Re: [Dovecot] POP3 how do I either retrieve spam or never put mail in spam?

2010-04-04 Thread Tony Nelson
On 10-04-04 19:59:43, Tony Nelson wrote:
> On 10-04-04 14:07:49, Thomas Leuxner wrote:
> > On 04.04.2010 at 19:53, Tony Nelson wrote:
> > 
> > > I retrieve my mail from dovecot over POP3.  Sometimes dovecot
> > > delivers a message into the spam mailbox, even though I have no
> > > spam filtering enabled.
> > 
> > Dovecot does not do that. Your MUA such as Thunderbird might do this,
> > or a milter or some other process on your MTA may do that, but
> > Dovecot won't (unless you tell it to sieve mail for you and file into
> > the spam mailbox).
> 
> Well, here is something you do not know about dovecot.
> 
> []# zgrep 'dovecot.*spam' /var/log/maillog-20100404.gz
> Apr  3 17:14:12 rapidxen dovecot: deliver(tonynelson):  
> msgid=<164696033923172620...@xpsp5>: saved mail to spam
> []#
> 
> deliver sends the message wherever it is directed, apparently in this
> case by an anti-spam header added by an intermediate mail server.
 ...

Bah.  After figuring out how deliver was being run, which I see is in 
the /etc/procmailrc I copied from the Dovecot WIKI[1], all I have to do 
is comment out the extra lines[2] that direct spam elsewhere.  Those 
lines are probably needed under some circumstances.
 
[1] <http://wiki.dovecot.org/procmail>
[2] :0 w
* ^X-Spam-Status: Yes
| $DELIVER -m spam

-- 

TonyN.:'   <mailto:tonynel...@georgeanelson.com>
  '  <http://www.georgeanelson.com/>


Re: [Dovecot] POP3 how do I either retrieve spam or never put mail in spam?

2010-04-04 Thread Tony Nelson

On 10-04-04 14:07:49, Thomas Leuxner wrote:
> On 04.04.2010 at 19:53, Tony Nelson wrote:
>
> > I retrieve my mail from dovecot over POP3.  Sometimes dovecot
> > delivers a message into the spam mailbox, even though I have no
> > spam filtering enabled.
>
> Dovecot does not do that. Your MUA such as Thunderbird might do this,
> or a milter or some other process on your MTA may do that, but
> Dovecot won't (unless you tell it to sieve mail for you and file into
> the spam mailbox).


Well, here is something you do not know about dovecot.

[]# zgrep 'dovecot.*spam' /var/log/maillog-20100404.gz
Apr  3 17:14:12 rapidxen dovecot: deliver(tonynelson):  
msgid=<164696033923172620...@xpsp5>: saved mail to spam

[]#

deliver sends the message wherever it is directed, apparently in this
case by an anti-spam header added by an intermediate mail server.  3
out of 4 messages in .spam are not spam.  I need to either change
dovecot or deliver to always use the regular "new" mailbox, or
retrieve POP3 mail from mailboxes other than that "new" mailbox.

[]# dovecot -n
# 1.2.10: /etc/dovecot.conf
# OS: Linux 2.6.26-1-xen-amd64 x86_64 CentOS release 5.4 (Final)
listen: *
max_auth_attempts: 1
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_processes_count: 1
login_max_processes_count: 4
max_mail_processes: 8
mail_location: maildir:~/mail
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
pop3_no_flag_updates(default): no
pop3_no_flag_updates(imap): no
pop3_no_flag_updates(pop3): yes
lda:
  postmaster_address: postmas...@rapidxen.georgeanelson.com
auth default:
  failure_delay: 5
  worker_max_count: 2
  passdb:
    driver: pam
    args: session=yes dovecot
  userdb:
    driver: passwd
  socket:
    type: listen
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      group: mail
[]#

--

TonyN.:'   <mailto:tonynel...@georgeanelson.com>
  '  <http://www.georgeanelson.com/>


[Dovecot] POP3 how do I either retrieve spam or never put mail in spam?

2010-04-04 Thread Tony Nelson
I retrieve my mail from dovecot over POP3.  Sometimes dovecot delivers 
a message into the spam mailbox, even though I have no spam filtering 
enabled.  I can't find anything in the wiki about "other" mailboxes and 
POP3.  I want to either never deliver mail in any mailbox other than my 
default inbox, or be able to retrieve mail over POP3 from those other 
mailboxes.  How do I do them?

-- 

TonyN.:'   
  '  


Re: [Dovecot] Limit login attempts per connection?

2010-03-10 Thread Tony Nelson
On 10-03-10 07:09:45, Marcus Rueckert wrote:
> On 2010-03-09 21:07:42 -0800, Terry Barnum wrote:
> > > On Fri, 05.03.2010 at 09:44:35 +, Ed W 
> > > wrote:
> > >> I would be all in favour of a setting like this because it's
> > >> easier to configure than fail2ban...
> > 
> > There's also denyhosts. 
> 
> http://snowman.net/projects/ipt_recent/
 ...
> really nice iptables module

Unlike fail2ban and denyhosts, using the recent module needs dovecot
to close the connection upon authentication failure, as iptables only
(normally) comes into play for new connections, so it only really
works with a patch like mine.

If you are using the recent module, you probably should also get 
Alexander Zangerl's pam_recent pam module, so that successful logins 
aren't counted against the IP.

-- 

TonyN.:'   
  '  
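
The point above, that a rule on NEW connections never sees retries made inside one connection, as a small added model (not code from this thread, Dovecot or netfilter). The rule parameters (4 NEW connections per 300 seconds), the one-second reconnect and the uncapped 5-second tarpit growth are assumptions for the example.

```c
/* Added illustration; not Dovecot or netfilter source. It models a firewall
 * rule that, like iptables "recent", only counts NEW connections. */
#include <stdio.h>

#define HITCOUNT 4    /* assumed rule: drop the 4th NEW connection ... */
#define WINDOW   300  /* ... seen from one address within 300 seconds */
#define TARPIT   5    /* failure delay grows by 5 s per failure (patch comment) */
#define RETRY    1    /* assumed: the client reconnects one second later */

/* Ring of the last HITCOUNT sightings of one source address. */
struct recent { long seen[HITCOUNT]; int n; };

/* Record a NEW connection at time t; return 1 if accepted, 0 if dropped.
 * Dropped attempts are recorded too, so a persistent client stays blocked.
 * The oldest of the last HITCOUNT sightings sits in the next ring slot. */
static int fw_new_conn(struct recent *r, long t)
{
	r->seen[r->n++ % HITCOUNT] = t;
	if (r->n < HITCOUNT)
		return 1;
	return t - r->seen[r->n % HITCOUNT] >= WINDOW;
}

/* Failed logins one address gets within `duration` seconds.
 * max_auth_attempts == 0 means no per-connection limit, as in the patch. */
long failed_logins(unsigned int max_auth_attempts, long duration)
{
	struct recent r = { {0}, 0 };
	long t = 0, total = 0;
	unsigned int k;
	while (t < duration) {
		if (fw_new_conn(&r, t)) {
			for (k = 1; t < duration; k++) {
				total++;                  /* k-th failure on this connection */
				if (max_auth_attempts && k >= max_auth_attempts)
					break;                /* server closes the connection */
				t += TARPIT * (long)k;    /* tarpit before the next try */
			}
		}
		t += RETRY;
	}
	return total;
}

int main(void)
{
	printf("no limit %ld, limit 4 %ld, limit 1 %ld\n", failed_logins(0, 3600),
	       failed_logins(4, 3600), failed_logins(1, 3600));
	return 0;
}
```

Under these assumptions a client that keeps failing gets 38 tries in an hour with no limit, 12 with a limit of 4 and 3 with a limit of 1.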


Re: [Dovecot] Limit login attempts per connection?

2010-03-07 Thread Tony Nelson
On 10-03-04 23:43:25, Tony Nelson wrote:
> On 10-03-04 20:22:15, Frank Cusack wrote:
> > On 3/4/10 6:42 PM -0500 Tony Nelson wrote:
> > > Looking at the source, I see that there are no options.  It
> > > tarpits a bit, but currently has no limit on the number of 
> > > attempts.  I'll see what I can do.
> > 
> > I think it's a brilliant idea.  After one login attempt, all others
> > on the same connection should fail.
> 
> A fan!  Anyway, there should at least be a choice.  Not that I've
> coded a choice, just a dumb patch -- see attachment.  It's a bit of a
> compromise, with a hard-coded limit of 4 attempts.  Maybe I'll lower
> it to 2.

New patch with conf file setting "max_auth_attempts".  The default is 0 
and means no limit; non-zero disconnects after that many login 
failures.  I put it in the main area of the conf file, but IIUC it 
should also work in the pop3 or imap sections and only affect that 
server.  It doesn't affect the tarpitting.

When using it with an IPTables "recent" module rule, set it to 1.
 
-- 

TonyN.:'   <mailto:tonynel...@georgeanelson.com>
  '  <http://www.georgeanelson.com/>

diff -ur dovecot-1.2.10.orig/dovecot-example.conf dovecot-1.2.10/dovecot-example.conf
--- dovecot-1.2.10.orig/dovecot-example.conf	2010-03-07 02:05:08.0 -0500
+++ dovecot-1.2.10/dovecot-example.conf	2010-03-08 00:51:30.0 -0500
@@ -47,6 +47,11 @@
 # connection is considered secure and plaintext authentication is allowed.
 #disable_plaintext_auth = no
 
+# Limit the number of failed authentication attempts per connection.  0
+# means no limit.  Tarpitting by 5 seconds more each failure is not
+# affected.
+#max_auth_attempts = 0
+
 # Should all IMAP and POP3 processes be killed when Dovecot master process
 # shuts down. Setting this to "no" means that Dovecot can be upgraded without
 # forcing existing client connections to close (although that could also be
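Review bot: The new comment for max_auth_attempts says the setting limits failed attempts per connection but does not say what happens when the limit is reached. The code below calls client_destroy() with "Too many auth attempts.", so the comment should state that the connection is closed at that point, which is what an administrator pairing this with a firewall rule needs to know.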
diff -ur dovecot-1.2.10.orig/dovecot-example.conf.default-settings dovecot-1.2.10/dovecot-example.conf.default-settings
--- dovecot-1.2.10.orig/dovecot-example.conf.default-settings	2010-03-07 02:05:08.0 -0500
+++ dovecot-1.2.10/dovecot-example.conf.default-settings	2010-03-08 01:03:53.0 -0500
@@ -51,6 +51,11 @@
 # connection is considered secure and plaintext authentication is allowed.
 #disable_plaintext_auth = yes
 
+# Limit the number of failed authentication attempts per connection.  0
+# means no limit.  Tarpitting by 5 seconds more each failure is not
+# affected.
+#max_auth_attempts = 0
+
 # Should all IMAP and POP3 processes be killed when Dovecot master process
 # shuts down. Setting this to "no" means that Dovecot can be upgraded without
 # forcing existing client connections to close (although that could also be
diff -ur dovecot-1.2.10.orig/src/imap-login/client-authenticate.c dovecot-1.2.10/src/imap-login/client-authenticate.c
--- dovecot-1.2.10.orig/src/imap-login/client-authenticate.c	2010-01-24 18:14:17.0 -0500
+++ dovecot-1.2.10/src/imap-login/client-authenticate.c	2010-03-08 00:41:46.0 -0500
@@ -266,6 +266,7 @@
 	const char *msg;
 	size_t data_len;
 	bool nodelay;
+	extern unsigned int max_auth_attempts;
 
 	i_assert(!client->destroyed ||
 		 reply == SASL_SERVER_REPLY_AUTH_ABORTED ||
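Review bot: The declaration `extern unsigned int max_auth_attempts;` sits inside the function body, so nothing checks its type against the definition in another file. Move it into a header that both the defining file and client-authenticate.c include, so a mismatch is caught at compile time.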
@@ -286,8 +287,12 @@
 		if (client->to_auth_waiting != NULL)
 			timeout_remove(&client->to_auth_waiting);
 		if (args != NULL) {
-			if (client_handle_args(client, args, FALSE, &nodelay))
+			if (client_handle_args(client, args, FALSE, &nodelay)) {
+/*GAN 04Mar10  restrict auth attempts */
+if (max_auth_attempts && client->common.auth_attempts >= max_auth_attempts)
+	client_destroy(client, "Too many auth attempts.");
 break;
+			}
 		}
 
 		if (reply == SASL_SERVER_REPLY_AUTH_ABORTED)
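Review bot: The limit check in the client_handle_args() branch, `max_auth_attempts && client->common.auth_attempts >= max_auth_attempts`, is repeated with the same message string in the next hunk; a small helper would keep the two call sites from drifting apart. The `/*GAN 04Mar10 ... */` tag records author and date, which belongs in the commit message rather than in the source.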
@@ -298,8 +303,12 @@
 			msg = t_strconcat("NO [ALERT] ", data, NULL);
 		client_send_tagline(client, msg);
 
-		if (!client->destroyed)
+		if (!client->destroyed) {
+			/*GAN 04Mar10  restrict auth attempts */
+			if (max_auth_attempts && client->common.auth_attempts >= max_auth_attempts)
+client_destroy(client, "Too many auth attempts.");
 			client_auth_failed(client, nodelay);
+		}
 		break;
 	case SASL_SERVER_REPLY_MASTER_FAILED:
 		if (data == NULL)
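Review bot: Inside the `if (!client->destroyed)` block, client_auth_failed(client, nodelay) still runs after client_destroy() has been called, because the new check has no else and the destroyed guard was evaluated before the destroy. Make the two calls mutually exclusive, for example `else client_auth_failed(client, nodelay);`, or break right after client_destroy().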
diff -ur dovecot-1.2.10.orig/src/login-common/main.c dovecot-1.2.10/src/login-common/main.c
--- dovecot-1.2.10.orig/src/login-common/main.c	2010-01-24 18:14:17.0 -0500
+++ dovecot-1.2.10/src/login-common/main.c	2010-03-08 00:41:46.0 -0500
@@ -29,6 +29,7 @@
 unsigned int login_process_uid;
 struct auth_client *auth_client;
 bool closing_down, capability_string_overridden;

Re: [Dovecot] Limit login attempts per connection?

2010-03-04 Thread Tony Nelson

On 10-03-04 20:22:15, Frank Cusack wrote:
> On 3/4/10 6:42 PM -0500 Tony Nelson wrote:
> > Looking at the source, I see that there are no options.  It tarpits
> > a bit, but currently has no limit on the number of attempts.  I'll
> > see what I can do.
>
> I think it's a brilliant idea.  After one login attempt, all others
> on the same connection should fail.


A fan!  Anyway, there should at least be a choice.  Not that I've coded
a choice, just a dumb patch -- see attachment.  It's a bit of a
compromise, with a hard-coded limit of 4 attempts.  Maybe I'll lower it
to 2.

--

TonyN.:'   <mailto:tonynel...@georgeanelson.com>
  '  <http://www.georgeanelson.com/>
--- dovecot-1.2.10/src/pop3-login/client-authenticate.c.limitauth	2010-01-24 18:14:17.0 -0500
+++ dovecot-1.2.10/src/pop3-login/client-authenticate.c	2010-03-04 23:08:07.0 -0500
@@ -21,6 +21,7 @@
 
 #define POP3_SERVICE_NAME "pop3"
 #define AUTH_FAILURE_DELAY_INCREASE_MSECS 5000
+#define AUTH_ATTEMPT_LIMIT 3
 
 const char *capability_string = POP3_CAPABILITY_REPLY;
 
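Review bot: AUTH_ATTEMPT_LIMIT is defined as 3, but the checks in the following hunks use `auth_attempts > AUTH_ATTEMPT_LIMIT`, so the disconnect happens only once the counter exceeds 3 rather than at 3. Either compare with `>=` or add a comment at the #define saying the constant is the last permitted count, so the name and the behaviour agree.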
@@ -244,8 +245,12 @@
 	case SASL_SERVER_REPLY_AUTH_FAILED:
 	case SASL_SERVER_REPLY_AUTH_ABORTED:
 		if (args != NULL) {
-			if (client_handle_args(client, args, FALSE, &nodelay))
+			if (client_handle_args(client, args, FALSE, &nodelay)) {
+/*GAN 04Mar10  restrict auth attempts */
+if (client->common.auth_attempts > AUTH_ATTEMPT_LIMIT)
+client_destroy(client, "Too many auth attempts.");
 break;
+}
 		}
 
 		if (reply == SASL_SERVER_REPLY_AUTH_ABORTED)
@@ -256,8 +261,12 @@
 			msg = t_strconcat("-ERR ", data, NULL);
 		client_send_line(client, msg);
 
-		if (!client->destroyed)
+		if (!client->destroyed) {
+/*GAN 04Mar10  restrict auth attempts */
+if (client->common.auth_attempts > AUTH_ATTEMPT_LIMIT)
+client_destroy(client, "Too many auth attempts.");
 			client_auth_failed(client, nodelay);
+}
 		break;
 	case SASL_SERVER_REPLY_MASTER_FAILED:
 		if (data == NULL)
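Review bot: In the `if (!client->destroyed)` block the call to client_auth_failed(client, nodelay) is unconditional, so it runs on a client that the line above has just passed to client_destroy(). Put it in an else branch of the AUTH_ATTEMPT_LIMIT check, or break immediately after client_destroy(), so a destroyed client is not touched again.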



Re: [Dovecot] Limit login attempts per connection?

2010-03-04 Thread Tony Nelson
On 10-03-04 00:51:40, to...@tuxteam.de wrote:
> On Wed, Mar 03, 2010 at 03:39:28PM -0500, Tony Nelson wrote:
> > Dovecot allows a large number of login attempts per connection.  
> > I'd like to reduce that number to, say, 1, and let my firewall keep 
> > the ducks at bay,
> 
> If the firewall is the one to do the job, I'd recommend an external
> application like fail2ban. It watches the logs and bans IP addresses
> with too many failures -- the nice thing is that it's able to cover
> all applications listening on external ports. You can define patterns 
> in log files to which it has to react (but it comes with a good set 
> of pre-defined patterns -- at least on popular GNU/Linux distros).

I already have something that works with any program secure enough not 
to allow unlimited login attempts.  Using fail2ban might work if I 
configure it enough to sever existing connections.


> >   but I can't find anything in /etc/dovecot.conf or by
> > googling.  How do I do it?  Do I need to patch the source?
> 
> I don't know about such a setting (but I don't know everything about
> Dovecot either!). Anyway, then it'd still be the Dovecot process dealing
> with the rogue login attempts -- it seems better to keep them at the
> firewall level with the approach above.

Yes, and I'm going to use the firewall -- once I can get Dovecot to 
limit the number of login attempts per connection.

Looking at the source, I see that there are no options.  It tarpits a 
bit, but currently has no limit on the number of attempts.  I'll see 
what I can do.

-- 

TonyN.:'   <mailto:tonynel...@georgeanelson.com>
  '  <http://www.georgeanelson.com/>


Re: [Dovecot] Limit login attempts per connection?

2010-03-04 Thread Tony Nelson
On 10-03-03 23:01:58, Stan Hoeppner wrote:
> Tony Nelson put forth on 3/3/2010 2:39 PM:
> > Dovecot allows a large number of login attempts per connection.  
> > I'd like to reduce that number to, say, 1, and let my firewall keep 
> > the ducks at bay, but I can't find anything in /etc/dovecot.conf or 
> > by googling.  How do I do it?  Do I need to patch the source?
> > 
> > dovecot-1.1.10-1.x86_64 on CentOS 5.4
> 
> Can you tell us more about these unwanted login attempts?  Are you
> merely trying to stop Chinese et al hacker woodpeckering on your 
> IMAP/POP port(s) or something else?

Crackers, yes.  They're just the sort one doesn't want getting in to 
one's system, and the fewer tries they get the better.  But the reason 
is not important.

Looking at the source, I see that there are no options.  It tarpits a 
bit, but currently has no limit on the number of attempts.  I'll see 
what I can do.

-- 

TonyN.:'   <mailto:tonynel...@georgeanelson.com>
  '  <http://www.georgeanelson.com/>


[Dovecot] Limit login attempts per connection?

2010-03-03 Thread Tony Nelson
Dovecot allows a large number of login attempts per connection.  I'd 
like to reduce that number to, say, 1, and let my firewall keep the 
ducks at bay, but I can't find anything in /etc/dovecot.conf or by 
googling.  How do I do it?  Do I need to patch the source?

dovecot-1.1.10-1.x86_64 on CentOS 5.4

-- 

TonyN.:'   
  '