public inbox for pmg-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button
@ 2020-11-17 14:57 Dominik Csapak
  2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-api v2 1/3] refactor domain_regex to Utils Dominik Csapak
                   ` (6 more replies)
  0 siblings, 7 replies; 15+ messages in thread
From: Dominik Csapak @ 2020-11-17 14:57 UTC (permalink / raw)
  To: pmg-devel

adds an option/api call to request an quarantine link for an
email whose domain is in the relay domains

for now, we do not expose that option to the ui, but this can easily be
added if wanted

NOTES on security:

this adds a world reachable api call, that can potentially send e-mails
to users that belong to a relay domain

this is ok, since anybody can already send e-mails to the users
via normal smtp, and since the content of the e-mail cannot be
controlled, the only thing a potential attacker can do is a dos attack
(which can always be done via resource exhaustion, e.g. send a lot of mail)

we could add more checks to make it more secure, but not so convenient:
* add an option for a admin-settable shared secret that users must enter
  (makes it harder for the user to self-service, since the user has to
  know the secret)
* only allow it from 'trusted networks' (this makes probably no sense)
* add an option to allow it from a specific subnet (similar to above,
  but seperate from mail flow, which could make sense, but is also
  not as convenient)

for now all text is hardcoded, templates could be used later on
(if users want that)

also i am open for alternate wordings for all texts, i basically chose
what came to mind first...

changes from v1:
* move config to 'spamquar' section
* show button also on admin interface

pmg-api:

Dominik Csapak (3):
  refactor domain_regex to Utils
  add 'quarantinelink' to spamquar config
  api2/quarantine: add global sendlink api call

 src/PMG/API2/Quarantine.pm  | 87 +++++++++++++++++++++++++++++++++++++
 src/PMG/CLI/pmgqm.pm        | 29 +------------
 src/PMG/Config.pm           |  6 +++
 src/PMG/HTTPServer.pm       |  1 +
 src/PMG/Service/pmgproxy.pm |  4 ++
 src/PMG/Utils.pm            | 26 +++++++++++
 6 files changed, 126 insertions(+), 27 deletions(-)

pmg-gui:

Dominik Csapak (1):
  add 'Request Quarantine Link' Button to LoginView

 js/LoginView.js   | 31 +++++++++++++++++++++++++++++++
 pmg-index.html.tt |  3 ++-
 2 files changed, 33 insertions(+), 1 deletion(-)

-- 
2.20.1





^ permalink raw reply	[flat|nested] 15+ messages in thread

* [pmg-devel] [PATCH pmg-api v2 1/3] refactor domain_regex to Utils
  2020-11-17 14:57 [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button Dominik Csapak
@ 2020-11-17 14:57 ` Dominik Csapak
  2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-api v2 2/3] add 'quarantinelink' to spamquar config Dominik Csapak
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 15+ messages in thread
From: Dominik Csapak @ 2020-11-17 14:57 UTC (permalink / raw)
  To: pmg-devel

we will need this somewhere else later

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
 src/PMG/CLI/pmgqm.pm | 29 ++---------------------------
 src/PMG/Utils.pm     | 26 ++++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 27 deletions(-)

diff --git a/src/PMG/CLI/pmgqm.pm b/src/PMG/CLI/pmgqm.pm
index 937269f..39253db 100755
--- a/src/PMG/CLI/pmgqm.pm
+++ b/src/PMG/CLI/pmgqm.pm
@@ -33,31 +33,6 @@ sub setup_environment {
     PMG::RESTEnvironment->setup_default_cli_env();
 }
 
-sub domain_regex {
-    my ($domains) = @_;
-
-    my @ra;
-    foreach my $d (@$domains) {
-	# skip domains with non-DNS name characters
-	next if $d =~ m/[^A-Za-z0-9\-\.]/;
-	if ($d =~ m/^\.(.*)$/) {
-	    my $dom = $1;
-	    $dom =~ s/\./\\\./g;
-	    push @ra, $dom;
-	    push @ra, "\.\*\\.$dom";
-	} else {
-	    $d =~ s/\./\\\./g;
-	    push @ra, $d;
-	}
-    }
-
-    my $re = join ('|', @ra);
-
-    my $regex = qr/\@($re)$/i;
-
-    return $regex;
-}
-
 sub get_item_data {
     my ($data, $ref) = @_;
 
@@ -145,7 +120,7 @@ __PACKAGE__->register_method ({
 	my $dbh = PMG::DBTools::open_ruledb();
 
 	my $domains = PVE::INotify::read_file('domains');
-	my $domainregex = domain_regex([keys %$domains]);
+	my $domainregex = PMG::Utils::domain_regex([keys %$domains]);
 
 	my $sth = $dbh->prepare(
 	    "SELECT pmail, AVG(spamlevel) as spamlevel, count(*)  FROM CMailStore, CMSReceivers " .
@@ -278,7 +253,7 @@ __PACKAGE__->register_method ({
 	}
 
 	my $domains = PVE::INotify::read_file('domains');
-	my $domainregex = domain_regex([keys %$domains]);
+	my $domainregex = PMG::Utils::domain_regex([keys %$domains]);
 
 	my $template = "spamreport-${reportstyle}.tt";
 	my $found = 0;
diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
index d0654e1..a04d41b 100644
--- a/src/PMG/Utils.pm
+++ b/src/PMG/Utils.pm
@@ -1417,4 +1417,30 @@ sub reload_smtp_filter {
     return kill (10, $pid); # send SIGUSR1
 }
 
+sub domain_regex {
+    my ($domains) = @_;
+
+    my @ra;
+    foreach my $d (@$domains) {
+	# skip domains with non-DNS name characters
+	next if $d =~ m/[^A-Za-z0-9\-\.]/;
+	if ($d =~ m/^\.(.*)$/) {
+	    my $dom = $1;
+	    $dom =~ s/\./\\\./g;
+	    push @ra, $dom;
+	    push @ra, "\.\*\\.$dom";
+	} else {
+	    $d =~ s/\./\\\./g;
+	    push @ra, $d;
+	}
+    }
+
+    my $re = join ('|', @ra);
+
+    my $regex = qr/\@($re)$/i;
+
+    return $regex;
+}
+
+
 1;
-- 
2.20.1





^ permalink raw reply	[flat|nested] 15+ messages in thread

* [pmg-devel] [PATCH pmg-api v2 2/3] add 'quarantinelink' to spamquar config
  2020-11-17 14:57 [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button Dominik Csapak
  2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-api v2 1/3] refactor domain_regex to Utils Dominik Csapak
@ 2020-11-17 14:57 ` Dominik Csapak
  2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-api v2 3/3] api2/quarantine: add global sendlink api call Dominik Csapak
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 15+ messages in thread
From: Dominik Csapak @ 2020-11-17 14:57 UTC (permalink / raw)
  To: pmg-devel

to enable the 'Request Quarantine Link' button and api call

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
 src/PMG/Config.pm           | 6 ++++++
 src/PMG/Service/pmgproxy.pm | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
index cd69c9c..155990b 100755
--- a/src/PMG/Config.pm
+++ b/src/PMG/Config.pm
@@ -289,6 +289,11 @@ sub properties {
 	    description => "Text for 'From' header in daily spam report mails.",
 	    type => 'string',
 	},
+	quarantinelink => {
+	    description => "Enables user self-service for Quarantine Links. Caution: this is accessible without authentication",
+	    type => 'boolean',
+	    default => 0,
+	},
     };
 }
 
@@ -303,6 +308,7 @@ sub options {
 	allowhrefs => { optional => 1 },
 	port => { optional => 1 },
 	protocol => { optional => 1 },
+	quarantinelink => { optional => 1 },
     };
 }
 
diff --git a/src/PMG/Service/pmgproxy.pm b/src/PMG/Service/pmgproxy.pm
index ea58b50..cec2754 100755
--- a/src/PMG/Service/pmgproxy.pm
+++ b/src/PMG/Service/pmgproxy.pm
@@ -21,6 +21,7 @@ use PVE::APIServer::Utils;
 
 use PMG::HTTPServer;
 use PMG::API2;
+use PMG::Config;
 
 use Template;
 
@@ -227,6 +228,8 @@ sub get_index {
 	$version = $1;
     };
 
+    my $cfg = PMG::Config->new();
+    my $quarantinelink = $cfg->get('spamquar', 'quarantinelink');
 
     $username = '' if !$username;
 
@@ -242,6 +245,7 @@ sub get_index {
 	debug => $args->{debug} || $server->{debug},
 	version => $version,
 	wtversion => $wtversion,
+	quarantinelink => $quarantinelink,
     };
 
     my $template_name;
-- 
2.20.1





^ permalink raw reply	[flat|nested] 15+ messages in thread

* [pmg-devel] [PATCH pmg-api v2 3/3] api2/quarantine: add global sendlink api call
  2020-11-17 14:57 [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button Dominik Csapak
  2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-api v2 1/3] refactor domain_regex to Utils Dominik Csapak
  2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-api v2 2/3] add 'quarantinelink' to spamquar config Dominik Csapak
@ 2020-11-17 14:57 ` Dominik Csapak
  2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-gui v2 1/1] add 'Request Quarantine Link' Button to LoginView Dominik Csapak
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 15+ messages in thread
From: Dominik Csapak @ 2020-11-17 14:57 UTC (permalink / raw)
  To: pmg-devel

this api call takes an email, checks it against the relay domains,
and prepares a custom quarantinelink for that email  and sends it there

this has to happen unauthenticated, since the idea is that the user
want to access the quarantine but has no current ticket (and no
old spam report with a ticket)

to prevent abuse, we let the api call take 3 seconds, even if
it would fail due to an invalid e-mail address, so that an
potential attacker cannot probe for e-mails/relay domains.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
 src/PMG/API2/Quarantine.pm | 87 ++++++++++++++++++++++++++++++++++++++
 src/PMG/HTTPServer.pm      |  1 +
 2 files changed, 88 insertions(+)

diff --git a/src/PMG/API2/Quarantine.pm b/src/PMG/API2/Quarantine.pm
index 73fb0ec..cfedc84 100644
--- a/src/PMG/API2/Quarantine.pm
+++ b/src/PMG/API2/Quarantine.pm
@@ -8,6 +8,9 @@ use Data::Dumper;
 use Encode;
 use File::Path;
 use IO::File;
+use MIME::Entity;
+use URI::Escape;
+use Time::HiRes qw(usleep gettimeofday tv_interval);
 
 use Mail::Header;
 use Mail::SpamAssassin;
@@ -195,6 +198,7 @@ __PACKAGE__->register_method ({
 	    { name => 'attachment' },
 	    { name => 'listattachments' },
 	    { name => 'download' },
+	    { name => 'sendlink' },
 	];
 
 	return $result;
@@ -1239,4 +1243,87 @@ __PACKAGE__->register_method ({
 	return undef;
     }});
 
+__PACKAGE__->register_method ({
+    name =>'sendlink',
+    path => 'sendlink',
+    method => 'POST',
+    description => "Send Quarantine link to given e-mail.",
+    permissions => { user => 'world' },
+    protected => 1,
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    mail => get_standard_option('pmg-email-address'),
+	},
+    },
+    returns => { type => "null" },
+    code => sub {
+	my ($param) = @_;
+
+	my $cfg = PMG::Config->new();
+
+	my $hostname = PVE::INotify::nodename();
+
+	my $is_enabled = $cfg->get('spamquar', 'quarantinelink');
+	if (!$is_enabled) {
+	    die "This feature is not enabled\n";
+	}
+
+	my $fqdn = $cfg->get('spamquar', 'hostname') //
+	    PVE::Tools::get_fqdn($hostname);
+
+	my $port = $cfg->get('spamquar', 'port') // 8006;
+
+	my $protocol = $cfg->get('spamquar', 'protocol') // 'https';
+
+	my $protocol_fqdn_port = "$protocol://$fqdn";
+	if (($protocol eq 'https' && $port != 443) ||
+	    ($protocol eq 'http' && $port != 80)) {
+	    $protocol_fqdn_port .= ":$port";
+	}
+
+	my $mailfrom = $cfg->get ('spamquar', 'mailfrom') //
+	    "Proxmox Mail Gateway <postmaster>";
+
+	my $domains = PVE::INotify::read_file('domains');
+	my $domainregex = PMG::Utils::domain_regex([keys %$domains]);
+
+	my $receiver = $param->{mail};
+
+	my $starttime = [gettimeofday];
+	my $delay = 0;
+
+	if ($receiver !~ $domainregex) {
+	    # make all calls to this take the same duration
+	    $delay = 3 - tv_interval($starttime);
+	    $delay = 0 if $delay < 0;
+	    sleep $delay;
+	    return undef; # silently ignore invalid mails
+	}
+
+	my $ticket = PMG::Ticket::assemble_quarantine_ticket($receiver);
+	my $esc_ticket = uri_escape($ticket);
+	my $link = "$protocol_fqdn_port/quarantine?ticket=${esc_ticket}";
+
+	my $text = "Here is your Link for the Spam Quarantine on $fqdn:\n\n$link\n";
+
+	my $top = MIME::Entity->build(
+	    Type    => "text/plain",
+	    To      => $receiver,
+	    From    => $mailfrom,
+	    Subject => "Proxmox Mail Gateway - Quarantine Link",
+	    Data    => $text,
+	);
+
+	# we use an empty envelope sender (we dont want to receive NDRs)
+	PMG::Utils::reinject_mail ($top, '', [$receiver], undef, $fqdn);
+
+	# make all calls to this take the same duration
+	$delay = 3 - tv_interval($starttime);
+	$delay = 0 if $delay < 0;
+	sleep $delay;
+
+	return undef;
+    }});
+
 1;
diff --git a/src/PMG/HTTPServer.pm b/src/PMG/HTTPServer.pm
index eb48b5f..3dc9655 100755
--- a/src/PMG/HTTPServer.pm
+++ b/src/PMG/HTTPServer.pm
@@ -58,6 +58,7 @@ sub auth_handler {
 
     # explicitly allow some calls without auth
     if (($rel_uri eq '/access/domains' && $method eq 'GET') ||
+	($rel_uri eq '/quarantine/sendlink' && ($method eq 'GET' || $method eq 'POST')) ||
 	($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST'))) {
 	$require_auth = 0;
     }
-- 
2.20.1





^ permalink raw reply	[flat|nested] 15+ messages in thread

* [pmg-devel] [PATCH pmg-gui v2 1/1] add 'Request Quarantine Link' Button to LoginView
  2020-11-17 14:57 [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button Dominik Csapak
                   ` (2 preceding siblings ...)
  2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-api v2 3/3] api2/quarantine: add global sendlink api call Dominik Csapak
@ 2020-11-17 14:57 ` Dominik Csapak
  2020-11-17 15:29 ` [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button Thomas Lamprecht
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 15+ messages in thread
From: Dominik Csapak @ 2020-11-17 14:57 UTC (permalink / raw)
  To: pmg-devel

if the template has 'quarantinelink' enabled, we
show a button 'Request Quarantine Link' on the quarantine login ui

there a user can enter their e-mail and request a link to the quarantine

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
 js/LoginView.js   | 31 +++++++++++++++++++++++++++++++
 pmg-index.html.tt |  3 ++-
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/js/LoginView.js b/js/LoginView.js
index 8e610aa..5b95234 100644
--- a/js/LoginView.js
+++ b/js/LoginView.js
@@ -10,6 +10,8 @@ Ext.define('PMG.LoginView', {
 
 	    let realmfield = me.lookup('realmfield');
 
+	    me.lookup('quarantineButton').setVisible(!!Proxmox.QuarantineLink);
+
 	    if (view.targetview !== 'quarantineview') {
 		return;
 	    }
@@ -65,6 +67,28 @@ Ext.define('PMG.LoginView', {
 	    }
 	},
 
+	openQuarantineLinkWindow: function() {
+	    let me = this;
+	    me.lookup('loginwindow').setVisible(false);
+	    Ext.create('Proxmox.window.Edit', {
+		title: gettext('Request Quarantine Link'),
+		url: '/quarantine/sendlink',
+		method: 'POST',
+		items: [
+		    {
+			xtype: 'proxmoxtextfield',
+			name: 'mail',
+			fieldLabel: gettext('Your E-Mail'),
+		    },
+		],
+		listeners: {
+		    destroy: function() {
+			me.lookup('loginwindow').show(true);
+		    },
+		},
+	    }).show();
+	},
+
 	control: {
 	    'field[name=lang]': {
 		change: function(f, value) {
@@ -76,6 +100,9 @@ Ext.define('PMG.LoginView', {
 		    window.location.reload();
 		},
 	    },
+	    'button[reference=quarantineButton]': {
+		click: 'openQuarantineLinkWindow',
+	    },
 	    'button[reference=loginButton]': {
 		click: 'submitForm',
 	    },
@@ -172,6 +199,10 @@ Ext.define('PMG.LoginView', {
                         },
 		    ],
 		    buttons: [
+			{
+			    text: gettext('Request Quarantine Link'),
+			    reference: 'quarantineButton',
+			},
 			{
 			    text: gettext('Login'),
 			    reference: 'loginButton',
diff --git a/pmg-index.html.tt b/pmg-index.html.tt
index 4faf0cf..4a29ba2 100644
--- a/pmg-index.html.tt
+++ b/pmg-index.html.tt
@@ -30,7 +30,8 @@
         Setup: { auth_cookie_name: 'PMGAuthCookie' },
         NodeName: '[% nodename %]',
         UserName: '[% username %]',
-        CSRFPreventionToken: '[% token %]'
+        CSRFPreventionToken: '[% token %]',
+        QuarantineLink: [% IF quarantinelink %] true [% ELSE %] false [% END %],
       };
     </script>
     <script type="text/javascript" src="/proxmoxlib.js?ver=[% wtversion %]"></script>
-- 
2.20.1





^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button
  2020-11-17 14:57 [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button Dominik Csapak
                   ` (3 preceding siblings ...)
  2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-gui v2 1/1] add 'Request Quarantine Link' Button to LoginView Dominik Csapak
@ 2020-11-17 15:29 ` Thomas Lamprecht
  2020-11-17 15:53   ` Dominik Csapak
  2020-11-17 16:00 ` Stoiko Ivanov
  2020-11-17 16:27 ` Dietmar Maurer
  6 siblings, 1 reply; 15+ messages in thread
From: Thomas Lamprecht @ 2020-11-17 15:29 UTC (permalink / raw)
  To: Dominik Csapak, pmg-devel

On 17.11.20 15:57, Dominik Csapak wrote:
> adds an option/api call to request an quarantine link for an
> email whose domain is in the relay domains
> 
> for now, we do not expose that option to the ui, but this can easily be
> added if wanted
> 
> NOTES on security:
> 
> this adds a world reachable api call, that can potentially send e-mails
> to users that belong to a relay domain
> 
> this is ok, since anybody can already send e-mails to the users
> via normal smtp, and since the content of the e-mail cannot be
> controlled, the only thing a potential attacker can do is a dos attack
> (which can always be done via resource exhaustion, e.g. send a lot of mail)

But, isn't the difference that here the server does it for me, no
greylisting or similar involved? Also possible lower payload required
vs. doing the SMTP myself.


> 
> we could add more checks to make it more secure, but not so convenient:

why not rate limit it to three per day or so? not convenience reducing,
we would need to safe the usage count somewhere though.

> * add an option for a admin-settable shared secret that users must enter
>   (makes it harder for the user to self-service, since the user has to
>   know the secret)
> * only allow it from 'trusted networks' (this makes probably no sense)
> * add an option to allow it from a specific subnet (similar to above,
>   but seperate from mail flow, which could make sense, but is also
>   not as convenient)
> 
> for now all text is hardcoded, templates could be used later on
> (if users want that)
> 
> also i am open for alternate wordings for all texts, i basically chose
> what came to mind first...
> 
> changes from v1:
> * move config to 'spamquar' section
> * show button also on admin interface
> 
> pmg-api:
> 
> Dominik Csapak (3):
>   refactor domain_regex to Utils
>   add 'quarantinelink' to spamquar config
>   api2/quarantine: add global sendlink api call
> 
>  src/PMG/API2/Quarantine.pm  | 87 +++++++++++++++++++++++++++++++++++++
>  src/PMG/CLI/pmgqm.pm        | 29 +------------
>  src/PMG/Config.pm           |  6 +++
>  src/PMG/HTTPServer.pm       |  1 +
>  src/PMG/Service/pmgproxy.pm |  4 ++
>  src/PMG/Utils.pm            | 26 +++++++++++
>  6 files changed, 126 insertions(+), 27 deletions(-)
> 
> pmg-gui:
> 
> Dominik Csapak (1):
>   add 'Request Quarantine Link' Button to LoginView
> 
>  js/LoginView.js   | 31 +++++++++++++++++++++++++++++++
>  pmg-index.html.tt |  3 ++-
>  2 files changed, 33 insertions(+), 1 deletion(-)
> 






^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button
  2020-11-17 15:29 ` [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button Thomas Lamprecht
@ 2020-11-17 15:53   ` Dominik Csapak
  2020-11-17 16:11     ` Thomas Lamprecht
  0 siblings, 1 reply; 15+ messages in thread
From: Dominik Csapak @ 2020-11-17 15:53 UTC (permalink / raw)
  To: Thomas Lamprecht, pmg-devel

On 11/17/20 4:29 PM, Thomas Lamprecht wrote:
> On 17.11.20 15:57, Dominik Csapak wrote:
>> adds an option/api call to request an quarantine link for an
>> email whose domain is in the relay domains
>>
>> for now, we do not expose that option to the ui, but this can easily be
>> added if wanted
>>
>> NOTES on security:
>>
>> this adds a world reachable api call, that can potentially send e-mails
>> to users that belong to a relay domain
>>
>> this is ok, since anybody can already send e-mails to the users
>> via normal smtp, and since the content of the e-mail cannot be
>> controlled, the only thing a potential attacker can do is a dos attack
>> (which can always be done via resource exhaustion, e.g. send a lot of mail)
> 
> But, isn't the difference that here the server does it for me, no
> greylisting or similar involved? Also possible lower payload required
> vs. doing the SMTP myself.

sure, but it is basically the same as a 'forgot password' link on any 
website

also i am not sure about the cost of an tls+http call vs plain smtp...
(i guess that this difference will not stop an attacker...)

in general you can always dos a system, given enough network bandwidth...

> 
> 
>>
>> we could add more checks to make it more secure, but not so convenient:
> 
> why not rate limit it to three per day or so? not convenience reducing,
> we would need to safe the usage count somewhere though.

i thought of this, but would take a little more time to develop ;)
if wanted, i can of course implement something like this, though
i am not sure where we would want to save that info, and how much
time i'd need

> 
>> * add an option for a admin-settable shared secret that users must enter
>>    (makes it harder for the user to self-service, since the user has to
>>    know the secret)
>> * only allow it from 'trusted networks' (this makes probably no sense)
>> * add an option to allow it from a specific subnet (similar to above,
>>    but seperate from mail flow, which could make sense, but is also
>>    not as convenient)
>>
>> for now all text is hardcoded, templates could be used later on
>> (if users want that)
>>
>> also i am open for alternate wordings for all texts, i basically chose
>> what came to mind first...
>>
>> changes from v1:
>> * move config to 'spamquar' section
>> * show button also on admin interface
>>
>> pmg-api:
>>
>> Dominik Csapak (3):
>>    refactor domain_regex to Utils
>>    add 'quarantinelink' to spamquar config
>>    api2/quarantine: add global sendlink api call
>>
>>   src/PMG/API2/Quarantine.pm  | 87 +++++++++++++++++++++++++++++++++++++
>>   src/PMG/CLI/pmgqm.pm        | 29 +------------
>>   src/PMG/Config.pm           |  6 +++
>>   src/PMG/HTTPServer.pm       |  1 +
>>   src/PMG/Service/pmgproxy.pm |  4 ++
>>   src/PMG/Utils.pm            | 26 +++++++++++
>>   6 files changed, 126 insertions(+), 27 deletions(-)
>>
>> pmg-gui:
>>
>> Dominik Csapak (1):
>>    add 'Request Quarantine Link' Button to LoginView
>>
>>   js/LoginView.js   | 31 +++++++++++++++++++++++++++++++
>>   pmg-index.html.tt |  3 ++-
>>   2 files changed, 33 insertions(+), 1 deletion(-)
>>
> 
> 





^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button
  2020-11-17 14:57 [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button Dominik Csapak
                   ` (4 preceding siblings ...)
  2020-11-17 15:29 ` [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button Thomas Lamprecht
@ 2020-11-17 16:00 ` Stoiko Ivanov
  2020-11-17 16:27 ` Dietmar Maurer
  6 siblings, 0 replies; 15+ messages in thread
From: Stoiko Ivanov @ 2020-11-17 16:00 UTC (permalink / raw)
  To: Dominik Csapak; +Cc: pmg-devel

Thanks for the v2.
moving the option to spamquar should also render quite nicely in our docs!

quickly ran it again - and it works as expected
the series LGTM:
Reviewed-By: Stoiko Ivanov <s.ivanov@proxmox.com>
Tested-By: Stoiko Ivanov <s.ivanov@proxmox.com>


On Tue, 17 Nov 2020 15:57:39 +0100
Dominik Csapak <d.csapak@proxmox.com> wrote:

> adds an option/api call to request an quarantine link for an
> email whose domain is in the relay domains
> 
> for now, we do not expose that option to the ui, but this can easily be
> added if wanted
> 
> NOTES on security:
> 
> this adds a world reachable api call, that can potentially send e-mails
> to users that belong to a relay domain
> 
> this is ok, since anybody can already send e-mails to the users
> via normal smtp, and since the content of the e-mail cannot be
> controlled, the only thing a potential attacker can do is a dos attack
> (which can always be done via resource exhaustion, e.g. send a lot of mail)
> 
> we could add more checks to make it more secure, but not so convenient:
> * add an option for a admin-settable shared secret that users must enter
>   (makes it harder for the user to self-service, since the user has to
>   know the secret)
> * only allow it from 'trusted networks' (this makes probably no sense)
> * add an option to allow it from a specific subnet (similar to above,
>   but seperate from mail flow, which could make sense, but is also
>   not as convenient)
> 
> for now all text is hardcoded, templates could be used later on
> (if users want that)
> 
> also i am open for alternate wordings for all texts, i basically chose
> what came to mind first...
> 
> changes from v1:
> * move config to 'spamquar' section
> * show button also on admin interface
> 
> pmg-api:
> 
> Dominik Csapak (3):
>   refactor domain_regex to Utils
>   add 'quarantinelink' to spamquar config
>   api2/quarantine: add global sendlink api call
> 
>  src/PMG/API2/Quarantine.pm  | 87 +++++++++++++++++++++++++++++++++++++
>  src/PMG/CLI/pmgqm.pm        | 29 +------------
>  src/PMG/Config.pm           |  6 +++
>  src/PMG/HTTPServer.pm       |  1 +
>  src/PMG/Service/pmgproxy.pm |  4 ++
>  src/PMG/Utils.pm            | 26 +++++++++++
>  6 files changed, 126 insertions(+), 27 deletions(-)
> 
> pmg-gui:
> 
> Dominik Csapak (1):
>   add 'Request Quarantine Link' Button to LoginView
> 
>  js/LoginView.js   | 31 +++++++++++++++++++++++++++++++
>  pmg-index.html.tt |  3 ++-
>  2 files changed, 33 insertions(+), 1 deletion(-)
> 





^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button
  2020-11-17 15:53   ` Dominik Csapak
@ 2020-11-17 16:11     ` Thomas Lamprecht
  0 siblings, 0 replies; 15+ messages in thread
From: Thomas Lamprecht @ 2020-11-17 16:11 UTC (permalink / raw)
  To: Dominik Csapak, pmg-devel

On 17.11.20 16:53, Dominik Csapak wrote:
> On 11/17/20 4:29 PM, Thomas Lamprecht wrote:
>> On 17.11.20 15:57, Dominik Csapak wrote:
>>> adds an option/api call to request an quarantine link for an
>>> email whose domain is in the relay domains
>>>
>>> for now, we do not expose that option to the ui, but this can easily be
>>> added if wanted
>>>
>>> NOTES on security:
>>>
>>> this adds a world reachable api call, that can potentially send e-mails
>>> to users that belong to a relay domain
>>>
>>> this is ok, since anybody can already send e-mails to the users
>>> via normal smtp, and since the content of the e-mail cannot be
>>> controlled, the only thing a potential attacker can do is a dos attack
>>> (which can always be done via resource exhaustion, e.g. send a lot of mail)
>>
>> But, isn't the difference that here the server does it for me, no
>> greylisting or similar involved? Also possible lower payload required
>> vs. doing the SMTP myself.
> 
> sure, but it is basically the same as a 'forgot password' link on any website
> 

those often have captchas, though, at least if you retry a few times.

> also i am not sure about the cost of an tls+http call vs plain smtp...
> (i guess that this difference will not stop an attacker...)
> 
> in general you can always dos a system, given enough network bandwidth...

but misusing the PMG, a project to protect for mail spam, among other things,
to allow producing mail spam which gets relayed to the users behind a network
is something completely different - normally you cannot send anything to them
if they do not open a connection to you, at least for most state full firewall
setups.

Not saying this is outright bad, just that it cannot brushed off with "I can
produce network traffic otherwise" as the real target here can be something
where this may not be true without this feature.

>>
>>
>>>
>>> we could add more checks to make it more secure, but not so convenient:
>>
>> why not rate limit it to three per day or so? not convenience reducing,
>> we would need to safe the usage count somewhere though.
> 
> i thought of this, but would take a little more time to develop ;)
> if wanted, i can of course implement something like this, though
> i am not sure where we would want to save that info, and how much
> time i'd need

as long as this gets logged somewhere, even just HTTP access log (if relevant
params are in the URL itself) then an admin could setup fail2ban and we wouldn't
need to handle this ourself.





^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button
  2020-11-17 14:57 [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button Dominik Csapak
                   ` (5 preceding siblings ...)
  2020-11-17 16:00 ` Stoiko Ivanov
@ 2020-11-17 16:27 ` Dietmar Maurer
  2020-11-17 16:38   ` Dietmar Maurer
  6 siblings, 1 reply; 15+ messages in thread
From: Dietmar Maurer @ 2020-11-17 16:27 UTC (permalink / raw)
  To: Dominik Csapak, pmg-devel

IMHO this is too dangerous.

This needs at least some kind of captcha ...

> On 11/17/2020 3:57 PM Dominik Csapak <d.csapak@proxmox.com> wrote:
> 
>  
> adds an option/api call to request an quarantine link for an
> email whose domain is in the relay domains
> 
> for now, we do not expose that option to the ui, but this can easily be
> added if wanted
> 
> NOTES on security:
> 
> this adds a world reachable api call, that can potentially send e-mails
> to users that belong to a relay domain
> 
> this is ok, since anybody can already send e-mails to the users
> via normal smtp, and since the content of the e-mail cannot be
> controlled, the only thing a potential attacker can do is a dos attack
> (which can always be done via resource exhaustion, e.g. send a lot of mail)
> 
> we could add more checks to make it more secure, but not so convenient:
> * add an option for a admin-settable shared secret that users must enter
>   (makes it harder for the user to self-service, since the user has to
>   know the secret)
> * only allow it from 'trusted networks' (this makes probably no sense)
> * add an option to allow it from a specific subnet (similar to above,
>   but seperate from mail flow, which could make sense, but is also
>   not as convenient)
> 
> for now all text is hardcoded, templates could be used later on
> (if users want that)
> 
> also i am open for alternate wordings for all texts, i basically chose
> what came to mind first...
> 
> changes from v1:
> * move config to 'spamquar' section
> * show button also on admin interface
> 
> pmg-api:
> 
> Dominik Csapak (3):
>   refactor domain_regex to Utils
>   add 'quarantinelink' to spamquar config
>   api2/quarantine: add global sendlink api call
> 
>  src/PMG/API2/Quarantine.pm  | 87 +++++++++++++++++++++++++++++++++++++
>  src/PMG/CLI/pmgqm.pm        | 29 +------------
>  src/PMG/Config.pm           |  6 +++
>  src/PMG/HTTPServer.pm       |  1 +
>  src/PMG/Service/pmgproxy.pm |  4 ++
>  src/PMG/Utils.pm            | 26 +++++++++++
>  6 files changed, 126 insertions(+), 27 deletions(-)
> 
> pmg-gui:
> 
> Dominik Csapak (1):
>   add 'Request Quarantine Link' Button to LoginView
> 
>  js/LoginView.js   | 31 +++++++++++++++++++++++++++++++
>  pmg-index.html.tt |  3 ++-
>  2 files changed, 33 insertions(+), 1 deletion(-)
> 
> -- 
> 2.20.1
> 
> 
> 
> _______________________________________________
> pmg-devel mailing list
> pmg-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel




^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button
  2020-11-17 16:27 ` Dietmar Maurer
@ 2020-11-17 16:38   ` Dietmar Maurer
  2020-11-18  7:44     ` Thomas Lamprecht
  0 siblings, 1 reply; 15+ messages in thread
From: Dietmar Maurer @ 2020-11-17 16:38 UTC (permalink / raw)
  To: Dominik Csapak, pmg-devel


> On 11/17/2020 5:27 PM Dietmar Maurer <dietmar@proxmox.com> wrote:
> 
>  
> IMHO this is too dangerous.
> 
> This needs at least some kind of captcha ...

i.e. This would allow direct DOS attacks to the internal mail server.




^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button
  2020-11-17 16:38   ` Dietmar Maurer
@ 2020-11-18  7:44     ` Thomas Lamprecht
  2020-11-18  7:56       ` Dominik Csapak
  0 siblings, 1 reply; 15+ messages in thread
From: Thomas Lamprecht @ 2020-11-18  7:44 UTC (permalink / raw)
  To: Dietmar Maurer, Dominik Csapak, pmg-devel

On 17.11.20 17:38, Dietmar Maurer wrote:
> 
>> On 11/17/2020 5:27 PM Dietmar Maurer <dietmar@proxmox.com> wrote:
>>
>>  
>> IMHO this is too dangerous.
>>
>> This needs at least some kind of captcha ...
> 
> i.e. This would allow direct DOS attacks to the internal mail server.
> 

I found this captcha solution, relatively sophisticated but not a PITA for the
(human) user, Friendly Captcha[0] used by some official European Union websites.

It uses Proof of Work[2] (i.e. crypto puzzel ones device needs to solve by
computation), the specific library used is "Friendly PoW"[1].

If we go for a captcha I'd like something like this (could be rebuild), as
it avoids the issues with picture texts (easily solved by computers, bad
accessibility for humans) and similar captchas.


[0]: https://github.com/friendlycaptcha/friendly-challenge
[1]: https://github.com/friendlycaptcha/friendly-pow
[2]: https://de.wikipedia.org/wiki/Proof_of_Work





^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button
  2020-11-18  7:44     ` Thomas Lamprecht
@ 2020-11-18  7:56       ` Dominik Csapak
  2020-11-18  8:01         ` Thomas Lamprecht
  0 siblings, 1 reply; 15+ messages in thread
From: Dominik Csapak @ 2020-11-18  7:56 UTC (permalink / raw)
  To: Thomas Lamprecht, Dietmar Maurer, pmg-devel

On 11/18/20 8:44 AM, Thomas Lamprecht wrote:
> On 17.11.20 17:38, Dietmar Maurer wrote:
>>
>>> On 11/17/2020 5:27 PM Dietmar Maurer <dietmar@proxmox.com> wrote:
>>>
>>>   
>>> IMHO this is too dangerous.
>>>
>>> This needs at least some kind of captcha ...
>>
>> i.e. This would allow direct DOS attacks to the internal mail server.
>>
> 
> I found this captcha solution, relatively sophisticated but not a PITA for the
> (human) user, Friendly Captcha[0] used by some official European Union websites.
> 
> It uses Proof of Work[2] (i.e. crypto puzzel ones device needs to solve by
> computation), the specific library used is "Friendly PoW"[1].
> 
> If we go for a captcha I'd like something like this (could be rebuild), as
> it avoids the issues with picture texts (easily solved by computers, bad
> accessibility for humans) and similar captchas.
> 
> 
> [0]: https://github.com/friendlycaptcha/friendly-challenge
> [1]: https://github.com/friendlycaptcha/friendly-pow
> [2]: https://de.wikipedia.org/wiki/Proof_of_Work
> 

i'd rather go with a rate limited approach
e.g. a file with a
mail -> last click time
mapping
and refuse if the last click time is not older than 5min ?
and only 1 per 5 seconds overall?

a captcha would be much harder to implement (more dependencies,
backend as well as dependent frontend code and in this example
it seems the code is only available for js/ts), though
if we find a simple solution, i am not against it




^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button
  2020-11-18  7:56       ` Dominik Csapak
@ 2020-11-18  8:01         ` Thomas Lamprecht
  2020-11-18  8:13           ` Dominik Csapak
  0 siblings, 1 reply; 15+ messages in thread
From: Thomas Lamprecht @ 2020-11-18  8:01 UTC (permalink / raw)
  To: Dominik Csapak, Dietmar Maurer, pmg-devel

On 18.11.20 08:56, Dominik Csapak wrote:
> On 11/18/20 8:44 AM, Thomas Lamprecht wrote:
>> On 17.11.20 17:38, Dietmar Maurer wrote:
>>>
>>>> On 11/17/2020 5:27 PM Dietmar Maurer <dietmar@proxmox.com> wrote:
>>>>
>>>>   IMHO this is too dangerous.
>>>>
>>>> This needs at least some kind of captcha ...
>>>
>>> i.e. This would allow direct DOS attacks to the internal mail server.
>>>
>>
>> I found this captcha solution, relatively sophisticated but not a PITA for the
>> (human) user, Friendly Captcha[0] used by some official European Union websites.
>>
>> It uses Proof of Work[2] (i.e. crypto puzzel ones device needs to solve by
>> computation), the specific library used is "Friendly PoW"[1].
>>
>> If we go for a captcha I'd like something like this (could be rebuild), as
>> it avoids the issues with picture texts (easily solved by computers, bad
>> accessibility for humans) and similar captchas.
>>
>>
>> [0]: https://github.com/friendlycaptcha/friendly-challenge
>> [1]: https://github.com/friendlycaptcha/friendly-pow
>> [2]: https://de.wikipedia.org/wiki/Proof_of_Work
>>
> 
> i'd rather go with a rate limited approach
> e.g. a file with a
> mail -> last click time
> mapping
> and refuse if the last click time is not older than 5min ?
> and only 1 per 5 seconds overall?

or an hour or day? what do you need the mail such often??
The ticket doesn't even expires that fast..

> 
> a captcha would be much harder to implement (more dependencies,
> backend as well as dependent frontend code and in this example
> it seems the code is only available for js/ts), though
> if we find a simple solution, i am not against it
> 

but also more efficient, as the client actually needs to put in
work. JS is no problem, the backend would be nice in rust or
so - maybe in the future when someone gets around some day...





^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button
  2020-11-18  8:01         ` Thomas Lamprecht
@ 2020-11-18  8:13           ` Dominik Csapak
  0 siblings, 0 replies; 15+ messages in thread
From: Dominik Csapak @ 2020-11-18  8:13 UTC (permalink / raw)
  To: Thomas Lamprecht, Dietmar Maurer, pmg-devel

On 11/18/20 9:01 AM, Thomas Lamprecht wrote:
> On 18.11.20 08:56, Dominik Csapak wrote:
>> On 11/18/20 8:44 AM, Thomas Lamprecht wrote:
>>> On 17.11.20 17:38, Dietmar Maurer wrote:
>>>>
>>>>> On 11/17/2020 5:27 PM Dietmar Maurer <dietmar@proxmox.com> wrote:
>>>>>
>>>>>    IMHO this is too dangerous.
>>>>>
>>>>> This needs at least some kind of captcha ...
>>>>
>>>> i.e. This would allow direct DOS attacks to the internal mail server.
>>>>
>>>
>>> I found this captcha solution, relatively sophisticated but not a PITA for the
>>> (human) user, Friendly Captcha[0] used by some official European Union websites.
>>>
>>> It uses Proof of Work[2] (i.e. crypto puzzel ones device needs to solve by
>>> computation), the specific library used is "Friendly PoW"[1].
>>>
>>> If we go for a captcha I'd like something like this (could be rebuild), as
>>> it avoids the issues with picture texts (easily solved by computers, bad
>>> accessibility for humans) and similar captchas.
>>>
>>>
>>> [0]: https://github.com/friendlycaptcha/friendly-challenge
>>> [1]: https://github.com/friendlycaptcha/friendly-pow
>>> [2]: https://de.wikipedia.org/wiki/Proof_of_Work
>>>
>>
>> i'd rather go with a rate limited approach
>> e.g. a file with a
>> mail -> last click time
>> mapping
>> and refuse if the last click time is not older than 5min ?
>> and only 1 per 5 seconds overall?
> 
> or an hour or day? what do you need the mail such often??
> The ticket doesn't even expires that fast..

sure, that was just an example (an hour would be ok)
it should not be that far apart that if a user
accidentally deletes the mail he cannot request
a new one in reasonable time frame

the overall timeout would have to be much shorter so that
legitimate users do not block each other, but long
enough to discourage an attacker.. (thus my 5 seconds,
it is short enough that the api call can block without
much hassle for the user, but long enough so that
an attacker can not dos the internal mail server)

> 
>>
>> a captcha would be much harder to implement (more dependencies,
>> backend as well as dependent frontend code and in this example
>> it seems the code is only available for js/ts), though
>> if we find a simple solution, i am not against it
>>
> 
> but also more efficient, as the client actually needs to put in
> work. JS is no problem, the backend would be nice in rust or
> so - maybe in the future when someone gets around some day...
> 

yes js is no problem, but the much bigger "problem" is that for a
captcha you generally have to save a state for each client
(else it would be easy to precalculate or reuse the work)
which is probably much bigger than my 'last click time'
approach from above




^ permalink raw reply	[flat|nested] 15+ messages in thread

end of thread, other threads:[~2020-11-18  8:13 UTC | newest]

Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-17 14:57 [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button Dominik Csapak
2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-api v2 1/3] refactor domain_regex to Utils Dominik Csapak
2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-api v2 2/3] add 'quarantinelink' to spamquar config Dominik Csapak
2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-api v2 3/3] api2/quarantine: add global sendlink api call Dominik Csapak
2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-gui v2 1/1] add 'Request Quarantine Link' Button to LoginView Dominik Csapak
2020-11-17 15:29 ` [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button Thomas Lamprecht
2020-11-17 15:53   ` Dominik Csapak
2020-11-17 16:11     ` Thomas Lamprecht
2020-11-17 16:00 ` Stoiko Ivanov
2020-11-17 16:27 ` Dietmar Maurer
2020-11-17 16:38   ` Dietmar Maurer
2020-11-18  7:44     ` Thomas Lamprecht
2020-11-18  7:56       ` Dominik Csapak
2020-11-18  8:01         ` Thomas Lamprecht
2020-11-18  8:13           ` Dominik Csapak

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal