(I think I am testing other readers' patience, so if you want to
follow-up, you can Email me directly.)
> but how often do you have to type your username ?
Not often, but I'm not talking the typical case. The larger the
population you serve, the more circumstances you'll have to cover.
> Only on the initial config of your mailer. After that you are done.
Mail reader setups by users is often an error prone process, judging
from the number of times I have to correct a setup. This is especially
true for an educational institution that typically has a large turnover
of accounts.
If a user gets it initially wrong, then fixes their mistake, they
can't get it to work despite trying all sorts of config variations,
not realizing it can't be resolved anymore. Result: trouble call.
If someone blows it setting on a multi-user workstation, other users
with a working setups can't log in. Result: trouble call.
If a student flubs their credentials, all the roommates behind their
residential NAT gateway suffer. Result: trouble call.
If a user screws up using an external service that slurps their mail
(e.g. Gmail, Yahoo, uniboxapp, etc.), or worse, someone malicious does
it on puropse, all other users of this service will be DoS'd. Result:
trouble call(s).
If a user acquires a DHCP address in a polluted network ..., well you
get the idea.
Not to mention ex-users who forget to remove their mail accounts from
their smartphones, leaving a trail of blacklist entries in their wake
as they travel from coffee shops to other public WiFi hotspots.
> So this is why I decided to use two distinct jails with
> different policies. It seems to work reasonable well.
Until it doesn't. If it works for you, more power to you.
The cost/benefit of a hair-trigger blacklist policy is that it saves
you a few log entries showing futile attempts at finding weak passwords
(because you have strong passwords, don't you?) at the risk of dealing
with any of the above situations.
Joseph Tam <jtam.home at gmail.com>