On 03/01/2015 04:25 AM, Reindl Harald wrote:
>> I wonder if there is an easy way to provide dovecot a flat text
>> file of ipv4 #'s which should be ignored or dropped?
>>
>> I have accumulated 45,000+ IPs which routinely try dictionary
>> and 12345678 password attempts. The file is too big to create
>> firewall drops, and I don't want to compile with wrappers *if*
>> dovecot has an easy ability to do this. If dovecot could parse a
>> flat text file of IPs and drop connections it would sure put a
>> dent in these attempts.
>
> hence i asked months ago for RBL support because such lists are easy
> to feed into http://www.corpit.ru/mjt/rbldnsd.html - sadly i got no
> reply other than "use fail2ban" and whatnot, irrelevant if there is already
> a local dnsbl
>
> i guess for a C-programmer it takes not much more than 10 minutes to
> include a config option to list rbl servers and close connections
> based on the DNS responses

I've been asking for this off-and-on for years, and people immediately parrot back "just use fail2ban". I think fail2ban is a nice idea and all, but that suggestion assumes that I use iptables (I don't), I run firewalls on my servers (I don't; I run them on routers) and that I run Linux on my mail server (I don't).

The other side of this equation, Postfix, has had this capability for years. Why it hasn't been added to dovecot is a mystery. It's the only thing (really, the ONLY thing!) that I dislike about dovecot.

-Dave

--
Dave McGuire, AK4HZ/3
New Kensington, PA
On 01.03.2015 at 23:16, Dave McGuire wrote:
> On 03/01/2015 04:25 AM, Reindl Harald wrote:
>>> I wonder if there is an easy way to provide dovecot a flat text
>>> file of ipv4 #'s which should be ignored or dropped?
>>>
>>> I have accumulated 45,000+ IPs which routinely try dictionary
>>> and 12345678 password attempts. The file is too big to create
>>> firewall drops, and I don't want to compile with wrappers *if*
>>> dovecot has an easy ability to do this. If dovecot could parse a
>>> flat text file of IPs and drop connections it would sure put a
>>> dent in these attempts.
>>
>> hence i asked months ago for RBL support because such lists are easy
>> to feed into http://www.corpit.ru/mjt/rbldnsd.html - sadly i got no
>> reply other than "use fail2ban" and whatnot, irrelevant if there is already
>> a local dnsbl
>>
>> i guess for a C-programmer it takes not much more than 10 minutes to
>> include a config option to list rbl servers and close connections
>> based on the DNS responses
>
> I've been asking for this off-and-on for years, and people
> immediately parrot back "just use fail2ban". I think fail2ban is a
> nice idea and all, but that suggestion assumes that I use iptables (I
> don't), I run firewalls on my servers (I don't; I run them on routers)
> and that I run Linux on my mail server (I don't).
>
> The other side of this equation, Postfix, has had this capability
> for years. Why it hasn't been added to dovecot is a mystery. It's
> the only thing (really, the ONLY thing!) that I dislike about dovecot

even if you use Linux, firewalls and whatnot:

* postfix supports RBL's in several ways on the MTA
* mod_security and so webservers support RBL's
* RBL's are *centralized*
* DNS queries, especially in a LAN, are cheap

everybody answering with fail2ban if someone asks for RBL support has no clue what he is talking about because he did not get the question
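The check Reindl describes, written out as an added example (not code from the thread, from Dovecot or from rbldnsd): reverse the client's IPv4 octets, query them under a DNSBL zone, and drop the connection only on a 127.0.0.0/8 answer. The zone name is a hypothetical local rbldnsd zone, and the offline resolver below is a constructed stand-in for real DNS answers.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Hypothetical zone served by a local rbldnsd instance (assumption, not from the thread).
LOCAL_DNSBL_ZONE = "bl.example.internal"

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(client_ip: str, zone: str = LOCAL_DNSBL_ZONE) -> str:
    """DNSBL lookup name: the IPv4 octets reversed, then the zone name."""
    ip = ipaddress.IPv4Address(client_ip)  # ValueError for anything but IPv4
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Real lookup through the OS resolver; None means not listed (NXDOMAIN)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def should_drop(client_ip: str, resolve: Resolver = system_resolver,
                zone: str = LOCAL_DNSBL_ZONE) -> bool:
    """True when the DNSBL lists the client, i.e. answers inside 127.0.0.0/8.
    No answer, an answer outside 127/8, a resolver OS error or a malformed IP
    all count as not listed, so a broken list cannot lock out real users."""
    try:
        answer = resolve(dnsbl_query_name(client_ip, zone))
        if answer is None:
            return False
        return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
    except (ValueError, OSError):
        return False


# Constructed stand-in for rbldnsd answers so the example runs offline.
CONSTRUCTED_ZONE_DATA = {
    "5.2.0.192.bl.example.internal": "127.0.0.2",  # 192.0.2.5 is listed
}


def constructed_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_ZONE_DATA.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.7"):
        print(ip, "drop" if should_drop(ip, constructed_resolver) else "accept")
```

Failing open on resolver errors is a deliberate availability choice; a deployment that prefers to fail closed would invert that branch and accept the lockout risk.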
> The other side of this equation, Postfix, has had this capability
> for years. Why it hasn't been added to dovecot is a mystery. It's
> the only thing (really, the ONLY thing!) that I dislike about dovecot.

http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets

then setup fail2ban to manage extrafields
On 01.03.2015 at 23:16, Dave McGuire wrote:
> On 03/01/2015 04:25 AM, Reindl Harald wrote:
>>> I wonder if there is an easy way to provide dovecot a flat text
>>> file of ipv4 #'s which should be ignored or dropped?
>>>
>>> I have accumulated 45,000+ IPs which routinely try dictionary
>>> and 12345678 password attempts. The file is too big to create
>>> firewall drops, and I don't want to compile with wrappers *if*
>>> dovecot has an easy ability to do this. If dovecot could parse a
>>> flat text file of IPs and drop connections it would sure put a
>>> dent in these attempts.
>>
>> hence i asked months ago for RBL support because such lists are easy
>> to feed into http://www.corpit.ru/mjt/rbldnsd.html - sadly i got no
>> reply other than "use fail2ban" and whatnot, irrelevant if there is already
>> a local dnsbl
>>
>> i guess for a C-programmer it takes not much more than 10 minutes to
>> include a config option to list rbl servers and close connections
>> based on the DNS responses
>
> I've been asking for this off-and-on for years, and people
> immediately parrot back "just use fail2ban". I think fail2ban is a
> nice idea and all, but that suggestion assumes that I use iptables (I
> don't), I run firewalls on my servers (I don't; I run them on routers)
> and that I run Linux on my mail server (I don't).
>
> The other side of this equation, Postfix, has had this capability
> for years. Why it hasn't been added to dovecot is a mystery. It's
> the only thing (really, the ONLY thing!) that I dislike about dovecot.
>

Guys, dovecot is open source - if you desire a feature that the upstream programmer did not include, pay him a bounty to do so or send him a patch to be included. Period. We can discuss and maybe somebody will fork if he is not willing to accept such a solution for any political reason.

I am really tired of reading this kind of complaints on OSS lists.
To make this not a "troll only" posting - it might be a suitable approach to let dovecot listen on the lo interface and put a proxy software in front that supports RBLs.

Oliver

--
Protect your environment - close windows and adopt a penguin!
On 03/01/2015 06:34 PM, Benny Pedersen wrote:
>> The other side of this equation, Postfix, has had this capability
>> for years. Why it hasn't been added to dovecot is a mystery. It's
>> the only thing (really, the ONLY thing!) that I dislike about dovecot.
>
> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
>
> then setup fail2ban to manage extrafields

Now that's a very interesting idea, thank you! I will investigate this.

-Dave

--
Dave McGuire, AK4HZ/3
New Kensington, PA
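What the allow_nets extra field from Benny's suggestion actually decides, as an added example that is not from the thread or from Dovecot: it is a per-user allowlist of networks carried in the passdb extra fields, so a tool such as fail2ban that "manages" it would have to rewrite each user's permitted networks rather than append banned addresses. The passwd-file lines below are constructed (placeholder hashes, documentation address ranges), and the parser assumes the passwd-file layout user:password:uid:gid:gecos:home:shell:extra_fields.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed passwd-file content; hashes and networks are made up for this example.
CONSTRUCTED_PASSWD_FILE = """\
# user:password:uid:gid:gecos:home:shell:extra_fields
alice:{SHA512-CRYPT}$6$placeholder::::::allow_nets=192.0.2.0/24,2001:db8::/32
bob:{SHA512-CRYPT}$6$placeholder::::::
"""

AllowTable = Dict[str, Optional[List[ipaddress._BaseNetwork]]]


def parse_allow_nets(passwd_file: str) -> AllowTable:
    """Map each user to the networks in its allow_nets extra field.
    A user whose line carries no allow_nets maps to None (unrestricted)."""
    table: AllowTable = {}
    for line in passwd_file.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":", 7)          # the 8th field holds "key=value ..." pairs
        extra = fields[7] if len(fields) > 7 else ""
        nets = None
        for item in extra.split():
            key, _, value = item.partition("=")
            if key == "allow_nets":
                nets = [ipaddress.ip_network(n.strip(), strict=False)
                        for n in value.split(",") if n.strip()]
        table[fields[0]] = nets
    return table


def login_allowed(user: str, client_ip: str, table: AllowTable) -> bool:
    """Unknown user: deny. No allow_nets: allow. Otherwise the client address
    must fall inside one of the listed networks (IPv4/IPv6 mismatch is False)."""
    if user not in table:
        return False
    nets = table[user]
    if nets is None:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    t = parse_allow_nets(CONSTRUCTED_PASSWD_FILE)
    for user, ip in (("alice", "192.0.2.7"), ("alice", "203.0.113.9"), ("bob", "203.0.113.9")):
        print(user, ip, "allowed" if login_allowed(user, ip, t) else "denied")
```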
On 03/02/2015 02:38 AM, Oliver Welter wrote:
> Guys, dovecot is open source - if you desire a feature that the upstream
> programmer did not include, pay him a bounty to do so or send him a
> patch to be included. Period. We can discuss and maybe somebody will
> fork if he is not willing to accept such a solution for any political
> reason.
>
> I am really tired of reading this kind of complaints on OSS lists.

...and this is perhaps the second most predictable knee-jerk response. I am certainly capable of writing such a patch, but there is no point in expending the effort if it would not be included in the code base. The extreme negative reactions to this idea from people in this community, every time it has come up over the years, with almost rabid ramming of fail2ban down posters' throats (Benny Pedersen's excellent suggestion not included) suggest that a patch implementing such functionality would not be well received.

The idea here is not to whine until somebody pops up and assumes that I don't know how the open-source software world works. I assure you that I do. The idea is to mention, vocally, a different use case in which fail2ban (again, excepting Benny Pedersen's excellent suggestion) is not an appropriate solution, as many times as it takes to make people realize that some networks aren't exactly like theirs.

In the 1980s and 1990s, we fought the great assumption of "all the world's a VAX running BSD", in which programmers everywhere wrote code that assumed EVERYONE was running that platform. Today we fight the "all the world's an x86_64 box with a gazillibyte of memory running Linux" mentality in exactly the same way. It's not any more palatable now than it was then.

-Dave

--
Dave McGuire, AK4HZ/3
New Kensington, PA
On 02.03.2015 at 08:38, Oliver Welter wrote:
> I am really tired of reading this kind of complaints on OSS lists.

and because it's free everybody has to shut up? that's your definition of free? your definition is broken?

as said on another list: if the developer of the OSS says "listen, i am not that interested but if you pay me ? xyz i would include it" the chances are good that one or more people sponsor it - ignoring or complaining about feature requests doesn't help that much