On 03/04/2015 05:03 AM, Earl Killian wrote:
> I would like to reiterate Reindl Harald's point above, since subsequent
> discussion has gotten away from it. If Dovecot had DNS RBL support
> similar to Postfix, I think quite a few people would use it, and thereby
> defeat the scanners far more effectively than any other method. It is
> good that other people are suggesting things that will work today, but
> in terms of what new feature would be the best solution, I can't think
> of one better than a DNS RBL.
I've *seen* mailservers after an external DNSBL configured into them became
defunct or unreachable, and "better", much less "the best solution", is not
how *I* would rank the result in comparison to local rate limiting. (Note
that, unlike in the case of spam and SMTP, allowing a couple of POP/IMAP
connection attempts until the limit strikes is unlikely to become visible
to the legit userbase.)

Which is not to say that such a feature should not be implemented - after
all, Jim said that he compiled the 45k list *himself*, so it would be a
*locally administered* DNSBL for him.

On 03/03/2015 10:43 PM, Reindl Harald wrote:
> the problem is the "in a secure way"
>
> that's not really possible when you mangle firewall rules, which implies
> root permissions - an RBL request is just a DNS request which doesn't need
> *any* permissions on the machine which makes the request
>
> the other problem is that mangling firewall rules in the context of existing
> infrastructures is error prone - you may interfere with existing rulesets
> - it's a bad idea to start with

That's a lot of smoke you're blowing at a firewall that hasn't been
specified beyond "it's *not* iptables". FWIW, *if* it were iptables,
something along the lines of "-d myserver --dport 993 --state NEW -j
(NF)QUEUE" would happily pass *only* the incoming IMAPS connections to a
decision-maker running in userspace.

Regards,
J. Bern
--
*NEU* - NEC IT-Infrastruktur-Produkte im <http://www.linworks-shop.de/>:
Server--Storage--Virtualisierung--Management SW--Passion for Performance
---
Jochen Bern, Systemingenieur --- LINworks GmbH <http://www.LINworks.de/>
Postfach 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, Zentr. -0, Fax -299 - Amtsg. Darmstadt HRB 85202
Unternehmenssitz Weiterstadt, Geschäftsführer Metin Dogan, Oliver Michel