Sv: 2FA/MFA with IMAP & postfix/submission
Rick Romero
rick at havokmon.com
Thu Jul 15 19:58:09 EEST 2021
Quoting Benny Pedersen <me at junc.eu>:
> On 2021-07-15 16:49, Alex wrote:
>
>> What about something like what we used to do with pop-b4-smtp to at
>> least restrict by IP address?
>
> no, pop was not handle million of users share one single nat ip,
> weekforce cant handle that either, so allow_net cant do any better
> there
Well no, but I thought the problem to be solved was 'prevent
compromised credentials from abusing SMTP'. Certs do that, but with
high overhead.
OTOH, going off Alex's suggestion, you could tie the IMAP or POP Auth
into an iptables rule that allows that IP to use SMTP for x minutes.
Basically, the opposite of fail2ban - 'auth2allow' :)
You could probably use fail2ban, just adjust the log regex's and the
action appled.
The odds of an abuser coming from the same IP are pretty slim, and if
the system itself is compromised, they're going to have the cert
anyways.
In my experience, most clients do SMTP after the POP or IMAP check..
I'd expect issues to be minimal.
Rick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20210715/dbb3884b/attachment.html>
More information about the dovecot
mailing list