tjaeger-hszigr1 Absent Member.
Absent Member.
515 views

GWIA - Disallow authentication by e-mail address

Hi Community,

we had some trouble in the past because of intruder lockout. At any time dozens of users were blocked. Research in the logfiles showed that passwords were given to any valid e-mail adresses. The attacks took place with a time delay and under the use of different ip addresses.

After three failed attempts, the accounts are blocked. The lock caused by these attacks is especially annoying, since most of the blocked users do not use imap at all.

Is it possible to disable authentication in the gwia via the email address? We had not one lock because of authentication tries by user name and wrong password.

In WebAccess it is possible to set that the authentication can be done only with the user name. is there something to set for the gwia?



Regards,
Thomas
Labels (1)
0 Likes
4 Replies
Knowledge Partner
Knowledge Partner

Re: GWIA - Disallow authentication by e-mail address

On 01.04.2019 11:14, tjaeger-hszigr wrote:
>
> Hi Community,
>
> we had some trouble in the past because of intruder lockout. At any time
> dozens of users were blocked. Research in the logfiles showed that
> passwords were given to any valid e-mail adresses. The attacks took
> place with a time delay and under the use of different ip addresses.
>
> After three failed attempts, the accounts are blocked. The lock caused
> by these attacks is especially annoying, since most of the blocked users
> do not use imap at all.
>
> Is it possible to disable authentication in the gwia via the email
> address? We had not one lock because of authentication tries by user
> name and wrong password.
>
> In WebAccess it is possible to set that the authentication can be done
> only with the user name. is there something to set for the gwia?
>


Unfortunately, there is absolutely no way. All I can suggest is vote for
this idea:

https://ideas.microfocus.com/MFI/mf-gw/Idea/Detail/1126

Please don't get fooled by the diallowauthrelay option mentioned in the
comments. That stops authentication attempts from being succesful for
relaying, but it does *NOT* change a thing about the intruder lockouts,
and attackers are still able to identify a correct password and then use
it for IMAP or webaccess.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
0 Likes
Knowledge Partner
Knowledge Partner

Re: GWIA - Disallow authentication by e-mail address

tjaeger-hszigr wrote:

>
> Hi Community,
>
> we had some trouble in the past because of intruder lockout. At any
> time dozens of users were blocked. Research in the logfiles showed
> that passwords were given to any valid e-mail adresses. The attacks
> took place with a time delay and under the use of different ip
> addresses.
>
> After three failed attempts, the accounts are blocked. The lock caused
> by these attacks is especially annoying, since most of the blocked
> users do not use imap at all.
>
> Is it possible to disable authentication in the gwia via the email
> address? We had not one lock because of authentication tries by user
> name and wrong password.
>


Hi Thomas,

As Massimo already pointed out, GWIA does not provide that ability.
There is a workaround but I don't know if it will work for you.

The solution is to use two GWIAs!

Disable all authentication on your primary GWIA, prevent relaying, and
only accept email sent to your internal users.

Setup a second GWIA that requires authentication for your IMAP users.
Configure unique ports for SMTP and IMAP. Use obscure 5-digit ports
that you provide to your IMAP users.

Intruders typically try to gain access via the standard ports. Using
nonstandard ports will not stop them but first they will have to find
which of the 65,000 possible ports you are using. The chances are very
good that will not happen. If it does, all you have to do is select a
different port and have your users update their settings.


--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.
_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada
Who are the Knowledge Partners?
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
0 Likes
Knowledge Partner
Knowledge Partner

Re: GWIA - Disallow authentication by e-mail address

Kevin Boyle wrote:

> The solution is to use two GWIAs!


This solution has an additional benefit.

I have my GWIA check blacklists and I am unable to send email to my own
server as almost all the IP addresses assigned to my mobile devices by
my wireless service provider or when using public Wi-Fi are blacklisted.

You can dispense with the blacklist check on the second GWIA because it
is only used by your own (trusted?) users!

--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.
_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada
Who are the Knowledge Partners?
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
0 Likes
Knowledge Partner
Knowledge Partner

Re: GWIA - Disallow authentication by e-mail address

On 08.04.2019 18:18, Kevin Boyle wrote:
> tjaeger-hszigr wrote:
>
>>
>> Hi Community,
>>
>> we had some trouble in the past because of intruder lockout. At any
>> time dozens of users were blocked. Research in the logfiles showed
>> that passwords were given to any valid e-mail adresses. The attacks
>> took place with a time delay and under the use of different ip
>> addresses.
>>
>> After three failed attempts, the accounts are blocked. The lock caused
>> by these attacks is especially annoying, since most of the blocked
>> users do not use imap at all.
>>
>> Is it possible to disable authentication in the gwia via the email
>> address? We had not one lock because of authentication tries by user
>> name and wrong password.
>>

>
> Hi Thomas,
>
> As Massimo already pointed out, GWIA does not provide that ability.
> There is a workaround but I don't know if it will work for you.
>
> The solution is to use two GWIAs!
>
> Disable all authentication on your primary GWIA, prevent relaying, and
> only accept email sent to your internal users.


But you can't. That's the whole story. You can not really disable
authentication. His problem isn't the authentication itself, but the
intruder lockout it causes.

The only way to stop it is to use a firewall and stop GWIA from being
able to talk to the POA.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.