[Dovecot] penalty configuration and proxy servers

Timo Sirainen tss at iki.fi
Fri Mar 4 18:54:56 EET 2011


On Fri, 2011-03-04 at 12:16 +0200, Mark Zealey wrote:

> I've had a look through the wiki and a quick look through the source for 
> penalty configurations (dovecot 2.0.9) but I've not found anything to do 
> with configuration options for this functionality. I'm basically wanting 
> to disable a particular host/subnet from the penalty setup. In our case 
> we have some webmail servers that do get attacked however most of the 
> traffic is legitimate so I'd rather that the user experience was faster 
> (ie not having a few seconds of delay on login) than that we slowed down 
> attacks from them.

http://hg.dovecot.org/dovecot-2.0/rev/bf6749d4db08
http://hg.dovecot.org/dovecot-2.0/rev/73cad87e2045

And set login_trusted_networks = webmail

> On a similar note; is it possible to do the per-ip login limit in the 
> auth level rather than the imap/pop level? I ask this as we've just 
> implemented a proxy setup whereby we have two frontend proxy servers 
> that then dispatch to backend servers specified in the database. So, the 
> backend servers do the actual imap/pop sessions however we now don't see 
> the remote ip addresses so it becomes difficult to limit abusive users.

Add proxy IPs to login_trusted_networks and this problem goes away.

> The 'doveadm who'/process listing code also doesn't work on the proxy 
> servers even though dovecot knows who logged in and forwards the 
> connection through to the backend servers.

After setting login_trusted_networks you can do this on the backend
servers and they show the user's real IP. doveadm who isn't supposed to
work in proxy servers and I'm not sure if it ever will.



More information about the dovecot mailing list