Nick Edwards writes:

I thought Timo once said dovecot had tarpitting, it's useless if it is
there, and if it is, it needs user-configurable timings, or maybe it's
one of those things that's been in the gonna-happen list
for a long time, like other stuff

If I remember correctly, I think this was the "auth_failure_delay"
feature.  However, these delays are only inserted into the same
session -- no IP tracking is done so a BFD attacking host can just
keep opening up new connections.

Dave McGuire writes:

Please add this support to iptables instead of Dovecot.  It's a
waste of effort to code it into every application that listens on
the network.

<head explodes>

Would you care to integrate it into IOS on my Cisco as well?

There are things connected to the Internet that aren't PCs running
Linux, you know. It may be hard to accept, but that's the way it is.
I assume your dovecot runs on some kind of *nix.

Of course.  I run it under Solaris.

Oddly enough, if you run some versions of Solaris, it uses IPFilter
as the native firewall, and it *does* have userland hooks so that you
can make pass/block decisions based on userland executable.  Not well
documented though (see auth rules).

You would need a firewall rule like

        auth in proto tcp from any to any port = 143 flags S/SA keep state

then write a program that does ioctl(ipauth) calls to inspect and
accept/reject packets; not for the faint of heart.  However, you can use
whatever weird and wonderful methods you want to determine IMAP/POP/SMTP
network access policy, including DNSRBL or parsing a text file.

This thread seems to be spinning into non-dovecot subjects, and I'm not
helping, so I'll stop.

Joseph Tam <jtam.h...@gmail.com>
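As an added illustration of the "whatever weird and wonderful methods" part of the message above (not code from the list or from any IPFilter tool): the decision half of such an auth helper, choosing pass/block for a source address from a text file of networks and a DNSRBL lookup. The kernel side (waiting on ipauth and handing back the verdict) is Solaris/IPFilter specific and not shown; the file format, the `bl.example` zone and the sample networks are constructed here.

```python
import ipaddress
import socket

# Constructed sample of the text-file policy: "<pass|block> <network>",
# "#" comments allowed, first matching line wins.
SAMPLE_POLICY = """
# trusted office range
pass  192.0.2.0/24
# known brute-force source
block 198.51.100.7/32
"""

def parse_policy(text):
    """Return a list of (verdict, network) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        verdict, net = line.split()
        if verdict not in ("pass", "block"):
            raise ValueError("bad verdict %r" % verdict)
        rules.append((verdict, ipaddress.ip_network(net, strict=False)))
    return rules

def dnsbl_name(addr, zone):
    """Reversed-octet query name, e.g. 7.100.51.198.bl.example."""
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def default_resolve(name):
    """System resolver; None means no record, i.e. not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def listed_in_dnsbl(addr, zone, resolve=default_resolve):
    """A DNSRBL answers with a 127.0.0.0/8 address for listed hosts."""
    answer = resolve(dnsbl_name(addr, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")

def decide(addr, rules, zone, resolve=default_resolve):
    """Verdict for one source address: file rules first, then the DNSRBL,
    otherwise pass (the firewall rule already limits this to the IMAP port)."""
    ip = ipaddress.IPv4Address(addr)
    for verdict, net in rules:
        if ip in net:
            return verdict
    return "block" if listed_in_dnsbl(addr, zone, resolve) else "pass"
```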
