On 04.03.2015 at 20:12, Michael Orlitzky wrote:
On 03/03/2015 11:03 PM, Earl Killian wrote:
On 2015/3/2 10:03, Reindl Harald wrote:
that is all nice
but the main benefit of RBLs is always ignored:
- centralized
- no log parsing at all
- honeypot data are "delivered" to any host
- it's cheap
- it's easy to maintain
- it doesn't need any root privileges anywhere
we have a small honeypot network with a couple of IP ranges detecting mass port scans and so on, and this data is available *everywhere*
so if some IP hits there it takes 60 seconds and any service supporting DNS blacklists can block them *even before* the bot hits the real mailserver at all
I would like to reiterate Reindl Harald's point above, since subsequent discussion has gotten away from it. If Dovecot had DNS RBL support similar to Postfix, I think quite a few people would use it, and thereby defeat the scanners far more effectively than any other method. It is good that other people are suggesting things that will work today, but in terms of what new feature would be the best solution, I can't think of one better than a DNS RBL.
Please add this support to iptables instead of Dovecot. It's a waste of effort to code it into every application that listens on the network.
Combined with "--ctstate NEW" and a chain for IMAP packets, it would be no less efficient
you don't want a DNS client in a kernel module with full permissions, and you will never convince any sane kernel developer to do that, nor does it help much for the users on a different operating system
dovecot is not linux only
In the case of HTTP, IMAP, etc. things are not so easy. Just think about NAT and CGN
that doesn't matter
if I blacklist a client because he starts a dictionary attack on SMTP, I want it also blocked on IMAP without using a dozen different tools, because the account password now caught via IMAP will be used to send spam later when the SMTP RBL entry expires
and frankly that 100% trustable RBL lives *before* "permit_sasl_authenticated" because it would be pointless anywhere else
ordinary blacklists are score-based on the MX, which is a completely different machine with no business for POP3/IMAP or even outgoing mail
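To make the DNSBL lookup the thread argues about concrete, here is an added example (not code from the thread, Dovecot or Postfix) that builds the reversed-address query name, checks several zones, and only trusts answers in 127.0.0.0/8; the zone names and the stub answers are constructed for offline use.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a DNS name to the A record it resolves to, or None for NXDOMAIN
# (which a DNSBL uses to mean "not listed").
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets (or reversed IPv6 nibbles) under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(ip.split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Real lookup via the system resolver; any failure counts as 'not listed' (fails open)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zones: Iterable[str], resolver: Resolver = system_resolver) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists the IP.

    Only answers inside 127.0.0.0/8 count as a listing; anything else (a wildcard or
    hijacked zone answering with a public address) is ignored instead of blocking traffic.
    """
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer and ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            hits[zone] = answer
    return hits


# Constructed stand-in for a honeypot-fed DNSBL zone (hypothetical names, not real lists).
FAKE_ZONE = {
    "4.3.2.1.bl.example.invalid": "127.0.0.2",   # 1.2.3.4 is listed (e.g. dictionary attack seen)
    "4.3.2.1.other.example.invalid": "1.2.3.4",  # bogus non-127/8 answer: must not count as listed
}


def stub_resolver(name: str) -> Optional[str]:
    """Offline resolver over the constructed zone data above."""
    return FAKE_ZONE.get(name)
```

Calling `is_listed("1.2.3.4", ["bl.example.invalid", "other.example.invalid"], stub_resolver)` returns only the `bl.example.invalid` hit, and an unlisted address returns an empty dict.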