Hi Timo:

My question was because we constantly received brute force attacks from
some IP addresses which use the pop3 service to affect dovecot's login.

For example:

Error: Temporary failure in creating login processes, slowing down for now
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<admin>,
method=PLAIN, rip=A.B.C.D, Info: Aborted login (auth failed, 1
attempts): user=<useradmin>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
pop3-login: Info: Aborted login (auth failed, 1 attempts):
user=<admin123>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
pop3-login: Info: Aborted login (auth failed, 1 attempts):
user=<administrator>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<adm>,
method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
auth(default): Info: shadow(best,A.B.C.D): unknown user
dovecot: Error: pipe() failed: Too many open files
dovecot: Error: Temporary failure in creating login processes, slowing
down for now

In the log above, from the dovecot.log file, we observed a lot of connections
from IP address A.B.C.D to our email server with IP address X.Y.Z.A
using the pop3 login process.

Is it possible to prevent this type of attack with any dovecot option (maybe
limiting the max number of connections from one IP address, or maybe
upgrading my dovecot version)?

Thanks for your help and time.


On 23/02/2012 05:21 p.m., Timo Sirainen wrote:
> On 24.2.2012, at 0.33, Wilberth Perez wrote:
>> Does anyone know if it is possible to configure dovecot to limit the max
>> number of connections per IP address?
>> I would like to prevent future fork-bombing attacks on the pop3 and imap
>> login processes in my email server.
>> Our dovecot version is: 1.2.10
> There is mail_max_userip_connections setting which limits IP+username 
> combination. Typically that should be enough to prevent fork bombing, because 
> users normally don't have more than one account.
> Or you mean when some IP keeps connecting even without actually logging in?
> http://wiki.dovecot.org/LoginProcess has some settings related to this, which 
> should normally be quite helpful if the limits are right.
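
The following is an added example, not part of the original thread and not Dovecot code: a small log check that counts the "Aborted login (auth failed ...)" entries shown above per remote IP (rip) and flags sources that fail against several different usernames. It assumes one log entry per line (the lines in the post are wrapped by the mail client); the sample lines, the documentation-range addresses and the thresholds are constructed.

```python
import re
from collections import defaultdict

# Matches the failed-login entries quoted in the post. "lip=" is not required,
# and search() tolerates a timestamp prefix in front of the service name.
FAILED_LOGIN = re.compile(
    r"(?P<service>pop3|imap)-login: Info: Aborted login "
    r"\(auth failed, (?P<attempts>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)

# Constructed sample input (usernames taken from the post, addresses made up).
SAMPLE_LOG = """\
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<useradmin>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<admin123>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<administrator>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<adm>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5
auth(default): Info: shadow(best,192.0.2.10): unknown user
imap-login: Info: Aborted login (auth failed, 2 attempts): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5
dovecot: Error: pipe() failed: Too many open files
"""


def summarize_failures(lines):
    """Return {rip: {"attempts": int, "users": set}} for failed logins."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m is None:
            continue  # not a failed-login entry (auth/error lines, etc.)
        entry = stats[m["rip"]]
        entry["attempts"] += int(m["attempts"])
        entry["users"].add(m["user"])
    return dict(stats)


def suspicious_sources(lines, min_attempts=5, min_users=3):
    """IPs that fail often AND against several usernames (guessing pattern).

    Requiring several distinct usernames keeps a single user who mistypes
    a password a few times from being flagged. Thresholds are assumptions.
    """
    return sorted(
        rip for rip, s in summarize_failures(lines).items()
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users
    )


if __name__ == "__main__":
    for rip in suspicious_sources(SAMPLE_LOG.splitlines()):
        print(rip)
```

The flagged addresses can then be fed to whatever blocking mechanism the server already uses, such as a firewall rule.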
