On 30.3.2012, at 16.25, Andy Dills wrote:
> However, when we have the front-end server do a static director proxy, the problem is that authentication failures are logged on the back-end server with a source IP of the proxy, and no authentication failure with the client IP address is logged on the proxy. So, fail2ban (which is a MUST these days, at least for us) will not be able to properly filter out the brute force attackers.
This is a simple fix (and something you should do anyway): Add the proxy's IP/netmask to login_trusted_networks setting in the remote server. For this to work with POP3 you need v2.1.2+.
> My solution was an alternative: I authenticate with our /bin/checkpassword on the proxy, which authenticates the user and only at that point returns the proxy=y nopassword=y switch to proxy the connection and forward the authentication.
Hm. Doesn't it do that even without nopassword=y?
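To make the fail2ban point above concrete, here is an added example (not from the thread or from Dovecot) that aggregates authentication failures per `rip=` address the way a fail2ban-style rule would. The log lines, the proxy address 10.0.0.5 and the client addresses are all constructed for the example; the two samples show what a back-end logs before and after the proxy is added to login_trusted_networks.

```python
import re
from collections import Counter

# Constructed sample of Dovecot imap-login failure lines (not real logs).
# First set: back-end that does NOT trust the proxy, so every failure is
# attributed to the proxy's own address.
BACKEND_UNTRUSTED_PROXY = """\
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.20
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.20
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.20
"""

# Same failures once the proxy (10.0.0.5/32) is in login_trusted_networks:
# the back-end now logs the client address the proxy forwarded.
BACKEND_TRUSTED_PROXY = """\
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.20
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.20
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.20
"""

# Hypothetical proxy address used in the constructed samples above.
PROXY_IPS = {"10.0.0.5"}
AUTH_FAIL = re.compile(r"auth failed.*?rip=(?P<rip>[0-9a-fA-F.:]+)")


def failures_per_ip(log_text):
    """Count 'auth failed' lines per remote address (the rip= field)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            counts[m.group("rip")] += 1
    return counts


def ban_candidates(log_text, threshold=3):
    """Addresses a fail2ban-style rule would ban at the given threshold.

    Returns (banned_ips, proxy_would_be_banned). When the proxy itself
    crosses the threshold, the rule would cut off every legitimate user
    behind it; that is the symptom of a back-end that does not trust the
    proxy and therefore never sees the real client address.
    """
    counts = failures_per_ip(log_text)
    banned = {ip for ip, n in counts.items() if n >= threshold}
    return banned, bool(banned & PROXY_IPS)
```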