On 03/02/2015 02:38 AM, Oliver Welter wrote:
> Guys, dovecot is open source - if you desire a feature that the upstream
> programmer did not include, pay him a bounty to do so or send him a
> patch to be included. Period. We can discuss and maybe somebody will
> fork if he is not willing to accept such a solution for any political
> reason.
>
> I am really tired of reading this kind of complaints on OSS lists.

....and this is perhaps the second most predictable knee-jerk response.

I am certainly capable of writing such a patch, but there is no point in expending the effort if it would not be included in the code base. The extreme negative reactions to this idea from people in this community, every time it has come up over the years, with almost rabid ramming of fail2ban down posters' throats (Benny Pedersen's excellent suggestion not included), suggests that a patch implementing such functionality would not be well received.

The idea here is not to whine until somebody pops up and assumes that I don't know how the open-source software world works. I assure you that I do. The idea is to mention, vocally, a different use case in which fail2ban (again, excepting Benny Pedersen's excellent suggestion) is not an appropriate solution, as many times as it takes to make people realize that some networks aren't exactly like theirs.

In the 1980s and 1990s, we fought the great assumption of "all the world's a VAX running BSD", in which programmers everywhere wrote code that assumed EVERYONE was running that platform. Today we fight the "all the world's an x86_64 box with a gazillibyte of memory running Linux" mentality in exactly the same way. It's not any more palatable now than it was then.

-Dave

--
Dave McGuire, AK4HZ/3
New Kensington, PA
On Mon, 2 Mar 2015, Dave McGuire wrote:
> On 03/02/2015 02:38 AM, Oliver Welter wrote:
>> Guys, dovecot is open source - if you desire a feature that the upstream
>> programmer did not include, pay him a bounty to do so or send him a
>> patch to be included. Period. We can discuss and maybe somebody will
>> fork if he is not willing to accept such a solution for any political
>> reason.
>>
>> I am really tired of reading this kind of complaints on OSS lists.
>
> ....and this is perhaps the second most predictable knee-jerk response.
>
> I am certainly capable of writing such a patch, but there is no point
> in expending the effort if it would not be included in the code base.
> The extreme negative reactions to this idea from people in this
> community, every time it has come up over the years, with almost rabid

Neither Timo nor dovecot.fi responded with "use fail2ban", if I remember correctly.

I actually wonder why nobody replied with: "this is what tcpwrapper is for" :-)
http://wiki2.dovecot.org/LoginProcess?highlight=%28tcp+wrapper%29
which had been ruled out by the OP with a conditional *if*.

If you for instance add a passdb{} driver that does not interfere with the remaining code base (much), one can use:

    passdb {
        driver = ipdeny
        args = <host>/matchpattern/action .... ***
    }

in front of any other passdb{}.

*** some sort of notation to configure IP source, matching and reaction.

If such a plugin(?) is available, I would expect immediate complaints that it does not support:

+ local file lists with various sets of syntaxes
+ RBLs with fine-grained response matching
+ use the same RBL response for multiple match-action pairs
+ have it dependent on protocol (POP3, IMAP, ManageSieve, ...)
+ have it dependent on user (use that passdb for all-but or just-these)
+ have it kick in after certain user-protocol-count-time patterns only

There is this, too:
http://article.gmane.org/gmane.mail.imap.dovecot/61570
http://article.gmane.org/gmane.mail.imap.dovecot/42512

Maybe an addition to the penalty service would be OK as well.

--
Steffen Kaiser
On 02.03.2015 at 10:06, Steffen Kaiser wrote:
> If such a plugin(?) is available, I would expect immediate complaints that it
> does not support:
>
> + local file lists with various sets of syntaxes
> + RBLs with fine-grained response matching
> + use the same RBL response for multiple match-action pairs

or it could work just with no config, unconditional and in front of any authentication, frankly even without any response - connection -> RBL check -> close connection, done

hence RBLs make sense in the core, because they are *in front* of any other protocol-specific code
Steffen Kaiser wrote:
> passdb { driver = ipdeny args = <host>/matchpattern/action .... ***
> }

With the next passdb{} as 1st in chain:

    passdb {
        driver = checkpassword
        args = "/tmp/chktst ip=%r service=%s"
        result_success = continue
        result_failure = return-fail
    }

and this script

    BEGIN /tmp/chktst
    #!/bin/bash
    echo "$@" >>/tmp/chktst.log
    # return OK
    exit 0
    # return FAIL
    exit 1
    END

I get the log entry:

    ip=127.0.0.1 service=imap /usr/local/dovecot-2.2.15/libexec/dovecot/checkpassword-reply

and with exit 0, the next passdb{} lets me login, and with exit 1, all logins fail.

So, with the current stock Dovecot you can make RBL calls and decisions with a script. ;-)

--
Steffen Kaiser
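A fuller version of the checkpassword script Steffen sketches above, as an added example written for this page and not code from the thread or from the Dovecot project. It assumes Dovecot invokes it with the `ip=%r service=%s` arguments from the passdb above (followed by the checkpassword-reply path, as his log line shows), keeps his exit-code contract (0 = continue to the next passdb, 1 = reject), and uses a placeholder DNSBL zone `dnsbl.example.invalid`. It handles IPv4 only, and deliberately treats an empty or failed DNS answer as "not listed" so that a resolver outage cannot lock every user out; the `RBL_ZONE` and `LOGFILE` variables, and the helper function names, are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): a checkpassword-style
# script that consults a DNS blocklist for the client IP Dovecot hands over
# as "ip=%r". Exit 0 lets Dovecot continue to the next passdb (with
# result_success = continue), exit 1 rejects the login (result_failure =
# return-fail), mirroring the two-line /tmp/chktst script in the thread.

# Placeholder zone (assumption): replace with the DNSBL actually in use.
RBL_ZONE="${RBL_ZONE:-dnsbl.example.invalid}"
LOGFILE="${LOGFILE:-/tmp/chktst.log}"

# Print the value of key=value from the argument list, e.g. "ip=10.1.2.3".
# Returns 1 if the key is absent.
get_arg() {
    key="$1"; shift
    for a in "$@"; do
        case "$a" in
            "$key="*) printf '%s\n' "${a#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Build the DNSBL query name: reverse the four octets and append the zone,
# so 127.0.0.2 becomes 2.0.0.127.<zone>. Only dotted-quad IPv4 is handled;
# anything else (IPv6, hostnames, garbage) returns 1 and is not looked up.
rbl_query_name() {
    ip="$1"; zone="$2"
    case "$ip" in
        *[!0-9.]*|"") return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# DNSBLs answer a listed IP with an address in 127.0.0.0/8. Given the
# whitespace-separated answers of a lookup, return 0 if any one of them is
# such an address, 1 otherwise (so an empty answer means "not listed").
rbl_is_listed() {
    for a in $1; do
        case "$a" in
            127.*) return 0 ;;
        esac
    done
    return 1
}

# Resolve the query name with the system resolver via getent, which needs
# no extra tools. Prints one address per line; prints nothing on failure.
rbl_lookup() {
    getent hosts "$1" 2>/dev/null | awk '{print $1}'
}

main() {
    ip=$(get_arg ip "$@") || { echo "no ip= argument, passing" >>"$LOGFILE"; exit 0; }
    service=$(get_arg service "$@")
    # Non-IPv4 sources are passed through to the next passdb unchanged.
    qname=$(rbl_query_name "$ip" "$RBL_ZONE") || exit 0
    answers=$(rbl_lookup "$qname")
    if rbl_is_listed "$answers"; then
        echo "$(date -u +%FT%TZ) REJECT ip=$ip service=$service rbl=$RBL_ZONE answer=$answers" >>"$LOGFILE"
        exit 1
    fi
    echo "$(date -u +%FT%TZ) PASS ip=$ip service=$service" >>"$LOGFILE"
    exit 0
}

# Dovecot always passes arguments (at least the checkpassword-reply path),
# so the decision runs on every login; with no arguments the file can be
# sourced to exercise the helpers.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Install it in place of `/tmp/chktst` with the same passdb{} block, set `RBL_ZONE` in the environment or edit the default, and watch `/tmp/chktst.log` for REJECT and PASS lines. The fail-open choice in `rbl_is_listed` is the one to revisit if a deployment would rather refuse logins than skip the check when DNS is down.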