Have would-be hackers blocked LetsEncrypt?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:corp.networkingtechnology.org

I ran this command: certbot renew

It produced this output: Failed to renew certificate Some challenges failed.

My web server is (include version):Alma Linux 8.9 latest patch

The operating system my web server runs on is (include version):Alma Linux 8.9 latest patch

My hosting provider, if applicable, is:EDPNet

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):1.22.0

I've had a bot running now for 3 weeks trying to brute force guess passwords for my mail server and all my other servers. I've been blocking them on the firewall. I'm already on >400 and the damn thing is still running. A lot are from Amazon, Google and Digital Ocean.

I got a warning message my certificates were about to expire and when I attempted to renew I got the error. I'm sure that all my servers are accessible from outside, my mail server is hermes working fine, as are all the others because a+holes keep trying to access them with hundreds of 404 errors.

Suggestions please

You should unblock aws subnets. (And find a more complete log)

5 Likes

Are you saying AWS are allowed to scan and attempt to access mail and web servers as they like? What's the point of certificates if you have no privacy?

Which error? The currently mentioned 'errors' are not really the errors conveying the relevant information. Please provide as much of the output as possible.

I don't fully understand. Certificates are meant for authentication of a hostname and encrypting the connection to said hostname. Nothing more, nothing less. It has nothing to do with privacy.

3 Likes

This error message should have been accompanied by significantly more log output, which would include messages describing exactly why/how the challenges failed. Without that information, we can't provide you very much help.

That said, given this one piece of information, I can say that it is very unlikely that the failure to renew your certificate is related to the attackers that you have been blocking. Causing validation to fail in this way requires a very different kind of attack than what you described.

5 Likes

@aarongable Blocking AWS entirely (as a "fix" for the "hacking" issue) would (currently) give trouble with the secondary vantage points though.

2 Likes

I'm not sure how much of this you need, but IMO this should be enough


That's not the entire log and the specific error in the log is missing, but we can fetch it from the authorization:

During secondary validation: 79.132.230.58: Fetching http://hermes.corp.networkingtechnology.org/.well-known/acme-challenge/XgJNxlInRE9ScIrTNIQTUHtQ6ctvwjxx57CLjWfj1i4: Timeout during connect (likely firewall problem)

Are you blocking AWS entirely by any chance? Or from certain parts of the world?

5 Likes
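An added example, not part of the original thread and not Certbot or Fail2Ban code: since validation source addresses cannot be allow-listed in advance, this checks an Apache access log by request path instead, showing which existing bans hit sources that only ever fetched `/.well-known/acme-challenge/` and how a 404-count ban rule behaves with and without that path excluded. The log lines, the IP addresses (documentation ranges), the user agent string and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

ACME_PREFIX = "/.well-known/acme-challenge/"

# Apache combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.10 - - [04/May/2024:18:01:16 +0200] "GET /.well-known/acme-challenge/STALE1 HTTP/1.1" 404 196 "-" "constructed-agent"
203.0.113.10 - - [04/May/2024:18:09:41 +0200] "GET /.well-known/acme-challenge/STALE2 HTTP/1.1" 404 196 "-" "constructed-agent"
203.0.113.10 - - [04/May/2024:18:20:02 +0200] "GET /.well-known/acme-challenge/STALE3 HTTP/1.1" 404 196 "-" "constructed-agent"
203.0.113.11 - - [04/May/2024:18:20:03 +0200] "GET /.well-known/acme-challenge/LIVE1 HTTP/1.1" 200 87 "-" "constructed-agent"
198.51.100.7 - - [04/May/2024:18:21:10 +0200] "GET /wp-login.php HTTP/1.1" 404 196 "-" "constructed-agent"
198.51.100.7 - - [04/May/2024:18:21:11 +0200] "GET /admin/ HTTP/1.1" 404 196 "-" "constructed-agent"
198.51.100.7 - - [04/May/2024:18:21:12 +0200] "GET /backup.zip HTTP/1.1" 404 196 "-" "constructed-agent"
198.51.100.8 - - [04/May/2024:18:30:00 +0200] "GET / HTTP/1.1" 200 5120 "-" "constructed-agent"
198.51.100.8 - - [04/May/2024:18:30:01 +0200] "GET /favicon.ico HTTP/1.1" 404 196 "-" "constructed-agent"
"""


def parse(log_text):
    """Yield (ip, path, status) for every line matching the combined format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["path"], int(m["status"])


def ban_candidates(log_text, threshold=3, ignore_acme=False):
    """IPs with at least `threshold` 404 responses.

    With ignore_acme=True, 404s on ACME challenge paths are not counted,
    so a validation request for a missing token never triggers a ban.
    """
    hits = Counter()
    for ip, path, status in parse(log_text):
        if status != 404:
            continue
        if ignore_acme and path.startswith(ACME_PREFIX):
            continue
        hits[ip] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def acme_only_bans(log_text, banned):
    """Banned IPs whose every logged request was for an ACME challenge path."""
    paths = defaultdict(list)
    for ip, path, _status in parse(log_text):
        paths[ip].append(path)
    return sorted(
        ip for ip in banned
        if paths.get(ip) and all(p.startswith(ACME_PREFIX) for p in paths[ip])
    )


if __name__ == "__main__":
    banned = {"203.0.113.10", "198.51.100.7"}  # constructed block list
    print("bans hitting ACME-only sources:", acme_only_bans(SAMPLE_LOG, banned))
    print("404 rule, all paths:   ", ban_candidates(SAMPLE_LOG))
    print("404 rule, ACME ignored:", ban_candidates(SAMPLE_LOG, ignore_acme=True))
```

In Fail2Ban terms, `ignore_acme=True` corresponds to excluding the challenge path from the 404 filter, for example with an `ignoreregex` in the filter definition.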

No, I'm saying part of the Let's Encrypt infrastructure runs on aws and blocking their subnets might interfere with validation.

5 Likes

Only the ones that continually scratch at my servers giving multiple 404 errors and those who try to login to my mail server. They get blocked by Fail2Ban and when they persist they go onto the firewall. I don't block AWS subnets, only individual IPs.

So what you are saying is that Jeff Bezos has power to dig around in your private servers and so does Bill Gates and if you don't like it TOUGH, services stop working. Verizon, that also supply certificates actively try to hack my mail server and brute force guess the user passwords as well.

I wonder how many people are aware of this. What happened to PRIVACY.

It's easy to say, this is all innocent and is there to protect us. What would happen if I go down the street checking everyone's doors and windows. Only to be helpful (of course I won't actually TELL them if I find a breach), but I'm doing good—honest. I wonder how far I would get before the cops arrested me?

<hmm, I can sell all this info and buy yet another luxury yacht. A man in my position can never own too many or too much.>

Do you allow logins via HTTP?
If so, that is a much bigger problem than anything I've read here [so far].
If not, then how are you confusing/combining the two into one single defensive rule?

4 Likes

You know that a whole lot of people, organizations, and companies use AWS, right? So these attacks may be coming from computers that Amazon owns, but they're being used by other folks.

One of those organizations that use AWS servers is Let's Encrypt. So if you're blocking AWS as a whole (which you still haven't answered), that would be your problem. Block it or not, but accept the consequences either way.

5 Likes


I would highly recommend he secure his public facing mail interface.
I am certain most of those entries in his logs indicate someone is "knocking on his door". Many of those may come from AWS locations.
@HankM If you seriously scrutinize your log files, you may discover that you might have blocked the wrong IP(s). At least the ones that matter.

4 Likes

The fact the IP address is owned by AWS or Verizon doesn't mean it's actually Amazon or Verizon doing the """hacking""" (big word for such lame brute force login attacks, hardly worth the word, if at all).

Please don't spread FUD. And also, again, what does this all have to do with privacy? Please don't shout random words without any connection.

You do realise script kiddies are simply scanning the entire IPv4 address space automated? a) it's not personal and b) there's no conspiracy here whatsoever.

6 Likes

You misunderstand. YES, I allow logins, but only from selected people in my circle. So they can get to the sites, but Registration is disabled. Invitation ONLY.

Yes I answered I do NOT block AWS subnets only AWS IP addresses that try to gain access to my servers without any invitation.

I was not aware that AWS needs to probe my servers creating 404 errors more than 3 times over 3 different occasions, merely to allow me to renew a certificate.

Nor was I aware that they had to be allowed to try to guess the passwords of all the users of my mail server.

I don't care if it's Amazon that's doing it or their users. IMO if you want to run a hosting company you should ensure that you don't allow spammers and hackers to be operators. I think EVERYONE on Digital Ocean is either spewing spam or a member of a bot. What do they do about it? NOTHING. Seems AWS has the same policy.

"We don't care if you rob old people of their life savings as long as you pay your subscription every month. F. the old age pensioner, they ain't my problem. I need a new 'plane to show my support for global warming."

IMO companies should be trying to STOP cybercrime, not actively encouraging it.

I can't argue with that, you are probably correct, but unfortunately, I have no idea what IP addresses I should allow, and which I should ban. They don't pop up with a message "Hey, I'm trying to renew your certificate."

I can also understand why they don't want to make these IP Addresses public, but then they should be more RESPONSIBLE and kick off the damn criminals!

So bots with several hundred computers attempting to gain access to ANYTHING on your computer or servers is OK. So why are they shouting about Cybercrime, Election Interference, Russian Hackers, Chinese Hackers if it's all perfectly OK and as mere users we should grin and bear it whilst the 'elite' can bitch and whine 24 x 7.

I am well aware that it's USERS on AWS doing the cybercrime, but if I employ several hundred people to go around picking people's pockets, robbing old people, breaking into houses, when one or more of my "gang" is caught and says "I work for this guy". Is the law going to shrug and say "Yeah, OK, he's a busy guy, let's turn a blind eye?"

If my dog runs out and bites someone. Is that OK, just penalize the dog? "Okay, the owner is a busy guy (and has more money than he knows what to do with). We just give him a fine he can pay out of his loose change?"

There's a ton of censorship on the internet. Tons of 'fact checkers'. Isn't it time we hired some sheriffs to stop the criminals? Oh, I guess not because it's the people allowing the crime that are rolling in cash and we have to lick their boots and shut up!

I don't use Roundcube, I use Postfix and Dovecot.