similar to: Any way to let dovecot block pop3 attempts?

Hi, we have customers with Exchange servers that are polling for new mail every minute with dozens of pop3 accounts. I am looking for a mechanism to rate limit this per user. So what I am looking for is a way to block users from polling, if a user asks for new mail more than every 5 minutes (for example). Is this possible? Can this be achieved within Dovecot or does it need external scripting?

Does Dovecot have a facility to block pop3 and imap logins by IP address. I usually do this by putting the IPs in my border firewall, but it's in transition currently to a new one, and I'd like to end connection fairly fast. If it matters, I'm using 2.0.9. Thanks steve campbell

I was looking at my maillog and it looks like someone is trying to get into my pop3 server. Dec 9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2 Dec 9 15:29:08 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2 Dec 9

I'm running fail2ban to attempt to block malicious brute-force password dictionary attacks against ssh. They seem to be rolling through a block of ip addresses as the source to defeat this kind of screening, so I've set some ip addresses to be blocked in iptables. Here is the output of iptables -L (edited): Chain INPUT (policy ACCEPT) target prot opt source destination

I'm running Centos 7.8.2003, with firewalld. I was getting huge numbers of ssh attempts per day from a few specific ip blocks. The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24 and 118.0.0.0/24, and they amounted to a multiple thousands of attempts per day. I installed and configured fail2ban, but still saw a lot of attempts in the logs, and the ipset created was

Hello, We are running dovecot 1.0.5 on a test server, with FreeBSD 6.2 (though I have noticed the same problem since dovecot versions in the 0.99 range). We don't have very many simultaneous pop/imap users, but we have a proliferation of pop3-login processes. Currently we have 128 such processes. We have 11 imap-login processes, but only a few actual imap processes running. Is this normal?

I would like to have a list of IPs (hacker list) that I can do a lookup on so that if anyone tries to authenticate to dovecot they always fail if they are on my list. I have the list - and the list is available as a DNS blacklist. I'd like to have it work with both local IP lists or RBL lookup. The idea is so hackers from known IP addresses never succeed. If Dovecot provides the feature

Hello list, I have found imap_allowed option in dovecot which do exactly what I need, for imap. Is there something similar for pop3 protocol? The main goal for it - is to enable pop3 access to specific users. Or maybe dovecot have some 'pop3=yes' or 'imap=no' args to userdb/passdb sections ? I know future dovecot 2.* versions will support rewriting for protocols, but this is

Hi, using PAM, how can I configure how many attempts a user can make to connect, and if exceeding a certain number, block him for a specified amount of time? Any idea what the defaults are?

I've been trying to get smtp auth set up for days. All my sendmail and sasl2 stuff seems to be proper, but the user can't use the system on port 587, which is where I require authorization. Now I see where messages are in my maillog of the type: auth: pam_unix(dovecot:auth) : authentication failure ........ Why is dovecot involved in my smtp processes and how do I fix this. I've

Hope to get some attention about this idea to reduce hacking passwords. Here is a list of about 700,000 IP addresses that are hacking passwords through SMTP AUTH http://ipadmin.junkemailfilter.com/auth-hack.txt This is a list of IP addresses that attempted to authenticate against my fake AUTH advertizing on servers with no authentication. We do front end spam filtering for thousands of

My LAN is behind a Netgear router, which does NAT. On the CentOS server I have fail2ban running. This morning my router reported 3 different IPs attempting to send UDP packets to port 38950, Since each address is only seen 4-5 times, I presume that fail2ban took over after that. GRC reports that ports are stealthed (port 143 was open, but is now closed), but then: Unsolicited Packets:

I hate to use that "noob" word, but in this case I think it might be proper. Our company is getting ready to get rid of Netware and start using Samba. It will require that users log in and by doing so, have a login script map drives to particular drive letters base on either their user or group. I've been administering Centos servers for quite a while. I have no problem with

Has anyone implemented a script to block IPs which are attacking on POP3 ports using dovecot logs to indicate repetitive failed login attempts? sshblack does this nicely for ssh (port 22) attacks by monitoring the /var/log/secure file. I am considering rewriting this to POP3 port (110), but if it has already been done, I sure don't need the practice. Thanks!

Hello, I have all userdata in a ldapserver. Every user has the right to use pop3. There is no explicit attribute allowing that. It's simply possible. Now I like to add imap. For a starting period I like to restrict, who may use imap. http://wiki2.dovecot.org/Authentication/RestrictAccess mention a solution where I could modify ldap pass_filter. But that require an attribute

I have some users that I will not allow to use POP3 thru my system, but force them to use webmail. Would it be possible to put an extra option in dovecot.conf to force this: # ----------------------------------------------------------------- # Logon processes # user = <username>,<password> # ----------------------------------------------------------------- user =

Hello: I have been looking into projects that will automatically restrict hacking attempts on my servers running CentOS 5. I think the two top contenders are: DenyHosts - http://denyhosts.sourceforge.net Fail2ban - http://www.fail2ban.org >From what I see, DenyHosts only blocks based on failed SSH attempts whereas Fail2ban blocks failed attempts for other access as well. The main benefit

Hi Guys, I was really hoping a couple of years later this would be addressed... I'm running Dovecot 2.2.5 on FreeBSD. Is there anyway to limit the number of auth attempts allowed in a single session? The reason for this is because I have "fail2ban" setup to firewall out any IP addresses that repeatedly auth fails. The issue occurs when the connection is already in an

Hello list. I have a question for fail2ban for bad logins on sasl. I use sasl, sendmail and cyrus-imapd. In jail.conf I use the following syntax: [sasl-iptables] enabled = true filter = sasl backend = polling action = iptables[name=sasl, port=smtp, protocol=tcp] sendmail-whois[name=sasl, dest=my at email] logpath = /var/log/maillog maxretry = 6 and the following filter:

Over the weekend one of our servers at a remote location was hammered by an IP originating in mainland China. This attack was only noteworthy in that it attempted to connect to our pop3 service. We have long had an IP throttle on ssh connections to discourage this sort of thing. But I had not considered the possibility that other services were equally at risk. Researching this on the web does