From: Dominik Csapak
To: Thomas Lamprecht, Dietmar Maurer, pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button
Date: Wed, 18 Nov 2020 09:13:11 +0100
Message-ID: <821445cc-4578-d5f1-6818-26c509837c3e@proxmox.com>
In-Reply-To: <8f45432a-305c-31a6-954b-f45dd6effff3@proxmox.com>
References: <20201117145743.10561-1-d.csapak@proxmox.com> <925752189.205.1605630434708@webmail.proxmox.com> <536187425.206.1605631117830@webmail.proxmox.com> <31d52e9d-fe70-acdb-b24c-3554df4c3b13@proxmox.com> <8f45432a-305c-31a6-954b-f45dd6effff3@proxmox.com>
List-Id: Proxmox Mail Gateway development discussion

On 11/18/20 9:01 AM, Thomas Lamprecht wrote:
> On 18.11.20 08:56, Dominik Csapak wrote:
>> On 11/18/20 8:44 AM, Thomas Lamprecht wrote:
>>> On 17.11.20 17:38, Dietmar Maurer wrote:
>>>>
>>>>> On 11/17/2020 5:27 PM Dietmar Maurer wrote:
>>>>>
>>>>> IMHO this is too dangerous.
>>>>>
>>>>> This needs at least some kind of captcha ...
>>>>
>>>> i.e. This would allow direct DoS attacks on the internal mail server.
>>>>
>>>
>>> I found this captcha solution, relatively sophisticated but not a PITA for the
>>> (human) user, Friendly Captcha[0], used by some official European Union websites.
>>>
>>> It uses Proof of Work[2] (i.e. a crypto puzzle one's device needs to solve by
>>> computation); the specific library used is "Friendly PoW"[1].
>>>
>>> If we go for a captcha I'd like something like this (could be rebuilt), as
>>> it avoids the issues with picture texts (easily solved by computers, bad
>>> accessibility for humans) and similar captchas.
>>>
>>> [0]: https://github.com/friendlycaptcha/friendly-challenge
>>> [1]: https://github.com/friendlycaptcha/friendly-pow
>>> [2]: https://de.wikipedia.org/wiki/Proof_of_Work
>>>
>>
>> I'd rather go with a rate limited approach,
>> e.g. a file with a
>> mail -> last click time
>> mapping
>> and refuse if the last click time is not older than 5min?
>> and only 1 per 5 seconds overall?
>
> or an hour or day? why do you need the mail so often??
> The ticket doesn't even expire that fast..

sure, that was just an example (an hour would be ok)
it should not be that far apart that if a user accidentally deletes
the mail he cannot request a new one in a reasonable time frame

the overall timeout would have to be much shorter so that legitimate
users do not block each other, but long enough to discourage an attacker..
(thus my 5 seconds, it is short enough that the api call can block
without much hassle for the user, but long enough so that an attacker
cannot DoS the internal mail server)

>
>>
>> a captcha would be much harder to implement (more dependencies,
>> backend as well as dependent frontend code, and in this example
>> it seems the code is only available for js/ts), though
>> if we find a simple solution, I am not against it
>>
>
> but also more efficient, as the client actually needs to put in
> work. JS is no problem, the backend would be nice in rust or
> so - maybe in the future when someone gets around to it some day...
>

yes js is no problem, but the much bigger "problem" is that for
a captcha you generally have to save a state for each client (else
it would be easy to precalculate or reuse the work), which is
probably much bigger than my 'last click time' approach from above
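The rate-limited scheme sketched in this thread (a persisted 'mail -> last click time' map plus a global one-request-per-5-seconds throttle), written out as an added Python example; it is not PMG code (PMG's API is Perl), and the class, the state-file layout and the one-hour / five-second values are assumptions taken from the figures discussed in the mail.

```python
import json
import os
import tempfile
import time

PER_ADDRESS_COOLDOWN = 3600  # assumed: one mail per address per hour ("an hour would be ok")
GLOBAL_COOLDOWN = 5          # assumed: one mail per 5 s overall, shields the internal mail server


class QuarantineMailLimiter:  # 'mail -> last click time' map plus one global timestamp, persisted as JSON
    def __init__(self, state_path, per_address=PER_ADDRESS_COOLDOWN, overall=GLOBAL_COOLDOWN, clock=time.time):
        self.state_path, self.per_address, self.overall = state_path, per_address, overall
        self.clock = clock  # injectable so the cooldowns can be exercised without sleeping

    def _load(self):
        try:
            with open(self.state_path) as fh:
                return json.load(fh)
        except (FileNotFoundError, ValueError):  # first run or corrupt file: start empty
            return {"last_global": 0.0, "per_mail": {}}

    def _save(self, state):  # write to a temp file and rename, so a crash never leaves a torn file
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.state_path) or ".")
        with os.fdopen(fd, "w") as fh:
            json.dump(state, fh)
        os.replace(tmp, self.state_path)

    def try_request(self, mail):
        """Return (allowed, reason); only allowed calls advance the timestamps, so denied floods lock nobody out."""
        mail, now, state = mail.strip().lower(), self.clock(), self._load()  # one slot per address, any case
        # drop expired entries so the file stays bounded by the number of recent requesters
        state["per_mail"] = {m: t for m, t in state["per_mail"].items() if now - t < self.per_address}
        if now - state["last_global"] < self.overall:
            return False, "global cooldown, try again in a few seconds"
        if mail in state["per_mail"]:
            return False, "a quarantine mail was requested for this address recently"
        state["last_global"] = state["per_mail"][mail] = now
        self._save(state)
        return True, "ok"


def demo():  # scripted walk-through with a fake clock; returns whether each call was allowed
    t = [1_000_000.0]
    with tempfile.TemporaryDirectory() as d:
        lim = QuarantineMailLimiter(os.path.join(d, "clicks.json"), clock=lambda: t[0])
        out = [lim.try_request("User@Example.org")[0]]       # fresh state: allowed
        out.append(lim.try_request("other@example.org")[0])  # 0 s later: global throttle denies
        t[0] += 6
        out.append(lim.try_request("user@example.org")[0])   # same address, any case: denied
        out.append(lim.try_request("other@example.org")[0])  # other address, throttle over: allowed
        t[0] += PER_ADDRESS_COOLDOWN
        out.append(lim.try_request("user@example.org")[0])   # per-address cooldown over: allowed
    return out  # [True, False, False, True, True]
```

The variant mentioned in the mail, where the API call blocks for the remaining global cooldown instead of refusing, would simply sleep before the global check; the per-address refusal stays as it is.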