On Thu, 30 Dec 2021, Nicolas JEAN via mailop wrote:

On 29/12/2021 07:05, Slavko via mailop wrote:
I am not sure if that matters. IMO, when dovecot's auth policy will
reject the later (with real RIP), the roundcube's content will be empty
(at least I hope), and the client's IP will be blocked by fail2ban sooner or
later. Or am I wrong?

From my understanding and tests, the first IMAP login attempt forwarded to dovecot is the actual login to roundcube. Therefore all later IMAP connections happen if and only if the first one was successful (legitimate user, or breach -- password found by attacker).

Is the first auth request to dovecot the first login attempt to roundcube or the first *successful* login attempt to roundcube?
Or does it depend on whether roundcube is using dovecot authentication
(as at least an SMTP server can)?

So I really want dovecot to know the originating IP for the _first_ login attempt. Because brute-force and other attacks are going to fail at the roundcube login phase... until they've tried enough times to guess user passwords.

In order to stop attackers from guessing passwords on roundcube, I need dovecot to know the originating IPs at roundcube login phase. Then when some IP has failed X times to log in to roundcube, dovecot will block it.

*If* roundcube only passes successful logins to dovecot (my first question above) this won't work.

*Why not just fail2ban roundcube plugin?*

Brute-force protection can also be achieved by fail2ban, as mentioned by others. But there are scenarios of attackers trying to evade brute-force detection by making password guesses only once in a while, e.g. every 30 minutes in my experience, from many IPs (botnet). See for example this story <https://security.stackexchange.com/questions/174405/someone-is-trying-to-brute-force-my-private-mail-server-very-slowly>.

If they are using a botnet the IP addresses are much less helpful
for spotting the attack.

In such cases of fail2ban bypassing, having a second banning mechanism can bring additional security, or peace of mind -- at least it does for me.

--
Andrew C. Aitchison                                     Kendal, UK
                        and...@aitchison.me.uk
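The slow, distributed guessing described above (one attempt every 30 minutes from many botnet IPs) is exactly the pattern a per-IP ban window misses. The following added example, which is not from the thread or from the dovecot, roundcube or fail2ban projects, runs a fail2ban-style per-IP sliding window and a per-account sliding window over constructed log lines; the log format, field names and thresholds are assumptions for illustration.

```python
"""Added example: per-IP versus per-account failure counting over
constructed, slowly spaced login failures (not code from the mailop thread)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in an assumed dovecot-like layout. One botnet IP
# each tries the same account roughly every 30 minutes, as in the thread.
LOG = """\
2021-12-29 00:00:00 auth failed: user=<alice> rip=203.0.113.10
2021-12-29 00:30:00 auth failed: user=<alice> rip=203.0.113.11
2021-12-29 01:00:00 auth failed: user=<alice> rip=203.0.113.12
2021-12-29 01:30:00 auth failed: user=<alice> rip=203.0.113.13
2021-12-29 02:00:00 auth failed: user=<alice> rip=203.0.113.14
2021-12-29 02:30:00 auth failed: user=<alice> rip=203.0.113.15
2021-12-29 03:00:00 auth failed: user=<alice> rip=203.0.113.10
"""

LINE = re.compile(r"(\S+ \S+) auth failed: user=<([^>]+)> rip=(\S+)")


def parse(log):
    """Yield (timestamp, user, ip) for every failed-auth line in the log."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def offenders(events, key, maxretry, window):
    """Return the keys whose failures inside a sliding time window reach maxretry.

    key(user, ip) selects what is counted: the client IP (a fail2ban-style
    jail) or the target account (catches guessing spread over many IPs).
    """
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    flagged = set()
    for ts, user, ip in events:   # events are assumed to be in time order
        k = key(user, ip)
        q = recent[k]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            flagged.add(k)
    return flagged


if __name__ == "__main__":
    events = list(parse(LOG))
    # Illustrative per-IP jail: 5 failures within 10 minutes. Flags nothing.
    print(offenders(events, lambda u, ip: ip, 5, timedelta(minutes=10)))
    # Per-account window of 24 hours flags 'alice' after the fifth attempt.
    print(offenders(events, lambda u, ip: u, 5, timedelta(hours=24)))
```

The per-account result is the kind of signal a second mechanism, such as a dovecot auth policy decision, could act on, at the cost of being lockable by an attacker who deliberately fails against a victim account; rate-limiting or challenging rather than hard-banning the account is the usual mitigation for that.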
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
