IP drop list
Oliver Welter
mail at oliwel.de
Tue Mar 3 21:31:12 UTC 2015
On 03.03.2015 at 12:40, Dave McGuire wrote:
> On 03/02/2015 09:41 PM, Joseph Tam wrote:
>>>>>> then setup fail2ban to manage extrafields
>>>>>
>>>>> Now that's a very interesting idea, thank you! I will investigate
>>>>> this.
>>>>
>>>> If you don't expect your firewall to handle 45K+ IPs, I'm not sure how you
>>>> expect dovecot will handle a comma separated string with 45K+ entries
>>>> any better.
>>>
>>> My firewall can handle that without breaking a sweat. I just haven't
>>> found a way (that I'm comfortable with) to automatically inject rules
>>> into it from a machine on the network.
>>>
>>> Doing it via a DNSBL is an elegant solution to the problem, IMO.
>>
>> I'm agnostic as far as which method you want to use. All I'm saying is
>> that using dovecot's allow_net facility is as difficult, if not
>> more so, than letting your firewall handle it.
>
> I'm not disagreeing with you. As I stated above, getting new rules
> into my firewall in an automated way is not something I've found a good
> way to do yet. Granted, it has been a couple of years since I've
> googled around to see if anyone has been able to do it in a reasonably
> secure way. (Perhaps it's time for me to revisit that.)
>
I did a quick hack for exactly this purpose - send offending IPs from my
mail server to the firewall "in a secure way". It's a Python script that
uses the fail2ban syntax on the one end and feeds a (patched) pfSense on
the other end. You can find the scripts on GitHub:
https://github.com/oliwel/fail2sense - be warned, it's a first draft -
but it does the job here... For the unblock feature you need this patch
against pfSense: https://github.com/pfsense/pfsense/pull/1444/
Oli
--
Protect your environment - close windows and adopt a penguin!