[Dovecot] Using checkpassword to block ips?

Larry Ludwig larrylud at gmail.com
Mon Jun 16 02:04:05 EEST 2008

Hi new to the list, but we are a long time user of Dovecot via DirectAdmin
control panel.
We, like everyone else, are seeing an increase in dictionary attacks of
POP/IMAP.  We want to block them.
I've searched the mailing list and found a few recommended fail2ban, which
really won't work for our case. We need to do this over many machines and
not one or two.  We also like to gather info at the network wide level.
Hackers know about attacking specific server/ips too often and we've seen
much more distributed attacks that go under the radar of one server
monitoring setup.
We've designed our own system and use a local RBL to distribute the blocked
IPs.  For ftp and ssh attacks it's worked very well.  We would like to use
the RBL to do the same with dovecot.
>From my research it appears the best way to do this (and only currently) is
with the checkpassword option.  I haven't gotten it to work yet.  We have:
        passdb checkpassword {
                args = /usr/local/bin/checkpassword 
                deny = yes
As the first auth..  This should reject the connection if the IP matches.
checkpassword can see TCPREMOTEIP enviornmental variable.
In the checkpassword script we have:
sub read_uinfo {
  open X,"<&=3" or exit 111;
  $_ = <X>;
  # ugly; should use sysread instead
  ($user,$passwd,$apop_ts) = /^(.*)\0(.*)\0(.*)\0/;
  while (<X>) {};
  close X;
  return ($user,$passwd,$apop_ts);
$result=system("/usr/sbin/checkdnsbl $ipaddr");
if ( $result == 0) {
        @ENV{"SHELL","USER","HOME"} = ($shell,$user,$home);
        exit 0;
else {
        exit 1;
My questions are as follows:
- Can the deny = yes be used with checkpassword?
- What am I doing wrong with the script?  It should reject only the
connections that are in the RBL.  It blocks all

Larry Ludwig
Empowering Media
1-866-792-0489 x600
Managed and Unmanaged Xen VPSes


More information about the dovecot mailing list