[Users] Disallow users to authenticate with smtp / hardening Zimbra
Barry de Graaff
info at barrydegraaff.tk
Mon May 27 11:19:05 CEST 2019
Yes, you are too nice; unfortunately your users need to learn a new trick, but I see your problem.
Kind regards,
Barry de Graaff
Zeta Alliance
Co-founder & Developer
zetalliance.org | github.com/Zimbra-Community
Signal: +31 617 220 227
Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
From: "Naisiew Yeak" <yeak at md.com.my>
To: "Barry de Graaff" <info at barrydegraaff.tk>
Cc: "Truong Anh Tuan" <tuanta at iwayvietnam.com>, "users" <users at lists.zetalliance.org>
Sent: Monday, 27 May, 2019 11:17:11
Subject: Re: [Users] Disallow users to authenticate with smtp / hardening Zimbra
Hi Barry,
We found some users are really not savvy enough to even use Google Authenticator. A customer with a 2,000-user base said they recently switched to 2FA and faced the same amount of work as before. Before, there were requests to change passwords. Now there are requests to reset the 2FA.
It would be good if there were an app installed on the phone and, when the user logs in to Zimbra, it pops up in the app to tell the user about it. The user taps "Yes, it is me" to continue.
Perhaps I am too nice to users?
Thanks.
On Mon, May 27, 2019 at 4:51 PM Barry de Graaff <info at barrydegraaff.tk> wrote:
Why not use this:
https://github.com/Zimbra-Community/zimbra-foss-2fa
Kind regards,
Barry de Graaff
Zeta Alliance
Co-founder & Developer
zetalliance.org | github.com/Zimbra-Community
Signal: +31 617 220 227
Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
From: "Naisiew Yeak" <yeak at md.com.my>
To: "Barry de Graaff" <info at barrydegraaff.tk>
Cc: "Truong Anh Tuan" <tuanta at iwayvietnam.com>, "users" <users at lists.zetalliance.org>
Sent: Monday, 27 May, 2019 10:50:08
Subject: Re: [Users] Disallow users to authenticate with smtp / hardening Zimbra
Hi All,
Due to heavy attacks on Zimbra servers, I wonder if you all could consider designing the login process so that Zimbra's password becomes a passcode instead. What I mean is this: if the user accidentally leaks the password to a hacker, the hacker cannot use it to log in directly to Zimbra to use the services.
How can this be done? Normally we use a login portal that accepts the real password. Then you click a button that has a pre-auth URL to jump into Zimbra. In this case the real password isn't at Zimbra. To allow smtp/pop/imap and other access at Zimbra, the login portal can have a function to assign a passcode to Zimbra. This passcode is the real password that actually logs in to Zimbra. Because this passcode is randomly generated with a length of 16 or 32, the user cannot tell the hacker about it. It is used to configure their device only. This concept is similar to a 2FA App Password, except that it only takes one passcode.
To further improve the idea, we could build this login portal right into Zimbra. Let's say Zimbra's LDAP password (userPassword) is the real password for you to log in to do password management only. Next you create another field (you can reuse zimbraAppSpecificPassword) to actually store the password used by pop3/imap/smtp. This can be a standard crypt-based password. The services will be modified to refer to this zimbraAppSpecificPassword instead of userPassword. By doing so you split the password usage into service-related passwords. Note: what is described is the concept.
What do you think of this idea?
Thanks.
On Mon, May 27, 2019 at 3:53 PM Barry de Graaff <info at barrydegraaff.tk> wrote:
yeah, the smtp gateway is the best solution... but it is a lot
of overhead.
Kind regards,
Barry de Graaff
Zeta Alliance
Co-founder & Developer
zetalliance.org | github.com/Zimbra-Community
Signal: +31 617 220 227
Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
----- Original Message -----
From: "Truong Anh Tuan" <tuanta at iwayvietnam.com>
To: users at lists.zetalliance.org
Sent: Monday, 27 May, 2019 09:36:38
Subject: Re: [Users] Disallow users to authenticate with smtp / hardening Zimbra
On 5/25/19 4:49 PM, Barry de Graaff wrote:
> Hello All,
>
> I have set-up a hardened Zimbra server, that is, I firewalled
> pop/imap/http so that is not available.
>
> Port 443 can only be reached via a VPN.
>
> So far so good,
>
> I am still seeing a bot-net trying to authenticate by using
> username/password combos
> on the smtp port though. So I set up a fail2ban-like script to ban IPs
> that are doing that.
>
> Please tell me if I am wrong, but if they succeed in getting the smtp
> credentials for an account,
> they can send out spam and do some spoofing, but they cannot get the
> users data right? As that
> cannot be fetched over smtp? Even without spamming, one can use the
> response from Zimbra
> to find out valid username/password combos. Which is bad, but not a big
> deal, because of the VPN.
>
> Other than using an smtp relay, what can I do to prevent user-accounts
> being used to auth on
> smtp? I do not really need the feature on this server, but I cannot
> disable the port, cause then no
> more mail could be delivered right?
>
> Any suggestions? I still have 465/tcp 587/tcp and 25 opened for smtp.
Hi Barry et al,
In this case, I think it's best to block the SMTP ports (465, 587 & 25) as
you did with IMAP/POP/HTTP (all behind the VPN).
For receiving emails from outside (other email systems), you can deploy
a separate SMTP gateway.
I have done it this way for almost all our systems with Postfix, plus
ASSP/MailScanner for another level of spam/virus filtering.
--
Kind Regards,
Truong Anh Tuan
iWay Founder & CEO
M: 0903237001
P: (04)3537-8684
E: tuanta at iwayvietnam.com
--
Naisiew Yeak
+60 12 5067818
Zimbra • Linux • Security
My Directory Sdn Bhd
E-2-22, IOI Boulevard, Jalan Kenari 5, Bandar Puchong Jaya
47170 Puchong, Selangor, Malaysia.
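Barry's original post mentions a fail2ban-like script that bans IPs hammering SMTP AUTH. As an added example (not the script from the thread and not anything shipped by Zimbra), the Python below reproduces the core of that decision over the "SASL ... authentication failed" warnings that postfix/smtpd writes to /var/log/zimbra.log: each source IP keeps a sliding window of findtime seconds, and the IP is banned once maxretry failures fall inside it. The log lines are constructed for the example, the thresholds are assumptions, and a year is assumed for the syslog timestamps because they carry none.

```python
"""Sliding-window detector for SMTP AUTH brute force against Zimbra's Postfix.

Added example: models a fail2ban-like ban decision over the 'SASL ... authentication
failed' warnings that postfix/smtpd writes to /var/log/zimbra.log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/zimbra.log lines (IPs are from documentation ranges).
SAMPLE_LOG = """\
May 27 09:31:02 mail postfix/smtpd[2210]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
May 27 09:31:09 mail postfix/smtpd[2210]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
May 27 09:31:15 mail postfix/smtpd[2214]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
May 27 09:31:20 mail postfix/smtpd[2214]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
May 27 07:10:00 mail postfix/smtpd[1990]: warning: office.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
May 27 09:40:00 mail postfix/smtpd[2230]: warning: office.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
May 27 11:05:00 mail postfix/smtpd[2301]: warning: office.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
May 27 09:32:00 mail postfix/smtpd[2216]: connect from unknown[192.0.2.9]
May 27 09:32:01 mail postfix/smtpd[2216]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: authentication failure
May 27 09:32:04 mail postfix/smtpd[2216]: disconnect from unknown[192.0.2.9]
"""

# Matches the Postfix smtpd SASL failure warning; host is "unknown" when rDNS fails.
SASL_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL (?P<mech>\w+) authentication failed"
)


def parse_failures(lines, year=2019):
    """Yield (timestamp, source_ip) for each SASL failure line; other lines are ignored.

    Syslog timestamps carry no year, so one is assumed here; a real tail would have
    to roll it over at New Year.
    """
    for line in lines:
        m = SASL_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_offenders(events, maxretry=3, findtime=600):
    """Return {ip: time_of_ban} for every IP with >= maxretry failures in a findtime-second window.

    Events are processed in time order; each IP keeps a deque of recent failures and
    entries older than the window are dropped from the front as it slides.
    """
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in sorted(events):
        if ip in banned:
            continue  # already decided; a real jail would also schedule the unban
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def ban_rules(banned, chain="INPUT"):
    """Render the ban decisions as iptables commands, one per IP, in a deterministic order."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    hits = find_offenders(parse_failures(SAMPLE_LOG.splitlines()))
    for ip, when in hits.items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
    print("\n".join(ban_rules(hits)))
```

Fed from `tail -F /var/log/zimbra.log`, this is the same decision fail2ban's stock `postfix-sasl` filter makes, so the stock jail is the less-overhead option where fail2ban is available. Whatever implements the ban, it only narrows the window for password spraying; it does not remove the fact that port 25 still answers AUTH for every account, which is the point of the gateway design discussed in the thread.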
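Tuan's suggestion is a separate Postfix gateway that takes port 25 from the Internet and hands the mail to the Zimbra MTA over the VPN, so the Zimbra box itself exposes no SMTP AUTH at all. As an added example (not Tuan's configuration and not anything from Zimbra), the fragment below is the minimal main.cf for such a gateway; the hostnames, the domain and the VPN address 10.8.0.2 of the Zimbra MTA are assumptions, and the ASSP/MailScanner layer he mentions sits in front of or inside this same Postfix and is not shown.

```ini
# /etc/postfix/main.cf on the gateway mx.example.com (added example; names and
# addresses are assumptions)
myhostname = mx.example.com
# The Zimbra MTA on the VPN may relay outbound mail through this host.
mynetworks = 127.0.0.0/8, [::1]/128, 10.8.0.0/24

# Pure relay: no mailboxes here and no SASL, so there is nothing for the bot-net
# to authenticate against. The weak variant is "smtpd_sasl_auth_enable = yes",
# which re-creates on the gateway exactly the attack surface removed from Zimbra.
smtpd_sasl_auth_enable = no
smtpd_tls_security_level = may

# Accept mail only for the domain Zimbra hosts, only for users that exist there,
# and route it to the Zimbra MTA over the VPN.
relay_domains = example.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
transport_maps = hash:/etc/postfix/transport
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain

# /etc/postfix/transport  (run "postmap /etc/postfix/transport" after editing)
example.com    smtp:[10.8.0.2]:25

# /etc/postfix/relay_recipients  (one line per valid mailbox; "postmap" it too)
alice@example.com    OK
```

With this in place the Zimbra host can firewall 25, 465 and 587 to everything except the gateway's VPN address, and outbound mail goes back through the gateway by pointing zimbraMtaRelayHost at it. Keep relay_recipients in sync with the accounts in Zimbra: without it the gateway accepts mail for non-existent users and then bounces it, which turns it into a backscatter source.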
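Naisiew's proposal has two portal-side pieces: a pre-auth URL that moves the browser session into Zimbra without the real password ever reaching it, and a randomly generated per-service passcode that is stored hashed and used only by mail clients. As an added example (not code from the thread, from Zimbra, or from the zimbra-foss-2fa project), the Python below computes a Zimbra preauth link the way the Zimbra preauth scheme defines it (lowercase hex HMAC-SHA1 over account|by|expires|timestamp with the domain preauth key, the value `zmprov gdpak` generates), models the server-side check of that link, and generates and verifies a service passcode. The hostname, account, key value, the 5-minute timestamp window, and the use of scrypt where the thread says "crypt based" are assumptions for illustration.

```python
"""Portal-side pieces of the split-password design (added example).

Part 1: Zimbra preauth hand-off, so the portal holds the real password and the
        browser reaches Zimbra through a signed, short-lived URL.
Part 2: a random per-service passcode for smtp/pop/imap, stored only as a slow
        salted hash (scrypt stands in for the crypt(3) hash the thread mentions).
"""
import hashlib
import hmac
import os
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values; a real domain key comes from "zmprov gdpak example.com".
PREAUTH_KEY = "6b7ead4bd425836e8cf0079cd6c1a05acc127acd07c8ee4b61023e19250e929c"
ZIMBRA_URL = "https://mail.example.com"
MAX_SKEW_MS = 5 * 60 * 1000  # assumed acceptance window for the link's timestamp


def preauth_token(account, key, timestamp_ms, expires=0, by="name"):
    """Zimbra preauth value: lowercase hex HMAC-SHA1 over 'account|by|expires|timestamp'."""
    msg = f"{account}|{by}|{expires}|{timestamp_ms}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha1).hexdigest()


def preauth_url(account, key=PREAUTH_KEY, base_url=ZIMBRA_URL, timestamp_ms=None, expires=0):
    """Build the /service/preauth link the portal's 'open mailbox' button points at."""
    ts = int(time.time() * 1000) if timestamp_ms is None else timestamp_ms
    query = {
        "account": account,
        "by": "name",
        "timestamp": ts,
        "expires": expires,
        "preauth": preauth_token(account, key, ts, expires),
    }
    return f"{base_url.rstrip('/')}/service/preauth?{urlencode(query)}"


def verify_preauth(url, key, now_ms, max_skew_ms=MAX_SKEW_MS):
    """Model of the server side: recompute the HMAC, compare in constant time, reject stale links."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        ts, expires = int(params["timestamp"]), int(params["expires"])
        account, by = params["account"], params.get("by", "name")
    except (KeyError, ValueError):
        return False
    if abs(now_ms - ts) > max_skew_ms:
        return False  # replay of an old link
    expected = preauth_token(account, key, ts, expires, by)
    return hmac.compare_digest(expected, params.get("preauth", ""))


# ---- Part 2: the per-service passcode --------------------------------------

def new_service_passcode(nbytes=24):
    """Random passcode the user pastes into a mail client once (24 bytes -> 32 URL-safe chars)."""
    return secrets.token_urlsafe(nbytes)


def hash_passcode(passcode, salt=None):
    """Return 'scrypt$<salt hex>$<hash hex>' for storage in the per-service attribute."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(passcode.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def check_passcode(stored, candidate):
    """Verify a candidate against the stored record; bad format and bad value both fail closed."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(candidate.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    link = preauth_url("alice@example.com")
    print("portal -> browser:", link)
    print("zimbra accepts:", verify_preauth(link, PREAUTH_KEY, int(time.time() * 1000)))
    code = new_service_passcode()
    record = hash_passcode(code)
    print("mail-client passcode:", code)
    print("stored:", record, "ok:", check_passcode(record, code))
```

The preauth link is only as secret as the domain key, so the portal has to sit on a host the bot-net cannot reach in the same way Barry's VPN protects 443; a leaked key lets anyone mint links for any account in the domain. The passcode half is what actually changes the SMTP picture: what the mail client sends over 587 is a 32-character random string the user never typed and cannot be phished for, and revoking it touches nothing but the one stored hash.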