Client Authentication
Erik Nørgaard
norgaard at locolomo.org
Sun Mar 24 10:20:55 UTC 2013
On 24/03/2013 05:22, Doug Hardie wrote:
> Basically, my outgoing mail server is being systematically attacked to try passwords looking for one that works.
Have you investigated to identify where these attacks originate from?
Even if the IP is not fixed, they often belong to ranges assigned to a
particular country or even a particular ISP.
AFAIK best practice is to use port 25 for relaying mail between the
servers, hence your server should only allow incoming mail on this
port. This does not require authentication.
Users should connect to port 587 on your server to send mail. This
of course requires authentication. If your users are not mobile, then you
can simply block port 587 for external connections.
Even if you have mobile users you can likely make some safe assumptions
about where they will connect from, for example only national connections.
> The situation is such that most of our users are older and their computer is a hand-me-down so they can talk to their grandchildren. Passwords are a great inconvenience for them and create numerous problems with remembering them even when they are simple.
So, I assume that each user has a PC or laptop for personal use only? Do
you need mail passwords to be the same as computer or network passwords?
If not then help your users choose a strong mail password and enter it
in the mail client's password manager.
Writing down a password can actually be a better solution than bad
passwords. If people have a private PC at home, it may even be
acceptable to stick a post-it to the screen.
Consider implementing a password policy that is enforced by technical
means, requiring regular change and a strength test before a new password
is accepted. You may get heaps of user complaints with this though.
But I think that users' aversion to good passwords is that they have no
idea of how to pick one that is easy to remember yet hard to guess, and
that they may have to authenticate many times with many different
passwords throughout the day.
> This situation requires a technical solution.
> I have been investigating the use of client authentication through SSL.
With certificates you will likely encounter user problems as with passwords:
You can install the certificates in the users keychain, with or without
password protection or protected by the system password. This may
actually be OK if that requires physical access to the user's computer.
Or you can use some card reader as you mention, but if users have
problems managing a piece of paper with a password, how will they do with
a card? You will have to deal with lost cards instead of forgotten
passwords. From the description of your users I don't think this is a
solution.
In either case, whenever a certificate expires you will have to update it
and help install the new certificate, and it becomes a hassle if the
users get a new computer.
> Any ideas/suggestions on this will be appreciated. Thanks,
I think, given the users' abilities, the best option is to use port 587 for
authenticated outgoing SMTP with STARTTLS and a server side certificate.
Restrict external access to port 587.
Use the mail client's password manager to store the mail password and help users
choose a strong password which will only be used once.
Or, you can do away with the mail client and offer a web interface.
Then mail can only be relayed for connections from localhost.
BR, Erik
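Erik's two concrete suggestions, find out where the failed logins originate and then allow port 587 only from the ranges your own users connect from, can be checked against the server's logs before touching the firewall. The script below is an added example and is not code from either poster or from the freebsd-questions thread. The log lines are constructed in a generic syslog-like format (not real sendmail or postfix output), so `AUTH_FAIL_RE` has to be adapted to whatever the MTA actually logs; the allowed network `203.0.113.0/24`, the failure threshold, and the pf rule strings using an `$ext_if` macro are assumptions for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines (generic format, not any real MTA's wording).
# 198.51.100.9 and 192.0.2.200 cycle through usernames; 203.0.113.44 is a
# legitimate user who mistyped twice and then succeeded.
SAMPLE_LOG = """\
Mar 24 09:01:12 mx smtpd[4101]: auth failed user=alice src=198.51.100.9 port=587
Mar 24 09:01:13 mx smtpd[4101]: auth failed user=admin src=198.51.100.9 port=587
Mar 24 09:01:14 mx smtpd[4101]: auth failed user=root src=198.51.100.9 port=587
Mar 24 09:01:20 mx smtpd[4102]: auth failed user=bob src=203.0.113.44 port=587
Mar 24 09:01:21 mx smtpd[4102]: auth failed user=bob src=203.0.113.44 port=587
Mar 24 09:02:02 mx smtpd[4103]: auth ok user=bob src=203.0.113.44 port=587
Mar 24 09:03:40 mx smtpd[4104]: auth failed user=test src=192.0.2.200 port=587
Mar 24 09:03:41 mx smtpd[4104]: auth failed user=test1 src=192.0.2.200 port=587
Mar 24 09:03:42 mx smtpd[4104]: auth failed user=test2 src=192.0.2.200 port=587
Mar 24 09:03:43 mx smtpd[4104]: auth failed user=test3 src=192.0.2.200 port=587
"""

# Assumed pattern for the constructed format above; adjust for your MTA.
AUTH_FAIL_RE = re.compile(r"auth failed user=(?P<user>\S+) src=(?P<src>[\d.]+)")


def parse_failures(log_text):
    """Return a list of (source_ip, username) for every failed AUTH line."""
    found = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            found.append((m.group("src"), m.group("user")))
    return found


def summarize(failures):
    """Per source IP: (number of failures, sorted list of usernames tried)."""
    counts = Counter(src for src, _ in failures)
    users = {}
    for src, user in failures:
        users.setdefault(src, set()).add(user)
    return {src: (counts[src], sorted(users[src])) for src in counts}


def classify(summary, allowed_nets, threshold=3):
    """Label each source.

    'expected': inside one of the ranges your users are known to use
                (the "national connections" assumption from the thread).
    'suspect' : outside those ranges and either at or above the failure
                threshold or trying more than one username.
    'outside' : outside those ranges but below both limits.
    """
    nets = [ip_network(n) for n in allowed_nets]
    labels = {}
    for src, (n_fail, users) in summary.items():
        addr = ip_address(src)
        if any(addr in net for net in nets):
            labels[src] = "expected"
        elif n_fail >= threshold or len(users) > 1:
            labels[src] = "suspect"
        else:
            labels[src] = "outside"
    return labels


def suspect_sources(labels):
    """Sorted list of the sources worth investigating (origin, ISP, country)."""
    return sorted((s for s, l in labels.items() if l == "suspect"),
                  key=ip_address)


def pf_submission_rules(allowed_nets):
    """Illustrative pf rules (assumed $ext_if macro): block submission from
    everywhere, then pass it only from the allowed ranges. pf applies the
    last matching rule, so the pass rules must follow the block rule."""
    rules = ["block in on $ext_if proto tcp from any to any port 587"]
    for net in allowed_nets:
        rules.append(f"pass in on $ext_if proto tcp from {net} to any port 587")
    return rules


if __name__ == "__main__":
    summary = summarize(parse_failures(SAMPLE_LOG))
    labels = classify(summary, ["203.0.113.0/24"])
    for src, (n, users) in summary.items():
        print(f"{src:16} failures={n} users={users} -> {labels[src]}")
    print("investigate:", suspect_sources(labels))
    print("\n".join(pf_submission_rules(["203.0.113.0/24"])))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents and widening `allowed_nets` to the prefixes your users actually come from; the `expected` label deliberately never flags a source inside those ranges, because a user whose password manager holds a stale password will also fail repeatedly and should be helped rather than blocked.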
More information about the freebsd-questions mailing list