F2B is
just one of many very useful tools in the belt of any knowledgable
infosec practitioner. To consider F2B as “only for the lazy” speaks
more to a lack of truly understanding infosec than it does of the tool
itself…
- - -
On
Hello,
I find it quite fascinating that so many people will push solutions without
context.
Can you tell us how many users / user accounts are you trying to protect?
Are those work accounts? Family & friends?
What do you really want to achieve:
- no brute-force attempts?
- no brute-force succe
that needs secondary development? Due to my limited knowledge I don't
know whether there is an open-source implementation.
thank you
Mauricio Tavares wrote:
What about multifactor authentication?
If you google "fail2ban postfix", you will get a large number of links
to ideas about using fail2ban to prevent this.
On 2022-04-25 11:29, Mauricio Tavares wrote:
On Mon, Apr 25, 2022 at 12:28 AM ミユナ (alice) wrote:
do you know how to stop passwords from being brute-forced for a
mailserver? do
On Mon, Apr 25, 2022 at 12:28 AM ミユナ (alice) wrote:
>
> do you know how to stop passwords from being brute-forced for a
> mailserver? do you have any practical guide?
>
What about multifactor authentication?
> thank you.
Hi
Or use allow_nets (geoip) for dovecot-auth (in mysql) and fail2ban
or
ipset + hashlimit + geoip
or 2fa - It's a bit of fun in configurations
On 25.04.2022 at 12:44, Ludi Cree wrote:
Hi,
Even if fail2ban is “whack a mole”, you could also feed the data on auth
spammers to an abuse-compa
Hi,
>> Even if fail2ban is “whack a mole”, you could also feed the data on auth
>> spammers to an abuse-complaint script, and do your part to make the internet
>> a little cleaner.
>And we all know how fabulously well abuse reports have worked with preventing
>spam, don't we !!
>As I said. Fai
Many people are used to using a VPN today, so blocking based on IP is not
acceptable.
Allen Coates wrote:
You could use an Access Control List to include all your "customers",
and banning everybody else.
On 25/04/2022 05:26, ミユナ (alice) wrote:
do you know how to stop passwords from being brute-forced for a mailserver? do
you have any practical guide?
thank you.
You could use an Access Control List to include all your "customers", and
banning everybody else.
In my case, any submission or
On Monday, April 25th, 2022 at 08:50, Dan Mahoney wrote:
Even if fail2ban is “whack a mole”, you could also feed the data on auth
spammers to an abuse-complaint script, and do your part to make the
internet a little cleaner.
On 25.04.22 08:00, Laura Smith wrote:
And we all know how fabulously
Sent with ProtonMail secure email.
--- Original Message ---
On Monday, April 25th, 2022 at 08:50, Dan Mahoney wrote:
> Even if fail2ban is “whack a mole”, you could also feed the data on auth
> spammers to an abuse-complaint script, and do your part to make the internet a
> little
> On Apr 25, 2022, at 12:07 AM, Laura Smith
> wrote:
>
>
> --- Original Message ---
> On Monday, April 25th, 2022 at 05:26, ミユナ wrote:
>
>> do you know how to stop passwords from being brute-forced for a
>> mailserver? do you have any practical guide?
>>
>
> Simple. You've got tw
Hi
Probably fail2ban resolve your problem about brute-force auth
On 25.04.2022 at 09:07, Laura Smith wrote:
--- Original Message ---
On Monday, April 25th, 2022 at 05:26, ミユナ wrote:
do you know how to stop passwords from being brute-forced for a
mailserver? do you have any practica
Check out fail2ban
Greets,
Ludi
----- Original Message -----
From: owner-postfix-us...@postfix.org On
Behalf Of ミユナ (alice)
Sent: Monday, 25 April 2022 06:27
To: Postfix users
Subject: password security
do you know how to stop passwords from being brute-forced for a mailserver? do
--- Original Message ---
On Monday, April 25th, 2022 at 05:26, ミユナ wrote:
> do you know how to stop passwords from being brute-forced for a
> mailserver? do you have any practical guide?
>
Simple. You've got two options:
a) Use strong passwords (and if you run an automated password ch
Hi,
do you know how to stop passwords from being brute-forced for a
mailserver? do you have any practical guide?
fail2ban is a proper solution on Linux machines against brute force
login attempts.
Greetings
Claus
--
Claus R. Wickinghoff, Dipl.-Ing.
using Linux since 1994 and still happy
do you know how to stop passwords from being brute-forced for a
mailserver? do you have any practical guide?
thank you.