RFE: dnsbl-support for dovecot

Giles Coochey giles at coochey.net
Tue Jun 17 17:43:44 UTC 2014


On 17/06/2014 18:16, Reindl Harald wrote:
> after having my own dnsbl fed by a honeypot and even
> mod_security supports it for webservers i think dovecot
> should support the same to prevent dictionary attacks from
> known bad hosts, in our case that blacklist is 100%
> trustable and blocks before SMTP-Auth while normal RBL's
> are after SASL
>
> i admit that i am not a C/C++-programmer, but i think
> doing the DNS request and in case it has a result block
> any login attempt should be not too complex
>
> setup an own honeypot and feed rbldnsd with the sources
> is quite easy and in case of an own, trustable RBL where
> no foreigners report somebody by mistake it's reliable
> and scales well over many machines and services as long
> as services support it
>
> mod_security:
> http://blog.inliniac.net/2007/02/23/blocking-comment-spam-using-modsecurity-and-realtime-blacklists/
>
If you have the blacklist as a file then you may as well drop with iptables
(in Linux) or ipfw (BSD).

Use an IP tool for an IP block, not the application.

Spamhaus project has a kind of script for this type of thing:

http://www.spamhaus.org/faq/section/DROP%20FAQ

I'm quite happy to use fail2ban, yes - dovecot has to handle a few 
failed logins for each blocked IP, but it works for me and pretty much 
mitigates the attack.

-- 
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles at coochey.net
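
The lookup the original request describes (do the DNS request, and block the login if it has a result), as an added example that is not part of either post and is not dovecot code. The zone bl.example.org and the sample records are constructed; the check for an answer inside 127.0.0.0/8 assumes the usual DNSBL convention (RFC 5782).

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the address (IPv4 octets, IPv6 nibbles) and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone.strip(".")

def system_resolver(name):
    """A records for name via the system resolver; [] on any lookup failure.

    NXDOMAIN and resolver outages both end up here, so a DNS outage fails
    open (logins continue) instead of locking every user out.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(ip, zone, resolver=system_resolver):
    """True only if the zone answers with an address inside 127.0.0.0/8.

    Anything else (for example a resolver that rewrites NXDOMAIN to a
    search page) is ignored rather than treated as a listing.
    """
    answers = resolver(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LOOPBACK for a in answers)

# Constructed sample data: hypothetical zone, documentation-range addresses.
ZONE = "bl.example.org"
SAMPLE_RECORDS = {
    "2.2.0.192.bl.example.org": ["127.0.0.2"],        # listed honeypot hit
    "7.100.51.198.bl.example.org": ["203.0.113.80"],  # rewritten NXDOMAIN
}

def sample_resolver(name):
    return SAMPLE_RECORDS.get(name, [])

if __name__ == "__main__":
    for client in ("192.0.2.2", "198.51.100.7", "192.0.2.9", "2001:db8::1"):
        verdict = "reject" if is_listed(client, ZONE, sample_resolver) else "allow"
        print(client, dnsbl_query_name(client, ZONE), verdict)
```

Against a real zone, call is_listed(ip, zone) without the third argument so the system resolver is used.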

