IMAP defence

IMAP is the most widely used protocol for mailbox access, so an Internet-facing IMAP server draws a steady stream of password-guessing attempts. Fortunately, brute force attacks are easy to blunt by banning an offending IP address after a handful of failed logins.

Fail2Ban is a widely used open source intrusion prevention tool: it scans log files for authentication failures and bans the hosts responsible by adding firewall rules for a configurable period.

A full Fail2Ban configuration is outside the scope of this article; see the Fail2Ban site for how to install and configure it.

Logging is the foundation of this defence: the filter below relies on DBMail's "login rejected" message, which DBMail logs at the notice level, so make sure DBMail logs at least that level to the file the jail reads (dbmail-imap.err in the example below).

After you have installed and configured Fail2Ban, create a filter for the DBMail IMAP daemon's log file.

The filter file is fail2ban/filter.d/dbmailimap.local. It needs a [Definition] section and sets a single regex; <HOST> is Fail2Ban's placeholder for the address to ban, and the trailing :\d*\]$ skips the client's ephemeral source port and anchors the match to the end of the line.

[Definition]
failregex = login rejected: user \[.*\] from \[<HOST>:\d*\]$
ignoreregex =

The jail that enables the dbmailimap filter goes in fail2ban/jail.local.

Name the jail according to your needs; the following example bans with the native BSD firewall ipfw and is therefore called dbmailimap-ipfw. The filter line must match the basename of the filter file you created above.

[dbmailimap-ipfw]
enabled  = true
filter   = dbmailimap
action   = bsd-ipfw
logpath  = /var/log/dbmail/dbmail-imap.err
ignoreip = 127.0.0.1
logencoding = utf-8

Notice that ignoreip excludes 127.0.0.1. A webmail client running on the same machine connects to IMAP from the loopback address, so banning it after a few failed webmail logins would cut off every webmail user at once. Those attempts are instead picked up from the web server log, as described below.

Test the filter with fail2ban-regex against the real log file, for example fail2ban-regex /var/log/dbmail/dbmail-imap.err fail2ban/filter.d/dbmailimap.local, and check that the number of matched lines is what you expect. Then do a live test: deliberately fail to log in from another host enough times to hit maxretry, and confirm that its address appears in fail2ban-client status dbmailimap-ipfw and in the output of ipfw list.

Even without additional plugins, SquirrelMail login attempts can be counted in the web server log: the login form POSTs to src/redirect.php, and a burst of those requests from one address is suspicious. Note that a successful login goes through the same redirect, so this counts attempts rather than failures. Using an Apache access log line as an example:

mail.example.com IPAddress - - [DATE] "POST /src/redirect.php HTTP/1.1" 200 972 "https://example.com/src/login.php" "User agent"

Roundcube is more helpful: it returns 401 Unauthorized for a failed login attempt, so failures can be matched directly.

mail.example.com IPAddress - - [DATE] "POST /?_task=login HTTP/1.1" 401 5826 "https://example.com/" "User Agent"

A filter for this log format follows. The leading [0-9a-zA-Z._-]+ field is the virtual host name that this LogFormat writes first (%v), so adjust it if your log lines start differently; the regex also matches any 401 on the vhost, not only the login URL, so tighten the path if other parts of the site return 401.

[Definition]
failregex = ^[0-9a-zA-Z._-]+ <HOST> - - .*\"(GET|POST) .* HTTP/1.(0|1)\" 401 .*
ignoreregex =

Give the webmail jail a higher maxretry (and perhaps a shorter bantime) than the IMAP jail: a legitimate user mistyping a password produces exactly the same 401s as an attacker. Because webmail logins reach IMAP from 127.0.0.1, the web server log is the only place where these attempts can be attributed to the client's real address.
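To see the logic of both jails end to end, here is an added example (my own, not code from the article, from DBMail or from Fail2Ban) that replays the two filters above over constructed log lines with a small Fail2Ban-style counter: a host is banned after maxretry failures within findtime seconds, ignoreip exempts the webmail host from the IMAP jail, and the webmail jail gets a more forgiving maxretry. It assumes a simplified stand-in for Fail2Ban's <HOST> tag, an invented DBMail syslog prefix on the sample lines, and timestamps supplied beside each line instead of being parsed from it; the jail parameters and sample addresses are illustrative.

```python
# Simplified Fail2Ban-style jail evaluation for the two filters in this article.
# Added demonstration, not code from the article or from Fail2Ban. Assumptions:
# Fail2Ban's <HOST> tag is stood in for by a plain non-space pattern, timestamps
# are carried beside each line instead of parsed from it, and the DBMail syslog
# prefix on the sample lines is invented.
import ipaddress
import re
from collections import defaultdict, deque

HOST = r"(?P<host>\S+)"   # stand-in for <HOST> (the real tag also handles IPv6/hostnames)

# The DBMail IMAP filter from the article, with <HOST> substituted.
DBMAIL_IMAP_FAILREGEX = r"login rejected: user \[.*\] from \[" + HOST + r":\d*\]$"
# The Roundcube 401 filter from the article (access log with the vhost name first).
ROUNDCUBE_FAILREGEX = (r"^[0-9a-zA-Z._-]+ " + HOST +
                       r' - - .*"(GET|POST) .* HTTP/1.(0|1)" 401 .*')


def extract_host(failregex, line):
    """Return the host captured by failregex, or None if the line is not a failure."""
    m = re.search(failregex, line)
    return m.group("host") if m else None


class Jail:
    """Counts failures per host; bans after maxretry failures within findtime seconds."""

    def __init__(self, name, failregex, maxretry, findtime, ignoreip=()):
        self.name, self.failregex = name, failregex
        self.maxretry, self.findtime = maxretry, findtime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.banned = {}                    # host -> timestamp of the ban

    def _ignored(self, host):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False                    # hostnames are never in ignoreip here
        return any(addr in net for net in self.ignore)

    def feed(self, ts, line):
        """Feed one log line; return the host if this line triggers a ban, else None."""
        host = extract_host(self.failregex, line)
        if host is None or self._ignored(host) or host in self.banned:
            return None
        recent = self.failures[host]
        recent.append(ts)
        while recent and ts - recent[0] > self.findtime:
            recent.popleft()                # forget failures older than findtime
        if len(recent) >= self.maxretry:
            self.banned[host] = ts
            recent.clear()
            return host
        return None


def constructed_imap_log():
    """Constructed DBMail-style lines (syslog prefix assumed), timestamps in seconds."""
    def rej(user, host, port):
        return f"mail dbmail-imapd[2153]: login rejected: user [{user}] from [{host}:{port}]"
    return [
        (0, rej("alice", "203.0.113.5", 51234)),
        (15, rej("alice", "203.0.113.5", 51240)),
        (40, rej("admin", "203.0.113.5", 51251)),      # third failure in 40 s: ban
        (50, rej("bob", "127.0.0.1", 40001)),          # webmail on the same host:
        (55, rej("bob", "127.0.0.1", 40002)),          # in ignoreip, never banned
        (60, rej("bob", "127.0.0.1", 40003)),
        (70, rej("carol", "198.51.100.7", 33001)),
        (900, rej("carol", "198.51.100.7", 33002)),    # second failure outside findtime
        (910, "mail dbmail-imapd[2153]: login accepted: user [carol] from [198.51.100.7:33003]"),
    ]


def constructed_apache_log():
    """Constructed Roundcube lines in the access-log shape shown in the article."""
    def req(host, ts, status):
        return (f"mail.example.com {host} - - [05/Oct/2023:12:{ts // 60:02d}:{ts % 60:02d} +0000] "
                f'"POST /?_task=login HTTP/1.1" {status} 5826 "https://example.com/" "Mozilla/5.0"')
    lines = [(10 * i, req("192.0.2.77", 10 * i, 401)) for i in range(10)]  # 10 failures in 90 s
    lines += [(100 + 30 * i, req("203.0.113.9", 100 + 30 * i, 401)) for i in range(4)]  # 4 typos
    lines.append((220, req("203.0.113.9", 220, 200)))  # then a successful login: no match
    return sorted(lines)


def run_demo():
    """Run both jails over the constructed logs; return {jail name: [banned hosts]}."""
    jails = [
        (Jail("dbmailimap-ipfw", DBMAIL_IMAP_FAILREGEX, maxretry=3, findtime=600,
              ignoreip=("127.0.0.1",)), constructed_imap_log()),
        # The webmail jail is more forgiving: users mistyping passwords also produce 401s.
        (Jail("roundcube", ROUNDCUBE_FAILREGEX, maxretry=10, findtime=600), constructed_apache_log()),
    ]
    return {jail.name: [h for h in (jail.feed(ts, line) for ts, line in log) if h]
            for jail, log in jails}


if __name__ == "__main__":
    for name, bans in run_demo().items():
        print(f"{name}: banned {bans or 'nobody'}")
```

Running it bans 203.0.113.5 in the IMAP jail (three rejections in 40 seconds) but not 127.0.0.1 (ignoreip) or 198.51.100.7 (two rejections more than findtime apart), and bans 192.0.2.77 in the webmail jail while the user at 203.0.113.9 who mistyped four times and then logged in is left alone. The same two regexes, unchanged apart from the <HOST> substitution, are what fail2ban-regex would apply to the real log files.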