Security risk of POP3 & IMAP protocols

Dennis Davis D.H.Davis at bath.ac.uk
Fri Feb 13 11:17:57 EST 2009


On Fri, 13 Feb 2009, Alain Williams wrote:

> From: Alain Williams <addw at phcomp.co.uk>
> To: Cyrus Mailing List <info-cyrus at lists.andrew.cmu.edu>
> Date: Fri, 13 Feb 2009 15:30:46 +0000
> Subject: Re: Security risk of POP3 & IMAP protocols

...

> > Yes. Anything that opens a bunch of mailboxes at the same time
> > might be doing way more than that. You should be measuring
> > "failed attempts", not "attempts".
>
> Yes, but I do the rate limiting with iptables (Linux firewall).  I
> don't know how to feedback failed attempts to iptables.

There are probably several ways to do this.  But, as a suggestion,
have a look at sshblack from:

http://www.pettingers.org/code/sshblack.html

It's intended for use against ssh brute-force attempts.  However
it's a perl script running tail on a log looking for suspicious
activity.  So should be easily adaptable for other purposes, along
with the iptables scripts included.  I expect the only wrinkle with
IMAP is that you'll want to block both port 143 and 993.

I fire up a small IMAP server with:

CYRUS_VERBOSE=1 ... 

and keep the logs separate.  Failed login attempts show up in the
logs as lines of the form:

Feb 13 15:42:25 bahamontes imap[10596]: badlogin: hinault.bath.ac.uk [138.38.56.28] PLAIN [SASL(-13): authentication failure: Password verification failed]

so it should be easy for a perl script to pick out the badly-behaved
client.

As others have pointed out, webmail servers are a particular
pain.  You'll probably need to whitelist your own webmail servers.
Otherwise the external blackhats will be able to persuade your IMAP
server to deny access to your webmail server(s).  A neat DOS attack
*and* lots of unhappy customers!

You should also consider how you'd harden up your webmail servers
against brute force attacks.  Not sure how you'd do that, as many,
if not all, webmail servers rely on the IMAP server to validate the
connection.

Usual disclaimer: I've never tried doing this myself.  This advice
                  is worth what you paid for it.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis at bath.ac.uk               Phone: +44 1225 386101
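As an added illustration of the log-watching approach the post describes (this is example code, not the author's and not sshblack): a Python sketch that picks Cyrus badlogin lines out of a log, counts failures per source address, skips a whitelist of your own webmail servers, and emits iptables rules covering both port 143 and 993. The hostnames, the 10.0.0.5 and 192.0.2.10 addresses, the PIDs and the threshold are assumed sample values.

```python
import re
import ipaddress
from collections import Counter

# Matches the Cyrus badlogin line format quoted in the post:
#   ... imap[PID]: badlogin: <host> [<ip>] <mechanism> [<reason>]
BADLOGIN_RE = re.compile(r"badlogin: (?P<host>\S+) \[(?P<ip>[^\]]+)\] (?P<mech>\S+)")

def parse_badlogin(line):
    """Return (host, ip, mechanism) for a badlogin line, or None otherwise."""
    m = BADLOGIN_RE.search(line)
    if not m:
        return None
    try:
        ip = str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None  # not a clean address: never hand log junk to the firewall
    return m.group("host"), ip, m.group("mech")

def offenders(lines, threshold, whitelist=()):
    """Source IPs with at least `threshold` failed logins, minus whitelisted networks."""
    allowed = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    counts = Counter()
    for line in lines:
        parsed = parse_badlogin(line)
        if parsed is None:
            continue
        _, ip, _ = parsed
        if any(ipaddress.ip_address(ip) in net for net in allowed):
            continue  # own webmail servers must never be blocked
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def iptables_rules(ips):
    """iptables commands dropping both IMAP (143) and IMAPS (993) from each IP."""
    return [f"iptables -I INPUT -s {ip} -p tcp -m multiport --dports 143,993 -j DROP"
            for ip in ips]

def _badlogin(ts, pid, host, ip):  # builds constructed sample lines in the post's format
    return (f"Feb 13 15:{ts} bahamontes imap[{pid}]: badlogin: {host} [{ip}] PLAIN "
            "[SASL(-13): authentication failure: Password verification failed]")

# Constructed sample log: the line quoted in the post, one successful login (ignored),
# four failures via the hypothetical webmail host 10.0.0.5, and three from 192.0.2.10.
SAMPLE_LOG = [
    _badlogin("42:25", 10596, "hinault.bath.ac.uk", "138.38.56.28"),
    "Feb 13 15:43:01 bahamontes imap[10601]: login: webmail.example.org [10.0.0.5] alice PLAIN User logged in",
    *[_badlogin(f"44:{s:02d}", 10610 + s, "webmail.example.org", "10.0.0.5") for s in range(4)],
    *[_badlogin(f"45:{s:02d}", 10620 + s, "client.example.net", "192.0.2.10") for s in range(3)],
]
```

Running `iptables_rules(offenders(SAMPLE_LOG, 3, whitelist=["10.0.0.5/32"]))` yields a single DROP rule for 192.0.2.10; without the whitelist the webmail host would be blocked too, which is exactly the self-inflicted denial of service the post warns about.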

