Hi
Just in case this is useful more generally, I'm posting it to the list.
While Dovecot has an access control via allow_nets, it is a user
database field that applies only at the authentication stage to deny
access for the specific user when there is a connection attempt from an
unauthorized ip for that user.
https://doc.dovecot.org/configuration_manual/authentication/allow_nets/
I don't believe there is anything that checks access at connect time to
deny unwanted traffic prior to authentication, for example from
compromised machines, botnets etc. Though failed connection attempts do
not appear to be a significant issue, maybe better to add some safety
net for the future.
The attached patch is proof-of-concept code that introduces the
parameters rbl_check and rbl_check_timeout (msecs) to the protocol
section. Tested for imap, pop3 and sieve. The following is an example
for sieve.

protocol sieve {
  rbl_check = zen.spamhaus.net=127.0.0.4
  rbl_check_timeout = 5000
}
If the lookup results in a hit the client is disconnected with a BYE
"Disconnected for policy." message and the logs report:

Jun 09 12:00:56 server.example.com dovecot[977650]:
managesieve-login: Disconnected: Policy (disconnected before auth was
ready, waited 1 secs): user=<>, service=sieve, rip=n.n.n.n, lip=n.n.n.n
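To make the lookup the rbl_check setting describes concrete, here is an added Python model of it (not the patch's C code, which is not on this list). It assumes the value has the form "zone=expected_answer" as in the sieve example above, that rbl_check_timeout is in milliseconds, and that a lookup that times out fails open; the fake_resolver helper and its answers are constructed so the block runs offline.

```python
# Added illustration of a DNSBL-style rbl_check lookup; hypothetical, not Dovecot code.
import ipaddress
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout


def parse_rbl_check(value):
    """Split "zone=expected" (e.g. zen.spamhaus.net=127.0.0.4) into its two parts."""
    zone, sep, expected = value.partition("=")
    zone, expected = zone.strip(), expected.strip()
    if not sep or not zone or not expected:
        raise ValueError(f"rbl_check must look like zone=address, got {value!r}")
    ipaddress.ip_address(expected)  # the expected answer must itself be an IP
    return zone, expected


def rbl_query_name(rip, zone):
    """DNSBL query name: reversed octets (IPv4) or reversed nibbles (IPv6) under zone."""
    addr = ipaddress.ip_address(rip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def dns_resolver(name):
    """Real resolver: every A record for name; socket.gaierror means not listed."""
    return socket.gethostbyname_ex(name)[2]


def fake_resolver(answers, delay_s=0.0):
    """Constructed offline resolver: answers maps a query name to its A records."""
    def resolve(name):
        time.sleep(delay_s)  # delay_s > 0 simulates a slow DNSBL for the timeout path
        if name not in answers:
            raise socket.gaierror("constructed NXDOMAIN")
        return answers[name]
    return resolve


def rbl_listed(rip, rbl_check, timeout_ms, resolver=dns_resolver):
    """True when the remote IP should be refused: the zone returned the expected answer."""
    zone, expected = parse_rbl_check(rbl_check)
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        answers = pool.submit(resolver, rbl_query_name(rip, zone)).result(timeout_ms / 1000)
    except LookupTimeout:
        return False  # assumption: a slow DNSBL fails open instead of locking everyone out
    except socket.gaierror:
        return False  # NXDOMAIN: the address is not listed
    finally:
        pool.shutdown(wait=False)  # never block the login process on a hung lookup thread
    return expected in answers
```

Note that a listing in a zone that answers with a different code (say 127.0.0.2 instead of the configured 127.0.0.4) is deliberately not treated as a hit, so the configured answer selects which sub-list of the zone applies.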
The patch also makes the number of pre-login errors and post-login
errors configurable (max_login_command_errors and max_command_errors
respectively) for the pop3, imap and sieve protocols.

protocol sieve {
  max_command_errors = 1
  max_login_command_errors = 1
}
A potential extension to the logic would be "allow_nets" and
"disallow_nets" parameters or maybe something more sophisticated to
allow ips/networks that would otherwise be blocked or deny additional
ips/networks.
John
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org