this post was submitted on 06 Aug 2023
34 points (92.5% liked)

Selfhosted

39942 readers
613 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I run my own email server, and a friend received a compromised laptop from work which resulted in a spam attack from Russia yesterday. Turtle settings saved the days with thousands of emails still in the queue when I saw the problem, however it made me realize that everyone with accounts on my server are local, do not travel, and have no requirement to send emails from outside the country.

I found how to use the smtpd_discard_ehlo_keyword_address_maps setting in postfix to block a CIDR list of IPs, then found a maintained list of IPs by country codes on github. Cool so far, and a script to keep my local list updated was easy enough.

Now the question is, what countries should I be blocking? There are plenty of lists of the top hacking sources, but it's hard to block #2 (the US) when that's where I am located. But otherwise, does anyone have a list of countries they outright block from logging on to their servers? From the above google searches I have 17 countries blocked so far, and in the first 30 minutes already stopped login attempts from three of those countries, so it appears to be working.

Of course I could write a script to parse my logs to see who has already made attempts, but that's what services like fail2ban are for, and I'm just wondering if there are any countries in particular I should directly block? My list so far includes the following: ae bg br cn de hk id in ir iq il kp ng ru sa th vn

The question itself may not be that interesting, but I thought at the very least some folks might be interested in my experience and think about doing something similar themselves. I can post more details of what I did if there is any interest.

all 23 comments
sorted by: hot top controversial new old
[–] jozza 38 points 1 year ago (1 children)

The advice I've read (and implemented myself) is to not so much run a block list, but an allow list. So first things first, have a rule to block all connections, then have overriding rules to allow connections using criteria you would deem safe. If you know someone needs to access the server from the UK, include the UK on the allow list. Everything else can remain locked down until you have a reason to open it up to another country.

[–] [email protected] 1 points 1 year ago (1 children)

That's pretty much the way a firewall works, but I'm not sure it's quite so practical for email. When you get into something like cell phone access, the IPs can be all over the place. I've certainly seen enough attempts from addresses of my own cell provider. I've even seen fail2ban block IPs from my local city ISP, so it's really difficult just blacklist everything and not expect there to be nearly immediate problems for those of us who have legitimate access. This is one of the reasons I run multiple tools, between the standard blocklists to weed out spammers and public VPNs, to things like fail2ban providing more realtime protection. I look at the country blocklist as just another tool in the arsenal to try and find a balance between protecting my services but still allowing easy access where it is needed.

[–] [email protected] 2 points 1 year ago

They said country-based, not location-based. Your cellphone provider will probably only be using a handful of countries at most to relay traffic.

[–] [email protected] 14 points 1 year ago* (last edited 1 year ago) (1 children)

I would say white-list instead of black-list if possible.

Beside the point, have you considered the reasons why you might not want to run your own email server in todays age? It’s a fun experience for sure, but if you want it for serious use it’s not for the faint of heart (unfortunately).

Edit: also lol to your friend unknowingly conducting a spam campaign from your server

[–] [email protected] 5 points 1 year ago (2 children)

Fortunately I started this endeavor back before Microsoft even knew what a mail server was, so I've been at it awhile. Some changes have been reactionary to attacks, other changes have been simply keeping up with practices where I could. I do what I can though.

Yeah someone else mentioned whitelisting but with connections like your cell phone picking up IPs all over the place, while simultaneously being the source of other attacks, it's just not as feasible for this. Of course I do have blocklists against spam sources and such, plus a dedicated firewall in front of everything, but I somehow missed blocking the easy targets against compromised accounts.

As for my friend... yeah it wasn't even happening from his laptop, it was just the fact that he had logged in to his account and the virus recorded his password. After that first moment of rage (assuming he fell for a phishing attack), I scrambled his password, flushed all the emails from the queue, and then started cleaning things up. So far it looks like I was only temporarily blacklisted, and those cleared up about an hour after I shut down the spam. Now I'm just keeping a close eye on things to make sure nobody else comes through on that account.

[–] [email protected] 2 points 1 year ago (1 children)

Oof yeah. You’re well into admin territory here.

I mean I’m just some layman on the internet, but I would look at tying in some authentication layer to get your 2FA, although it would inconvenience your users users.

Do your users use this service for srs business?

I don’t know if I have anything else to add to this discussion. It’s gotten more complex than what “just an email server” can provide imo

[–] [email protected] 1 points 1 year ago (1 children)

No worries and thanks for the comments. I'll figure out something, I always do, I just thought it would be nice to see what route others have taken with their own servers. I'm really annoyed but it seems like more people are just turning their email over to big corporations. Hell the place I work turned their email over to Microsoft and we've had nothing but non-stop spam, phishing attacks, outages, and the constant push of "oh if you're not going to use a Microsoft product (on my linux machine) then we're won't even talk to you" in the years since then, and literally everybody in my department complains about it.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

I'll figure out something, I always do, I just thought it would be nice to see what route others have taken with their own servers.

Yeah for sure. Sorry I don't have a good answer

turned their email over to Microsoft and we've had nothing but non-stop spam, phishing attacks, outages, and the constant push of "oh if you're not going to use a Microsoft product.

Just wanna share that my experience does not mirror this. I pay them $6/ user per month (which is just me, for me personally, to be fair), which gets me that hosted exchange server 365 thing. I only rarely, if ever, need to use the other office products, and I do so in my browser. In the 2ish years so far I've had no complaints. I don't require any of the features that are locked behind full-installation variants of their products - and besides that I've had no problem with spam email especially.

Im not sure I would recommend that you tell your friends to authenticate with your own Active directory instance necessarily, but ultimately at the end of the day if you're dealing with users you'll need some kind of authentication layer (imo)

[–] InverseParallax 2 points 1 year ago

Been hosting my email about as long, thinking about turning it in, or at least only making smtp exposed.

The address argument is a cop out, Wireguard works fine always on now, even in your home wlan if you're fine with hairpin nat. Ios and android handle it well.

I block China and Russia, tempted to add a few others but those are easy outs (haven't been to China in years, will figure it out if I am).

[–] Hyzerflip 14 points 1 year ago (2 children)

I block North Korea, Russia, Ukraine and China. Your mileage may vary depending on your resources required.

[–] AbidanYre 4 points 1 year ago

I add India to that list.

[–] [email protected] 3 points 1 year ago (1 children)

Ukraine? That's curious, is that because of the continued Russian occupation or was there another reason?

[–] Aux 3 points 1 year ago (2 children)

You can safely block the whole of xUSSR because of shared hacking mentality. Source: born and raised in xUSSR.

[–] [email protected] 1 points 1 year ago (1 children)

Oh wait, I just realized you were referring to all of the countries under Russian influence, not just Russia itself. If I can ask, which countries do you think that encompasses? As someone from the other side of the planet, I'm not really too familiar with the politics.

[–] Aux 2 points 1 year ago

Just Google USSR.

[–] [email protected] 0 points 1 year ago

They were the first one on my list! 😆

[–] SheeEttin 3 points 1 year ago (1 children)

no requirement to send emails from outside the country

So all of them? Have them VPN if they eventually need to.

Also, you're using MFA, right? Right?

[–] [email protected] 2 points 1 year ago

Funny thing, I was actually looking into this earlier tonight and couldn't find any info on how to implement MFA with postfix. I did find some discussions of limiting access to known IPs, but that requires manually tracking everyone's logins. I'll keep digging though, I'm sure I'll find something.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Not directly to your exact question, but do you have something like rspamd set up? I would consider doing some filtering with rspamd modules. It's a lot of learning to go through, but has some good defaults. It can filter outgoing mail as well as incoming.

[–] [email protected] 2 points 1 year ago

I've always used spamassassin, but this looks interesting so I'll do some reading on it tomorrow. Thanks!