Aside from general work to improve the security posture of the public interface, my latest focus is standing up an email service for new registrations.
The working assumptions include that
- an individual will be enrolled via keycloak or a similar identity management package;
- on enrollment, several services will become immediately available to the user, including email;
- email will be accessed through a web interface; and,
- it would be pretty silly to adopt an identity management platform and then have our web interface for email present yet another login page, right?
I anticipate that we’ll be starting with an Ubuntu Server 18.04 operating system running Postfix for SMTP and Dovecot for IMAP, where Dovecot provides the authentication functions for both SMTP & IMAP. For the web interface, I’m taking an initial stab with RoundCube, which itself rides on a LAMP stack.
There’s some additional discussion of the work in the article “Integrator Challenges, Email Edition” (link), but in summary:
- The operational test email stack that I had readily available is riding on Ubuntu 16.04, whose repository supports a Dovecot version that does not yet provide OpenID-Connect support.
- RoundCube has a plugin for handling OpenID-Connect, but it appears to add a bit too much complexity for what we’re after. Instead, I’m taking a look through the RoundCube source code (PHP) and examining how they handle Kerberos, which provides somewhat equivalent challenges.
All in all, it’s clear enough that this is possible, but not so clear how long it’ll take to work through in my spare time.
Still, it looks promising and RoundCube does indeed look like a nicely designed project.
WordPress Attack Aftermath?
Well, there’s no aftermath, thank goodness.
- I continue to block known foreign IP addresses during development, since the logs show no sign of the constant blind attacks relenting.
- Killing DigitalOcean access has made the logs so much quieter. That’s a shame. Since their CIDR blocks are scattered all over the place, I occasionally do spot another one sneaking through like roaches. Each new offender results in nuking the whole block.
- I’ve added two constraints on accessing the wp-login.php endpoint: (a) no POSTs, and (b) no GETs without a referrer. Obviously the no-POST rule is sufficient to quash a password guesser, but that may be opened up again later. The second rule helps blunt scanners and helps thwart some of the password guessers.
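As an added example (not code from this site), here is how the two wp-login.php rules above can be replayed against web server access logs to see what each rule would have rejected. It assumes Apache/nginx combined log format; the sample lines are constructed, not real traffic.

```python
import re
from collections import Counter

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return which of the two wp-login.php rules (if any) would reject this request."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    # Ignore the query string so /wp-login.php?action=... is still the login endpoint.
    if m["path"].split("?", 1)[0] != "/wp-login.php":
        return "not-login"
    if m["method"] == "POST":
        return "block-post"            # rule (a): no POSTs at all
    # Combined format logs a missing Referer as "-".
    if m["method"] == "GET" and m["referer"] in ("", "-"):
        return "block-no-referer"      # rule (b): no GETs without a referrer
    return "allow"                     # includes HEAD etc., which rule (b) as stated does not cover


def summarize(lines):
    """Count requests per outcome so the effect of each rule is visible at a glance."""
    return Counter(classify(line) for line in lines)


# Constructed sample log lines (documentation-range IPs, invented timestamps).
SAMPLE_LINES = [
    '203.0.113.5 - - [02/Sep/2019:10:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "python-requests/2.22"',
    '203.0.113.5 - - [02/Sep/2019:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "https://blog.example/wp-login.php" "python-requests/2.22"',
    '198.51.100.7 - - [02/Sep/2019:10:16:10 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 2345 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Sep/2019:10:16:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "https://blog.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Sep/2019:10:17:00 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for outcome, count in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{outcome:18s} {count}")
```

The Referer header is supplied by the client, so rule (b) only filters tools that never bother to set it; the counts show where such traffic lands rather than proving the rule is airtight.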
And now, since we’re mostly dealing with U.S. visitors, Happy Labor Day!