WJCarpenter wrote:
>
>> Is there any option available for me to help inhibit/prevent
>> brute-force login attempts?
>
> I (and many others) use fail2ban. It works outside of dovecot, et al,
> by tailing your log files. When it finds a configurable
Just to document that solution. This watches postfix AND dovecot logs
since I found botnets slowly trying both alternately.
Create filter.d/mail.conf
>>>>>>>>>>>>>>>>>
[Definition]
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Match:
# Mar  2 15:07:09 mail1 dovecot: auth(default): digest-md5(blah@asdf.com,212.183.136.194): password mismatch
# Feb 26 19:32:52 mail1 dovecot: auth-worker(default): sql(blah@asdf.com,212.227.250.38): unknown user
# Mar  2 14:45:16 mail1 postfix/smtpd[27401]: warning: c70-165.i07-18.onvol.net[92.251.70.165]: SASL PLAIN authentication failed:
#
# Both patterns belong to one failregex value: a second "failregex =" key
# would replace the first, so the dovecot pattern is an indented continuation
# line. Postfix may log a reason after "failed", hence the optional "(?::.*)?".
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(?::.*)?$
            dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
>>>>>>>>>>>>>>>>>>
Then in jail.conf add lines like:
[mail-iptables]
enabled  = true
filter   = mail
action   = iptables-multiport-log[name=mail, port="smtp,smtps,submission,imap,imaps,pop3,pop3s", protocol=tcp]
           sendmail-whois[name=mail, dest=postmaster@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath  = /var/log/mail.log
bantime  = 3600
Hope this helps
Ed W
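As an added example, not part of Ed W's post or of fail2ban itself, the two failregex patterns from the filter above are run in Python over a few constructed mail.log lines, with <HOST> expanded exactly as the filter's comment says fail2ban does, and a per-host failure count applied against a maxretry threshold the way a jail would. The sample lines, the maxretry value of 3 and the optional ": reason" suffix tolerated on the postfix line are assumptions made for the example.

```python
import re
from collections import Counter

# What fail2ban substitutes for the <HOST> tag (taken from the filter's own comment).
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two failregex patterns from filter.d/mail.conf with <HOST> expanded.
# fail2ban strips the syslog timestamp itself, so re.search is used here instead
# of anchoring at the start of the line.
FAILREGEX = [
    re.compile(r": warning: [-._\w]+\[" + HOST + r"\]: SASL "
               r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(?::.*)?$"),
    re.compile(r"dovecot: auth.*\(.*," + HOST + r"\): (?:unknown user|password mismatch)$"),
]


def failed_host(line):
    """Return the offending host for a log line, or None if it is not a login failure."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(lines, maxretry=3):
    """Count failures per host and return those reaching maxretry (assumed 3), as a jail would."""
    hits = Counter(h for h in map(failed_host, lines) if h)
    return {host: n for host, n in hits.items() if n >= maxretry}


# Constructed sample log lines: the first three mirror the ones quoted in the filter,
# the rest show a repeat offender (including an IPv4-mapped IPv6 address) and two
# benign lines that must not match.
SAMPLE_LOG = """\
Mar  2 15:07:09 mail1 dovecot: auth(default): digest-md5(blah@asdf.com,212.183.136.194): password mismatch
Feb 26 19:32:52 mail1 dovecot: auth-worker(default): sql(blah@asdf.com,212.227.250.38): unknown user
Mar  2 14:45:16 mail1 postfix/smtpd[27401]: warning: c70-165.i07-18.onvol.net[92.251.70.165]: SASL PLAIN authentication failed: authentication failure
Mar  2 14:45:20 mail1 postfix/smtpd[27401]: warning: c70-165.i07-18.onvol.net[92.251.70.165]: SASL LOGIN authentication failed: authentication failure
Mar  2 14:46:01 mail1 dovecot: auth-worker(default): sql(admin@asdf.com,::ffff:92.251.70.165): unknown user
Mar  2 14:46:05 mail1 dovecot: imap-login: Login: user=<blah@asdf.com>, method=PLAIN, rip=10.0.0.7, lip=10.0.0.1
Mar  2 14:46:30 mail1 postfix/smtpd[27402]: connect from unknown[92.251.70.165]
""".splitlines()


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(failed_host(line), "<-", line[:70])
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

The ::ffff: prefix is swallowed by the optional group in front of the host capture, so a dovecot failure logged with an IPv4-mapped address counts against the same host as the postfix failures, which is the point of watching both logs with one jail. Against a real log the same check is `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/mail.conf`, which reports how many lines each pattern matched before the jail is enabled.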