Is it possible to filter out logins by country (I would like to limit dovecot instance users to log in only from specific countries)?
Anvar Kuchkartaev anvar@anvartay.com
For a global filter, that is filter all accounts, I use the data provided by ip2location. I put the CIDRs for all the countries where I don't plan on sending or retrieving mail in the ipfw firewall. Block all mail ports other than 25.
Note: by not blocking 25, you can still receive email independent of the countries you blocked. You just can send or retrieve via pop/images.
This assumes an email server using 587.
I have an extensive list of IP space consisting of hosts, VPN, and VPS that I also keep away from the server excluding 25. Basically you can block IP space that you don't expect to use. Since my server is just for me, I can get very aggressive in blocking.
Original Message From: anvar@anvartay.com Sent: October 15, 2017 6:43 PM To: dovecot@dovecot.org Subject: Filtering by country
Is it possible to filter out logins by country (I would like to limit dovecot instance users to log in only from specific countries)?
Anvar Kuchkartaev anvar@anvartay.com
Another good alternative is to use auth_policy_server along with Weakforced (https://github.com/PowerDNS/weakforced) to do this filtering. It has GeoIP support, and since dovecot does an auth policy lookup before and after user authentication, you can set some cos attribute in the user's account and pass that on to weakforced so it knows to refuse the login if it comes from an unexpected country.
Aki
On October 16, 2017 at 5:21 AM Gary <lists@lazygranch.com> wrote:
For a global filter, that is filter all accounts, I use the data provided by ip2location. I put the CIDRs for all the countries where I don't plan on sending or retrieving mail in the ipfw firewall. Block all mail ports other than 25.
Note: by not blocking 25, you can still receive email independent of the countries you blocked. You just can send or retrieve via pop/images.
This assumes an email server using 587.
I have an extensive list of IP space consisting of hosts, VPN, and VPS that I also keep away from the server excluding 25. Basically you can block IP space that you don't expect to use. Since my server is just for me, I can get very aggressive in blocking.
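The firewall approach described in the thread (country CIDRs in ipfw, every mail port except 25 blocked), sketched as an added example that is not code from any of the posters. Assumptions: the country data is a CSV of integer ip_from, ip_to, country_code, country_name rows (the IP2Location LITE DB1 layout), the port list, table number and rule number are illustrative, and the sample rows are constructed from documentation address ranges with placeholder country codes.

```python
import csv
import io
import ipaddress

# Constructed sample rows: ip_from, ip_to (as integers), country code, country name.
# The first range (192.0.2.0-192.0.2.191) is deliberately not CIDR-aligned.
SAMPLE_CSV = '''"3221225984","3221226175","XA","Constructed country A"
"3325256704","3325256959","XB","Constructed country B"
"3405803776","3405804031","XA","Constructed country A"
'''

# Assumed set of "mail ports other than 25": POP3, IMAP, SMTPS, submission, IMAPS, POP3S.
MAIL_PORTS_EXCEPT_25 = (110, 143, 465, 587, 993, 995)

def blocked_networks(csv_text, blocked_countries):
    """Turn the integer ranges of the blocked countries into minimal CIDR blocks."""
    nets = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[2] not in blocked_countries:
            continue
        first = ipaddress.IPv4Address(int(row[0]))
        last = ipaddress.IPv4Address(int(row[1]))
        # A start-end range may need several CIDRs to be covered exactly.
        nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent or overlapping blocks so the firewall table stays small.
    return list(ipaddress.collapse_addresses(nets))

def ipfw_commands(nets, table=1, rule=1000):
    """Render ipfw commands: load the table, then deny the listed mail ports from it."""
    cmds = [f"ipfw -q table {table} flush"]
    cmds += [f"ipfw -q table {table} add {net}" for net in nets]
    ports = ",".join(str(p) for p in MAIL_PORTS_EXCEPT_25)
    cmds.append(
        f"ipfw -q add {rule} deny tcp from 'table({table})' to me dst-port {ports}"
    )
    return cmds

def would_block(nets, src_ip, dst_port):
    """Mirror the rule's effect: port 25 is never matched, so inbound SMTP still works."""
    addr = ipaddress.ip_address(src_ip)
    return dst_port in MAIL_PORTS_EXCEPT_25 and any(addr in net for net in nets)

if __name__ == "__main__":
    networks = blocked_networks(SAMPLE_CSV, {"XA"})
    print("\n".join(ipfw_commands(networks)))
    for ip, port in [("192.0.2.150", 993), ("192.0.2.150", 25), ("198.51.100.7", 587)]:
        print(ip, port, "blocked" if would_block(networks, ip, port) else "allowed")
```

Because this filter matches on source address only, it applies to every account alike; per-user country rules need the auth policy approach from the later reply.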
participants (3)
- Aki Tuomi
- Anvar Kuchkartaev
- Gary