> On 09/06/2024 16:50 EEST John Fawcett via dovecot <dovecot@dovecot.org> wrote:
> 
>  
> The files themselves didn't make it through the list server. I'll try 
> with .txt
> 
> 
> On 09/06/2024 15:42, John Fawcett via dovecot wrote:
> > Hi
> >
> > Just in case this is useful more generally, I'm posting it to the list.
> >
> > While Dovecot has an access control via allow_nets, it is a user 
> > database field that applies only at the authentication stage to deny 
> > access for the specific user when there is a connection attempt from 
> > an unauthorized ip for that user.
> >
> > https://doc.dovecot.org/configuration_manual/authentication/allow_nets/
> >
> > I don't believe there is anything that checks access at connect time 
> > to deny unwanted traffic prior to authentication, for example from 
> > compromised machines, botnets etc. Though failed connection attempts 
> > do not appear to be a significant issue, maybe better to add some 
> > safety net for the future.
> >
> > The attached patch is proof of concept code that introduces the 
> > parameters rbl_check and rbl_check_timeout (msecs) to the protocol 
> > section. Tested for imap, pop3 and sieve. The following is an example 
> > for sieve.
> >
> > protocol sieve {
> >     rbl_check = zen.spamhaus.net=127.0.0.4
> >
> >     rbl_check_timeout = 5000
> >
> > }
> >
> > If the lookup results in a hit the client is disconnected with a BYE 
> > "Disconnected for policy." message and the logs report:
> >
> >     Jun 09 12:00:56 server.example.com dovecot[977650]: 
> > managesieve-login: Disconnected: Policy (disconnected before auth was 
> > ready, waited 1 secs): user=<>, service=sieve, rip=n.n.n.n, lip=n.n.n.n
> >
> > The patch also makes the number of pre-login errors and post-login 
> > errors configurable (max_login_command_errors and max_command_errors 
> > respectively) for pop3, imap and sieve protocols.
> >
> > protocol sieve {
> >
> >   max_command_errors = 1
> >   max_login_command_errors = 1
> >
> > }
> >
> > A potential extension to the logic would be "allow_nets" and 
> > "disallow_nets" parameters or maybe something more sophisticated to 
> > allow ips/networks that would otherwise be blocked or deny additional 
> > ips/networks.
> >
> > John
> >

How is this different than using weakforced which already supports rbl? Or 
doing this in auth lua?

Aki
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
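The lookup that a setting such as `rbl_check = zen.spamhaus.net=127.0.0.4` with `rbl_check_timeout = 5000` has to perform for each connecting client, as an added Python example; this is not Dovecot code and not the patch discussed in the thread (the patch itself did not arrive on the list). It assumes standard DNSBL semantics (reversed address labels queried under the zone, an A answer in 127.0.0.0/8 whose value selects the listing type, 127.0.0.4 being the Spamhaus XBL/exploited-host code), takes the zone name exactly as written in the post, and treats the comma-separated code list, the `fail_closed` switch and the resolver stub as this example's own additions. Sample answers are constructed so it runs offline.

```python
"""DNSBL lookup in the shape of the proposed rbl_check setting.

Added example, not Dovecot code and not the posted patch: it models what
  rbl_check = zen.spamhaus.net=127.0.0.4
  rbl_check_timeout = 5000     (milliseconds)
has to do for one connecting client.  Constructed answers make it run offline;
a real resolver is included for use against a live zone.
"""
import concurrent.futures
import ipaddress
import socket
import time
from typing import Callable, Dict, List, Optional, Set, Tuple

# A resolver maps a query name to its A-record strings; [] means NXDOMAIN.
Resolver = Callable[[str], List[str]]


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: address labels reversed, under the zone.
    IPv4 uses the four octets, IPv6 the 32 nibbles (standard DNSBL practice)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = list(reversed(str(addr).split(".")))
    else:
        labels = list(reversed(addr.exploded.replace(":", "")))
    return ".".join(labels) + "." + zone.rstrip(".")


def parse_rbl_check(spec: str) -> Tuple[str, Optional[Set[str]]]:
    """Split 'zone=code[,code...]' into (zone, wanted codes).

    A bare zone with no '=' means any answer is a hit.  Accepting several
    comma-separated codes is this example's extension, not the patch's syntax."""
    zone, _, codes = spec.partition("=")
    wanted = {c.strip() for c in codes.split(",") if c.strip()}
    return zone.strip(), (wanted or None)


def rbl_check(client_ip: str, spec: str, resolve: Resolver, timeout_ms: int) -> str:
    """Return 'hit', 'miss' or 'timeout' for one connecting client.

    Only an answer that exactly matches a wanted code counts as a hit, so a
    listing of another type, or a DNSBL error/status code, does not disconnect."""
    zone, wanted = parse_rbl_check(spec)
    name = rbl_query_name(client_ip, zone)
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    try:
        answers = pool.submit(resolve, name).result(timeout=timeout_ms / 1000.0)
    except concurrent.futures.TimeoutError:
        return "timeout"
    finally:
        pool.shutdown(wait=False)  # never block the login process on a stuck lookup
    if not answers:
        return "miss"
    if wanted is None or wanted.intersection(answers):
        return "hit"
    return "miss"


def should_disconnect(result: str, fail_closed: bool = False) -> bool:
    """Policy decision: disconnect on a hit; on timeout only if fail_closed.
    The thread does not say whether the patch fails open or closed on a
    timeout, so that choice is a parameter here (assumption)."""
    return result == "hit" or (result == "timeout" and fail_closed)


def system_resolver(name: str) -> List[str]:
    """Real lookup through the system resolver (blocking; rbl_check bounds it)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def make_stub_resolver(table: Dict[str, List[str]], delay_s: float = 0.0) -> Resolver:
    """Offline resolver over constructed answers, optionally slow (for timeouts)."""
    def resolve(name: str) -> List[str]:
        if delay_s:
            time.sleep(delay_s)
        return table.get(name, [])
    return resolve


# Constructed sample data (not real listings): one client listed with the XBL
# code 127.0.0.4, one listed with a different code, one not listed at all.
SPEC = "zen.spamhaus.net=127.0.0.4"
SAMPLE_TABLE = {
    "10.2.0.192.zen.spamhaus.net": ["127.0.0.4"],
    "20.2.0.192.zen.spamhaus.net": ["127.0.0.2"],
}

if __name__ == "__main__":
    stub = make_stub_resolver(SAMPLE_TABLE)
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        r = rbl_check(ip, SPEC, stub, 5000)
        print(ip, r, "disconnect" if should_disconnect(r) else "continue")
    slow = make_stub_resolver(SAMPLE_TABLE, delay_s=0.5)
    print("slow lookup:", rbl_check("192.0.2.10", SPEC, slow, 50))
```

Two points a deployment would want to keep from this shape: match on the exact return code rather than "any answer", because zones that reply with out-of-range status values (for example to signal a misconfigured or over-quota client) would otherwise disconnect everyone; and decide explicitly what a lookup timeout means, since a slow or failing resolver must not turn into a denial of service against legitimate logins.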
