Is this safe?

Jaroslaw Rafa raj at rafa.eu.org
Thu Aug 25 15:30:28 UTC 2022 

Dnia 25.08.2022 o godz. 10:48:47 dovecot at ptld.com pisze:
> 
> Now for my 2 cents;
> Why? Not all clients keep active connections open to IMAP between fetching mail and then sending to submission.
> Postfix can validate user/pass credentials with dovecot when accepting mail for submission.
> Why add extra moving parts to your system instead of just using the built in auth checking for submission mail?

Why? Exactly to not allow the connecting client to even go to AUTH phase if
it's not a "regular" user accessing mail on this server.

My server is a very small server and from what I see in the logs, all mail
clients that connect to it open IMAP connection first and then keep it
opened throughout the session. If you know of a commonly used client that
does not behave this way, please let me know - I will try it.

Of course I do use AUTH checking via Dovecot in Postfix, but the intent is -
as I mentioned above - to don't even proceed to the AUTH phase.

Recently I experience authentication attacks that are highly distributed. 
There are almost no IP addresses that repeat, so I can't use fail2ban or
other method to block "repeated offenders", as there are none :). It looks
so that some IP address is connecting to submission service, tries AUTH on
some user, and disconnects. Then another IP connects and is trying the
same, *on the same user*. And the last part is what worries me. Until now
I have seen a lot of AUTH attacks but these were against random usernames
that didn't even exist on my server. But now they started targeting actual
users. So there is a chance they will possibly crack a password if this will
continue for a long time.

While I see these attacks on submission service, on the contrary I see
virtually no attempts to actually login into the IMAP service (except
legitimate users of course). Hence the idea for checking IMAP-before-SMTP :).
SMTP AUTH is of course still in place, this is just an extra step that
rejects the connection right away if the client does not have an IMAP
connection already established.
-- 
Regards,
   Jaroslaw Rafa
   raj at rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

More information about the dovecot mailing list