[Dovecot] feature request: deny IP address via database
Hey folks. One feature I'd really like to see in dovecot is the
ability to point it at a database (with a configurable query) and
have it allow or deny a connection based on looking up the source IP
address in that database.
I run Postfix, and I've got it configured to use a database server
for its smtpd_client_restrictions checks. Ideally I'd like to point
dovecot at the same database table. I have external tools that
maintain that table.
I was thinking of writing it myself, but I'm running 1.0.10; I'd
assume that any such modifications would need to be rewritten for
1.1. Then I got to thinking that such functionality would likely be
useful to people other than just me, so..
Thoughts?
-Dave-- Dave McGuire Port Charlotte, FL
At 12:20 PM -0400 4/7/08, Dave McGuire wrote:
Hey folks. One feature I'd really like to see in dovecot is the ability to point it at a database (with a configurable query) and have it allow or deny a connection based on looking up the source IP address in that database.
I run Postfix, and I've got it configured to use a database server for its smtpd_client_restrictions checks. Ideally I'd like to point dovecot at the same database table. I have external tools that maintain that table.
I was thinking of writing it myself, but I'm running 1.0.10; I'd assume that any such modifications would need to be rewritten for 1.1. Then I got to thinking that such functionality would likely be useful to people other than just me, so..
Thoughts?
Is there any reason to do this at the application layer rather than the network layer for Dovecot?
Note that using smtpd_client_restrictions in Postfix *does not* make it deny connections, it just makes it reject mail that is offered on connections. It seems to me that for SMTP it is fairly normal to have IP space that you'd want to reject mail from conditionally, such as depending on whether/how the client authenticates or to allow mail to standard role accounts. That sort of conditionality that is only possible at the application layer makes an argument for smtpd_client_restrictions in Postfix in some cases rather than blocking at the network layer (i.e. a packet filter on the host of an external firewall.) I don't see the same sort of cases for IMAP or POP where you'd want to share a list of not-quite-totally-evil IP addresses with Postfix or anything else, rather than just barring access completely.
It is possible to restrict specific users to login via specific networks by using a custom PAM module, the allow_nets extra authentication field, or a custom checkpassword script. You also *might* be able to build a SQL query string using the %r variable and some sort of conditional logic so that authentication from 'bad' IP's fails.
--
Bill Cole
bill@scconsult.com
On 4/7/2008, Bill Cole (dovecot-20061108@billmail.scconsult.com) wrote:
Hey folks. One feature I'd really like to see in dovecot is the ability to point it at a database (with a configurable query) and have it allow or deny a connection based on looking up the source IP address in that database.
Is there any reason to do this at the application layer rather than the network layer for Dovecot?
I agree...
Fail2ban is perfect for this...
--
Best regards,
Charles
On Apr 7, 2008, at 5:02 PM, Charles Marcus wrote:
Hey folks. One feature I'd really like to see in dovecot is the
ability to point it at a database (with a configurable query) and
have it allow or deny a connection based on looking up the source IP address in that database.Is there any reason to do this at the application layer rather
than the network layer for Dovecot?I agree...
Fail2ban is perfect for this...
Hi! Thank you for your suggestion. I agree that fail2ban is Very
Good Stuff, but not for my application. For a lone Linux box on the
end of a DSL pipe that does everything including its own firewalling,
it's clearly the right thing. My application, on the other hand,
involves a sizeable cluster of Solaris machines that do nothing
handle nothing but mail, with centralized configuration management,
and the firewall is elsewhere. What you suggested would be ideal
advice for many (maybe even most) applications, but in thise case I
"really do" want specifically what I asked for. :)
-Dave-- Dave McGuire Port Charlotte, FL
On Apr 7, 2008, at 4:58 PM, Bill Cole wrote:
Hey folks. One feature I'd really like to see in dovecot is the
ability to point it at a database (with a configurable query) and
have it allow or deny a connection based on looking up the source
IP address in that database.I run Postfix, and I've got it configured to use a database
server for its smtpd_client_restrictions checks. Ideally I'd like
to point dovecot at the same database table. I have external
tools that maintain that table.I was thinking of writing it myself, but I'm running 1.0.10; I'd
assume that any such modifications would need to be rewritten for
1.1. Then I got to thinking that such functionality would likely
be useful to people other than just me, so..Thoughts?
Is there any reason to do this at the application layer rather than
the network layer for Dovecot?
Yup...see my last post on this topic.
Note that using smtpd_client_restrictions in Postfix *does not*
make it deny connections, it just makes it reject mail that is
offered on connections.
Yes, I'm aware of that (I'm pretty comfortable with Postfix) but I
appreciate your pointing it out. I'm sorry for my overly loose
description above.
It seems to me that for SMTP it is fairly normal to have IP space
that you'd want to reject mail from conditionally, such as
depending on whether/how the client authenticates or to allow mail
to standard role accounts. That sort of conditionality that is only
possible at the application layer makes an argument for
smtpd_client_restrictions in Postfix in some cases rather than
blocking at the network layer (i.e. a packet filter on the host of
an external firewall.)
Yup, I'm right with you there.
I don't see the same sort of cases for IMAP or POP where you'd want
to share a list of not-quite-totally-evil IP addresses with Postfix
or anything else, rather than just barring access completely.
...but here, I have seen a number of correlations (oddly) between
dictionary attacks against my IMAP ports, dictionary attacks against
SMTP authentication, and relay attempts. I have stuff in place that
adds, and later removes via a time-based expiration scheme, the
offending addresses to the database for smtpd_client_restrictions to
chop them. The ability to have that table apply to POP3 (for those
few still using it) and IMAP, as well as the SMTP authentication
requests, would be Awfully Nice here.
But as I explained in my other message on this topic, the big deal
is sharing that list across machines running dovecot in a pseudo-load-
balanced configuration. All of my dynamic configuration information
(everything not in dovecot.conf) is stored in a centralized database,
with no local state other than currently-active connections. And if
one IMAP server is getting hammered on by a dictionary attack from a
zombie Windows machine, I want *all* of the servers to block (but
log!) those connections. I suppose I could probably hack together
some method of inserting statements in the access lists on the border
routers (Cisco IOS) but that's a bit dangerous for my taste.
It is possible to restrict specific users to login via specific
networks by using a custom PAM module, the allow_nets extra
authentication field, or a custom checkpassword script. You also
*might* be able to build a SQL query string using the %r variable
and some sort of conditional logic so that authentication from
'bad' IP's fails.
I could investigate that a bit...that is an interesting idea.
-Dave-- Dave McGuire Port Charlotte, FL
On Mon, 2008-04-07 at 12:20 -0400, Dave McGuire wrote:
Hey folks. One feature I'd really like to see in dovecot is the
ability to point it at a database (with a configurable query) and
have it allow or deny a connection based on looking up the source IP
address in that database.
passdb sql { args = dovecot-sql-deny.conf deny = yes }
Where the dovecot-sql-deny.conf has something like:
password_query = select 1 from deny_ips where ip = '%r'
participants (4)
-
Bill Cole
-
Charles Marcus
-
Dave McGuire
-
Timo Sirainen