[Users] Disallow users to authenticate with smtp / hardening Zimbra
Naisiew Yeak
yeak at md.com.my
Mon May 27 11:17:11 CEST 2019
Hi Barry,
We found some users are really not savvy enough to even use Google
Authenticator. A customer with a 2,000-user base said they recently switched to
2FA and faced the same amount of work as before. Before, there were requests to
change passwords. Now there are requests to reset the 2FA.
It would be good if there were an app installed on the phone, and when the user
logs in to Zimbra, it pops up in the app to tell the user about it. The user taps
"Yes, it is me" to continue.
Perhaps I am too nice to users?
Thanks.
On Mon, May 27, 2019 at 4:51 PM Barry de Graaff <info at barrydegraaff.tk>
wrote:
> Why not use this:
> https://github.com/Zimbra-Community/zimbra-foss-2fa
>
> Kind regards,
>
> Barry de Graaff
> Zeta Alliance
> Co-founder & Developer
> zetalliance.org | github.com/Zimbra-Community
>
> Signal: +31 617 220 227
> Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
>
> ------------------------------
> From: "Naisiew Yeak" <yeak at md.com.my>
> To: "Barry de Graaff" <info at barrydegraaff.tk>
> Cc: "Truong Anh Tuan" <tuanta at iwayvietnam.com>, "users" <
> users at lists.zetalliance.org>
> Sent: Monday, 27 May, 2019 10:50:08
> Subject: Re: [Users] Disallow users to authenticate with smtp /
> hardening Zimbra
>
> Hi All,
>
> Due to heavy attacks on Zimbra servers, I wonder if you all could consider
> designing the login process so that Zimbra's password becomes a passcode instead.
> What I mean is this: if the user accidentally leaks the password to a
> hacker, the hacker cannot use it to log in directly to Zimbra and use the
> services.
>
> How can this be done? Normally we use a login portal that accepts the real
> password. Then you click a button that has a pre-auth URL to jump into
> Zimbra. In this case the real password isn't at Zimbra. To allow
> smtp/pop/imap and other access at Zimbra, the login portal can have a
> function to assign a passcode to Zimbra. This passcode is the real password
> that actually logs in to Zimbra. Because this passcode is randomly
> generated with a length of 16 or 32, the user cannot tell the hacker about it.
> It is used to configure their device only. This concept is similar to 2FA App
> Passwords, except that it only takes one passcode.
>
> To further improve the idea, we could build this login portal right into
> Zimbra. Let's say Zimbra's LDAP password (userPassword) is the real
> password for you to log in to do password management only. Next you create
> another field (can reuse zimbraAppSpecificPassword) to actually store the
> password used by pop3/imap/smtp. This can be a standard crypt-based password.
> The services will be modified to refer to this zimbraAppSpecificPassword
> instead of userPassword. By doing so you split the password usage by
> service. Note: what is described is the concept.
>
> What do you think of this idea?
>
> Thanks.
>
>
>
> On Mon, May 27, 2019 at 3:53 PM Barry de Graaff <info at barrydegraaff.tk>
> wrote:
>
>> yeah, the smtp gateway is the best solution... but it is a lot
>> of overhead.
>>
>> Kind regards,
>>
>> Barry de Graaff
>> Zeta Alliance
>> Co-founder & Developer
>> zetalliance.org | github.com/Zimbra-Community
>>
>> Signal: +31 617 220 227
>> Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
>>
>> ----- Original Message -----
>> From: "Truong Anh Tuan" <tuanta at iwayvietnam.com>
>> To: users at lists.zetalliance.org
>> Sent: Monday, 27 May, 2019 09:36:38
>> Subject: Re: [Users] Disallow users to authenticate with smtp / hardening
>> Zimbra
>>
>> On 5/25/19 4:49 PM, Barry de Graaff wrote:
>> > Hello All,
>> >
>> > I have set up a hardened Zimbra server, that is, I firewalled
>> > pop/imap/http so that they are not available.
>> >
>> > Port 443 can only be reached via a VPN.
>> >
>> > So far so good.
>> >
>> > I am still seeing a bot-net trying to authenticate by using
>> > username/password combos on the smtp port though. So I set up a
>> > fail2ban-like script to ban IPs that are doing that.
>> >
>> > Please tell me if I am wrong, but if they succeed in getting the smtp
>> > credentials for an account, they can send out spam and do some spoofing,
>> > but they cannot get the user's data, right? As that cannot be fetched
>> > over smtp? Even without spamming, one can use the response from Zimbra
>> > to find out valid username/password combos. Which is bad, but not a big
>> > deal, because of the VPN.
>> >
>> > Other than using an smtp relay, what can I do to prevent user accounts
>> > being used to auth on smtp? I do not really need the feature on this
>> > server, but I cannot disable the port, because then no more mail could
>> > be delivered, right?
>> >
>> > Any suggestions? I still have 465/tcp, 587/tcp and 25 opened for smtp.
>>
>> Hi Barry et al,
>>
>> In this case, I think it's best to block the SMTP ports (465, 587 & 25) as
>> you did with IMAP/POP/HTTP (all behind VPN).
>>
>> For receiving emails from outside (other email systems), you can deploy
>> a separate SMTP gateway.
>> I have done it this way for almost all our systems with Postfix, plus
>> ASSP/MailScanner for another level of spam/virus filtering.
>>
>> --
>> Kind Regards,
>> Truong Anh Tuan
>> iWay Founder & CEO
>> M: 0903237001
>> P: (04)3537-8684
>> E: tuanta at iwayvietnam.com
>>
>>
>
> --
> Naisiew Yeak
> +60 12 5067818
>
>
> Zimbra • Linux • Security
>
> My Directory Sdn Bhd
> E-2-22, IOI Boulevard, Jalan Kenari 5, Bandar Puchong Jaya
> 47170 Puchong, Selangor, Malaysia.
>
--
Naisiew Yeak
+60 12 5067818
Zimbra • Linux • Security
My Directory Sdn Bhd
E-2-22, IOI Boulevard, Jalan Kenari 5, Bandar Puchong Jaya
47170 Puchong, Selangor, Malaysia.
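A fail2ban-style check of the kind Barry mentions in the quoted thread (banning IPs that keep failing SMTP AUTH), written here as an added example; it is not code from the thread, from Zimbra or from fail2ban. It assumes Zimbra's MTA is Postfix and that its smtpd writes the standard "SASL ... authentication failed" warning; the log lines, IP addresses, thresholds (5 failures in 600 s) and the year are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix (Zimbra's MTA) logs a failed SMTP AUTH attempt from smtpd as, e.g.:
#   May 27 10:00:01 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
# The regex captures the syslog timestamp and the client IP; the rest is ignored.
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [^\s\[]+\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL \w+ authentication failed"
)

# Syslog timestamps carry no year; one is assumed (year rollover is not handled here).
LOG_YEAR = 2019


def parse_syslog_ts(ts: str) -> datetime:
    """Turn 'May 27 10:00:01' into a datetime in LOG_YEAR."""
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


class SmtpAuthFailureTracker:
    """fail2ban-style sliding window: ban an IP once it produces `maxretry`
    SASL failures within `findtime` seconds (both values are assumptions)."""

    def __init__(self, maxretry: int = 5, findtime: int = 600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.events = defaultdict(deque)   # ip -> failure timestamps inside the window
        self.banned = set()

    def feed(self, line: str):
        """Consume one log line. Returns the IP if this line triggers a ban,
        otherwise None (non-matching lines and already-banned IPs give None)."""
        m = SASL_FAIL_RE.match(line)
        if not m:
            return None
        ts, ip = parse_syslog_ts(m["ts"]), m["ip"]
        window = self.events[ip]
        window.append(ts)
        # Drop failures older than findtime relative to this event.
        while window and ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry and ip not in self.banned:
            self.banned.add(ip)
            return ip
        return None

    def failures_in_window(self, ip: str) -> int:
        """Failures still inside the window for `ip` (0 if never seen)."""
        return len(self.events.get(ip, ()))


def find_offenders(lines, maxretry: int = 5, findtime: int = 600):
    """Run the tracker over an iterable of log lines; return IPs to ban, in order."""
    tracker = SmtpAuthFailureTracker(maxretry, findtime)
    return [ip for ip in map(tracker.feed, lines) if ip is not None]


# Constructed sample log (not real traffic): 203.0.113.5 fails six times in 20 s,
# 198.51.100.7 fails once, 192.0.2.9 fails five times but spread over 15 min.
SAMPLE_LOG = """\
May 27 10:00:01 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 27 10:00:04 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
May 27 10:00:07 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 27 10:00:10 mail postfix/smtpd[2102]: warning: mx.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
May 27 10:00:12 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 27 10:00:15 mail postfix/smtpd[2103]: connect from unknown[203.0.113.5]
May 27 10:00:18 mail postfix/smtpd[2103]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 27 10:00:20 mail postfix/smtpd[2103]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 27 10:20:00 mail postfix/smtpd[2104]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 27 10:21:00 mail postfix/smtpd[2104]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 27 10:22:00 mail postfix/smtpd[2104]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 27 10:23:00 mail postfix/smtpd[2104]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 27 10:35:00 mail postfix/smtpd[2104]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

if __name__ == "__main__":
    for ip in find_offenders(SAMPLE_LOG.splitlines()):
        print(f"ban {ip}")   # hand this to the firewall (an ipset/nft deny list, for instance)
```

On the sample, only 203.0.113.5 is banned: 192.0.2.9 reaches five failures, but by its fifth attempt the earlier four have aged out of the 600 s window, which is the same behaviour fail2ban's `findtime` gives. Feeding the script from `tail -F` on the Postfix log and passing the returned IPs to a firewall deny list is the remaining piece; the ban itself is deliberately not part of the example.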