13 Apr 2019, 12:05 a.m.
On Fri, 12 Apr 2019, mj wrote:
> What we do is: use https://github.com/trick77/ipset-blacklist to block IPs (from various existing blacklists) at the iptables level using an ipset.
"www.blocklist.de" is a nifty source. Could you suggest other publicly available blacklists?
> That way, the known bad IPs never even talk to dovecot, but are dropped immediately. We have the feeling it helps a lot.
Really helps with uber-stupid BFD attacks that pound our plaintext ports even though Dovecot repeatedly responds with
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
* BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
xx NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
The irony is that even if it blunders onto a usable password, they wouldn't know it.
Joseph Tam jtam.home@gmail.com
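
The blocklist-to-ipset step discussed in this thread, as an added example (not part of the original messages and not code from ipset-blacklist): it validates a downloaded feed, refuses entries that would block your own ranges, collapses overlaps, and emits input for `ipset restore` that fills a temporary set and swaps it in. The set name `blacklist`, the protected ranges and the sample feed are assumptions constructed for illustration.

```python
import ipaddress

SET_NAME = "blacklist"  # assumed set name, not taken from the thread

# Assumed "never block" ranges: loopback and RFC 1918 space (add your own).
PROTECTED = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample feed (documentation address ranges, not real indicators).
SAMPLE_FEED = """\
# one address or CIDR per line
203.0.113.7
203.0.113.0/24
198.51.100.22
198.51.100.23
192.0.2.200   # trailing comment
not-an-ip
10.1.2.3
0.0.0.0/0
2001:db8::1
"""

def parse_feed(text):
    """Return collapsed IPv4 networks that are safe to load into the set."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # malformed entry: skip rather than abort the refresh
        if net.version != 4:
            continue  # the set below is "family inet" (IPv4 only)
        if any(net.overlaps(p) for p in PROTECTED):
            continue  # would block our own ranges (also catches 0.0.0.0/0)
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets))

def restore_script(nets, name=SET_NAME):
    """Build input for `ipset -exist restore`: fill a temp set, then swap."""
    tmp = name + "-tmp"
    lines = [f"create {name} hash:net family inet",
             f"create {tmp} hash:net family inet",
             f"flush {tmp}"]
    lines += [f"add {tmp} {n}" for n in nets]
    lines += [f"swap {name} {tmp}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(restore_script(parse_feed(SAMPLE_FEED)), end="")
```

Load the output with `ipset -exist restore < file`, and drop matching sources with a rule such as `iptables -I INPUT -m set --match-set blacklist src -j DROP`. Because the live set is only replaced by the final `swap`, a truncated or failed download never leaves the firewall with an empty blocklist.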