[Dovecot] dovecot security with IPv6

Willie Gillespie wgillespie+dovecot at es2eng.com
Thu Jun 23 20:46:52 EEST 2011


On 06/23/2011 02:23 AM, Kārlis Repsons wrote:
> Hi Timo, hi all others!
>
> In fact, I've only read one person claiming that IPv6 support opens up
> "too many backdoors" [1], but anyway, as I intend to run just
> particular services, please give me your opinion if it's insecure to
> have a dovecot server, which is accessed through a public IPv6
> address...
> (or note just shortly what else could give a firm ground to such claims...)
>
> [1] http://forums.gentoo.org/viewtopic-t-882557.html

I can't think of any backdoors introduced in IPv6.  The trouble I 
foresee with IPv6 and email won't concern Dovecot, but some spam filtering.

Since the IPv6 address space is large, people can't expect to be 
successful by blocking spammers IP addresses one-by-one.  Instead they 
will end up blocking entire subnets if that's a route they choose to go.

I know that Dovecot slows down/delays login attempts with multiple 
authentication failures.  I guess the question to ask is whether this is 
source IP-based, or user name-based, or both.  Anyone know the answer to 
this?

If it's source IP-based, then if I was an attacker with an IPv6 subnet 
assigned to me, I would just come at it with a different IP address each 
time to avoid the slowdown.

In short, that's the only real potential issue I could see.

Willie


More information about the dovecot mailing list