IMAP defence
IMAP is the most popular service for email and gets considerable attention from cyber threats. Fortunately it's easy to defend against brute force attacks by banning an offending IP address. You will learn about the two attack vectors and how to identify and defend against them. POP and Sieve need protection as well to ensure they're not the weakest link; protecting them is exactly the same as for IMAP, just with different log files.
Fail2Ban is a leading open source attack detection and prevention tool that bans hosts causing multiple authentication errors. A full Fail2Ban installation and configuration is outside the scope of this how-to; please see the Fail2Ban site for installation and configuration instructions.
It's essential to log activity; failed login attempts are logged at the notice level. There are two logs of interest:
- dbmail imap log
- webmail log
The dbmail log identifies failed login attempts made directly against the IMAP service on ports 143 and 993, but it should ignore attempts arriving via the webmail service, because dbmail only sees the webmail server's address and not the originating IP address.
The webmail log can identify the IP address of failed login attempts, and after a set number of failed attempts that IP address should be banned.
After you have installed and configured Fail2Ban you need to create a filter for dbmail-imapd log files.
The filter file is fail2ban/filter.d/dbmailimap.local and sets a single regex.
failregex = login rejected: user \[.*\] from \[<HOST>:\d*\]$
The configuration file that enables dbmailimap is in fail2ban/jail.local.
Name the jail according to your needs; the following example uses the native BSD firewall ipfw and so is named dbmailimap-ipfw.
[dbmailimap-ipfw]
enabled = true
filter = dbmailimap
action = bsd-ipfw
logpath = /var/log/dbmail/dbmail-imap.err
ignoreip = 127.0.0.1 ::1
logencoding = utf-8
Notice that failed webmail attempts from 127.0.0.1 and ::1 are ignored; add your webmail server's address if it runs on another host.
It's important to test the setup with fail2ban-regex and a live test to ensure failed logins are blocked.
Even without additional plugins, failed SquirrelMail attempts can be used to identify threats by counting login redirects. Using an Apache log file as an example:
mail.example.com IPAddress - - [DATE] "POST /src/redirect.php HTTP/1.1" 200 972 "https://example.com/src/login.php" "User agent"
Roundcube is more helpful, as it returns 401 Unauthorized for failed login attempts.
mail.example.com IPAddress - - [DATE] "POST /?_task=login HTTP/1.1" 401 5826 "https://example.com/" "User Agent"
failregex = ^[0-9a-zA-Z._-]+ <HOST> - - .*\"(GET|POST) .* HTTP/1.(0|1)\" 401 .*
You'll probably need to be more forgiving about these failed logins, as users may simply be mistyping their passwords.
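As an added example (not part of this how-to or of Fail2Ban itself), the script below replays both failregex lines from this page, the dbmail one and the Roundcube one, over constructed log lines, honours ignoreip the way the jail does, and applies a per-jail maxretry so you can see why the webmail jail wants a higher threshold. The HOST_RE stand-in for Fail2Ban's <HOST> expansion and the dbmail line prefix are assumptions; fail2ban-regex remains the authoritative check.

```python
import re
from collections import Counter

# Fail2Ban expands <HOST> to a pattern for an IPv4/IPv6 address or hostname.
# Simplified stand-in used here (assumption: dotted IPv4 or bare IPv6 only).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"

# The two failregex lines from this how-to.
DBMAIL_FAILREGEX = r"login rejected: user \[.*\] from \[<HOST>:\d*\]$"
WEBMAIL_FAILREGEX = r'^[0-9a-zA-Z._-]+ <HOST> - - .*\"(GET|POST) .* HTTP/1.(0|1)\" 401 .*'

# Constructed sample log lines (not real traffic; addresses from RFC 5737 test ranges).
# The "Notice:[imap]" prefix is an assumption about the dbmail-imapd line layout.
DBMAIL_LOG = [
    "Notice:[imap] login rejected: user [alice] from [203.0.113.5:51234]",
    "Notice:[imap] login rejected: user [alice] from [203.0.113.5:51240]",
    "Notice:[imap] login rejected: user [bob] from [203.0.113.5:51251]",
    "Notice:[imap] login rejected: user [carol] from [127.0.0.1:40002]",  # via webmail, ignored
    "Notice:[imap] login accepted: user [dave] from [198.51.100.7:6001]",
]
WEBMAIL_LOG = [
    'mail.example.com 198.51.100.7 - - [DATE] "POST /?_task=login HTTP/1.1" 401 5826 "https://example.com/" "UA"',
    'mail.example.com 198.51.100.7 - - [DATE] "POST /?_task=login HTTP/1.1" 401 5826 "https://example.com/" "UA"',
    'mail.example.com 198.51.100.7 - - [DATE] "POST /?_task=login HTTP/1.1" 200 972 "https://example.com/" "UA"',
    'mail.example.com 203.0.113.9 - - [DATE] "GET /?_task=mail HTTP/1.1" 200 4120 "-" "UA"',
]

def compile_failregex(failregex):
    """Turn a Fail2Ban failregex into a Python pattern by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def count_failures(lines, failregex, ignoreip=("127.0.0.1", "::1")):
    """Failed logins per host, skipping addresses listed in ignoreip (as the jail does)."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        m = pattern.search(line)
        if m and m.group("host") not in ignoreip:
            counts[m.group("host")] += 1
    return counts

def hosts_to_ban(counts, maxretry):
    """Hosts at or over maxretry, mirroring Fail2Ban's ban decision within findtime."""
    return sorted(host for host, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    imap = count_failures(DBMAIL_LOG, DBMAIL_FAILREGEX)
    web = count_failures(WEBMAIL_LOG, WEBMAIL_FAILREGEX)
    print("imap failures:", dict(imap), "ban:", hosts_to_ban(imap, maxretry=3))
    print("webmail failures:", dict(web), "ban:", hosts_to_ban(web, maxretry=5))
```

The 127.0.0.1 rejection is matched but never counted, which is exactly the behaviour the jail's ignoreip line is there to produce.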