Nick Edwards writes:
> I thought Timo once said dovecot had tarpitting, it's useless if it is
> there, and if it is, it needs user configurable timings, or maybe it's
> one of those things that's been in the gunna happen list
> for a long time, like other stuff
If I remember correctly, I think this was the "auth_failure_delay"
feature. However, these delays are only inserted into the same
session -- no IP tracking is done so a BFD attacking host can just
keep opening up new connections.
Dave McGuire writes:
>>>> Please add this support to iptables instead of Dovecot. It's a
>>>> waste of effort to code it into every application that listens on
>>>> the network.
>>>
>>> <head explodes>
>>>
>>> Would you care to integrate it into IOS on my Cisco as well?
>>>
>>> There are things connected to the Internet that aren't PCs running
>>> Linux, you know. It may be hard to accept, but that's the way it is.
>>>
>> I assume your dovecot runs on some kind of *nix
>
> Of course. I run it under Solaris.
Oddly enough, if you run some versions of Solaris, it uses IPFilter
as the native firewall, and it *does* have userland hooks so that you
can make pass/block decisions based on userland executable. Not well
documented though (see auth rules).
You would need a firewall rule like
auth in proto tcp from any to any port = 143 flags S/SA keep state
then write a program that does ioctl(ipauth) calls to inspect and
accept/reject packets; not for the faint of heart. However, you can use
whatever weird and wonderful methods you want to determine IMAP/POP/SMTP
network access policy, including DNSRBL or parsing a text file.
This thread seems to be spinning into non-dovecot subjects, and I'm not
helping, so I'll stop.
Joseph Tam <jtam.home at gmail.com>
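The per-session versus per-source-IP distinction raised in the reply above, as an added Python model that is not part of the original thread and is not Dovecot's or IPFilter's code; the event data, threshold and window are constructed assumptions for illustration:

```python
"""Model of why a delay tracked only within a session does not slow a
brute-force host that reconnects for every attempt, while tracking
failures per source address does.  All data here is constructed."""
from collections import defaultdict, deque

FAIL_THRESHOLD = 5      # assumed policy: failures per source before blocking
WINDOW_SECONDS = 60.0   # assumed policy: sliding window for counting failures

# Constructed events: (time_seconds, source_ip, session_id, auth_result).
# 198.51.100.7 is a legitimate user who mistypes once; 203.0.113.5 opens a
# fresh session for every attempt, so no session ever sees two failures.
EVENTS = [(0.0, "198.51.100.7", "s1", "fail"), (3.0, "198.51.100.7", "s1", "ok")]
EVENTS += [(float(i), "203.0.113.5", f"a{i}", "fail") for i in range(10)]


def per_session_blocks(events, threshold=FAIL_THRESHOLD):
    """State keyed by session only (the auth_failure_delay situation):
    a client that reconnects per attempt never accumulates failures."""
    fails = defaultdict(int)
    blocked = set()
    for _, ip, sess, result in events:
        if result == "fail":
            fails[sess] += 1
            if fails[sess] >= threshold:
                blocked.add(ip)
    return blocked


def per_ip_blocks(events, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """State keyed by source IP with a sliding window: failures from fresh
    sessions still count against the address, so the host gets blocked."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = set()
    for t, ip, _, result in events:
        if ip in blocked or result != "fail":
            continue
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked.add(ip)
    return blocked


if __name__ == "__main__":
    print("per-session blocks:", per_session_blocks(EVENTS))
    print("per-IP blocks:     ", per_ip_blocks(EVENTS))
```

The same per-address state is what an IPFilter auth-rule helper or an iptables-side tool would consult before deciding whether to pass the SYN.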