ME 10.32 vs. Country Authentication Restrictions

Discussions on webmail and the Professional version.
dedicate-it.net
Posts: 2
Joined: Mon Feb 22, 2021 8:30 pm

ME 10.32 vs. Country Authentication Restrictions

Post by dedicate-it.net » Mon Feb 22, 2021 8:55 pm

My question is as follows:

When enabling Geo-restrictions for authentication and attack detection, does ME block the connection when it attempts the AUTH command, or does it "block" the AUTH command, which then still results in a pile of failed random login attempts that eventually still locks the account in question?

Reason being, we are being hassled by a ton of random IPs. They bang on the server for two or three attempts (to beat the rate limiting), then come back later, either from the same IP or different ones. We have enabled the geo-restrictions and it seems to have NO effect whatsoever (even after service restart). Additionally, with restrictions enabled, authentications are still permitted (verified by testing with a VPN to over a dozen blocklisted countries).

Please advise --

MailEnable-Ian
Site Admin
Posts: 9395
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: ME 10.32 vs. Country Authentication Restrictions

Post by MailEnable-Ian » Mon Feb 22, 2021 11:12 pm

Hi,

The authentication policy requires a connection in order for the AUTH command to be issued to the service. Therefore it will not prevent the connection, but it will prevent the authentication. Have you enabled the "Abuse detection and prevention" option within the "Localhost" properties under the "Policies" tab? This will ban an IP address after 10 invalid AUTH attempts for one hour.

https://www.mailenable.com/documentation/10.0/Enterprise/Localhost_-_Policies.html
Regards,

Ian Margarone
MailEnable Support

dedicate-it.net
Posts: 2
Joined: Mon Feb 22, 2021 8:30 pm

Re: ME 10.32 vs. Country Authentication Restrictions

Post by dedicate-it.net » Tue Feb 23, 2021 12:46 am

Understood on the topology --

In re: Abuse Prevention -

The issue is that the offending IPs only send one or two AUTH requests per IP, then disappear for over an hour, then come back. They're keen to the rate-limiting feature and time their hits based on a delay between repeated attempts. While this same behaviour also prevents them from locking legitimate email accounts in the same fashion (too many repeated attempts), it doesn't prevent the slow brute-force attacks that are happening.

Given that the GEO restrictions should prevent authentication, I find it interesting that when enabled, authentication from a "geo-restricted" IP is still possible and successful. I will test further and bring logfiles for diagnosis.

At this point, I feel we will have to work on a third-party solution to geo-restrict connections to the mail server. Our mail server has no real business communicating with IPs outside North and Central America/Europe. None of our clients or operations do business or communicate with most Far East or even Middle East countries. I understand this is not how the GEO-restrict feature is implemented in ME; rather, the connection is allowed, then the AUTH command is prevented when the IP defies the acceptable rules.

In this case, it appears to be a network of compromised servers. There are approximately 50 IPs involved; several of them try to open up "common accounts", others try to open up "known accounts that exist", and most of them also attempt to log in with the username wibbogup@<domainname>.<tld> (replace with chosen domain). Granted, this scenario is obviously not a ME problem, so I do thank you for your time on the matter.
