Client Authentication

[Erik Nørgaard]

On 24/03/2013 05:22, Doug Hardie wrote:

> Basically, my outgoing mail server is being systematically attacked to try passwords looking for one that works.

Have you investigated to identify where these attacks originate from? 
Even if the IP is not fixed, they often belong to ranges assigned to a 
particular country or even a particular ISP.

AFAIK best practice is to use port 25 for relaying mail between the 
servers, hence your server should only allow incomming mail on this 
port. This does not require authentication.

Users should connect to port 587 on your server to send mail. This 
ofcourse requires authentication. If your users are not mobile, then you 
can simply block port 587 for external connections.

Even if you have mobile users you can likely make some safe assumptions 
about where they will connect from, for example only national connections.

> The situation is such that most of our users are older and their computer is a hand-me-down so they can talk to their grandchildren.  Passwords are a great inconvenience for them and create numerous problems with remembering them even when they are simple.

So, I assume that each user has a PC or laptop for personal use only? Do 
you need mail passwords to be the same as computer or network passwords? 
If not then help your users choose a strong mail password and enter it 
in the mail client's password manager.

Writing down a password can actually be a better solution than bad 
passwords. If people have a private PC at home, it may even be 
acceptable to stick a post-it to the screen.

Consider implementing a password policy that is enforced by technical 
means, requireing regular change and strength test before a new password 
is accepted. You may get heaps of user complaints with this though.

But I think that users aversion for good passwords is that they have no 
idea of how to pick one that is easy to remember yet hard to guess, and 
that they may have to authenticate many times with many different 
passwords throughout the day.

> This situation requires a technical solution.
> I have been investigating the use of client authentication through SSL.

With certificates you will likely encounter user problems as with passwords:

You can install the certificates in the users keychain, with or without 
password protection or protected by the system password. This may 
actually be OK if that requires physical access to the user's computer.

Or you can use some card reader as you mention, but if users have 
problem managing a piece of paper with a password, how will they do with 
a card? You will have to deal with lost cards in stead of forgotten 
passwords. From the description of your users I don't think this is a 
solution.

In either case, whenever a certificate expire you will have to update it 
and help install the new certificate, and it becomes a hazle if the 
users gets a new computer.

> Any ideas/suggestions on this will be appreciated.  Thanks,
I think, given user's abilities the best option is use port 587 for 
authenticated outgoing SMTP with STARTTLS and a server side certificate. 
Restrict external access to port 587.

Use mail client's password manager to store mail password and help users 
choose a strong password which will only be used once.

Or, you can make away with the mail client and offer a web interface. 
Then mail can only be relayed for connections from localhost.

BR, Erik