[Dovecot] Dovecot LDA and address extensions - folders flood

Charles Marcus CMarcus at Media-Brokers.com
Wed Jan 11 21:25:24 EET 2012


On 2012-01-11 2:05 PM, huret deffgok wrote:
> On Wed, Jan 11, 2012 at 7:04 PM, Charles Marcus wrote:
>> On 2012-01-11 1:00 PM, huret deffgok wrote:
>>> This post is slightly OT, I hope no one will take offense. I was
>>> following the wiki on using dovecot LDA with postfix and
>>> implemented, for our future mail server, the address extensions
>>> mechanism: an email sent to
>>> "validUser+foldername@mydomain.com"
>>> will have dovecot-lda automagically create and subscribe the
>>> "foldername" folder. With some basic scripting I was able to
>>> create hundreds of folders in a few seconds. So my question is
>>> how do you implement this great feature in a secure way so that
>>> funny random people out there can't flood your mailbox with
>>> gigatons of folders.

>> Don't have it autocreate the folder...
>>
>> Seriously, there is no way to provide that functionality and have the
>> system determine when it is *you* doing it or someone else...
>>
>> But I think it is a non problem... how often do you receive plus-addressed
>> spam??

> None from now.  But I was thinking about something like malice rather than
> spamming. For me it's an open door to DOS the service.
> What about a functionality that would throttle the rate of creation of
> folders from one IP address, with a ban in case of abuse? Or maybe should
> I look at the file system level.

Again - and no offense - but I think you are tilting at windmills...

If you get hit by this, you will not only have thousands or millions of 
folders, you'll have one email for each folder. So, the question is, how 
do you prevent being flooded with spam... and the answer is, decent 
anti-spam measures.

I prefer ASSP, but I just wish you could use it as an after queue 
content filter (for its most excellent content filtering and more 
importantly quarantine management/block reporting 
features/functionality). That said, postfix, with sane anti-spam 
measures, along with the most excellent new postscreen (available in 
2.8+ I believe) is good enough to stop most anything like this that you 
may be worried about.

Like I said, set up postfix (or your smtp server) right, and this is a 
non-issue.

-- 

Best regards,

Charles
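
Added example, not part of the original thread or of Dovecot itself: a small log check for the folder flood discussed above, flagging users who receive mail in an unusual number of previously unseen folders within a short window. The first delivery to a mailbox name is used as a proxy for folder creation; the message part of each line follows Dovecot's default deliver_log_format ("msgid=%m: %$"), while the timestamp prefix, the sample lines and the thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the thread). The message part follows Dovecot's
# default deliver_log_format "msgid=%m: %$"; the timestamp prefix is assumed.
SAMPLE_LOG = """\
2012-01-11 09:00:00 lda(carol): msgid=<c1@example.net>: saved mail to lists
2012-01-11 13:00:00 lda(carol): msgid=<c2@example.net>: saved mail to bills
2012-01-11 17:00:00 lda(carol): msgid=<c3@example.net>: saved mail to travel
2012-01-11 20:00:00 lda(carol): msgid=<c4@example.net>: saved mail to family
2012-01-11 21:00:00 lda(alice): msgid=<a1@example.net>: saved mail to INBOX
2012-01-11 21:00:01 lda(bob): msgid=<f1@example.net>: saved mail to x0001
2012-01-11 21:00:02 lda(bob): msgid=<f2@example.net>: saved mail to x0002
2012-01-11 21:00:03 lda(bob): msgid=<f3@example.net>: saved mail to x0003
2012-01-11 21:00:04 lda(bob): msgid=<f4@example.net>: saved mail to x0004
2012-01-11 21:00:05 lda(bob): msgid=<f5@example.net>: saved mail to x0005
"""

LINE_RE = re.compile(r"^(\S+ \S+) lda\(([^)]+)\): msgid=.*: saved mail to (.+)$")

def first_deliveries(log_text):
    """Yield (timestamp, user) for each user's first delivery to a non-INBOX mailbox."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, mailbox = m.groups()
        if mailbox.upper() == "INBOX" or mailbox in seen[user]:
            continue
        seen[user].add(mailbox)
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user

def flooded_users(log_text, max_new=3, window=timedelta(minutes=1)):
    """Map user -> peak count of new mailboxes inside any window, if above max_new."""
    stamps = defaultdict(list)
    for ts, user in sorted(first_deliveries(log_text)):
        stamps[user].append(ts)
    flagged = {}
    for user, times in stamps.items():
        start = peak = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_new:
            flagged[user] = peak
    return flagged
```

On the sample, only bob is flagged (five new folders in four seconds); carol's four folders spread over a day stay under the threshold.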
