On 12/04/2019 08:42, Aki Tuomi via dovecot wrote:
> On 12.4.2019 10.34, James via dovecot wrote:
>> On 12/04/2019 08:24, Aki Tuomi via dovecot wrote:
>>
>>> Weakforced uses Lua so you can easily integrate DNSBL support into it.
>> How does this help Dovecot block?
>> A link to some documentation or example perhaps?
>>
>>
> https://wiki.dovecot.org/Authentication/Policy
>
> You can configure weakforced to return status -1 when DNSBL matches,
> which causes the user authentication to fail before any other processing
> happens.

Thank you. I will study this - although I dispute your "easily"!

James.
Hi,

What we do is: use https://github.com/trick77/ipset-blacklist to block IPs
(from various existing blacklists) at the iptables level using an ipset.

That way, the known bad IPs never even talk to dovecot, but are dropped
immediately. We have the feeling it helps a lot.

MJ

On 4/12/19 10:27 AM, James via dovecot wrote:
> On 12/04/2019 08:42, Aki Tuomi via dovecot wrote:
>> On 12.4.2019 10.34, James via dovecot wrote:
>>> On 12/04/2019 08:24, Aki Tuomi via dovecot wrote:
>>>
>>>> Weakforced uses Lua so you can easily integrate DNSBL support into it.
>>> How does this help Dovecot block?
>>> A link to some documentation or example perhaps?
>>>
>>>
>> https://wiki.dovecot.org/Authentication/Policy
>>
>> You can configure weakforced to return status -1 when DNSBL matches,
>> which causes the user authentication to fail before any other processing
>> happens.
>
> Thank you. I will study this - although I dispute your "easily"!
>
>
>
> James.
>
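The ipset-plus-iptables approach MJ describes, as an added example that is not from this thread or from the ipset-blacklist project: it normalizes a downloaded blocklist (comments, blanks, duplicates and junk entries stripped) into an `ipset restore` stream that fills a temporary set and swaps it in atomically, then inserts the DROP rule in front of Dovecot. The set name `blacklist`, the `--apply` flag and the sample list are assumptions for illustration.

```shell
#!/bin/sh
# Added example: turn a raw blocklist into an ipset, then drop matching
# sources at the firewall so they never reach Dovecot's login processes.
set -eu

# Constructed sample standing in for a fetched list (e.g. blocklist.de
# output); deliberately contains comments, duplicates and invalid lines.
SAMPLE_LIST='# constructed sample
192.0.2.10
192.0.2.10
198.51.100.0/24
not-an-ip
203.0.113.7 # trailing comment
10.0.0.1/33
'

# Strip comments/whitespace, keep only syntactically valid IPv4 addresses or
# CIDRs with a 0-32 prefix (octet ranges are not checked), drop duplicates.
normalize_list() {
  sed 's/#.*//; s/[[:space:]]//g' | grep -v '^$' \
  | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
  | sort -u
}

# Emit an "ipset restore" stream: fill a temp set, swap it with the live set,
# destroy the old one. The live set is never empty mid-update.
build_ipset_restore() {
  setname="$1"
  echo "create ${setname}-tmp hash:net family inet hashsize 4096 maxelem 65536"
  normalize_list | sed "s/^/add ${setname}-tmp /"
  echo "create ${setname} hash:net family inet hashsize 4096 maxelem 65536 -exist"
  echo "swap ${setname}-tmp ${setname}"
  echo "destroy ${setname}-tmp"
}

# Number of usable entries after normalization (sanity check before applying).
count_entries() { normalize_list | wc -l | tr -d ' '; }

if [ "${1:-}" = "--apply" ]; then
  # Real run (root): load the set and ensure the DROP rule precedes everything.
  printf '%s' "$SAMPLE_LIST" | build_ipset_restore blacklist | ipset restore
  iptables -C INPUT -m set --match-set blacklist src -j DROP 2>/dev/null \
    || iptables -I INPUT 1 -m set --match-set blacklist src -j DROP
else
  # Dry run: just show the restore stream that would be fed to ipset.
  printf '%s' "$SAMPLE_LIST" | build_ipset_restore blacklist
fi
```

Replace `SAMPLE_LIST` with the concatenated downloads from your chosen lists and run from cron; since the set is hash:net, whole netblocks from the lists are dropped as cheaply as single hosts.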
On Fri, 12 Apr 2019, mj wrote:

> What we do is: use https://github.com/trick77/ipset-blacklist to block IPs
> (from various existing blacklists) at the iptables level using an ipset.

"www.blocklist.de" is a nifty source. Could you suggest other publicly
available blacklists?

> That way, the known bad IPs never even talk to dovecot, but are dropped
> immediately. We have the feeling it helps a lot.

Really helps with uber-stupid BFD attacks that pound our plaintext ports
even though Dovecot repeatedly responds with

  -ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
  * BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
  xx NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

The irony is that even if it blunders onto a usable password, they wouldn't
know it.

Joseph Tam <jtam.home at gmail.com>