GWIA - Disallow authentication by e-mail address

Hi Community,

We had some trouble in the past because of intruder lockout. At any time dozens of users were blocked. Research in the logfiles showed that passwords were given to any valid e-mail addresses. The attacks took place with a time delay and under the use of different IP addresses.

After three failed attempts, the accounts are blocked. The lock caused by these attacks is especially annoying, since most of the blocked users do not use IMAP at all.

Is it possible to disable authentication in the GWIA via the email address? We had not one lock because of authentication tries by user name and wrong password.

In WebAccess it is possible to set that the authentication can be done only with the user name. Is there something to set for the GWIA?



Regards,
Thomas

  • On 01.04.2019 11:14, tjaeger-hszigr wrote:
    >
    > Hi Community,
    >
    > We had some trouble in the past because of intruder lockout. At any time
    > dozens of users were blocked. Research in the logfiles showed that
    > passwords were given to any valid e-mail addresses. The attacks took
    > place with a time delay and under the use of different IP addresses.
    >
    > After three failed attempts, the accounts are blocked. The lock caused
    > by these attacks is especially annoying, since most of the blocked users
    > do not use IMAP at all.
    >
    > Is it possible to disable authentication in the GWIA via the email
    > address? We had not one lock because of authentication tries by user
    > name and wrong password.
    >
    > In WebAccess it is possible to set that the authentication can be done
    > only with the user name. Is there something to set for the GWIA?
    >


    Unfortunately, there is absolutely no way. All I can suggest is to vote for
    this idea:

    https://ideas.microfocus.com/MFI/mf-gw/Idea/Detail/1126

    Please don't get fooled by the disallowauthrelay option mentioned in the
    comments. That stops authentication attempts from being successful for
    relaying, but it does *NOT* change a thing about the intruder lockouts,
    and attackers are still able to identify a correct password and then use
    it for IMAP or WebAccess.

    CU,
    --
    Massimo Rosen
    Micro Focus Knowledge Partner
    No emails please!
    http://www.cfc-it.de
  • tjaeger-hszigr wrote:

    >
    > Hi Community,
    >
    > We had some trouble in the past because of intruder lockout. At any
    > time dozens of users were blocked. Research in the logfiles showed
    > that passwords were given to any valid e-mail addresses. The attacks
    > took place with a time delay and under the use of different IP
    > addresses.
    >
    > After three failed attempts, the accounts are blocked. The lock caused
    > by these attacks is especially annoying, since most of the blocked
    > users do not use IMAP at all.
    >
    > Is it possible to disable authentication in the GWIA via the email
    > address? We had not one lock because of authentication tries by user
    > name and wrong password.
    >


    Hi Thomas,

    As Massimo already pointed out, GWIA does not provide that ability.
    There is a workaround but I don't know if it will work for you.

    The solution is to use two GWIAs!

    Disable all authentication on your primary GWIA, prevent relaying, and
    only accept email sent to your internal users.

    Set up a second GWIA that requires authentication for your IMAP users.
    Configure unique ports for SMTP and IMAP. Use obscure 5-digit ports
    that you provide to your IMAP users.

    Intruders typically try to gain access via the standard ports. Using
    nonstandard ports will not stop them but first they will have to find
    which of the 65,000 possible ports you are using. The chances are very
    good that will not happen. If it does, all you have to do is select a
    different port and have your users update their settings.


    --
    Kevin Boyle - Knowledge Partner
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below this post.
    Thank you.
  • Kevin Boyle wrote:

    > The solution is to use two GWIAs!


    This solution has an additional benefit.

    I have my GWIA check blacklists and I am unable to send email to my own
    server as almost all the IP addresses assigned to my mobile devices by
    my wireless service provider or when using public Wi-Fi are blacklisted.

    You can dispense with the blacklist check on the second GWIA because it
    is only used by your own (trusted?) users!

    --
    Kevin Boyle - Knowledge Partner
  • On 08.04.2019 18:18, Kevin Boyle wrote:
    > tjaeger-hszigr wrote:
    >
    >>
    >> Hi Community,
    >>
    >> We had some trouble in the past because of intruder lockout. At any
    >> time dozens of users were blocked. Research in the logfiles showed
    >> that passwords were given to any valid e-mail addresses. The attacks
    >> took place with a time delay and under the use of different IP
    >> addresses.
    >>
    >> After three failed attempts, the accounts are blocked. The lock caused
    >> by these attacks is especially annoying, since most of the blocked
    >> users do not use IMAP at all.
    >>
    >> Is it possible to disable authentication in the GWIA via the email
    >> address? We had not one lock because of authentication tries by user
    >> name and wrong password.
    >>

    >
    > Hi Thomas,
    >
    > As Massimo already pointed out, GWIA does not provide that ability.
    > There is a workaround but I don't know if it will work for you.
    >
    > The solution is to use two GWIAs!
    >
    > Disable all authentication on your primary GWIA, prevent relaying, and
    > only accept email sent to your internal users.


    But you can't. That's the whole story. You can not really disable
    authentication. His problem isn't the authentication itself, but the
    intruder lockout it causes.

    The only way to stop it is to use a firewall and stop GWIA from being
    able to talk to the POA.

    CU,
    --
    Massimo Rosen
    Micro Focus Knowledge Partner
    No emails please!
    http://www.cfc-it.de
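
A way to triage the pattern described in this thread (failed logins given as an e-mail address, spaced out in time and arriving from changing IP addresses, tripping the three-attempt lockout), as an added example that is not from any poster or from GroupWise. The log line format, field names, sample accounts and the 24-hour window are constructed assumptions; adapt the regex to the lines your own logs actually contain.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3           # from the thread: accounts lock after three failures
WINDOW = timedelta(hours=24)    # assumption: look-back window for slow attempts

# Constructed sample lines in a made-up format (not real GWIA log output).
SAMPLE_LOG = """\
2019-03-28T02:14:07 IMAP AUTH FAIL login=anna.berg@example.org ip=198.51.100.7
2019-03-28T05:40:51 IMAP AUTH FAIL login=anna.berg@example.org ip=203.0.113.44
2019-03-28T06:02:10 IMAP AUTH FAIL login=j.keller@example.org ip=198.51.100.7
2019-03-28T09:31:19 IMAP AUTH FAIL login=anna.berg@example.org ip=192.0.2.91
2019-03-28T09:45:00 IMAP AUTH FAIL login=mweber ip=10.1.4.20
2019-03-28T09:45:30 IMAP AUTH OK login=mweber ip=10.1.4.20
2019-03-28T11:12:33 IMAP AUTH FAIL login=j.keller@example.org ip=203.0.113.44
"""

LINE_RE = re.compile(r"^(\S+) IMAP AUTH FAIL login=(\S+) ip=(\S+)$")

def parse_failures(text):
    """Yield (timestamp, login, ip) for each failed authentication line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2).lower(), m.group(3)

def spray_report(text):
    """Per login given as an e-mail address: failures, distinct IPs, lockout flag."""
    by_login = defaultdict(list)
    for ts, login, ip in parse_failures(text):
        if "@" in login:                      # only address-style logins
            by_login[login].append((ts, ip))
    report = {}
    for login, events in by_login.items():
        events.sort()
        newest = events[-1][0]
        recent = [(ts, ip) for ts, ip in events if newest - ts <= WINDOW]
        ips = {ip for _, ip in recent}
        report[login] = {
            "failures": len(recent),
            "distinct_ips": len(ips),
            # Locked out by failures spread over several sources: spray pattern.
            "locked_by_spray": len(recent) >= LOCKOUT_THRESHOLD and len(ips) > 1,
        }
    return report

if __name__ == "__main__":
    for login, row in sorted(spray_report(SAMPLE_LOG).items()):
        print(login, row)
```

Accounts flagged `locked_by_spray` are the ones whose lockout came from outside rather than from the user, which helps separate these from ordinary mistyped passwords when unlocking.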