On 03/07/13 05:24, Professa Dementia wrote:
> On 7/2/2013 7:11 PM, Stan Hoeppner wrote:
>> On 7/2/2013 8:32 PM, Professa Dementia wrote:
>>> On 7/2/2013 6:21 PM, John Fawcett wrote:
>>>> dnsbl's are a popular method to prevent listed ips from making
>>>> connections to mta software.
>>>>
>>>> cf. postscreen_dnsbl_sites in postfix
>>>>
>>>> Would it be possible to introduce such a feature in dovecot, so that
>>>> connections can be denied
>>>> based on a dnsbl lookup (where the precise dnsbls used are configurable)?
>>>>
>>>> John
>>>>
>>> Let's back up a bit. This does not seem like a feature that Dovecot needs.
>>>
>>> Rather, what problem are you trying to solve? Maybe there is an
>>> existing or better way to accomplish it.
>> Based on John's recent thread on postfix-users on the same general
>> subject, I'd guess he's trying to stop rogue/malicious connections.
>>
> That's my point. A self run IP blackhole list is almost useless.
> Distributed RBLs are much more effective. However, existing ones are
> based on spam sources, not malicious connections to POP or IMAP servers.
>
> Knowing the problem would be beneficial in determining a good solution.
> For certain types of connection abuse, Fail2Ban works remarkably well.
> But, without knowing his exact problem, it may not be the correct solution.
>
> Dem

The point is to stop spambot connections to pop and imap (which are usually done to try and steal credentials).
I already use fail2ban to stop brute force attacks but that means that each one has to be allowed to connect a specified number of times and trigger the filter. I was imagining a distributed solution which is already in use in many mtas applied also to imap and pop so that connections could be stopped from the first one. I am assuming that if there is such a feature then data is available (e.g. sorbs) or if not yet being collected that it could be done.

John
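
Added example, not part of the original message and not Dovecot or Postfix code: a sketch of the DNSBL check the thread discusses, following the RFC 5782 query convention, showing how a listed client can be refused on its first connection rather than after several failed logins. The zone `dnsbl.example`, the function names, the constructed listing data and the fail-open behaviour on DNS errors are all assumptions made for illustration.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers live here

def dnsbl_query_name(ip, zone):
    """Build the lookup name: reversed octets (IPv4) or reversed nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def system_resolver(name):
    """Return A records for name; [] on NXDOMAIN or any DNS failure (fail open)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_client(ip, zones, resolve=system_resolver):
    """Return (allow, hits); hits holds (zone, answer) for every zone listing the client."""
    hits = []
    for zone in zones:
        for answer in resolve(dnsbl_query_name(ip, zone)):
            # Answers outside 127.0.0.0/8 are resolver oddities (e.g. a hijacked
            # NXDOMAIN), not listings, so they must not cause a rejection.
            if ipaddress.ip_address(answer) in LISTED_RANGE:
                hits.append((zone, answer))
    return (not hits, hits)

# Constructed sample data: one listed address in a hypothetical zone.
FAKE_ZONE = {"10.2.0.192.dnsbl.example": ["127.0.0.2"]}

def fake_resolver(name):
    """Offline stand-in for DNS, backed by the constructed FAKE_ZONE table."""
    return FAKE_ZONE.get(name, [])

if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.7"):
        allow, hits = check_client(client, ["dnsbl.example"], fake_resolver)
        print(client, "allow" if allow else "deny", hits)
```

Failing open means a DNS outage cannot lock legitimate users out of their mailboxes; the cost is that the check is skipped while the resolver is unavailable.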