POP and IMAP attacks
#161 Henry, Wednesday, 11 July 2012 1:09 PM (Category: Network)
(Tags: pop imap linode)

I've been busy with racing and concerts last week, so I haven't been checking on my Linode much. I am not super worried about the security of it, because I've done the best I can so far, and I keep it up to date with all the security patches, but I get paranoid about things. When I had some time, I checked my logs and I see regular attacks against POP, and occasionally some attacks against IMAP. When I see these, I grab the IP addresses and blacklist them in my firewall. But I really would like to blacklist them while they are happening, not days or hours after the event. The obvious tool to use is fail2ban. This is what Linode recommend. It's available as a package for Slackware, and I have installed it and started looking at it.

Fail2ban will primarily halt brute-force attacks on ssh, which I don't worry too much about. I use authorised keys only, and don't use the standard port. But fail2ban can be adapted to look for other attacks using regular expressions. I could set it up to look for attacks on IMAP, because imapd reports failures in /var/log/messages like this:

Jul  5 07:53:34 moshie imapd[10127]: Login failed user=access auth=access
host=97-89-193-190.static.slid.la.charter.com []

You get enough details in that one log to be able to recognise an attack and extract the needed elements with a regular expression. There's the "imapd" identifier, "Login failed", and the IP address "". I can set that one up pretty easily.

But popa3d is a different beast. The logs appear in two different files. A login attempt appears in /var/log/secure like this:

Jul 11 04:48:19 moshie popa3d[4526]: connect from (

and the notice of a failure appears in /var/log/messages like this:

Jul 11 04:48:19 moshie popa3d[4521]: Authentication failed for UNKNOWN USER

There is no one single log that contains the failure notice plus the IP address. I would have to look for failures in /var/log/messages and then correlate by time in /var/log/secure. I can't do that with fail2ban.

My first thought was to see if I could change the logging for popa3d so both logs appeared in the same file. Have you ever attempted to fool around with syslog? It's an abomination. I've worked with it before. You can do a lot with it, with difficulty, but you're much better off avoiding it and looking for any other solution not involving syslog.conf. Besides, the best I could manage would be to get both logs in the one file, and that still wouldn't let me get fail2ban to recognise an attempt.

Then I looked at popa3d. It's a pretty limited little application. You can run it with -V and it will print the version details and stop. You can let it run on demand using inetd, and this is how Slackware runs it by default. So there's an entry in /etc/inetd.conf for it. You could save the inetd overhead if you're doing a lot of POP, and take it out of inetd and run it as a daemon. You need an entry in /etc/rc.d/rc.local to start it up, and then you run it with the -D switch. Those are the only two command line switches: -V and -D.

I looked at the code to see if I could augment the failure message by adding the IP address. I tracked that specific syslog down to pop_auth.c and found the right lines of code. Easy to change if I had the IP address, but I don't have the IP address there. It would take a lot of effort to find the IP address at the connection point and then pass it down to that function. And once I've done that, any security updates to popa3d that come down the pipe would mean my changes disappear and I would have to do it all over again. That's a possible solution but not a good one.

I thought about bypassing it entirely. Do I need POP? I know that I use IMAP with fetchmail, Richard uses IMAP with fetchmail (in a different and clever way), Squirrelmail uses IMAP, everything uses IMAP. No, not everything. Anne is set up so Thunderbird pulls the mail down using POP. So I thought about changing Thunderbird's access from POP to IMAP, and then I could turn off POP. I could not find an easy way to change an account in Thunderbird from POP to IMAP. I did a Google search and found information on the Mozilla site. You cannot convert a POP account to an IMAP account. You have to set up the IMAP account, then manually copy all the old data to it, and then delete the POP account. Ugh. I set up an IMAP account and then ran into a problem. I do not want the emails to stay on my mailserver. I want them brought down and stored on Anne's system and then deleted from the mailserver. That's what POP does. I know you can do the same thing with IMAP, as that's what I do with fetchmail. But how to tell Thunderbird to do that? I give up. So many options, so many terms, and I can't make it out. I gave up and looked elsewhere.

Richard suggested trying a different POP server, and pointed me to Dovecot. I downloaded it and looked at it and read the instructions. Very nice. I'm going to set this up on my home server and try it out. If it works out, I will install it on my Linode and turn off imapd and popa3d, then configure fail2ban to work with the new logs.

I will go ahead with more tests with Dovecot, but I keep thinking I am doing too much work and I should be doing the obvious. I should learn more about Thunderbird and how to get its IMAP usage to do what I want - pull the mail down and then delete it from the server.

There is another solution and that is to learn about certificates. I have to do this anyway to set up more secure sendmail relaying, and it appears I can do POP and IMAP with certificates. That would stop the attacks right at the front line. Yes, I believe that certificates are in my very near future and will solve many of my issues.

But first, I will try and change Thunderbird's behaviour. Then look at Dovecot and fail2ban. And then get on with certificates.