On 04 Feb 2014, at 10:40 , Marc Perkel <marc@perkel.com> wrote:
It seems to me that a nice dovecot feature would be the ability to do a black list check against IP addresses connecting and deny access if listed.
Thoughts?
Use the right tool. Fail2ban (or denyssh) do this sort of limiting quite well. One of them even has a feature that allows you to sync bad IPs with other people (denyssh, I think).
Also, postfix will check an RBL, so if you simply put in your check in master.cf for your submission port, there’s no reason for dovecot to try to redo something others already do.
Something like this in postfix master.cf (the RBL check is a restriction, so it belongs inside smtpd_client_restrictions; "-o" values must not contain spaces around "=" and use commas instead of whitespace):

submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_rbl_client,myrbl.local,reject
  -o smtpd_data_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o syslog_name=submit-tls
YMMV
-- I have seen the truth and it makes no sense.
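For readers who want to see what reject_rbl_client actually does against a zone like myrbl.local, here is an added example (not from the thread or from Postfix) of the DNSBL lookup convention from RFC 5782: reversed IPv4 octets or IPv6 nibbles under the zone, an A record in 127.0.0.0/8 means "listed", and the 127.0.0.2 / 127.0.0.1 test entries tell you whether a zone is alive. The zone contents and the resolver are constructed stand-ins so the code runs offline.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed stand-in for DNS: maps DNSBL query names to the A records a real
# zone would return. Every entry here is made up for this example.
FAKE_ZONE_DATA: Dict[str, List[str]] = {
    "2.0.0.127.myrbl.local": ["127.0.0.2"],   # RFC 5782: test entry, must be listed
    "1.0.0.127.myrbl.local": [],              # RFC 5782: must NOT be listed
    "9.8.7.6.myrbl.local":   ["127.0.0.2"],   # constructed: 6.7.8.9 is "listed"
    "5.4.3.2.myrbl.local":   ["203.0.113.5"], # constructed: bogus answer outside 127/8
}

Resolver = Callable[[str], List[str]]

def fake_resolve(name: str) -> List[str]:
    """Stand-in for an A-record lookup; an empty list plays the role of NXDOMAIN."""
    return FAKE_ZONE_DATA.get(name, [])

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the query name the way reject_rbl_client does: IPv4 octets in
    reverse order, or all 32 IPv6 nibbles in reverse order, under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.rstrip(".")

def dnsbl_listed(ip: str, zone: str, resolve: Resolver = fake_resolve) -> Optional[str]:
    """Return the 127/8 answer if ip is listed in zone, else None.
    Answers outside 127.0.0.0/8 are ignored: a wildcarded or expired zone
    would otherwise list every client that connects."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if ipaddress.ip_address(answer) in loopback:
            return answer
    return None

def zone_sanity_check(zone: str, resolve: Resolver = fake_resolve) -> bool:
    """RFC 5782 self-test: 127.0.0.2 must be listed and 127.0.0.1 must not.
    Run this before trusting a zone in smtpd_client_restrictions."""
    return (dnsbl_listed("127.0.0.2", zone, resolve) is not None
            and dnsbl_listed("127.0.0.1", zone, resolve) is None)
```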