Re: [Dovecot] dnsbl feature for dovecot
Am 03.07.2013 20:53, schrieb Reindl Harald: > > > Am 03.07.2013 20:41, schrieb John Fawcett: >> On 03/07/13 18:40, Benny Pedersen wrote: >>> John Fawcett skrev den 2013-07-03 03:21: dnsbl's are a popular method to prevent listed ips from making connections to mta software. >>> >>> hmm are pop3/imap clients not authed users ? >>> >>> well done >>> >> in this case no, I am talking about connections from zombies > > have fun - most RBL's contains a lot of dialup-addresses > which makes sense to get rejected on a MTA until auth > but stupid to block completly without abuse users > just for info a botnet check ip service was anounced https://www.check-and-secure.com/ipcheck/_en/index.html it seems that they have some db with botnet ips, with "ttl" 15 mins but for sure this isnt a "traditional" rbl however it shows some people work on that stuff Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Re: [Dovecot] dnsbl feature for dovecot
On 7/3/2013 2:30 PM, Joseph Tam wrote: > Brute force attempts are more intense, so I think these rules can be > set harder to not risk plunking your users into blacklist hell. Also, > some common role account (that don't exist on my system e.g. "admin") > will trigger an immediate blacklist here -- an easy way to shortcut > the process. Certainly, set the rules to whatever works for your system. My example is just what I used and it worked well for me. Your example is why I specified that an attempt to login as a blocked account does *not* extend the blocking time. Otherwise, you run the risk of a rolling block that goes on forever. Why are users on your system entering bad passwords all the time? Every major mail client can save passwords in a reasonably secure format so the feeble minded human is free of that burden. Even with webmail, the browser generally can save passwords. In fact, I feel this is safer. It eliminates keystroke loggers from getting the password. It also makes it easier to enforce strong passwords. If the user had to type in a 16 character strong password each time (such as HjY6##k,F8Dl9sy1), many of them would certainly complain loudly and often. However, if the user can enter that password once into their chosen software and not have to remember it again, you get good protection from brute force attacks and happy users. Typing a password once is much easier than even typing "cat" 50,000 times over the course of several years. Dem
Re: [Dovecot] dnsbl feature for dovecot
Professa Dementia writes: 2) Fail2Ban with rules that seem like they are pretty weak, but trust me, they work fine and you limit complaints from users. a) If you get 3 invalid login attempts within a minute from more than 1 IP address, block that login for 10 minutes. If you have blocked a login and another attempt to log in to that account is made then tarpit that connection. Usually 60 seconds is sufficient. Do not extend the original block time past the original 10 minutes. b) If you get 5 invalid login attempts within a minute from the same IP, block that IP for 5 minutes. This is usually a valid user who forgot their password, as opposed to a) which is usually a malicious third party. Looking at my POP3/IMAP logs, users enter wrong passwords all the time, then their mail client keeps trying to re-authenticate, giving the appearance of a slow rolling BFD. For example, I just grabbed this typical sample Jul 2 13:24:48 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user= ... Jul 2 13:26:03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user= ... Jul 2 13:26:13 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 9 secs): user= ... Jul 2 13:26:37 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user= ... Jul 2 13:26:43 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user= ... Jul 2 13:27:08 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user= ... Jul 2 13:27:14 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user= ... Jul 2 13:27:30 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user= ... Jul 2 13:27:36 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user= ... Jul 2 13:27:51 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user= ... Brute force attempts are more intense, so I think these rules can be set harder to not risk plunking your users into blacklist hell. Also, some common role account (that don't exist on my system e.g. "admin") will trigger an immediate blacklist here -- an easy way to shortcut the process. I feel your pain and frustration. I do not believe there is an RBL list of offending IP's for brute force attacks ... Maybe http://www.blocklist.de/en/index.html I use it for ssh BFD blocking, and it detects 2/3 of the IPs trying to do attempts. On their web page, they also list FTP, Web, and Mail login brute forcers, although I'm not sure whether "Mail" logins means IMAP, POP, SMTP-AUTH, or all of them. You can also integrate this with fail2ban so that not only can you use it to block, but can also contribute to the global detection of brute forcers. Joseph Tam
Re: [Dovecot] dnsbl feature for dovecot
On 03/07/13 12:47, Professa Dementia wrote: > On 7/3/2013 12:35 AM, John Fawcett wrote: > >> The point is to stop spambot connections to pop and >> imap (which are usually done to try and steal >> credentials). > This is not the usual way spambots work. Generally, spambots scrape > addresses from various sources in order to get lists of emails to send > spam to. > > What you seem to be experiencing may be zombie nets trying to brute > force credentials so they can then send spam from compromised accounts. > This is a different beast with a different solution. Yes I have evidence that passwords found by brute force on pop3 were then used to send email via smtp. > > Regardless, you have a spcific problem that needs addressing. > > I ran an ISP for almost two decades and have dealt with these issues > myself. My recommendations: > > 1) Enforce strong user passwords. I use 12 characters minimum. 14 > characters or more would be better, but this length starts to make it > hard for mere humans to remember. Enforce a rule that the password > contains at least 2 or 3 of the following: lower case letter, upper case > letter, digit, and symbol which is not one of the prior three. > > Some systems require the user's password have all four. This actually > weakens the password (if you care to know why, I can go into the math in > a later post). > > After enforcing your chosen rules, run the password through cracklib > before accepting it from the user. Or even better, what I started doing > was having the system generate passwords and not let the user choose > their own. Initially people grumbled a bit, but they soon got used to > it and security was much better. > > > 2) Fail2Ban with rules that seem like they are pretty weak, but trust > me, they work fine and you limit complaints from users. > > a) If you get 3 invalid login attempts within a minute from more than > 1 IP address, block that login for 10 minutes. If you have blocked a > login and another attempt to log in to that account is made then tarpit > that connection. Usually 60 seconds is sufficient. Do not extend the > original block time past the original 10 minutes. > b) If you get 5 invalid login attempts within a minute from the same > IP, block that IP for 5 minutes. This is usually a valid user who > forgot their password, as opposed to a) which is usually a malicious > third party. > > Some of this you can do with off the shelf tools, some of it may require > some glue code (Perl or Python works nicely) on your part. If you can > implement this, it will stop the abuse cold. > > > 1) provides security and makes brute forcing infeasible. 2) helps > reduce load on your systems. these look like good suggestions. >> I was imagining a distributed solution which is already >> in use in many mtas applied also to imap and pop >> so that connections could be stopped from the first >> one. >> >> I am assuming that if there is such a feature then data is >> available (e.g. sorbs) or if not yet being collected that it >> could be done. > I feel your pain and frustration. I do not believe there is an RBL list > of offending IP's for brute force attacks and I think one would be hard > to build and keep up to date enough to be useful, since most of these > systems are compromised home computers, but they get fixed and there is > a lot of turnover - infected systems are repaired and new ones infected. > > Most of them are in the far east, so if you do not mind applying a > cudgel to the problem, you can block entire ranges of IPs altogether. > Of course, one of your users traveling to one of those areas would need > to use some other method to access email (mobile device, webmail, etc). > > Dem I take the point that ips in such a dnsbl would probably have a short life span. However, whatever may be the difficulties, such a list would not make sense if there is no functionality in the server to use it. I am going to look into Timo's suggestion though on tcpwrappers to see how this would work. John
Re: [Dovecot] dnsbl feature for dovecot
Am 03.07.2013 20:41, schrieb John Fawcett: > On 03/07/13 18:40, Benny Pedersen wrote: >> John Fawcett skrev den 2013-07-03 03:21: >>> dnsbl's are a popular method to prevent listed ips from making >>> connections to mta software. >> >> hmm are pop3/imap clients not authed users ? >> >> well done >> > in this case no, I am talking about connections from zombies have fun - most RBL's contains a lot of dialup-addresses which makes sense to get rejected on a MTA until auth but stupid to block completly without abuse users signature.asc Description: OpenPGP digital signature
Re: [Dovecot] dnsbl feature for dovecot
John Fawcett skrev den 2013-07-03 20:41: in this case no, I am talking about connections from zombies. block client ip of the zombies, this is what iptables is for, or change rules to only have ports open for clients location, well dovecot supports ipblocking, but imho its not the right place to setup -- senders that put my email into body content will deliver it to my own trashcan, so if you like to get reply, dont do it
Re: [Dovecot] dnsbl feature for dovecot
On 03/07/13 18:40, Benny Pedersen wrote: > John Fawcett skrev den 2013-07-03 03:21: >> dnsbl's are a popular method to prevent listed ips from making >> connections to mta software. > > hmm are pop3/imap clients not authed users ? > > well done > in this case no, I am talking about connections from zombies.
Re: [Dovecot] dnsbl feature for dovecot
On 03/07/13 18:44, Benny Pedersen wrote: > Timo Sirainen skrev den 2013-07-03 03:27: > >> You're talking about IMAP/POP3 connections? >> Possible, yeah .. possibly even without code changes by using >> tcpwrappers. > > why is it needed ? > > setup fail2ban to manange xtables-addons geoip csv files from abusers, > then use this csv file as A0 list in iptables, end result is low > memory footprint, it should not be a dovecot solotion > I would not see fail2ban as the only solution. On the mta I use both dnsbl and fail2ban and both help in their own ways to reduce/limit unwanted connections. I wouldn't consider adding large numbers of rules to iptables but I would consider querying a dnsbl which contained large numbers of ips, since the management of the data is then off the server. John
Re: [Dovecot] dnsbl feature for dovecot
John Fawcett skrev den 2013-07-03 09:40: Possible, yeah .. possibly even without code changes by using tcpwrappers. TImo, thanks for the reply. I will look into that suggestion. John if its implemented in dovecot possible use postfix memcached ?, so thay share cache data -- senders that put my email into body content will deliver it to my own trashcan, so if you like to get reply, dont do it
Re: [Dovecot] dnsbl feature for dovecot
Timo Sirainen skrev den 2013-07-03 03:27: You're talking about IMAP/POP3 connections? Possible, yeah .. possibly even without code changes by using tcpwrappers. why is it needed ? setup fail2ban to manange xtables-addons geoip csv files from abusers, then use this csv file as A0 list in iptables, end result is low memory footprint, it should not be a dovecot solotion -- senders that put my email into body content will deliver it to my own trashcan, so if you like to get reply, dont do it
Re: [Dovecot] dnsbl feature for dovecot
John Fawcett skrev den 2013-07-03 03:21: dnsbl's are a popular method to prevent listed ips from making connections to mta software. hmm are pop3/imap clients not authed users ? well done -- senders that put my email into body content will deliver it to my own trashcan, so if you like to get reply, dont do it
Re: [Dovecot] dnsbl feature for dovecot
On 7/3/2013 12:35 AM, John Fawcett wrote: > The point is to stop spambot connections to pop and > imap (which are usually done to try and steal > credentials). This is not the usual way spambots work. Generally, spambots scrape addresses from various sources in order to get lists of emails to send spam to. What you seem to be experiencing may be zombie nets trying to brute force credentials so they can then send spam from compromised accounts. This is a different beast with a different solution. Regardless, you have a spcific problem that needs addressing. I ran an ISP for almost two decades and have dealt with these issues myself. My recommendations: 1) Enforce strong user passwords. I use 12 characters minimum. 14 characters or more would be better, but this length starts to make it hard for mere humans to remember. Enforce a rule that the password contains at least 2 or 3 of the following: lower case letter, upper case letter, digit, and symbol which is not one of the prior three. Some systems require the user's password have all four. This actually weakens the password (if you care to know why, I can go into the math in a later post). After enforcing your chosen rules, run the password through cracklib before accepting it from the user. Or even better, what I started doing was having the system generate passwords and not let the user choose their own. Initially people grumbled a bit, but they soon got used to it and security was much better. 2) Fail2Ban with rules that seem like they are pretty weak, but trust me, they work fine and you limit complaints from users. a) If you get 3 invalid login attempts within a minute from more than 1 IP address, block that login for 10 minutes. If you have blocked a login and another attempt to log in to that account is made then tarpit that connection. Usually 60 seconds is sufficient. Do not extend the original block time past the original 10 minutes. b) If you get 5 invalid login attempts within a minute from the same IP, block that IP for 5 minutes. This is usually a valid user who forgot their password, as opposed to a) which is usually a malicious third party. Some of this you can do with off the shelf tools, some of it may require some glue code (Perl or Python works nicely) on your part. If you can implement this, it will stop the abuse cold. 1) provides security and makes brute forcing infeasible. 2) helps reduce load on your systems. > I was imagining a distributed solution which is already > in use in many mtas applied also to imap and pop > so that connections could be stopped from the first > one. > > I am assuming that if there is such a feature then data is > available (e.g. sorbs) or if not yet being collected that it > could be done. I feel your pain and frustration. I do not believe there is an RBL list of offending IP's for brute force attacks and I think one would be hard to build and keep up to date enough to be useful, since most of these systems are compromised home computers, but they get fixed and there is a lot of turnover - infected systems are repaired and new ones infected. Most of them are in the far east, so if you do not mind applying a cudgel to the problem, you can block entire ranges of IPs altogether. Of course, one of your users traveling to one of those areas would need to use some other method to access email (mobile device, webmail, etc). Dem
Re: [Dovecot] dnsbl feature for dovecot
On Wed, 03 Jul 2013 09:37:14 +0200 Robert Schetterer wrote: > Am 03.07.2013 05:24, schrieb Professa Dementia: > > On 7/2/2013 7:11 PM, Stan Hoeppner wrote: > >> On 7/2/2013 8:32 PM, Professa Dementia wrote: > >>> On 7/2/2013 6:21 PM, John Fawcett wrote: > dnsbl's are a popular method to prevent listed ips from making > connections to mta software. > > cf. postscreen_dnsbl_sites in postfix > > Would it be possible to introduce such a feature in dovecot, so that > connections can be denied > based on a dnsbl lookup (where the precise dnsbls used are configurable)? > > John > > >>> > >>> Let's back up a bit. This does not seem like a feature that Dovecot > >>> needs. > >>> > >>> Rather, what problem are you trying to solve? Maybe there is an > >>> existing or better way to accomplish it. > >> > >> Based on John's recent thread on postfix-users on the same general > >> subject, I'd guess he's trying to stop rouge/malicious connections. > >> > > > > That's my point. A self run IP blackhole list is almost useless. > > Distributed RBLs are much more effective. However, existing ones are > > based on spam sources, not malicious connections to POP or IMAP servers. > > > > Knowing the problem would be beneficial in determining a good solution. > > For certain types of connection abuse, Fail2Ban works remarkably well. > > But, without knowing his exact problem, it may not be the correct solution. > > > > Dem > > > > i think an auto dynamic user/ip based con limit might be best , but i > guess it will be difficult to implement, for this you need some log > analyser counting wrong auth user/ip pairs, invoking some action on the > fly , like throttle user from ip, and auto high user/ip login throttle > by adjustable time periods , also there must be some whitelist possible > One possibility for the connection limiting could be using the iptables hashlimit module. Getting the correct values for it might be a bit tricky, but maybe initially you could do logging on a dedicated iptables chain instead of drops to get some sample usage statistics. Then again, you should also be careful with hashlimit if you have large number of users coming from the same IP address (ISPs using NAT etc). Best regards -- Branko Majic Jabber: bra...@majic.rs Please use only Free formats when sending attachments to me. Бранко Мајић Џабер: bra...@majic.rs Молим вас да додатке шаљете искључиво у слободним форматима. signature.asc Description: PGP signature
Re: [Dovecot] dnsbl feature for dovecot
On 03/07/13 03:27, Timo Sirainen wrote: > On 3.7.2013, at 4.21, John Fawcett wrote: > >> dnsbl's are a popular method to prevent listed ips from making >> connections to mta software. >> >> cf. postscreen_dnsbl_sites in postfix >> >> Would it be possible to introduce such a feature in dovecot, so that >> connections can be denied >> based on a dnsbl lookup (where the precise dnsbls used are configurable)? > You're talking about IMAP/POP3 connections? > > Possible, yeah .. possibly even without code changes by using tcpwrappers. > TImo, thanks for the reply. I will look into that suggestion. John
Re: [Dovecot] dnsbl feature for dovecot
On 03/07/13 09:26, Robert Schetterer wrote: > Am 03.07.2013 04:11, schrieb Stan Hoeppner: >> On 7/2/2013 8:32 PM, Professa Dementia wrote: >>> On 7/2/2013 6:21 PM, John Fawcett wrote: dnsbl's are a popular method to prevent listed ips from making connections to mta software. cf. postscreen_dnsbl_sites in postfix Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)? John >>> Let's back up a bit. This does not seem like a feature that Dovecot needs. >>> >>> Rather, what problem are you trying to solve? Maybe there is an >>> existing or better way to accomplish it. >> Based on John's recent thread on postfix-users on the same general >> subject, I'd guess he's trying to stop rouge/malicious connections. >> > so perhaps fail2ban might help, or construct something out of syslog and > iptables recent, or use dovecot deny etc > > http://wiki2.dovecot.org/HowTo/Fail2Ban > http://wiki2.dovecot.org/Authentication/RestrictAccess > http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets > > only german, but code should understandable anyway for new coding ideas > > http://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/ > > usually fail2ban is enough for brute force pop3/imap, but blocking ips > is a problem ever with nat clients > > > Best Regards > MfG Robert Schetterer > Thanks Robert, I saw that article and implemented that in fail2ban to stop repeated hammering attempts on the server from the same clients already rejected by dnsbl in postfix. I was thinking of extending the mechanism to imap/pop. John
Re: [Dovecot] dnsbl feature for dovecot
Am 03.07.2013 05:24, schrieb Professa Dementia: > On 7/2/2013 7:11 PM, Stan Hoeppner wrote: >> On 7/2/2013 8:32 PM, Professa Dementia wrote: >>> On 7/2/2013 6:21 PM, John Fawcett wrote: dnsbl's are a popular method to prevent listed ips from making connections to mta software. cf. postscreen_dnsbl_sites in postfix Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)? John >>> >>> Let's back up a bit. This does not seem like a feature that Dovecot needs. >>> >>> Rather, what problem are you trying to solve? Maybe there is an >>> existing or better way to accomplish it. >> >> Based on John's recent thread on postfix-users on the same general >> subject, I'd guess he's trying to stop rouge/malicious connections. >> > > That's my point. A self run IP blackhole list is almost useless. > Distributed RBLs are much more effective. However, existing ones are > based on spam sources, not malicious connections to POP or IMAP servers. > > Knowing the problem would be beneficial in determining a good solution. > For certain types of connection abuse, Fail2Ban works remarkably well. > But, without knowing his exact problem, it may not be the correct solution. > > Dem > i think an auto dynamic user/ip based con limit might be best , but i guess it will be difficult to implement, for this you need some log analyser counting wrong auth user/ip pairs, invoking some action on the fly , like throttle user from ip, and auto high user/ip login throttle by adjustable time periods , also there must be some whitelist possible Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Re: [Dovecot] dnsbl feature for dovecot
On 03/07/13 05:24, Professa Dementia wrote: > On 7/2/2013 7:11 PM, Stan Hoeppner wrote: >> On 7/2/2013 8:32 PM, Professa Dementia wrote: >>> On 7/2/2013 6:21 PM, John Fawcett wrote: dnsbl's are a popular method to prevent listed ips from making connections to mta software. cf. postscreen_dnsbl_sites in postfix Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)? John >>> Let's back up a bit. This does not seem like a feature that Dovecot needs. >>> >>> Rather, what problem are you trying to solve? Maybe there is an >>> existing or better way to accomplish it. >> Based on John's recent thread on postfix-users on the same general >> subject, I'd guess he's trying to stop rouge/malicious connections. >> > That's my point. A self run IP blackhole list is almost useless. > Distributed RBLs are much more effective. However, existing ones are > based on spam sources, not malicious connections to POP or IMAP servers. > > Knowing the problem would be beneficial in determining a good solution. > For certain types of connection abuse, Fail2Ban works remarkably well. > But, without knowing his exact problem, it may not be the correct solution. > > Dem The point is to stop spambot connections to pop and imap (which are usually done to try and steal credentials). I already use fail2ban to stop brute force attacks but that means that each one has to be allowed to connect a specified number of times and trigger the filter. I was imagining a distributed solution which is already in use in many mtas applied also to imap and pop so that connections could be stopped from the first one. I am assuming that if there is such a feature then data is available (e.g. sorbs) or if not yet being collected that it could be done. John
Re: [Dovecot] dnsbl feature for dovecot
Am 03.07.2013 04:11, schrieb Stan Hoeppner: > On 7/2/2013 8:32 PM, Professa Dementia wrote: >> On 7/2/2013 6:21 PM, John Fawcett wrote: >>> dnsbl's are a popular method to prevent listed ips from making >>> connections to mta software. >>> >>> cf. postscreen_dnsbl_sites in postfix >>> >>> Would it be possible to introduce such a feature in dovecot, so that >>> connections can be denied >>> based on a dnsbl lookup (where the precise dnsbls used are configurable)? >>> >>> John >>> >> >> Let's back up a bit. This does not seem like a feature that Dovecot needs. >> >> Rather, what problem are you trying to solve? Maybe there is an >> existing or better way to accomplish it. > > Based on John's recent thread on postfix-users on the same general > subject, I'd guess he's trying to stop rouge/malicious connections. > so perhaps fail2ban might help, or construct something out of syslog and iptables recent, or use dovecot deny etc http://wiki2.dovecot.org/HowTo/Fail2Ban http://wiki2.dovecot.org/Authentication/RestrictAccess http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets only german, but code should understandable anyway for new coding ideas http://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/ usually fail2ban is enough for brute force pop3/imap, but blocking ips is a problem ever with nat clients Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Re: [Dovecot] dnsbl feature for dovecot
On 7/2/2013 7:11 PM, Stan Hoeppner wrote: > On 7/2/2013 8:32 PM, Professa Dementia wrote: >> On 7/2/2013 6:21 PM, John Fawcett wrote: >>> dnsbl's are a popular method to prevent listed ips from making >>> connections to mta software. >>> >>> cf. postscreen_dnsbl_sites in postfix >>> >>> Would it be possible to introduce such a feature in dovecot, so that >>> connections can be denied >>> based on a dnsbl lookup (where the precise dnsbls used are configurable)? >>> >>> John >>> >> >> Let's back up a bit. This does not seem like a feature that Dovecot needs. >> >> Rather, what problem are you trying to solve? Maybe there is an >> existing or better way to accomplish it. > > Based on John's recent thread on postfix-users on the same general > subject, I'd guess he's trying to stop rouge/malicious connections. > That's my point. A self run IP blackhole list is almost useless. Distributed RBLs are much more effective. However, existing ones are based on spam sources, not malicious connections to POP or IMAP servers. Knowing the problem would be beneficial in determining a good solution. For certain types of connection abuse, Fail2Ban works remarkably well. But, without knowing his exact problem, it may not be the correct solution. Dem
Re: [Dovecot] dnsbl feature for dovecot
On 7/2/2013 8:32 PM, Professa Dementia wrote: > On 7/2/2013 6:21 PM, John Fawcett wrote: >> dnsbl's are a popular method to prevent listed ips from making >> connections to mta software. >> >> cf. postscreen_dnsbl_sites in postfix >> >> Would it be possible to introduce such a feature in dovecot, so that >> connections can be denied >> based on a dnsbl lookup (where the precise dnsbls used are configurable)? >> >> John >> > > Let's back up a bit. This does not seem like a feature that Dovecot needs. > > Rather, what problem are you trying to solve? Maybe there is an > existing or better way to accomplish it. Based on John's recent thread on postfix-users on the same general subject, I'd guess he's trying to stop rouge/malicious connections. -- Stan
Re: [Dovecot] dnsbl feature for dovecot
On 7/2/2013 6:21 PM, John Fawcett wrote: > dnsbl's are a popular method to prevent listed ips from making > connections to mta software. > > cf. postscreen_dnsbl_sites in postfix > > Would it be possible to introduce such a feature in dovecot, so that > connections can be denied > based on a dnsbl lookup (where the precise dnsbls used are configurable)? > > John > Let's back up a bit. This does not seem like a feature that Dovecot needs. Rather, what problem are you trying to solve? Maybe there is an existing or better way to accomplish it. Dem
Re: [Dovecot] dnsbl feature for dovecot
On 3.7.2013, at 4.21, John Fawcett wrote: > dnsbl's are a popular method to prevent listed ips from making > connections to mta software. > > cf. postscreen_dnsbl_sites in postfix > > Would it be possible to introduce such a feature in dovecot, so that > connections can be denied > based on a dnsbl lookup (where the precise dnsbls used are configurable)? You're talking about IMAP/POP3 connections? Possible, yeah .. possibly even without code changes by using tcpwrappers.
