On 25/07/25 17.24, Asep Yuliyana via Mdaemon-L wrote:
> We are currently carrying out penetration testing of the mail server
> (including its webmail).
> We are currently using MDaemon version 25.0.1
Why not use v25.0.3 (the latest version)?
https://mdaemon.com/pages/downloads-critical-updates
Summary
A vulnerability for cross-site scripting (XSS) was reported and has been
addressed. Reference CVE-2025-3929 for additional information.
Affected Software
All supported versions of MDaemon Email Server, 20.0.0 through 25.0.1.
We recommend that administrators download and install the applicable
version found below to address the issue.
> There were several findings, and on this mailing list I will split them
> up case by case to ask for your input and advice, Sir.
> In this case, what I want to ask about is login restrictions in the
> webmail.
> Is there a configuration to restrict logins in the webmail, Sir?
Yes, there is.
Webmail access per account can only be done in 1 session, meaning that at
the same time only 1 login is possible for the same account.
The number of Webmail sessions is limited in the following menu
https://mdaemon.dutaint.com/mdaemon/25.0.0/wc--web_server.html
Maximum number of concurrent sessions
This is the maximum number of sessions that may be connected to Webmail
at the same time.
> The webmail on our side has no limit on user logins (whether successful or
> failed logins), so there is a gap that could be exploited to brute-force
> logins to find passwords.
It is not that easy.
The webmail as installed is protected by Geo Location Screening and
Dynamic Screening.
https://mdaemon.dutaint.com/mdaemon/25.0.0/screening_location-screening.html
Location Screening
Location Screening is a geographically based blocking system that you
can use to block incoming SMTP, POP, IMAP, Webmail, ActiveSync,
AutoDiscovery, XML API, Remote Administration, CalDAV/CardDAV, XMPP, and
Minger connections from unauthorized regions of the world. MDaemon
determines the country associated with the connecting IP address and
then blocks that connection if it is from a restricted location, and
adds a line to the Screening log. For SMTP, Location Screening can
optionally block only connections using AUTH. This is useful, for
example, if you have no users in a specific country but still wish to be
able to receive mail from there. That way you would only block those
attempting to log in to your server.
https://mdaemon.dutaint.com/mdaemon/25.0.0/dynamic-screening_options.html
Enable Authentication Failure Tracking
When this option is enabled, the Dynamic Screening service will track
authentication failures for the protocols designated on the Protocols
tab and perform actions determined by the options on the Auth Failure
Tracking tab. This option is enabled by default.
Enable Dynamic Screening Block List
This option turns on the Dynamic Screening service's ability to block IP
addresses and ranges. You can manage the block list from the Dynamic
Block List tab. The block list option is on by default.
Block Logon Policy Violations
By default MDaemon requires accounts to use their full email address
when logging in instead of just the mailbox portion of their address
(e.g. they must use "[email protected]" instead of just "user1"). This
is controlled by the "Servers require full email address for
authentication" option on the Systems page. When that option is on, you
can also turn on this Block Logon Policy Violations option if you wish
to block any IP address that attempts to logon without using the full
email address. This option is off by default.
Dynamic Screening blocking carries a penalty if it is triggered repeatedly
from the same visitor IP (range).
https://mdaemon.dutaint.com/mdaemon/25.0.0/dynamic-screening_auth-failure-tracking.html
Multiple Offense Penalties
This is the amount of time that an IP address or IP address range will
be blocked by the Dynamic Screening system when it fails the specified
number of authentication attempts. By default the amount of time that
the IP address is blocked increases with each subsequent offense. That
is, by default if an IP address violates the authentication failure
limit, it will be blocked for one day. Then if that same IP address
subsequently violates the limit again, the Second offense penalty will
be added to the Default expiration timeout, then the Third offense
penalty will be added to the default timeout, and so on. The length of
penalty maxes out with adding the Fourth offense penalty.
--
syafril
-------
Syafril Hermansyah
MDaemon-L Moderator, run MDaemon 25.5.0 Beta C
Please do not send private mail (or cc:) about MDaemon problems.
It is never too late - in fiction or in life - to revise.
-- Nancy Thayer
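To make the "Multiple Offense Penalties" rule quoted above concrete, here is a small model of escalating authentication-failure blocking. This is an added example and not MDaemon's own code or log format: the failure limit (3), the second/third/fourth offense penalty values (1, 3 and 7 days) and the sample log lines are all assumed or constructed; only the one-day default first-offense block and the cap at the fourth offense come from the quoted documentation.

```python
"""Model of escalating authentication-failure blocking, in the style of the
Dynamic Screening "Multiple Offense Penalties" rule quoted above.
Added example; this is not MDaemon's code, and the threshold and penalty
values are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

DAY = timedelta(days=1)


@dataclass
class ScreeningPolicy:
    # Failed logins before an IP is blocked (assumed; the page only says
    # "the specified number of authentication attempts").
    failure_limit: int = 3
    # First-offense block length; the page says one day by default.
    default_expiration: timedelta = DAY
    # Extra time added on the 2nd, 3rd and 4th offense (assumed values; the
    # page gives no numbers). Growth stops at the fourth offense penalty.
    offense_penalties: Tuple[timedelta, ...] = (
        timedelta(days=1), timedelta(days=3), timedelta(days=7))


@dataclass
class IpState:
    failures: int = 0          # consecutive failures since last block/success
    offenses: int = 0          # how many times this IP has been blocked
    blocked_until: Optional[datetime] = None


class DynamicScreening:
    def __init__(self, policy: Optional[ScreeningPolicy] = None):
        self.policy = policy or ScreeningPolicy()
        self.state: Dict[str, IpState] = {}

    def block_duration(self, offense_number: int) -> timedelta:
        # 1st offense: default timeout only. 2nd..4th: default plus that
        # offense's penalty. 5th and later: same as the 4th (the cap).
        idx = min(offense_number, 4) - 2
        extra = self.policy.offense_penalties[idx] if idx >= 0 else timedelta(0)
        return self.policy.default_expiration + extra

    def is_blocked(self, ip: str, now: datetime) -> bool:
        st = self.state.get(ip)
        return st is not None and st.blocked_until is not None and now < st.blocked_until

    def record(self, ip: str, success: bool, now: datetime) -> str:
        """Apply one login attempt; returns 'blocked', 'allowed' or 'newly-blocked'."""
        st = self.state.setdefault(ip, IpState())
        if self.is_blocked(ip, now):
            return "blocked"          # connection refused, attempt not counted
        if success:
            st.failures = 0           # a successful login resets the counter
            return "allowed"
        st.failures += 1
        if st.failures >= self.policy.failure_limit:
            st.offenses += 1
            st.failures = 0
            st.blocked_until = now + self.block_duration(st.offenses)
            return "newly-blocked"
        return "allowed"


# Constructed sample log: "<date> <time> <ip> <OK|FAIL>" (not a real MDaemon log format).
SAMPLE_LOG = """\
2025-07-25 17:00:00 203.0.113.7 FAIL
2025-07-25 17:00:05 203.0.113.7 FAIL
2025-07-25 17:00:10 203.0.113.7 FAIL
2025-07-25 17:00:15 203.0.113.7 OK
2025-07-25 17:00:20 198.51.100.9 FAIL
2025-07-25 17:00:21 198.51.100.9 OK
2025-07-25 17:00:22 198.51.100.9 FAIL
"""


def replay(log: str, policy: Optional[ScreeningPolicy] = None) -> List[Tuple[str, str]]:
    """Run the screening model over log lines; returns (ip, verdict) per line."""
    ds = DynamicScreening(policy)
    out = []
    for line in log.splitlines():
        date, time, ip, result = line.split()
        now = datetime.fromisoformat(f"{date} {time}")
        out.append((ip, ds.record(ip, result == "OK", now)))
    return out


def escalation_sequence(n_offenses: int, policy: Optional[ScreeningPolicy] = None) -> List[float]:
    """Block lengths (in days) for one IP that re-offends right after each block expires."""
    ds = DynamicScreening(policy)
    ip, now = "192.0.2.10", datetime(2025, 7, 25, 17, 0, 0)
    days = []
    for _ in range(n_offenses):
        for _ in range(ds.policy.failure_limit):
            ds.record(ip, False, now)
        until = ds.state[ip].blocked_until
        days.append((until - now) / DAY)
        now = until + timedelta(seconds=1)   # wait until the block has expired
    return days


if __name__ == "__main__":
    for ip, verdict in replay(SAMPLE_LOG):
        print(ip, verdict)
    print("block lengths in days:", escalation_sequence(5))
```

Running it shows the two behaviours the quoted text describes: the first IP is blocked on its third failure and its later correct password is refused for the block period, while the second IP is never blocked because a successful login sits between its failures; the escalation sequence for a repeat offender comes out as 1, 2, 4, 8, 8 days under the assumed penalties, illustrating that the penalty stops growing after the fourth offense.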
--
--[mdaemon-l]----------------------------------------------------------
This list is for discussion among MDaemon Mail Server users in Indonesia
Netiquette: https://wiki.openstack.org/wiki/MailingListEtiquette
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.com
Subscribe: Send mail to [email protected]
Unsubscribe: Send mail to [email protected]
Latest version: MDaemon 25.0.3, SecurityGateway 11.0.1