Yet Another Smtp Limit

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
Post Reply
GrumpyGel
New user
New user
Posts: 7
Joined: 2020-06-06 05:32

Yet Another Smtp Limit

Post by GrumpyGel » 2020-12-23 04:02

I did someone a favour and said I'd host their email on my hMailServer.

I set the domain and accounts up that they requested, and being a rather naive email administrator, set them up with simple passwords asking them to log in immediately to set up decent secure ones.

Of course they didn't. So even though I'd set external IPs up as needing authentication, the result was that their accounts were hacked and all of a sudden my server was spewing out spam. grrr.

I went in and put strong passwords on all the accounts - but there's nothing to stop them putting simple ones back and I don't really know what else might compromise the system. So searched on here for something to try and stop this happening again - and found the SmtpLimit utility that someone put together. Perfect.

Well it would be if it wasn't reliant on reading through lots of file data for each message. When the spammers were hitting my server the server had trouble enough keeping up, adding this file overhead I'm sure would bring the server down - granted it would stop the spam issue, but it would also compromise other services. So I've looked at how SmtpLimit interacted with hMailServer and written a SmtpLimit that works in memory. I've called it Yet Another Smtp Limit - yasl. Its written in c# and is dependent on and runs under IIS with a VBScript client loaded by hMailServer - I wasn't sure if/how I could persist the data within the VBScript environment.

It runs on set Daily/Hourly limits that can be set per account and have time based overrides - eg if someone's going to do a mail shot. It does save hourly logs, so a process could be created to analyse these like SmtpLimit does and make appropriate Config settings. However, I only host a few accounts - so stopping spam is my priority, I don't mind a bit of admin every now and then to set the config. I've also added a configurable feature to disable the sending of email if the From address is not the same as the authorised login account. There's a couple of admin pages to show the config setup it has loaded and to view which accounts have sent email and how many emails they have sent - highlighted if they are near their limit (a warning email is sent like in SmtpLimit) or over it.

Its only just gone live on my server, hopefully it doesn't create more problems than it solves - although having been through the pain of being hacked, I do not think that is at all possible! It uses the .Net ReaderWriterLock for main thread syncronisation which I've not used before - I hope its implemented correctly and I don't get deadlocks.

If anyone wants to use it, or use bits for their own yayasl, it can be downloaded here - I offer no guarantees that it works...

hMailServer Events client component...
http://www.mydocz.com/yasl_Client.zip

IIS server component...
http://www.mydocz.com/yasl_Server.zip

Its not greatly documented. The main yasl.cs file has some docs embeded in it and there is a brief yasl_ReadMe.txt ...

Code: Select all

---------------------------------------------------
Basic Information on yasl - Yet Aanother Smtp Limit
---------------------------------------------------

This is a module to apply hourly and daily limits to the number of messages
hMailServer accounts can send.  This was created to stop hacked accounts being
used to send spam (or at least very much limit it).

yasl was created as other options performed lots of file handling to check each
message, and as spammers flood the server with messages, this could have caused
problems for other services running on the server.  yasl maintains an in memory
list of accounts that have sent messages and how many each has sent.

The 'yasl' class performs limiting logic/processing.  It is a 'singleton' class/
object written in c#.  Being a singleton, rather than static, object creation and
destruction is controlled to enable current data to be saved (on destruction) and
reloaded (on creation) so that its state is maintained.

Daily limits do not relate to a calendar day, they cover activity in the previous
24 hours.

The yasl class is front-ended by a yasl.aspx URL.  The vbscript code loaded by 
hMailServer extracts the required information from the Client and Message parameters
to the onAcceptMessage called by hMailServer and posts these to the yasl.aspx URL.

There is also a yasl_Admin.aspx URL that is viewed through a browser to show the
current state on the yasl singleton - ie config and accounts that have sent mail.
It can also be used to reload changed config files rather than destroying the object.

yasl can also be used to ensure that all email sent by and account is has a matching
from address.


yasl_Server.zip
---------------

The yasl_Server.zip file contains content that should be extracted to an IIS
application folder which will host it.

The yasl code has no security to ensure outsiders are not interfering with it.
I configure my IIS site that hosts it to only allow IP trusted addresses - ie
the mail server and administrative/testing clients and servers.

The yasl class is found in the yasl.cs file in the APP_CODE folder.


yasl_Client.zip
---------------

The yasl_Client.zip file should be extracted into the Events folder of the
hMailServer installation.  As well as the EventHandlers.vbs file used by
hMailServer, there is also a yasl_client_test.vbs script that can be used to test
connection to the server and the server itself.  Command line usage for this is
found in the file.


Configuration
-------------

The yasl class is configured using the yasl_Config.xml and yasl_Overrides.xml files.
These are documented in the yasl class in the APP_CODE\yasl.cs file.

The client should be configured in the EventHandlers.vbs file.  It is documented in
the file what can be set - eg admin email address for warning/error messages.
The following is a sample screen shot of the Admin Config screen...

Image

The following is a sample screen shot of the Admin account status screen...

Image

User avatar
jim.bus
Senior user
Senior user
Posts: 630
Joined: 2011-05-28 11:49
Location: US

Re: Yet Another Smtp Limit

Post by jim.bus » 2020-12-23 06:17

Perhaps a simpler way would be to do your Administration with hMailAdmin.

From your statement nothing prevents the User from changing their Passwords back to simple (weak) Passwords, I'm assuming you are doing your hMailServer Administration with the Browser based Admin utility which allows the user knowing the Log On Credentials the ability to change things such as their Passwords.

One solution would be to not to give them the Passwords in the first place and require them to let you set up their Email Clients with the Logon Credentials. This would be somewhat cumbersome especially if your Users also accessed their Email Accounts with the Browser.

The other possible solution would be to possibly use hMailAdmin instead of the Browser based Administration Utility. With hMailAdmin, you would be acting as the only Administrator and the Users would have no direct control to set the Passwords. You could then give them their Passwords so they could set up their own Email Clients with their Email Clients Logon Credentials and they would have no access to change their Passwords except by making a request to you to change their Passwords for them.

GrumpyGel
New user
New user
Posts: 7
Joined: 2020-06-06 05:32

Re: Yet Another Smtp Limit

Post by GrumpyGel » 2020-12-23 11:41

Thanks for thinking about it.

I don't want to know their passwords or tell them which ones to use.

They do have access to the hMailServer WebAdmin to change their passwords.

User avatar
RvdH
Senior user
Senior user
Posts: 1214
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Yet Another Smtp Limit

Post by RvdH » 2020-12-23 11:50

GrumpyGel wrote:
2020-12-23 11:41
Thanks for thinking about it.

I don't want to know their passwords or tell them which ones to use.

They do have access to the hMailServer WebAdmin to change their passwords.
I disallow access to WebAdmin , but i do allow access to roundcube (webmail) where they can change their password....benefit here you can specify some password requirements or a password_strenght_driver

Optional config options for roundcube (1.4.x) password plugin

Code: Select all

// Determine whether current password is required to change password.
// Default: false.
$config['password_confirm_current'] = true;

// Require the new password to be a certain length.
// set to blank to allow passwords of any length
$config['password_minimum_length'] = 8;

// Require the new password to have at least the specified strength score.
// Note: Password strength is scored from 1 (weak) to 5 (strong).
$config['password_minimum_score'] = 2;
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

palinka
Senior user
Senior user
Posts: 2475
Joined: 2017-09-12 17:57

Re: Yet Another Smtp Limit

Post by palinka » 2020-12-23 13:40

I do password change by SMS. Each email user has a cell number associated with their account, so the sender's number is the authentication. There is also password validation for length and type of characters required. :D

palinka
Senior user
Senior user
Posts: 2475
Joined: 2017-09-12 17:57

Re: Yet Another Smtp Limit

Post by palinka » 2020-12-23 13:49

I like the hourly limit. I think I'll incorporate that into my limiter script.

GrumpyGel
New user
New user
Posts: 7
Joined: 2020-06-06 05:32

Re: Yet Another Smtp Limit

Post by GrumpyGel » 2020-12-23 14:58

palinka wrote:
2020-12-23 13:49
I like the hourly limit. I think I'll incorporate that into my limiter script.
I couldn't have put together what I have without seeing your script - many thanks :D

I had a huge number of messages go through the server before I knew anything was up! So felt I needed to control it in memory.

Another thing I do is count how many emails get rejected as over the limit. If someone goes over the limit, its unlikely they will keep trying to many times to resend - if its a hacker though, they'll just keep pumping spam through. So when I roll over an hour I disregard rejections up to the 'human' level (Retain_Ignore) but count a percentage above this (Retain_Include) as if they are messages that have been sent - this is likely to then immediately push it straight back over the limit and the spammer won't get another hour's worth of spam messages.

GrumpyGel
New user
New user
Posts: 7
Joined: 2020-06-06 05:32

Re: Yet Another Smtp Limit

Post by GrumpyGel » 2020-12-23 15:10

RvdH wrote:
2020-12-23 11:50
GrumpyGel wrote:
2020-12-23 11:41
Thanks for thinking about it.

I don't want to know their passwords or tell them which ones to use.

They do have access to the hMailServer WebAdmin to change their passwords.
I disallow access to WebAdmin , but i do allow access to roundcube (webmail) where they can change their password....benefit here you can specify some password requirements or a password_strenght_driver

Optional config options for roundcube (1.4.x) password plugin

Code: Select all

// Determine whether current password is required to change password.
// Default: false.
$config['password_confirm_current'] = true;

// Require the new password to be a certain length.
// set to blank to allow passwords of any length
$config['password_minimum_length'] = 8;

// Require the new password to have at least the specified strength score.
// Note: Password strength is scored from 1 (weak) to 5 (strong).
$config['password_minimum_score'] = 2;
Thanks for the info.

I've not looked into web mail for the hMailServer setup, I'll look into this though as it enforces password integrity.

Hopefully I won't be hacked again, but this limiter can only reduce the chance of a hack succeeding - so I'll leave it running!

User avatar
mattg
Moderator
Moderator
Posts: 21268
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Yet Another Smtp Limit

Post by mattg » 2020-12-24 08:22

GrumpyGel wrote:
2020-12-23 04:02
I went in and put strong passwords on all the accounts - but there's nothing to stop them putting simple ones back...
#1 change your admin password ASAP

#2 they can log onto the web app to manage their own passwords with their own email address and password - they DON'T NEED TO USE ADMINISTRATOR to log onto the web admin tools
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Senior user
Posts: 2475
Joined: 2017-09-12 17:57

Re: Yet Another Smtp Limit

Post by palinka » 2020-12-24 16:12

GrumpyGel wrote:
2020-12-23 14:58
Another thing I do is count how many emails get rejected as over the limit. If someone goes over the limit, its unlikely they will keep trying to many times to resend - if its a hacker though, they'll just keep pumping spam through. So when I roll over an hour I disregard rejections up to the 'human' level (Retain_Ignore) but count a percentage above this (Retain_Include) as if they are messages that have been sent - this is likely to then immediately push it straight back over the limit and the spammer won't get another hour's worth of spam messages.
I like the concept. Stuff like that is good for informational purposes. I log everything.

Knowledge is power. :D

Post Reply