My email server is set up for port 587. I block all email ports other than port 25 from countries that I will not be sending email to or receiving email from. This is really only practical on a personal server. I also have a blocking file of data center IPs. Port 25 is still open to the world but that has to be the case.
Firewalls are a bit RAM-intensive but not CPU-intensive.
I am not saying this is perfect. Rather, I have reduced the number of jerks that can access my email. Prior to running my own email server, I used a hosted service. I got hacked from an exploit in Roundcube from Morocco. I don't use webmail and while I'm sure Morocco is a fine country, I don't need email access from there. This is why I now run my own email.
Original Message
From: johannes@rohr.org
Sent: April 22, 2020 5:30 AM
To: dovecot@dovecot.org
Subject: Recommendations on intrusion prevention/detection?
Dear all,
what are the key strategies for intrusion prevention and detection with dovecot, apart from installing fail2ban? It is a pity that the IMAP protocol does not support 2 factor authentication, which seems to stop 90% of intrusion attempts in their tracks. Without it, if someone has obtained your password and reads your mail without modifying it, you will hardly ever notice.
Is there a reasonable way of detecting and preventing logins from unusual IP ranges? Or are there other strategies you would recommend?
Cheers,
Johannes
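One way to approach the question about detecting logins from unusual IP ranges is to baseline, per user, the networks seen in Dovecot's successful-login log lines and flag any login from a network not seen before. This is an added example, not part of the original thread; the log lines are constructed, and the /24 and /48 grouping and all function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Matches successful logins only, e.g.
#   imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=..., ...
LOGIN_RE = re.compile(
    r"-login: Login: user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[0-9A-Fa-f:.]+)")

def network_of(ip_text, v4_prefix=24, v6_prefix=48):
    """Collapse an address to its surrounding network (assumed granularity)."""
    ip = ipaddress.ip_address(ip_text)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def parse_logins(lines):
    """Yield (user, network) for each successful login line."""
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # failed auth, disconnects, other services
        try:
            yield m["user"], network_of(m["rip"])
        except ValueError:
            continue  # malformed address in the log line

def find_unusual(baseline_lines, new_lines):
    """Return (user, network) pairs in new_lines absent from the baseline."""
    known = defaultdict(set)
    for user, net in parse_logins(baseline_lines):
        known[user].add(net)
    alerts = []
    for user, net in parse_logins(new_lines):
        if net not in known[user]:
            alerts.append((user, str(net)))
            known[user].add(net)  # alert once per new network
    return alerts

P = "Apr 22 05:12:01 mail dovecot: imap-login: "  # constructed sample data
BASELINE = [
    P + "Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.10, TLS",
    P + "Login: user=<bob>, method=PLAIN, rip=2001:db8:1::5, lip=2001:db8:ffff::1, TLS",
]
NEW = [
    P + "Login: user=<alice>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.10, TLS",
    P + "Login: user=<alice>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.10, TLS",
    P + "Disconnected (auth failed, 3 attempts in 10 secs): user=<alice>, rip=192.0.2.50",
    P + "Login: user=<bob>, method=PLAIN, rip=2001:db8:2::1, lip=2001:db8:ffff::1, TLS",
    P + "Login: user=<alice>, method=PLAIN, rip=192.0.2.45, lip=203.0.113.10, TLS",
]
```

Calling `find_unusual(BASELINE, NEW)` reports only successful logins from new networks; failed attempts are left to tools such as fail2ban.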