
Does (Zimbra using) Postfix have an option to whitelist IPs or domains for IMAP logins for a specific mailbox only?

This is what we would like to achieve:

  • all IPs can open an IMAP connection on port 993 with valid a@example.com credentials
  • all IPs can open an IMAP connection on port 993 with valid b@example.com credentials
  • only 1.2.3.4, 3.4.5.0/24 and foo.example.com can open an IMAP connection on port 993 with valid c@example.com credentials

Preferably, when someone from 4.5.6.7 tries to open an IMAP session with c@example.com credentials, the same error should be returned as for an unsuccessful login attempt due to a wrong password or a non-existent recipient address, with the same timeout (e.g. 10 seconds).

Background: our mailserver (Zimbra using Postfix) is under intermittent attacks on specific mailboxes resulting in those mailboxes getting locked out due to the number of failed IMAP login attempts per hour for that mailbox. The login attempts are coming as a slow trickle from unique IPs (2-3 login attempts per minute on the same mailbox) so banning IPs is not a solution. Increasing the number of failed attempts per hour limit only allows the attack to proceed and opens the door for larger concurrent attacks.

Firewalling the IMAP port is not an option since we would like to keep access open from outside the VPN/corporate network except for those mailboxes that are under a current/persistent attack. Inspecting the traffic there is also not possible since it's encrypted.

So we are looking for something like postscreen_access_list but for specific recipients only as we would like to limit access only to those mailboxes that are under attack.

imapq
  • What are you using for DDoS protection? – sebix Nov 26 '18 at 20:56
  • We don't have a specific service like Cloudflare if you mean that and currently no DNS blacklists configured. – imapq Nov 27 '18 at 13:17
  • You speak about "Postfix DDoS mitigation", what is it? – sebix Nov 27 '18 at 20:44
  • We are experiencing what I think can be termed a DDoS since mailboxes get locked out and I'm looking for a mitigation. This in combination with Postfix yields the subject. I didn't mean to imply I'm looking for a mitigation for Postfix, but for a mitigation for the DDoS, if there is one using a mechanism in Postfix, or a Zimbra construct of some sort, or any other ideas are welcome. But I'm mainly curious if there is such a possibility in Postfix itself. – imapq Nov 28 '18 at 10:23
  • So you are looking for a firewall with the possibility of whitelisting? – sebix Nov 28 '18 at 17:47
  • If that firewall is somehow capable of distinguishing between what mailbox the IMAP session is opened to, then sure. It would need to deal with the encryption too. – imapq Nov 29 '18 at 13:40
  • Found not quite an answer to the specific question but a partial solution to the underlying problem: Zimbra has an option to disable (external) IMAP for the specific mailbox; this prevents login attempts at least, so brute force guessing no longer works, at least via IMAP. There are two separate options, one for "external IMAP", not sure yet what the difference is, disabled both for now. – imapq Jan 03 '19 at 16:24

1 Answer

I'd look at fail2ban first. It is quite simple and does not require any more hardware or network setups. fail2ban works by watching logfiles and then blocking IPs with iptables/nftables etc.

The patterns to look for in logfiles can be defined - thus you can exclude the logins for certain mailboxes by excluding them in the regular expression.

fail2ban can't mitigate all kinds of DDoS but it is the first tool I'd look at. Also, you did not provide any more details about your needs and what kind of attacks you are faced with.

For every "jail" in fail2ban there are failregex and ignoreregex entries. Just insert the according regular expressions there.

sebix
  • fail2ban will not be useful in this instance since the attack is coming from unique IPs each time (I did specify this above). It also doesn't answer the question whether there is a way to white/blacklist for certain mailboxes only, iptables will filter for all. – imapq Dec 10 '18 at 12:54
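The following is an added example (not code from the answer's author, the question's author, or the fail2ban project) that reproduces what a fail2ban jail does with the failregex/ignoreregex pair the answer describes, run over a handful of constructed log lines. The log layout, the `ImapServer` thread names, the `[ip=...;]` field, the mailbox names and the `maxretry` value of 3 are all assumptions for illustration; a real Zimbra audit.log may differ, so the patterns must be adjusted to the actual format. It also makes the objection in the last comment concrete: counting per source IP, the two attempts against c@example.com from distinct addresses never reach `maxretry`, while a per-mailbox view of the same lines shows the count that triggers the mailbox lockout.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a Zimbra-audit-log-like layout (assumption:
# the real audit.log format may differ; check yours and adjust the regexes).
SAMPLE_LOG = """\
2018-11-26 10:00:01,001 INFO [ImapServer-1] [ip=4.5.6.7;] security - cmd=Auth; account=c@example.com; protocol=imap; error=authentication failed;
2018-11-26 10:00:31,002 INFO [ImapServer-2] [ip=4.5.6.8;] security - cmd=Auth; account=c@example.com; protocol=imap; error=authentication failed;
2018-11-26 10:01:02,003 INFO [ImapServer-3] [ip=9.9.9.9;] security - cmd=Auth; account=a@example.com; protocol=imap; error=authentication failed;
2018-11-26 10:01:05,004 INFO [ImapServer-3] [ip=9.9.9.9;] security - cmd=Auth; account=a@example.com; protocol=imap; error=authentication failed;
2018-11-26 10:01:07,005 INFO [ImapServer-3] [ip=9.9.9.9;] security - cmd=Auth; account=b@example.com; protocol=imap; error=authentication failed;
2018-11-26 10:01:09,006 INFO [ImapServer-3] [ip=9.9.9.9;] security - cmd=Auth; account=a@example.com; protocol=imap; error=authentication failed;
2018-11-26 10:01:20,007 INFO [ImapServer-4] [ip=1.2.3.4;] security - cmd=Auth; account=c@example.com; protocol=imap;
"""

# fail2ban-style patterns. <HOST> is the placeholder fail2ban substitutes with
# its own host-capturing group; compile_failregex() does a simplified version.
# The equivalent filter stanza (file name assumed) would be:
#   [Definition]
#   failregex = \[ip=<HOST>;\] security - cmd=Auth; account=[^;]+; protocol=imap; error=authentication failed
#   ignoreregex = account=b@example\.com;
FAILREGEX = (r"\[ip=<HOST>;\] security - cmd=Auth; account=(?P<account>[^;]+); "
             r"protocol=imap; error=authentication failed")
# A line matching ignoreregex is never counted: this is where the answer says
# to exclude individual mailboxes from the jail (b@example.com here, as an example).
IGNOREREGEX = r"account=b@example\.com;"
MAXRETRY = 3  # assumed jail setting


def compile_failregex(pattern):
    """Replace fail2ban's <HOST> placeholder with a named capture group."""
    return re.compile(pattern.replace("<HOST>", r"(?P<host>[0-9a-fA-F.:]+)"))


def evaluate(log_text, failregex=FAILREGEX, ignoreregex=IGNOREREGEX, maxretry=MAXRETRY):
    """Return (failures per source IP, IPs that would be banned), as a jail counts them."""
    fail_re = compile_failregex(failregex)
    ignore_re = re.compile(ignoreregex)
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = fail_re.search(line)
        if m and not ignore_re.search(line):
            failures[m.group("host")] += 1
    banned = sorted(ip for ip, n in failures.items() if n >= maxretry)
    return dict(failures), banned


def failures_per_account(log_text, failregex=FAILREGEX):
    """Failures grouped by mailbox, then by IP: the view a per-mailbox lockout sees.
    ignoreregex is deliberately not applied here."""
    fail_re = compile_failregex(failregex)
    per_account = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = fail_re.search(line)
        if m:
            per_account[m.group("account")][m.group("host")] += 1
    return {acct: dict(ips) for acct, ips in per_account.items()}


if __name__ == "__main__":
    failures, banned = evaluate(SAMPLE_LOG)
    print("failures per IP:", failures)
    print("would ban:", banned)
    print("per mailbox:", failures_per_account(SAMPLE_LOG))
```

With these lines, only 9.9.9.9 crosses `maxretry` (its attempt against b@example.com is dropped by ignoreregex), while c@example.com has accumulated two failures from two different addresses that a per-IP jail never acts on. That is the gap between what fail2ban counts (source IP) and what the mailbox lockout counts (account).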