Lou Duchez wrote:
Ed W wrote:
Lou Duchez wrote:
This arrangement is designed to trap POP3 and IMAP separately, and also to allow a high number of errors before temporarily "jailing" a user. This is to decrease the likelihood that a single user from a single IP will get all his coworkers (temporarily) banned over an honest mistake in configuration.
I have noticed recent breaking attempts which appear to be a slow coordinated botnet using multiple IPs and trying a combination of SMTP + POP + IMAP (can't remember if it did both of the latter or just POP?). As a result I tried to combine all three into a single test.
Actually I did the wrong thing, but if you look through my previous posts you can see someone (Bill?) correct me and post the correct config for this. I would recommend you be aware of this - in my case I was seeing less than a few attempts from a given IP in a 10 min period, but lots of what appeared to be coordinated attempts at the server level. (e.g. some servers were only trying a few logins per day, but across enough IP addresses this was fairly rapidly filling the logs)
Good luck
Ed W
Thanks for the heads-up! Okay then, perhaps the best solution is to make use of the "ignoreip" setting in jail.conf to protect known IP addresses, something like this:
(snip)
Or even smarter: create a single filter file called smtppop3imap.conf, and use that same filter for SMTP, POP3, and IMAP. Here's what the filter would look like:
[Definition]
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
            (?:pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
The first regex will cover SMTP authentication errors generated by Postfix. The second regex is for Dovecot and authentication errors with POP3 and IMAP.
Sorry to keep posting iterative improvements; every time I think I'm done, I come up with something better (and perhaps worth sharing).
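As an added illustration (not part of this thread and not fail2ban's own code): a small Python script that applies the two failregex lines from the smtppop3imap.conf filter above to a few constructed Postfix and Dovecot log lines, roughly the way fail2ban does, counting failures per source IP, honouring an ignoreip list, and showing how the slow distributed pattern Ed describes stays under a per-IP maxretry while the server-wide total is plainly visible. The <HOST> expansion is the one fail2ban 0.8 performs (assumption: later releases use a different pattern), the log lines are constructed, and findtime is not modelled.

```python
import re
from collections import Counter

# fail2ban replaces the <HOST> tag with a named capture group before compiling
# a failregex.  This is the substitution fail2ban 0.8 performs (assumption:
# later releases use a different, more IPv6-aware pattern).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines from the smtppop3imap.conf filter in the thread:
# the first for Postfix SASL failures, the second for Dovecot POP3/IMAP.
FAILREGEX = [
    r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
    r"(?:pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
]

# Constructed sample mail log (not real traffic): two hosts each failing once
# against SMTP and once against POP3/IMAP, plus one successful IMAP login that
# must not be counted.
SAMPLE_LOG = """\
Mar  1 10:00:01 mail postfix/smtpd[1234]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar  1 10:00:05 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.2
Mar  1 10:00:09 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<alice>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.2, TLS
Mar  1 10:00:12 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.99, lip=203.0.113.2, TLS
Mar  1 10:00:20 mail postfix/smtpd[1234]: warning: unknown[192.0.2.44]: SASL PLAIN authentication failed: authentication failure
"""


def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_host(line, compiled):
    """Return the offending host for one log line, or None if no failregex
    matches.  As in fail2ban, the pattern is searched for within the line
    rather than anchored at its start."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def count_failures(log_text, ignoreip=(), patterns=FAILREGEX):
    """Count failed-auth lines per source IP, skipping addresses listed in
    ignoreip (the role jail.conf's ignoreip setting plays)."""
    compiled = compile_failregex(patterns)
    ignored = set(ignoreip)
    counts = Counter()
    for line in log_text.splitlines():
        host = match_host(line, compiled)
        if host is not None and host not in ignored:
            counts[host] += 1
    return counts


def hosts_to_ban(counts, maxretry):
    """Hosts whose failure count reaches maxretry, as fail2ban's per-IP
    threshold would see them (findtime is deliberately not modelled)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    print("failures per IP:", dict(counts))
    print("total failures across all IPs:", sum(counts.values()))
    # Two failures per IP never trips a maxretry of 3, although the server as
    # a whole has seen four: this is the slow, distributed pattern the thread
    # describes.
    print("banned with maxretry=3:", hosts_to_ban(counts, 3))
    print("banned with maxretry=2:", hosts_to_ban(counts, 2))
```

On a box with fail2ban installed, the equivalent check against a real log is `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/smtppop3imap.conf`, which reports how many lines each failregex matched and which hosts it extracted.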