mj <lists at merit.unu.edu> wrote:
> - for external users, to ONLY be allowed to use an application specific
> password. (or username and password, fine as well)
>
> Step one: making ldap password authentication valid only from our
> internal network. I though: using allow_nets=192.168.1.0/24 for that passdb
>
> But I can't get that to work. :-( Unsure where exactly to define the
> allow_nets, tried many variations on the theme already.
>
> Perhaps someone can help with the step one, and also tell me if the
> approach outlined above is smart, valid and do-able in dovecot.
As per my post: checkpassword. You can then use one password on Mondays,
Wednesdays, and Fridays, alternate passwords on Tuesdays and Thursday
fetched from a rot-13 database, and only from prime numbered IP addresses
on weekends, if that's what you want.
Gary Sellani <lists at lazygranch.com> writes:
> Not applicable to most installations, but I use geographical filtering
> on all ports other than 25. Fine if you are the only user of the email
> system.
If you're the only user, moving the IMAP/POP service to a nonstandard port
will do most of that with much less bother, and you won't lock yourself
out, requiring a ssh/edit firewall/reconnect. Been there, done that.
> I get one hacker a week trying to guess passwords, and always from Digital
Ocean VPS.
abuse at digitalocean.com is fairly responsive. They usually nuke
them pretty quickly.
> I would like to see statistics on the success of such brute force
> attacks. They can't be very successful these days.
Even if the success rate is 0.00001%, you can do the arithmetic to see
that's still a huge number of accounts. But you're right, if you have
anything resembling a sensible password policy, they're just a log
bloating nuisance.
Joseph Tam <jtam.home at gmail.com>