On 03/02/2015 05:34 AM, Joseph Tam wrote:
> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
> then setup fail2ban to manage extrafields
Now that's a very interesting idea, thank you! I will investigate this.
> If you don't expect your firewall to handle 45K+ IPs, I'm not sure how you expect dovecot will handle a comma separated string with 45K+ entries any better.
My firewall can handle that without breaking a sweat. I just haven't found a way (that I'm comfortable with) to automatically inject rules into it from a machine on the network.
Doing it via a DNSBL is an elegant solution to the problem, IMO. It offloads the IP address indexing to the DNS server; BIND (and most anything else I'd imagine, but I run BIND) uses a pretty respectable in-memory btree system which gives fast lookups. (well, at least that's what it used the last time I looked at its internals)
I myself just want a mechanism to deny certain IP addresses when I spot them, regardless of the implementation. But anything that offloads my mail servers from anything that doesn't involve serving mail makes me happy.
-Dave
-- Dave McGuire, AK4HZ/3 New Kensington, PA
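The DNSBL mechanism Dave describes above works by turning the client address into a DNS name under the blocklist zone (octets reversed for IPv4, nibbles reversed for IPv6) and treating an A record in 127.0.0.0/8 as "listed" and NXDOMAIN as "not listed". The following is an added example, not code from this thread or from Dovecot or BIND: a small lookup client that builds the query name, consults a resolver, and refuses to trust answers outside 127.0.0.0/8 (the usual sign of a dead or hijacked zone). The zone name `dnsbl.example.net` and the `SAMPLE_TABLE` entries are constructed assumptions for offline demonstration; the real resolver path uses `socket.gethostbyname`.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name for `ip` under `zone`.

    IPv4: octets are reversed (192.0.2.1 -> 1.2.0.192.zone).
    IPv6: the 32 hex nibbles of the expanded address are reversed,
    one nibble per label, the same way ip6.arpa names are formed.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.rstrip(".")

def dnsbl_return_code(answer):
    """Interpret the A record a DNSBL returns.

    Listing answers live in 127.0.0.0/8; the last octet carries the
    list-specific reason code. Anything else means the zone is broken,
    parked, or hijacked, so we raise rather than silently treating the
    client as listed (or as clean).
    """
    a = ipaddress.ip_address(answer)
    if a.version != 4 or a not in ipaddress.ip_network("127.0.0.0/8"):
        raise ValueError("unexpected DNSBL answer %s" % answer)
    return int(str(a).split(".")[-1])

def dnsbl_lookup(ip, zone, resolve=socket.gethostbyname):
    """Return the DNSBL reason code if `ip` is listed, else None.

    `resolve` takes a name and returns an IPv4 string or raises
    socket.gaierror for NXDOMAIN; the default does a real DNS query.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return None          # NXDOMAIN: not listed
    return dnsbl_return_code(answer)

# Constructed sample zone for offline use (assumption, not real data).
SAMPLE_TABLE = {
    "1.2.0.192.dnsbl.example.net": "127.0.0.2",     # listed, code 2
    "1.0.0.0." + "0." * 20 + "8.b.d.0.1.0.0.2.dnsbl.example.net": "127.0.0.4",
    "9.9.0.192.dnsbl.example.net": "198.51.100.1",  # bogus answer
}

def fake_resolve(name):
    """Stand-in resolver over SAMPLE_TABLE; missing names act as NXDOMAIN."""
    try:
        return SAMPLE_TABLE[name]
    except KeyError:
        raise socket.gaierror("NXDOMAIN for %s" % name)

def should_deny(ip, zone="dnsbl.example.net", resolve=fake_resolve):
    """Policy wrapper: deny only on a well-formed listing answer.

    A broken zone fails open (deny=False) so a DNSBL outage does not
    lock every client out of the mail server.
    """
    try:
        return dnsbl_lookup(ip, zone, resolve) is not None
    except ValueError:
        return False

if __name__ == "__main__":
    for client in ("192.0.2.1", "192.0.2.2", "2001:db8::1", "192.0.9.9"):
        print(client, "deny" if should_deny(client) else "allow")
```

The lookup is a single DNS query per connection, so all indexing of the 45K+ addresses stays in the name server; the only state the mail host carries is the zone name. Swap `fake_resolve` for the default `socket.gethostbyname` (or a proper resolver library) to query a live zone, and keep the fail-open choice in `should_deny` deliberate: a DNSBL that starts answering outside 127.0.0.0/8 should trigger an alert, not a mass block.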