
Geo-blocking an Email Server

beebee, Ars Praefectus, 29 minutes ago

tetrapyloctomy wrote:

Two-factor authentication is great. I'd also like to be able to restrict access to some of my accounts based on location. HEY, GUYS, I AM NOT TRYING, AND NEVER WILL TRY, TO LOG IN FROM BELARUS.

I run my own email server and do exactly what you stated. You can create a geographical block using data from ip2location.com. The data is free.

Before I had my own email server, I was hacked via an exploit in Roundcube. The hacker was from Morocco. I didn't need Roundcube (email access via browser), but the hosting company set up both Roundcube and SquirrelMail as a "service." I've never been to Morocco, so I don't need to access my email from that country.

When I set up my own email server, I did not provide web access. The quality of the code from Roundcube and SquirrelMail is not at the same level as Postfix and Dovecot. I have no browser-based means to maintain my email server. Those control panels are just another thing to hack. Keep the attack surface small. I maintain the server via ssh and run sshguard to protect that service.

To be clear here, provided you understand email ports, I provide blocking on all email ports other than 25. (I use 587.) In plain English, this means I can still receive email from foreign countries. I just can't send or download my email from those countries.

I have scripts to analyze the email logs to detect hacking. When I get the IP of the hacker, I determine if I would ever need to send or retrieve email from the IP space associated with the hacker IP address. For instance, I have had many attacks from .edu accounts. As the hacks occur, I block those institutions.

I block all the major hosting companies. Rackspace, for example. Also cloud providers like AWS. I have that database for my webserver, but also apply it to my email access. Recently a tech blogger was hacked via Logicweb IP space. Yep, I've had attacks on the web server from Logicweb, so their IP space is blocked. The IP space of a hosting company can be found using bgp.he.net.

There should be a cottage business to provide email in the manner of my server to VIPs. I can't understand how people who earn seven figures have Yahoo or Gmail accounts.

Source: Comments
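
One way to script the log analysis and port-scoped blocking the comment describes, as an added example that is not the commenter's own code. The log lines, address ranges, /24 prefix, failure threshold and every port other than 587 are assumptions made for illustration; IPv4 only.

```python
import ipaddress
import re
from collections import Counter

# Assumption: client-facing mail ports. The comment names 587; the others are
# added here. Port 25 is deliberately absent so inbound mail still arrives.
CLIENT_PORTS = (587, 465, 143, 993, 110, 995)
# Constructed stand-in for the ranges you really log in from (for example,
# the home-country ranges exported from a geolocation database).
HOME_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAIL_PATTERNS = [  # failed logins as logged by Postfix (SASL) and Dovecot
    re.compile(r"postfix/\S+\[\d+\]: warning: \S+\[" + IPV4 + r"\]: SASL \w+ authentication failed"),
    re.compile(r"dovecot: \S+-login: .*auth failed.*\brip=" + IPV4),
]

# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = """\
Sep  3 10:01:11 mx postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep  3 10:01:15 mx postfix/submission/smtpd[2214]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Sep  3 10:02:40 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Sep  3 10:03:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.10, TLS
Sep  3 10:04:00 mx postfix/smtpd[2290]: connect from mail.example.org[198.51.100.200]
"""

def failed_logins(log_text):
    """Count log lines reporting a failed authentication, per source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        for pattern in FAIL_PATTERNS:
            match = pattern.search(line)
            if match:
                hits[ipaddress.ip_address(match.group(1))] += 1
                break
    return hits

def block_rules(hits, threshold=2, prefix=24):
    """Build iptables rules for offending networks outside HOME_RANGES.

    prefix is a placeholder for the real allocation size of the network.
    """
    nets = set()
    for ip, count in hits.items():
        if count >= threshold and not any(ip in home for home in HOME_RANGES):
            nets.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    ports = ",".join(str(p) for p in CLIENT_PORTS)
    return [f"iptables -A INPUT -s {net} -p tcp -m multiport --dports {ports} -j DROP"
            for net in sorted(nets)]

if __name__ == "__main__":
    print("\n".join(block_rules(failed_logins(SAMPLE_LOG))))
```

The script only prints rules; reviewing each network before applying a rule matches the commenter's step of deciding whether access from that IP space would ever be needed.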



last updated september 2017