Group: netwin.surgemail
From: "Neil Herber (nospam)" <nospam@eton.ca>
Subject: [SurgeMail List] locking down logins ...
Date: Wed, 25 Jan 2017 13:04:15 -0500

My server is getting hammered by POP login attempts.

I want to force all my real clients to use SSL IMAP only. What settings do I need to:

1) force authenticated SSL logins for IMAP

2) completely ignore any POP logins (or force SSL if ignoring is a bad idea)

3) force authenticated SSL logins for SMTP

Any other suggestions to get rid of these pests welcome.

Note: I thought I had already set things up to force SSL, but I keep getting these failed log messages:

25 10:49:03.66:6852: xx-client-xx: pop: SSL required for ip (115.211.174.66) xx-client-xx

Neil


-- 
Neil Herber

From: Wayne Lee <linkconnect@googlemail.com>
Date: Wed, 25 Jan 2017 18:27:44 +0000


Block it at the firewall


Wayne

On 25 January 2017 at 18:04, Neil Herber (nospam) <nospam@eton.ca> wrote:

> My server is getting hammered by POP login attempts.
>
> I want to force all my real clients to use SSL IMAP only. What settings do
> I need to:
>
> 1) force authenticated SSL logins for IMAP
>
> 2) completely ignore any POP logins (or force SSL if ignoring is a bad
> idea)
>
> 3) force authenticated SSL logins for SMTP
>
> Any other suggestions to get rid of these pests welcome.
>
> Note: I thought I had already set things up to force SSL, but I keep
> getting these failed log messages:
>
> 25 10:49:03.66:6852: xx-client-xx: pop: SSL required for ip (115.211.174.66) xx-client-xx
>
>
> Neil
>
> --
> Neil Herber
>
>



From: Ed <ed@easent.net>
Date: Wed, 25 Jan 2017 13:28:08 -0500

Hi,

Go to the mail services page and put "disabled" on any ports you don't 
want surge to answer on.

There are a couple other settings for the SMTP and it depends on how you 
want that to work.  I'd be careful with that because not all servers 
relaying to you are going to use SSL.

--Ed

On 01/25/2017 01:04 PM, Neil Herber (nospam) wrote:
> My server is getting hammered by POP login attempts.
>
> I want to force all my real clients to use SSL IMAP only. What settings
> do I need to:
>
> 1) force authenticated SSL logins for IMAP
>
> 2) completely ignore any POP logins (or force SSL if ignoring is a bad idea)
>
> 3) force authenticated SSL logins for SMTP
>
> Any other suggestions to get rid of these pests welcome.
>
> Note: I thought I had already set things up to force SSL, but I keep
> getting these failed log messages:
>
>> 25 10:49:03.66:6852: xx-client-xx: pop: SSL required for ip (115.211.174.66) xx-client-xx
>
> Neil
>
>
> --
> Neil Herber
>

-- 
-----------------------------------------------------------
EAS Enterprises LLC
World Class Web and Email Hosting Solutions
IPv6 ready today for your needs of tomorrow!
Ask us about dual-stacking your site
www.easent.net


From: "Neil Herber (nospam)" <nospam@eton.ca>
Date: Wed, 25 Jan 2017 16:07:39 -0500


I already have a huge list of IP blocks stopped at the firewall but
these hackers/spammers/botnets just pop (no pun intended) up in another
country and carry on.

I am hoping if SurgeMail is not listening for POP that the bots will
stop trying if they get no response. But that may be wishful thinking.
At least I won't have a huge pile of entries in the login_failed log ...

Neil


On 2017-01-25 1:27 PM, Wayne Lee wrote:
> Block it at the firewall
>
>
> Wayne
>
> On 25 January 2017 at 18:04, Neil Herber (nospam) <nospam@eton.ca
> <mailto:nospam@eton.ca>> wrote:
>
>     My server is getting hammered by POP login attempts.
>
>     I want to force all my real clients to use SSL IMAP only. What
>     settings do I need to:
>
>     1) force authenticated SSL logins for IMAP
>
>     2) completely ignore any POP logins (or force SSL if ignoring is a
>     bad idea)
>
>     3) force authenticated SSL logins for SMTP
>
>     Any other suggestions to get rid of these pests welcome.
>
>     Note: I thought I had already set things up to force SSL, but I
>     keep getting these failed log messages:
>
>>     25 10:49:03.66:6852: xx-client-xx: pop: SSL required for ip (115.211.174.66) xx-client-xx
>
>     Neil
>
>
>     -- 
>     Neil Herber
>
>

-- 
Neil Herber




From: "Neil Herber (nospam)" <nospam@eton.ca>
Date: Wed, 25 Jan 2017 16:23:19 -0500


Thanks Ed

I will disable POP and see if that helps.

If I understand correctly, I need to allow inbound SMTP on port 25 to
get mail from other MXs.

I think that:

> g_ssl_require_login - IP wildcard of connections for users needing to use SSL
>
> This setting forces all matching IP addresses to use SSL for any
> action that requires a user login, e.g. POP, IMAP and SMTP
> authentication but not plain SMTP. So this is ideal if you want all
> users to use SSL but still want email to come in from non-SSL SMTP
> servers.
>
> Syntax: g_ssl_require_login string

... if set to "*" should force everyone to use a secure login.

Neil


On 2017-01-25 1:28 PM, Ed wrote:
> Hi,
>
> Go to the mail services page and put  disabled  on any ports you don't
> want surge to answer on.
>
> There are a couple other settings for the SMTP and it depends on how
> you want that to work.  I'd be careful with that because not all
> servers relaying to you are going to use SSL.
>
> --Ed
>
> On 01/25/2017 01:04 PM, Neil Herber (nospam) wrote:
>> My server is getting hammered by POP login attempts.
>>
>> I want to force all my real clients to use SSL IMAP only. What settings
>> do I need to:
>>
>> 1) force authenticated SSL logins for IMAP
>>
>> 2) completely ignore any POP logins (or force SSL if ignoring is a
>> bad idea)
>>
>> 3) force authenticated SSL logins for SMTP
>>
>> Any other suggestions to get rid of these pests welcome.
>>
>> Note: I thought I had already set things up to force SSL, but I keep
>> getting these failed log messages:
>>
>>> 25 10:49:03.66:6852: xx-client-xx: pop: SSL required for ip
>>> (115.211.174.66) xx-client-xx
>>
>> Neil
>>
>>
>> -- 
>> Neil Herber
>>
>

-- 
Neil Herber




From: surgemail-support <surgemail-support@netwinsite.com>
Date: Thu, 26 Jan 2017 10:57:08 +1300


The question is what you are trying to fix exactly:

     1) Is it just the log entries that bother you?

     2) Is it load caused by the probing?

     3) Is it security?

If it's '3', then you probably already have it fixed by requiring SSL, 
but that doesn't really stop probing, it just stops 'dumb' probing; the 
settings below and on the referenced web page will help a lot.

If it's '1', then stop reading them :-)

If it's '2', then it's probably not really causing significant load 
(unless you have reason to believe otherwise...)

Here are some settings I would use...

# Block guessing if a user tries an obvious admin account
G_HACKER_POISON "root@*,administrator@*"

# Only allow smtp logins if the user has previously logged in via imap/pop from the same address
G_SAFE_SMTP "true"

# Alert users when logins occur from unknown addresses that are not from australia or usa...
G_SAFE_WARNING "true"
g_safe_country "us,au"

# if you really want to disable pop, which is valid enough if your users are all imap based...
g_pop_port "disabled"

You may find other info on this page useful:

     http://netwinsite.com/surgemail/help/hackers.htm

ChrisP.


On 26/01/2017 7:04 a.m., surgemail-list@netwinsite.com wrote:
>
> My server is getting hammered by POP login attempts.
>
> I want to force all my real clients to use SSL IMAP only. What 
> settings do I need to:
>
> 1) force authenticated SSL logins for IMAP
>
> 2) completely ignore any POP logins (or force SSL if ignoring is a bad 
> idea)
>
> 3) force authenticated SSL logins for SMTP
>
> Any other suggestions to get rid of these pests welcome.
>
> Note: I thought I had already set things up to force SSL, but I keep 
> getting these failed log messages:
>
>> 25 10:49:03.66:6852: xx-client-xx: pop: SSL required for ip (115.211.174.66) xx-client-xx
>
> Neil
>
>
> -- 
> Neil Herber




From: "Neil Herber (nospam)" <nospam@eton.ca>
Date: Wed, 25 Jan 2017 18:33:27 -0500


Thanks for the tutorial, Chris.

I am just trying to reduce the attack surface on my server which hosts
both SurgeMail and Apache with several vhosts.

I have put all of SM management behind a reverse proxy that gets forced
to HTTPS and requires authentication.

I have tried to force SurgeWeb to require SSL.

I periodically scan logs looking for persistent attackers or targets and
then I add IP blocks to the firewall or add Apache alias rules that
silently redirect "popular target URLs" to a "phpwpoison" page.

So to answer your questions: 1) the log entries do bother me, but I will
try to reduce my inspection of them, 2) the load is negligible at
present, but they did saturate my connection when they managed to
brute-force the password to WordPress management, 3) yes, it is security
and I have tried to ensure that any of the login areas on the server
require SSL.

So I am probably pretty good, but I think I will still disable POP.

Thanks

Neil


On 2017-01-25 4:57 PM, surgemail-support wrote:
>
> The question is what are you trying to fix exactly,
>
>     1) Is it just the log entries that bother you.
>
>     2) is it load caused by the probing
>
>     3) is it security.
>
> if it's '3', then you probably already have it fixed with requiring
> ssl, but that doesn't really stop probing it just stops 'dumb'
> probing, the settings below and on the referenced web page will help a
> lot.
>
> If it's '1', then stop reading them :-)
>
> If it's '2', then it's probably not really causing significant load
> (unless you have reason to believe otherwise...)
>
> Here are some settings I would use...
>
> # Block guessing if a user tries an obvious admin account
> G_HACKER_POISON "root@*,administrator@*" 
>
> # Only allow smtp logins if the user has previously logged in via
> imap/pop from the same address
> G_SAFE_SMTP "true"
>
> # Alert users when logins occur from unknown addresses that are not
> from australia or usa...
> G_SAFE_WARNING "true"
> g_safe_country "us,au"
>
>
> # if you really want to disable pop, which is valid enough if your
> users are all imap based...
> g_pop_port "disabled"
>
> You may find other info on this page useful:
>
>     http://netwinsite.com/surgemail/help/hackers.htm
>
> ChrisP.
>
>
> On 26/01/2017 7:04 a.m., surgemail-list@netwinsite.com wrote:
>>
>> My server is getting hammered by POP login attempts.
>>
>> I want to force all my real clients to use SSL IMAP only. What
>> settings do I need to:
>>
>> 1) force authenticated SSL logins for IMAP
>>
>> 2) completely ignore any POP logins (or force SSL if ignoring is a
>> bad idea)
>>
>> 3) force authenticated SSL logins for SMTP
>>
>> Any other suggestions to get rid of these pests welcome.
>>
>> Note: I thought I had already set things up to force SSL, but I keep
>> getting these failed log messages:
>>
>>> 25 10:49:03.66:6852: xx-client-xx: pop: SSL required for ip (115.211.174.66) xx-client-xx
>>
>> Neil
>>
>>
>> -- 
>> Neil Herber
>

-- 
Neil Herber
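As an added example in the spirit of Neil's periodic log scan (it is not from the thread or from SurgeMail's own tooling), this Python script parses lines in the shape quoted above, counts rejected logins per source address and renders firewall rules for the persistent ones. The log field names, the extra failure wordings and the sample addresses are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Matches the shape of the line quoted in this thread; the field names are assumptions
# for this example, not SurgeMail's documented log format.
LINE_RE = re.compile(
    r"^(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+):(?P<tid>\d+): "
    r"(?P<host>\S+): (?P<service>\w+): (?P<msg>.*)$"
)
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")
# Message fragments counted as a rejected login; only the first is taken from the thread.
FAIL_MARKERS = ("SSL required for ip", "login failed", "authentication failed")

def parse_line(line):
    """Split one log line into fields; None if it does not match the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ipm = IP_RE.search(rec["msg"])
    rec["ip"] = ipm.group(1) if ipm else None
    rec["failed"] = any(marker in rec["msg"] for marker in FAIL_MARKERS)
    return rec

def count_failures(lines):
    """Return {ip: Counter(service -> rejected attempts)}; unparsable lines are skipped."""
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["failed"] and rec["ip"]:
            per_ip[rec["ip"]][rec["service"]] += 1
    return per_ip

def persistent_sources(lines, threshold=5):
    """IPs with at least `threshold` rejected attempts over all services, busiest first."""
    totals = {ip: sum(c.values()) for ip, c in count_failures(lines).items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: (-totals[ip], ip))

def iptables_rules(ips):
    """One DROP rule per offending IP; review the list before applying it."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

# Constructed sample lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = (
    [f"25 10:49:0{i}.66:6852: xx-client-xx: pop: SSL required for ip (192.0.2.10) xx-client-xx"
     for i in range(6)]
    + ["25 10:50:01.12:6853: xx-client-xx: imap: SSL required for ip (198.51.100.7) xx-client-xx",
       "25 10:50:02.20:6853: xx-client-xx: imap: login failed for ip (198.51.100.7) xx-client-xx",
       "25 10:51:00.00:6854: xx-client-xx: imap: user login ok from (203.0.113.5) xx-client-xx",
       "this line is not in the expected format and is skipped"]
)

if __name__ == "__main__":
    print("\n".join(iptables_rules(persistent_sources(SAMPLE_LOG))))
```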




From: Ed <ed@easent.net>
Date: Wed, 25 Jan 2017 18:56:28 -0500

Hi,

*** I have tried to force SurgeWeb to require SSL ***

This is easily done via the surgeweb settings.  We in fact do this.

--Ed

On 01/25/2017 06:33 PM, Neil Herber (nospam) wrote:
> Thanks for the tutorial, Chris.
>
> I am just trying to reduce the attack surface on my server which hosts
> both SurgeMail and Apache with several vhosts.
>
> I have put all of SM management behind a reverse proxy that gets forced
> to HTTPS and requires authentication.
>
> I have tried to force SurgeWeb to require SSL.
>
> I periodically scan logs looking for persistent attackers or targets and
> then I add IP blocks to the firewall or add Apache alias rules that
> silently redirect "popular target URLs" to a "phpwpoison" page.
>
> So to answer your questions: 1) the log entries do bother me, but I will
> try to reduce my inspection of them, 2) the load is negligible at
> present, but they did saturate my connection when they managed to
> brute-force the password to WordPress management, 3) yes, it is security
> and I have tried to ensure that any of the login areas on the server
> require SSL.
>
> So I am probably pretty good, but I think I will still disable POP.
>
> Thanks
>
> Neil
>
>
> On 2017-01-25 4:57 PM, surgemail-support wrote:
>>
>> The question is what are you trying to fix exactly,
>>
>>     1) Is it just the log entries that bother you.
>>
>>     2) is it load caused by the probing
>>
>>     3) is it security.
>>
>> if it's '3', then you probably already have it fixed with requiring
>> ssl, but that doesn't really stop probing it just stops 'dumb'
>> probing, the settings below and on the referenced web page will help a
>> lot.
>>
>> If it's '1', then stop reading them :-)
>>
>> If it's '2', then it's probably not really causing significant load
>> (unless you have reason to believe otherwise...)
>>
>> Here are some settings I would use...
>>
>> # Block guessing if a user tries an obvious admin account
>> G_HACKER_POISON "root@*,administrator@*"
>>
>> # Only allow smtp logins if the user has previously logged in via
>> imap/pop from the same address
>> G_SAFE_SMTP "true"
>>
>> # Alert users when logins occur from unknown addresses that are not
>> from australia or usa...
>> G_SAFE_WARNING "true"
>> g_safe_country "us,au"
>>
>>
>> # if you really want to disable pop, which is valid enough if your
>> users are all imap based...
>> g_pop_port "disabled"
>>
>> You may find other info on this page useful:
>>
>>     http://netwinsite.com/surgemail/help/hackers.htm
>>
>> ChrisP.
>>
>>
>> On 26/01/2017 7:04 a.m., surgemail-list@netwinsite.com wrote:
>>>
>>> My server is getting hammered by POP login attempts.
>>>
>>> I want to force all my real clients to use SSL IMAP only. What
>>> settings do I need to:
>>>
>>> 1) force authenticated SSL logins for IMAP
>>>
>>> 2) completely ignore any POP logins (or force SSL if ignoring is a
>>> bad idea)
>>>
>>> 3) force authenticated SSL logins for SMTP
>>>
>>> Any other suggestions to get rid of these pests welcome.
>>>
>>> Note: I thought I had already set things up to force SSL, but I keep
>>> getting these failed log messages:
>>>
>>>> 25 10:49:03.66:6852: xx-client-xx: pop: SSL required for ip (115.211.174.66) xx-client-xx
>>>
>>> Neil
>>>
>>>
>>> --
>>> Neil Herber
>>
>
> --
> Neil Herber
>

-- 
-----------------------------------------------------------
EAS Enterprises LLC
World Class Web and Email Hosting Solutions
IPv6 ready today for your needs of tomorrow!
Ask us about dual-stacking your site
www.easent.net