On Fri, 2011-03-04 at 12:16 +0200, Mark Zealey wrote:
> I've had a look through the wiki and a quick look through the source for penalty configurations (dovecot 2.0.9) but I've not found anything to do with configuration options for this functionality. I'm basically wanting to disable a particular host/subnet from the penalty setup. In our case we have some webmail servers that do get attacked; however, most of the traffic is legitimate so I'd rather that the user experience was faster (i.e. not having a few seconds of delay on login) than that we slowed down attacks from them.
http://hg.dovecot.org/dovecot-2.0/rev/bf6749d4db08
http://hg.dovecot.org/dovecot-2.0/rev/73cad87e2045
And set login_trusted_networks = webmail
> On a similar note, is it possible to do the per-IP login limit in the auth level rather than the imap/pop level? I ask this as we've just implemented a proxy setup whereby we have two frontend proxy servers that then dispatch to backend servers specified in the database. So, the backend servers do the actual imap/pop sessions; however, we now don't see the remote IP addresses so it becomes difficult to limit abusive users.
Add proxy IPs to login_trusted_networks and this problem goes away.
> The 'doveadm who'/process listing code also doesn't work on the proxy servers even though dovecot knows who logged in and forwards the connection through to the backend servers.
After setting login_trusted_networks you can do this on the backend servers and they show the user's real IP. doveadm who isn't supposed to work in proxy servers and I'm not sure if it ever will.
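
Added example (not part of the original message and not Dovecot's code): a simplified Python model of the behaviour discussed in this thread, where a peer listed in login_trusted_networks skips the login penalty and has its forwarded client IP believed, plus a check for overly wide trusted ranges. The addresses, function names and prefix thresholds are assumptions made for illustration.

```python
import ipaddress

# Constructed sample value (documentation address ranges), in the space-separated
# form the thread passes to login_trusted_networks: two proxies and a webmail subnet.
TRUSTED = "192.0.2.10 192.0.2.11 198.51.100.0/28"


def parse_trusted(value):
    """Parse a space-separated list of IPs / CIDR ranges into network objects."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]


def is_trusted(peer_ip, networks):
    """True if the TCP peer address falls inside any trusted network."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr.version == net.version and addr in net for net in networks)


def classify(peer_ip, forwarded_ip, networks):
    """Return (effective_client_ip, penalty_applies) for one login connection.

    Simplified model: a trusted peer is exempt from the login penalty and the
    client address it forwards is believed; an untrusted peer's claim is ignored.
    """
    if is_trusted(peer_ip, networks):
        return (forwarded_ip or peer_ip, False)
    return (peer_ip, True)


def broad_entries(networks, min_v4=24, min_v6=64):
    """List entries wider than the given prefix lengths (thresholds are assumptions).

    Every host inside a trusted range skips the penalty and can assert any
    client IP, so wide ranges deserve a second look.
    """
    return [str(n) for n in networks
            if n.prefixlen < (min_v4 if n.version == 4 else min_v6)]


if __name__ == "__main__":
    nets = parse_trusted(TRUSTED)
    for peer, fwd in [("192.0.2.10", "203.0.113.7"),    # proxy forwarding a user
                      ("198.51.100.5", None),            # webmail host, direct
                      ("203.0.113.99", "192.0.2.10")]:   # untrusted peer's claim
        print(peer, fwd, "->", classify(peer, fwd, nets))
    print("broad:", broad_entries(parse_trusted("10.0.0.0/8 192.0.2.10")))
```

Because a trusted host is no longer rate-limited by the penalty, any per-user throttling for webmail logins has to happen on the webmail servers themselves.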