[Dovecot] dnsbl feature for dovecot

Professa Dementia professa at dementianati.com
Thu Jul 4 00:45:51 EEST 2013


On 7/3/2013 2:30 PM, Joseph Tam wrote:

> Brute force attempts are more intense, so I think these rules can be
> set harder to not risk plunking your users into blacklist hell.  Also,
> some common role accounts (that don't exist on my system e.g. "admin")
> will trigger an immediate blacklist here -- an easy way to shortcut
> the process.

Certainly, set the rules to whatever works for your system.  My example
is just what I used and it worked well for me.

Your example is why I specified that an attempt to log in as a blocked
account does *not* extend the blocking time.  Otherwise, you run the
risk of a rolling block that goes on forever.

Why are users on your system entering bad passwords all the time?  Every
major mail client can save passwords in a reasonably secure format so
the feeble-minded human is free of that burden.  Even with webmail, the
browser generally can save passwords.  In fact, I feel this is safer.
It eliminates keystroke loggers from getting the password.

It also makes it easier to enforce strong passwords.  If the user had to
type in a 16-character strong password each time (such as
HjY6##k,F8Dl9sy1), many of them would certainly complain loudly and
often.  However, if the user can enter that password once into their
chosen software and not have to remember it again, you get good
protection from brute force attacks and happy users.  Typing a password
once is much easier than even typing "cat" 50,000 times over the course
of several years.

Dem
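
An added example, not part of the original message or of Dovecot: a failed-login tracker showing why attempts made during a block must not extend it, next to the "rolling block" behaviour the message warns about. The thresholds, the `FailureTracker` and `first_release` names, and the choice of what to key on (account or client address) are assumptions; the thread does not specify them.

```python
from dataclasses import dataclass, field

# Assumed values for illustration; the thread does not give thresholds.
MAX_FAILURES = 5           # failures allowed inside WINDOW before blocking
WINDOW = 600               # seconds over which failures are counted
BLOCK_SECONDS = 1800       # fixed length of a block
ROLE_ACCOUNTS = {"admin"}  # nonexistent role accounts: immediate block


@dataclass
class FailureTracker:
    extend_on_retry: bool = False  # True models the rolling-block mistake
    failures: dict = field(default_factory=dict)       # key -> [timestamps]
    blocked_until: dict = field(default_factory=dict)  # key -> expiry time

    def is_blocked(self, key, now):
        return now < self.blocked_until.get(key, 0)

    def record_failure(self, key, username, now):
        """Register a failed login; return True if key is blocked afterwards."""
        if self.is_blocked(key, now):
            if self.extend_on_retry:
                self.blocked_until[key] = now + BLOCK_SECONDS
            return True  # attempts during a block are never counted
        recent = [t for t in self.failures.get(key, []) if now - t < WINDOW]
        recent.append(now)
        self.failures[key] = recent
        if username in ROLE_ACCOUNTS or len(recent) >= MAX_FAILURES:
            self.blocked_until[key] = now + BLOCK_SECONDS
            self.failures[key] = []
        return self.is_blocked(key, now)


def first_release(tracker, key, username, interval, duration):
    """Constructed scenario: a client with a stale saved password retries
    every `interval` seconds. Return the first retry time at which an
    earlier block has lapsed, or None if it never lapses in `duration`."""
    was_blocked = False
    for now in range(0, duration, interval):
        if was_blocked and not tracker.is_blocked(key, now):
            return now
        was_blocked = tracker.record_failure(key, username, now)
    return None


if __name__ == "__main__":
    print(first_release(FailureTracker(), "alice", "alice", 60, 86400))
    print(first_release(FailureTracker(extend_on_retry=True),
                        "alice", "alice", 60, 86400))
```
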


