Dave McGuire writes:

>>>> then set up fail2ban to manage extrafields
>>>
>>> Now that's a very interesting idea, thank you! I will investigate this.
>>
>> If you don't expect your firewall to handle 45K+ IPs, I'm not sure how you
>> expect dovecot will handle a comma separated string with 45K+ entries
>> any better.
>
> My firewall can handle that without breaking a sweat. I just haven't
> found a way (that I'm comfortable with) to automatically inject rules
> into it from a machine on the network.
>
> Doing it via a DNSBL is an elegant solution to the problem, IMO.

I'm agnostic as far as which method you want to use. All I'm saying is that using dovecot's allow_net facility is as difficult, if not more so, than letting your firewall handle it.

Joseph Tam <jtam.home at gmail.com>
On 03/02/2015 09:41 PM, Joseph Tam wrote:

>>>>> then set up fail2ban to manage extrafields
>>>>
>>>> Now that's a very interesting idea, thank you! I will investigate
>>>> this.
>>>
>>> If you don't expect your firewall to handle 45K+ IPs, I'm not sure how you
>>> expect dovecot will handle a comma separated string with 45K+ entries
>>> any better.
>>
>> My firewall can handle that without breaking a sweat. I just haven't
>> found a way (that I'm comfortable with) to automatically inject rules
>> into it from a machine on the network.
>>
>> Doing it via a DNSBL is an elegant solution to the problem, IMO.
>
> I'm agnostic as far as which method you want to use. All I'm saying is
> that using dovecot's allow_net facility is as difficult, if not
> more so, than letting your firewall handle it.

I'm not disagreeing with you. As I stated above, getting new rules into my firewall in an automated way is not something I've found a good way to do yet. Granted, it has been a couple of years since I've googled around to see if anyone has been able to do it in a reasonably secure way. (Perhaps it's time for me to revisit that.)

-Dave

--
Dave McGuire, AK4HZ/3
New Kensington, PA
On 03.03.2015 at 12:40, Dave McGuire wrote:

> On 03/02/2015 09:41 PM, Joseph Tam wrote:
>>>>>> then set up fail2ban to manage extrafields
>>>>>
>>>>> Now that's a very interesting idea, thank you! I will investigate
>>>>> this.
>>>>
>>>> If you don't expect your firewall to handle 45K+ IPs, I'm not sure how you
>>>> expect dovecot will handle a comma separated string with 45K+ entries
>>>> any better.
>>>
>>> My firewall can handle that without breaking a sweat. I just haven't
>>> found a way (that I'm comfortable with) to automatically inject rules
>>> into it from a machine on the network.
>>>
>>> Doing it via a DNSBL is an elegant solution to the problem, IMO.
>>
>> I'm agnostic as far as which method you want to use. All I'm saying is
>> that using dovecot's allow_net facility is as difficult, if not
>> more so, than letting your firewall handle it.
>
> I'm not disagreeing with you. As I stated above, getting new rules
> into my firewall in an automated way is not something I've found a good
> way to do yet. Granted, it has been a couple of years since I've
> googled around to see if anyone has been able to do it in a reasonably
> secure way. (Perhaps it's time for me to revisit that.)
>

I did a quick hack for exactly this purpose - send offending IPs from my mail server to the firewall "in a secure way". It's a Python script that uses the fail2ban syntax on the one end and feeds a (patched) pfSense on the other end. You can find the scripts on github: https://github.com/oliwel/fail2sense - be warned, it's a first draft - but it does the job here...

For the unblock feature you need this patch against pfsense: https://github.com/pfsense/pfsense/pull/1444/

Oli

--
Protect your environment - close windows and adopt a penguin!
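The problem the thread circles around is getting ban and unban events from the mail server into the firewall "in a secure way". What follows is an added example written for this page; it is not code from the fail2sense project, from pfSense, or from anyone in the thread. It sketches a hypothetical receiver on the firewall side: each fail2ban-style event is authenticated with an HMAC over a pre-shared key, stale and replayed messages are refused, and the target is parsed strictly as an IP address or network before it can reach a pf table, so an authenticated but malformed string (for example one carrying shell metacharacters) never ends up in a rule. The wire format (`action target timestamp hexmac`), the key and every sample line are constructed for the example.

```python
"""Added example: authenticated, validated ban/unban receiver for a pf table.

Hypothetical wire format, not fail2ban's or fail2sense's:  action target ts hexmac
"""
import hashlib
import hmac
import ipaddress
import time

# Assumption: a key pre-shared between the mail server and the firewall host.
# The value is constructed for this example only.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_SKEW = 60  # seconds either side of "now" within which a message is accepted


def sign(action, target, ts, key=SHARED_KEY):
    """Sender side: produce 'action target ts hexmac' for one event."""
    body = f"{action} {target} {ts}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body} {mac}"


class BanTable:
    """Receiver side: authenticate, validate and apply ban/unban events."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.banned = {}   # ip_network object -> time it was banned
        self.seen = set()  # accepted message bodies, to refuse replays within MAX_SKEW

    def handle(self, line, now=None):
        """Return (accepted, reason) for one received line."""
        now = time.time() if now is None else now
        parts = line.strip().split()
        if len(parts) != 4:
            return False, "malformed"
        action, target, ts_s, mac = parts
        body = f"{action} {target} {ts_s}"
        # Authenticate first: nothing below runs on an unauthenticated line.
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, "bad mac"
        if not ts_s.isdigit() or abs(now - int(ts_s)) > MAX_SKEW:
            return False, "stale or bad timestamp"
        if body in self.seen:
            return False, "replay"
        # Authentication is not validation: parse the target as an address or
        # network, so only a literal CIDR can ever be written into the table.
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            return False, "not an address"
        if net.is_loopback or net.is_unspecified or net.is_multicast:
            return False, "refused range"
        self.seen.add(body)
        if action == "banip":
            self.banned[net] = now
            return True, "banned"
        if action == "unbanip":
            self.banned.pop(net, None)
            return True, "unbanned"
        return False, "unknown action"

    def render_pf_table(self):
        """One CIDR per line, the format a pf 'table <name> persist file' loads."""
        ordered = sorted(self.banned, key=lambda n: (n.version, n))
        return "".join(f"{n}\n" for n in ordered)


def demo():
    """Constructed run: a genuine ban, a tampered copy, a replay, an authenticated
    but non-address target, a stale event, an IPv6 ban and an unban."""
    table = BanTable()
    now = 1_700_000_000
    ban = sign("banip", "203.0.113.5", now)
    tampered = ban.replace("203.0.113.5", "198.51.100.7")  # body altered, MAC not
    injected = sign("banip", "203.0.113.5;reboot", now)    # signed, but not an IP
    stale = sign("banip", "203.0.113.9", now - 3600)
    results = [
        table.handle(ban, now),
        table.handle(tampered, now),
        table.handle(ban, now),  # exact replay of the accepted line
        table.handle(injected, now),
        table.handle(stale, now),
        table.handle(sign("banip", "2001:db8::1", now), now),
        table.handle(sign("unbanip", "203.0.113.5", now), now),
    ]
    return results, table.render_pf_table()


if __name__ == "__main__":
    decisions, pf_table = demo()
    for d in decisions:
        print(d)
    print(pf_table, end="")
```

The two checks are deliberately independent: the HMAC answers "did the mail server send this?", while the `ipaddress` parse answers "is this something a firewall rule may contain?". A compromised or buggy sender passes the first and must still fail the second, which is the point of not handing the raw string to any shell or rule generator. A pf table of the size the thread mentions (tens of thousands of entries) is a normal workload; the receiver only needs to keep the file it renders consistent with the events it accepted.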