21 Jun
2023
2:46 a.m.
From: "André Rodier"
chain input {
    # Limit new imap connections ala fail2ban
    meta nfproto ipv4 tcp dport imaps ct state new,untracked \
        limit rate over 10/minute add @banned_imap_ipv4 { ip saddr }
I don't know all the subtleties of this rule, but there are some mail clients (MacOSX Mail comes to mind) that will bombard your IMAP server with new connections when it does a global search. It will open a new connection for each mailbox, then do a search. When your connection limit is reached, it will then close all the open connections and do another round.
This may be interpreted as a BFD attack, and you'll lock out a legitimate user.
Joseph Tam <jtam.home@gmail.com>
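
The lockout described in the reply can be checked with a small simulation. This is an added example, not part of the original message and not nftables code: a simplified token-bucket model of `limit rate over 10/minute` for a single source, where the burst of 5 and the connection timings are assumptions constructed for illustration.

```python
"""Simplified token-bucket model of `limit rate over 10/minute` (not nftables code)."""

RATE_PER_MIN = 10   # from the quoted rule
BURST = 5           # assumption: nftables' default burst when none is given


def first_over_limit(conn_times, rate_per_min=RATE_PER_MIN, burst=BURST):
    """Return the 1-based index of the first new connection that exceeds
    the limit (the one that would add the source to the banned set),
    or None if every connection stays within it."""
    tokens = float(burst)
    refill_per_sec = rate_per_min / 60.0
    last = None
    for i, t in enumerate(conn_times, start=1):
        if last is not None:
            # Refill for the elapsed time, never above the burst size.
            tokens = min(burst, tokens + (t - last) * refill_per_sec)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0          # within the limit, connection passes
        else:
            return i               # "over" matches: source gets banned
    return None


# Constructed traffic: a client searching 20 mailboxes, one new IMAPS
# connection per mailbox, 0.25 s apart.
search_burst = [i * 0.25 for i in range(20)]

# Constructed traffic: a client opening one new connection every 10 s.
steady_client = [i * 10.0 for i in range(20)]

if __name__ == "__main__":
    print("global search banned at connection:", first_over_limit(search_burst))
    print("steady client banned at connection:", first_over_limit(steady_client))
    # Sizing the burst to the largest expected mailbox count avoids the ban.
    print("same search, burst=50:", first_over_limit(search_burst, burst=50))
```

Running the model against connection timestamps taken from your own IMAP logs shows how large the burst allowance must be before a multi-mailbox search stops tripping the rule.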