On 09/01/2026 11:08, Lefteris Tsintjelis via dovecot wrote:
Hi,
Is there a way to block with RBLs? I already have a really good and very trustworthy and accurate internal one that works extremely well and fast with my SMTP servers for years now. Is there a way to apply the same RBL to dovecot? Logs are really going crazy as they stopped with SMTP and started with IMAP for a while now since dovecot is wide open to these attacks. Anvil does not seem to do much here. I am looking for solutions other than fail2ban or anything similar to this.
Lefteris
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Hi Lefteris
for smtp port 25 incoming email the use of RBLs is a consolidated practice but for smtp auth the use of RBLs may not be so easy to apply and I think the same goes for IMAP authentication.
I find it useful (both on Postfix and Dovecot) to apply XBL to block connection to authenticated services. For me it works, but I have a very low probability that legitimate users will connect from ip addresses on XBL. Others have mentioned that it is not generally feasible if you have a lot of users from dynamic ips, due to the potential of recycling of blocked ip addresses to legitimate users.
In Dovecot if I remember correctly Aki previously mentioned that it would be possible to use LUA scripts to do RBL looks prior to authenticating, something that is on my to do list for future investigation.
In the meantime I run a locally patched version of Dovecot. I added an "rbl_check" parameter to the protocol section, so it can also be configured for managesieve as well as imap and pop3. I also took the step of making protocol error limits configurable and then setting them to a very low value (in my case 1). I think legitimate clients don't need much space to make protocol errors so I am not too lenient.
John