[Dovecot] Limit login attempts per connection?

Stan Hoeppner stan at hardwarefreak.com
Fri Mar 5 23:13:12 EET 2010


Eric Rostetter put forth on 3/5/2010 2:20 PM:

> It can, in some cases, indeed.  But not in all cases...

I think I was pretty clear in stating each sysadmin needs to evaluate what
countries do/don't need to access his/her IMAP ports.

> I think you did a great service by pointing this out on the list, and
> that many will find this a useful tip.  However, I'm not sure I agree
> with your opening statement that "It's good policy" since that statement
> is very broad, whereas policies are so site/application specific...

Security policy needs to be very broad, does it not?  It's good policy to
preemptively block service access from netblocks in those parts of the world
that a sysop deems will never need legitimate access to systems under his
supervision.  Is it not?

The key here Eric is the identification and classification process.  The
U.S. government, large multinationals, and some higher ed institutions will
probably identify the fact that they probably can't use a default deny
policy for most systems because there are users in potentially every
country.  For many other organizations, of all sizes, they may never have a
legit user in Bhutan, China, Paraguay, or Zaire needing to access their
systems.  In these orgs, it makes no sense not to ban such IP space.  Good
security must be proactive, not reactive.  Be proactive everywhere you can.

Good security practice is broad by nature, and is applicable to all sites
and applications.

-- 
Stan




More information about the dovecot mailing list