drop connection on auth failure
I should like exim to drop the connection on a client AUTH failure.
(Because as soon as it's seen in the log, fail2ban will DROP the client IP,
and so the exim process will hang around until the SMTP session times
out.)

However, I can't see a way to do this. Am I missing something in the
docs?



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: drop connection on auth failure
On 15/07/2022 13:54, Julian Bradfield via Exim-users wrote:
> However, I can't see a way to do this. Am I missing something in the
> docs?

Sneaky: use an expansion in the server_condition, which when failing
deliberately goes on to try to expand *the content of* a known-tainted
variable ($sender_helo_name should be usable for this).

This will crash that exim process, hence dropping the connection.

Mind, it'll probably do it before logging anything too, so for your
fail2ban to still work you probably want to use an acl expansion
and logwrite, before that.



You could raise a wishlist-level bug asking for a neater way.

--
Cheers,
Jeremy

Re: drop connection on auth failure
On 15/07/2022 14:17, Jeremy Harris via Exim-users wrote:
> This will crash that exim process, hence dropping the connection.

No, I'm mistaken.

Could you set up your fail2ban to be less aggressive?
--
Cheers,
Jeremy

Re: drop connection on auth failure
On Fri, Jul 15, 2022 at 01:54:56PM +0100, Julian Bradfield via Exim-users wrote:
> I should like exim to drop the connection on a client AUTH failure.
> (Because as soon it's seen in the log, fail2ban will DROP the client IP,
> and so the exim process will hang around until the SMTP session times
> out.)

Note that fail2ban is not a realtime service, it scans logs in a timely
manner (typically by cron, every 10-15 min). So the probability of an
active connection being blocked by fail2ban is very low.

Nevertheless, if you want to keep active connections unblocked, you may
insert before fail2ban's rules your own rule, which allows packets for
established connections to pass. Example for Linux:

iptables -I INPUT 1 -p tcp -m multiport --destination-ports 25,465,587 \
-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--
Eugene Berdnikov

Re: drop connection on auth failure
Hi,

On Fri, 15 Jul 2022 17:12:48 +0300, Evgeniy Berdnikov via Exim-users
<exim-users@exim.org> wrote:

> Note that fail2ban is not a realtime service, it scans logs in a timely
> manner (typically by cron, every 10-15 min). So the probability of an
> active connection being blocked by fail2ban is very low.

I do not know how you are using fail2ban, but my usage is without
cron. It uses inotify on regular files and/or the systemd journal on the
fly, both of which are near real time.

Comparing the latest fail2ban version's log processing time with the
logline time, I do not see more than some hundreds of ms difference, e.g.:

2022-07-15 15:19:07,431 fail2ban.filter [247]: INFO [exim]
Found 49.85.88.74 - 2022-07-15 15:19:07 2022-07-15 15:19:14,820

It shows no more than a 400 ms offset, so yes, it is not real time,
but near...

To OP: I would not suggest using such aggressive bans at all, as a lot
of hosts try only once and then go away, thus banning them is only a
waste of resources...

You can use AUTH attempt counting in the AUTH ACL and then do something with
this value, e.g. (I do not drop this way, so this is only an idea):

  warn  set acl_c_authcnt = ${eval10:$acl_c_authcnt+1}

  drop  condition = ${if >{$acl_c_authcnt}{1}}
        condition = $authentication_failed
        logwrite  = H=$sender_fullhost LAST FAILed: \
                    $authenticated_fail_id

(BTW, last log with "LAST FAILed" was 25 days ago)

I recently discovered (OK, I upgraded it) fail2ban's bantime auto-
increment, which I see as very useful for banning these toxic hosts and,
with a short initial bantime, relatively acceptable when dealing with
false positives:

fail2ban-client get exim banip --with-time
93.189.43.77 2022-07-15 07:24:12 + 86400 = 2022-07-16 07:24:12
104.144.69.131 2022-07-14 10:43:53 + 432000 = 2022-07-19 10:43:53
188.138.75.115 2022-07-14 22:05:07 + 604800 = 2022-07-21 22:05:07
...

...here you can see bantimes from 1 to 7 days.

regards

--
Slavko
https://www.slavino.sk
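An added example (not from Slavko, Exim or fail2ban) that works through the two fail2ban-side ideas in the post above on constructed Exim log lines: counting AUTH failures per client IP, and fail2ban's bantime auto-increment, where each repeat ban of the same IP lasts longer up to a cap, which is what produces the 1-to-7-day spread in the "fail2ban-client get exim banip --with-time" output. The "authenticator failed for ... [ip]" line format is Exim's mainlog format as remembered here, the "LAST FAILed" line is the custom logwrite from the ACL snippet, the doubling rule is an assumption modelled on fail2ban's default bantime.formula, and the IPs, usernames and timestamps are made up.

```python
"""fail2ban-style scanning of Exim AUTH failures with escalating bans.

Added example, not code from Exim, fail2ban or any poster.  Log lines are
constructed; the "authenticator failed for ... [ip]" form is Exim's mainlog
format as remembered here, the "LAST FAILed" line is the custom logwrite
from the thread's ACL snippet, and the doubling rule is an assumption
modelled on fail2ban's default bantime.formula (bantime * 2**count,
capped at bantime.maxtime).
"""
import re
from datetime import datetime, timedelta

AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\S+ authenticator failed for |H=).*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\](?:: 535 | LAST FAILed: )"
)

def parse_failure(line):
    """Return (timestamp, client ip) for an AUTH failure line, else None."""
    m = AUTH_FAIL_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]

class Jail:
    """Bans an IP after maxretry failures within findtime seconds."""

    def __init__(self, maxretry=3, findtime=600, bantime=86400,
                 maxtime=7 * 86400, increment=True):
        self.maxretry, self.findtime = maxretry, timedelta(seconds=findtime)
        self.bantime, self.maxtime = bantime, maxtime   # initial length, cap
        self.increment = increment      # like fail2ban's bantime.increment
        self.failures = {}              # ip -> recent failure timestamps
        self.banned_until = {}          # ip -> datetime the current ban ends
        self.ban_count = {}             # ip -> bans issued so far
        self.bans = []                  # (ip, start, seconds), in order

    def next_bantime(self, ip):
        if not self.increment:
            return self.bantime
        n = min(self.ban_count.get(ip, 0), 20)
        return min(self.bantime * (1 << n), self.maxtime)

    def is_banned(self, ip, at):
        until = self.banned_until.get(ip)
        return until is not None and at < until

    def feed(self, line):
        """Process one log line; return (ip, seconds) when a ban starts."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, ip = parsed
        if self.is_banned(ip, ts):
            return None                 # already banned, nothing new to do
        recent = [t for t in self.failures.get(ip, []) if ts - t <= self.findtime]
        recent.append(ts)
        self.failures[ip] = recent
        if len(recent) < self.maxretry:
            return None
        seconds = self.next_bantime(ip)
        self.ban_count[ip] = self.ban_count.get(ip, 0) + 1
        self.banned_until[ip] = ts + timedelta(seconds=seconds)
        self.failures[ip] = []          # count afresh once the ban expires
        self.bans.append((ip, ts, seconds))
        return ip, seconds

def scan(log, **jail_options):
    """Feed every line of a log text to a fresh Jail and return it."""
    jail = Jail(**jail_options)
    for line in log.splitlines():
        jail.feed(line)
    return jail

def format_bans(jail):
    """Lines shaped like `fail2ban-client get <jail> banip --with-time`."""
    return ["%s %s + %d = %s" % (ip, start, secs, start + timedelta(seconds=secs))
            for ip, start, secs in jail.bans]

# Constructed sample: a bot that returns every few days with three quick
# username guesses, and a legitimate user who mistypes a password once.
BOT = "49.85.88.74"
FAIL = ("{day} {time} login authenticator failed for (ylmf-pc) [{ip}]: "
        "535 Incorrect authentication data (set_id={user})")

def bot_burst(day, hour):
    return [FAIL.format(day=day, time="%s:00:%02d" % (hour, i), ip=BOT, user=u)
            for i, u in enumerate(("info", "admin", "sales"))]

SAMPLE_LOG = "\n".join(
    bot_burst("2022-07-15", "15")       # burst 1 -> 1 day ban
    + ["2022-07-15 15:25:00 <= bob@example.org H=laptop [192.0.2.20] P=esmtpsa S=1234",
       "2022-07-15 15:30:02 H=(laptop) [192.0.2.20] LAST FAILed: bob"]
    + bot_burst("2022-07-17", "10")     # burst 2 -> 2 days
    + bot_burst("2022-07-20", "10")     # burst 3 -> 4 days
    + bot_burst("2022-07-25", "10")     # burst 4 -> capped at 7 days
)

if __name__ == "__main__":
    print("\n".join(format_bans(scan(SAMPLE_LOG))))
```

Run stand-alone it prints the four bans for the bot in the same shape as the fail2ban-client output above (1, 2, 4 and then 7 days, the last one capped by maxtime), while the legitimate user's single typo never reaches maxretry and is never banned. With increment=False every ban stays at the initial bantime, which is the trade-off the post describes: a short flat bantime limits the damage of a false positive but lets a returning bot back in just as quickly each time.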
Re: drop connection on auth failure
On 2022-07-15, Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
> On 15/07/2022 14:17, Jeremy Harris via Exim-users wrote:
>> This will crash that exim process, hence dropping the connection.
> No, I'm mistaken.
> Could you set up your fail2ban to be less aggressive?

Of course I could, but I don't want to!

Re: drop connection on auth failure
On 2022-07-15, Evgeniy Berdnikov via Exim-users <exim-users@exim.org> wrote:
> On Fri, Jul 15, 2022 at 01:54:56PM +0100, Julian Bradfield via Exim-users wrote:
>> I should like exim to drop the connection on a client AUTH failure.
>> (Because as soon it's seen in the log, fail2ban will DROP the client IP,
>> and so the exim process will hang around until the SMTP session times
>> out.)
>
> Note that fail2ban is not a realtime service, it scans logs in a timely
> manner (typically by cron, every 10-15 min). So the probability of an
> active connection being blocked by fail2ban is very low.

Yes, it is a realtime service, at least in my system.

> Nevertheless, if you want to keep active connections unblocked, you may
> insert before fail2ban's rules your own rule, which allows packets for
> established connections to pass. Example for Linux:
>
> iptables -I INPUT 1 -p tcp -m multiport --destination-ports 25,465,587 \
> -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Ah, I'm not well up on iptables, so hadn't thought of that. Thanks!

Re: drop connection on auth failure
On 2022-07-15, Slavko via Exim-users <exim-users@exim.org> wrote:
> To OP: I would not suggest using such aggressive bans at all, as a lot
> of hosts try only once and then go away, thus banning them is only a
> waste of resources...

Not my experience. A large number of hosts try every hour or two -
presumably they're part of a distributed net working its way through
possible credentials. (Why they think any of these addresses might
exist, I do not know - most of them don't.)
By implementing a 10-day ban for any auth failure, the number of
attempts per day drops by a factor of 5 to 8.

> You can use AUTH attempt counting in the AUTH ACL and then do something with
> this value, e.g. (I do not drop this way, so this is only an idea):
>
> warn set acl_c_authcnt = ${eval10:$acl_c_authcnt+1}
>
> drop condition = ${if >{$acl_c_authcnt}{1}}
> condition = $authentication_failed
> logwrite = H=$sender_fullhost LAST FAILed: \
> $authenticated_fail_id

That only works on multiple AUTHs in the same session, doesn't it?

> I recently discovered (OK, I upgraded it) fail2ban's bantime auto-
> increment, which I see as very useful for banning these toxic hosts and,
> with a short initial bantime, relatively acceptable when dealing with
> false positives:

Interesting, thanks. I don't know whether that's on my system (I
cannot be bothered with custom installations these days), but I'll
check.

Re: drop connection on auth failure
On 15/07/2022 17:11, Julian Bradfield via Exim-users wrote:
> Not my experience. A large number of hosts try every hour or two -

My practice, and I think it would help with this sort of
attacker, is to delay the auth response for a fail.
By 15 or 20 seconds. Most drop off by about ten, so
a) you've slowed them down and wasted their time
b) they never got an answer either way
c) it costs you very little (unless you're a far, far bigger
site than any of mine)

--
Cheers,
Jeremy

Re: drop connection on auth failure
On 2022-07-15, Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
> My practice, and I think it would help with this sort of
> attacker, is to delay the auth response for a fail.
> By 15 or 20 seconds. Most drop off by about ten, so

How do you do this? Abusing server_condition doesn't work, as it's
only expanded if the base authentication succeeds.
(My authentication method is cram-md5.)

Re: drop connection on auth failure
On 15/07/2022 20:19, Julian Bradfield via Exim-users wrote:
> How do you do this? Abusing server_condition doesn't work, as it's
> only expanded if the base authentication succeeds.
> (My authentication method is cram-md5.)

I'm doing plain and login.
--
Cheers,
Jeremy

Re: drop connection on auth failure
On 15 July 2022 20:04:37 UTC, user Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
>On 15/07/2022 20:19, Julian Bradfield via Exim-users wrote:
>> How do you do this? Abusing server_condition doesn't work, as it's
>> only expanded if the base authentication succeeds.
>> (My authentication method is cram-md5.)
>
>I'm doing plain and login.

IMO that is a perfect job for the event system, to emit an auth:failed event. But the whole event system
seems to be only about outgoing mails/connections.

Besides the auth failed event, I miss ACL and error related events, e.g. acl:reject,
acl:drop, acl:etc, or even more detailed, e.g. acl:reject:stage (with log_message
in the event_data variable), ideally with connection/TLS error events, e.g.
conn:nomail, conn:syntaxerr, etc., again with the particular error in event_data.

regards


Slavko

Re: drop connection on auth failure
On Fri, 15 Jul 2022, Julian Bradfield via Exim-users wrote:

> I should like exim to drop the connection on a client AUTH failure.
> (Because as soon it's seen in the log, fail2ban will DROP the client IP,
> and so the exim process will hang around until the SMTP session times
> out.)

I haven't used fail2ban with exim, but are you sure that that is the
problem? In my experience, fail2ban only stops *new* sessions.
Ah, but I have something close to Evgeniy's conntrack rule:
> Nevertheless, if you want to keep active connections unblocked, you may
> insert before fail2ban's rules your own rule, which allows packets for
> established connections to pass. Example for Linux:
>
> iptables -I INPUT 1 -p tcp -m multiport --destination-ports 25,465,587 \
> -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


If fail2ban does terminate the current session, then I am not sure that
exim can drop the connection without specific intent.
A legitimate client could give an incorrect password*, so exim should
normally allow at least one AUTH failure gracefully.
This would include waiting for an ack from the client.
If fail2ban has DROPped the current session, then exim will never
receive the ack, so will indeed wait for the session to timeout.

* Without a password database or manager, a MUA will ask the user
for the passwd at least once each session and we all make typos from time
to time.

> However, I can't see a way to do this. Am I missing something in the
> docs?

I don't think so.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: drop connection on auth failure
On 16 July 2022 18:09:40 BST, Slavko via Exim-users <exim-users@exim.org> wrote:
>>I'm doing plain and login.
>
>IMO that is a perfect job for the event system, to emit an auth:failed
>event. But the whole event system seems to be only about outgoing
>mails/connections.
>
>Besides the auth failed event, I miss ACL and error related events, e.g.
>acl:reject, acl:drop, acl:etc, or even more detailed, e.g.
>acl:reject:stage (with log_message in the event_data variable), ideally
>with connection/TLS error events, e.g. conn:nomail, conn:syntaxerr, etc.,
>again with the particular error in event_data.



Events are pretty easy to add:
- decide one is wanted
- decide what data to provide it
- find the code location
- add (probably) one line

This one seems reasonable. I'm less sure about some of your other suggestions - for example on acl reject?
You're already in an acl; why use an event to get into another?
--
Cheers,
Jeremy

Re: drop connection on auth failure
On 17 July 2022 11:16:22 UTC, user Jeremy Harris via Exim-users <exim-users@exim.org> wrote:

>>Besides the auth failed event, I miss ACL and error related events, e.g.
>>acl:reject, acl:drop, acl:etc, or even more detailed, e.g.
>>acl:reject:stage (with log_message in the event_data variable), ideally
>>with connection/TLS error events, e.g. conn:nomail, conn:syntaxerr, etc.,
>>again with the particular error in event_data.

>I'm less sure about some of your other suggestions - for example on acl reject?
>You're already in an acl; why use an event to get into another?

Consider that when you want to do something (e.g. log out of exim) on
any reject (drop, etc.), you have to add a rule to every particular ACL, which
is prone to error (e.g. forgetting to add it). Having a common action in one place
is exactly what events are for (if I properly understand it).

Thus adding these events can be considered as an extension of the ${acl...}
expansion and/or acl condition idea, which are intended to prevent
repetition of ACL rules (or to structure the config into subroutines).

I have no idea how it will (can) affect performance. But IMO at least
defers/rejects/drops can be useful, e.g. during some attacks, which can
be simply propagated outside of exim, to act on them.

The (incoming) TLS(465)/SMTP errors do not all go through an ACL, thus
one has no other option to get/count them than parsing the log file, which (as
stated in the docs) is not intended for machine processing. There are already
similar events for outgoing connections (e.g. TLS errors), but they are missing
for the incoming side.

Some time ago I started to use redis's streams, from which one can relatively
simply get items for a particular timespan and do something with them, but I
cannot get all failures into it...

Consider e.g. the now relatively common errors -- the "AUTH used when not
advertised" or HTTP (and other) connection attempts on port 25... The
incoming TLS errors are relatively common on port 465 (MSA), where I
have strict TLS settings, and old bots or scanners are knocking...

AFAIK the eximstats script doesn't count these TLS/SMTP errors as
connection rejections either, but IMO they do not differ from drops in
result...

regards

Slavko

Re: drop connection on auth failure
On 17/07/2022 12:16, Jeremy Harris via Exim-users wrote:
> On 16 July 2022 18:09:40 BST, Slavko via Exim-users <exim-users@exim.org>
>> IMO that is a perfect job for the event system, to emit an auth:failed event.
>> But the whole event system
>> seems to be only about outgoing mails/connections.
>>
>> Besides the auth failed event, I miss ACL and error related events, e.g.
>> acl:reject, acl:drop, acl:etc, or even more detailed, e.g.
>> acl:reject:stage (with log_message in the event_data variable), ideally
>> with connection/TLS error events, e.g. conn:nomail, conn:syntaxerr, etc.,
>> again with the particular error in event_data.
>
>
>
> Events are pretty easy to add:
> - decide one is wanted
> - decide what data to provide it
> - find the code location
> - add (probably) one line
>
> This one seems reasonable.

Committed as 7a97480c2b, 9b3a1518f5.
--
Cheers,
Jeremy
