Just curious - the first thing that hit me was “27 or so year-old…”

Fedora was released 19 years ago and Dovecot 20 — what am I missing? And are you saying this box has been unchanged since ’03?


On 8 Jun 2023, at 15:36, Richard Troy wrote:

Hi All,

This is my first posting here, and maybe I should have found this WAY back in January, '23, if not LONG before. I want to be but I find it difficult here to be brief. ... Surely background will help:

A 27 or so year old Fedora / Postfix / Dovecot site I built had a major disaster in January and I've not yet been able to fully recover because Dovecot has let the damned spammers in again and again and again and again! OH, sure, I got it down to a trickle, but these few Russian sites always managed to get their spam through and I just had to shut Dovecot down entirely. I never found out how they got in, etc. And I've STRONGLY suspected Dovecot got cracked - at least the modern version in the youngest version for the youngest Fedora we had back in January - uh, Fedora Server 37 - I've forgotten the matching Dovecot version.

In the disaster, we lost /var but not /etc, so I figured recovery would be easy and for nearly everything, it was. But NOT Dovecot (and insofar as it matters, Postfix), and in these 5+ months I've tried so many things, I'm sure I've forgotten most of them and I don't know that a retroactive look is worth doing.

...I kept some notes that might be useful if anyone wants to see the evidence of the cracking, but in short, I kept a constant watch on the logs and when ANY relay happened that shouldn't, I'd instantly know it and shut things off entirely. However, that became untenable as I couldn't find the problem and had to just shut it off, pissing off users, etc, but I've had to do things like spend a month and a half traveling, and so forth and, well... Life goes on, as the saying goes.

---

NOW I want to try again.

It's my perception that it's a waste of time to even LOOK at the old Dovecot configuration stuff. I feel I need to REMOVE it ALL, and I could use some help being SURE to get it all gone. And then I think I need to do a FULL new installation. Overkill? IDK.

I could use some advice about SAFE ways to make changes and test to ensure we do NOT become an open mail relay EVER AGAIN.

ALSO WORTH SAYING is that if Dovecot were all that damned safe and secure I wouldn't so easily be able to propose a new feature that would make a HUGE difference to sites like mine: Give me a white-list of the ONLY accounts that can relay; NOTHING ELSE can relay. ... THAT would do it! But no! Neither in Postfix nor dovecot is there such a thing!

Combine that with a greylist type function where the usual IP addresses for particular users were let through, and new ones delayed, THAT would be awesome, too! And this isn't even all that hard to do - I could do it if I didn't already have a thousand obligations in life!

And if someone tells me I'm wrong and points me at how to do these things, I'll fall out of my damned chair! And after picking myself up, I'll find a way to send that person some sort of gift. THIS WOULD HAVE SOLVED ALL MY PROBLEMS. And I'm sure MANY others could use this, too!

---

THIS configuration:

I'd like to find a way to have both virtual and our existing "unix accounts" users.

IF we had an IMAP supported password CHANGING scheme, we'd gladly run encrypted passwords, but there isn't, and we haven't invented (finished inventing!) our own web-way to change 'em and so we're stuck with plain text until one of these things changes.

BTW, isn't this a HUGE and OBVIOUS hole that should have been fixed decades ago?! If a major provider like the Dovecot.org team added a way to update passwords to the IMAP protocol, all the rest of the folks would follow along for sure! OR, "is that a thing" and I'm just ignorant of it?

So, again, plain-text, in cram, of course. What else? Coach me on "the right way" if you want, but if users can't change it themselves, they'd rather I can retrieve it for them if needed... I'm sure the corporate world doesn't do it this way, but their code isn't open source, or am I wrong?...

---

In closing I don't actually anticipate ANY help.

My father, an even earlier computer user than me, once observed, "you can ask for information until you're blue in the face, and nobody will say a thing, but post the WRONG thing and a hundred people will post to point out you're wrong!"

GIVEN how EASY it is to have your email system become an instant open relay at the hands of the spammers out there, how the hell Dovecot can advertise the way it is WITHOUT a serious guide about this is just frustrating and laughable. But I'd love to be shown where they DO help with this!

Thanks for any and all help,
Richard
